Keynote: Eloïse Gratton “Are privacy laws adequately protecting and servicing privacy?”
Various definitions of privacy have been adopted since the late nineteenth century, illustrating an evolving concept. After first conceptualizing privacy quite simply as “the right to be let alone” in 1890, then as “the respect for one’s private and family life, his home and his correspondence” in the late forties, a third step in theorizing privacy came in the late 1960s and early 1970s, motivated by technological threats to privacy. With the development of automated data banks and the growing use of computers in the private and public sector, privacy was at that point conceptualized as having individuals “in control over their personal information”. The principles of Fair Information Practices (or “FIPs”) were elaborated during this period and have been incorporated in data protection laws, such as PIPEDA and similar provincial laws, adopted in various jurisdictions around the world ever since. The circumstances have changed fundamentally since privacy was conceptualized as “individuals in control of their personal information”: individuals constantly give off personal information, new business models are increasingly based on the notion of greater customization and many online or mobile service providers are using analytic solutions in order to improve their websites, products or services. The power and scope of the activity of aggregating and correlating information have increased along with Internet technologies, new algorithms are being developed that allow extraction of information from a sea of collected data and data-mining techniques and capabilities are reaching new levels of sophistication. In this context, it is reasonable to wonder if data protection laws still provide for a proper legal framework. In order to ensure that data protection laws are still and remain effective over time, the main challenge at this point is to properly identify the weaknesses of our system.
Keynote: Patricia Kosseim "Privacy at the Cutting Edge: A Return to First Principles, but Which Principles?"
Patricia Kosseim will welcome participants on behalf of the Office of the Privacy Commissioner of Canada. She will open the symposium by providing a broad overview of the day's themes, revisit first principles underlying privacy interests at the cutting edge, and raise a few questions for reflection throughout the day.
Panel 1: Health Privacy
Amy Conroy “Genetic “Junk” Collection and the Future of Canada’s National DNA Data Bank”
Justifications for the existence of forensic DNA databanks have often emphasized that the portions of the genetic code used in criminal identification are limited to non-coding or “junk” DNA. That is, forensic databanks were established and developed based on the idea that the DNA profiles contained on these databases could not reveal sensitive medical information about the individuals from whom they were derived. This assumption has been challenged by recent studies showing the potential for medically relevant characteristics (e.g. propensity towards certain medical conditions) to be revealed through examination of non-coding DNA. Moreover, it has been suggested that this process may allow for determination of other personal characteristics such as race or ethnic background. This presentation will discuss the initial importance of the distinction between coding and non-coding DNA within the context of Canada’s National DNA Data Bank. It will then examine recent evidence that calls the junk-DNA assumption into question. This will include consideration of the meaning of “medically significant” when it comes to junk DNA, emphasizing that while non-coding DNA may not hold a causal relationship with certain characteristics, it may nevertheless correlate with these same characteristics. Finally, the potential for non-coding DNA to play an unanticipated role in the future of Canadian criminal investigations will be examined in order to gain an understanding of the potential power of “junk” DNA within the future of forensic DNA data banking.
Kelly Grindrod “The Reliability of Security Options for Mobile Health Applications Designed for Use With Older Adults with Chronic Disease”
The goal of this project is to evaluate the current security solutions available for mobile health applications (mHealth apps) designed for consumers. The researchers will also provide recommendations for both consumers and mHealth developers on the best mechanisms to easily and reliably secure consumer-generated health data in a way that remains accessible for individuals with age-related or disease-related disabilities. The researchers hope the study findings will provide a model for secure consumer mHealth implementation across Canada and guide regulations for upholding consumer privacy standards for these applications. The ultimate beneficiaries of this research project will be Canadians who want to use mobile applications to manage or prevent disease.
Yann Joly “A policy governance framework for analyzing genomic data in a cloud computing environment”
The biggest challenge in twenty-first century data-intensive genomic science is developing vast computer infrastructure and advanced software tools to perform comprehensive analyses of genomic data sets for biomedical research and clinical practice. Researchers are increasingly turning to cloud computing both as a solution to integrate data from genomics, systems biology and biomedical data mining and as an approach to analyze data to solve biomedical problems. This presentation will identify the core elements for a privacy governance framework for the storage and sharing of genomic data in cloud computing. Our information was gathered from the following research activities. First, the researchers created a cloud computing privacy compendium, which includes key citations from a comparative legal review, as well as critical comments drawn from legal and bioinformatics content analysis. Second, the researchers developed a discussion document to provide an overview of the privacy governance frameworks applicable to cloud computing, a comparison of the privacy policies and/or relevant agreements used in cloud service providers in Canada and in other jurisdictions (i.e. United States and European Union), and an overview of the relevant literature. A short policy brief, available in both English and French, on cloud computing and the law will summarize the main finding of the research.
Derek J. Jones & Colleen Sheppard "Mental Health Information Privacy & Equality in the Workplace (MEHIP)"
With one in five persons experiencing a mental "disorder" during their lives, mental health in the workplace has emerged as a pressing and substantial issue for workers and families, management and institutions, occupational health professionals and insurers, and health and human rights. A Report from the Canadian Senate in 2004 explains: one-third to one-half of people with mental illnesses report being turned down for a job for which they were qualified, after they disclosed their conditions, were dismissed from their jobs, and/or were forced to resign as a result of their mental illness. Recent Canadian and international reports echo and document the phenomena as a global issue. How shall we more effectively respond to the associated health information privacy, disclosure, and safety reporting issues; the stigmatisation dynamics; our accommodation and non-discrimination duties? Drawing on human rights case studies, comparative international research and interdisciplinary literature, the MEHIP project identifies leading issues and questions, best practices and standards, towards just and enabling guidance on mental health information privacy and equality rights in the federally-regulated workplace.
Panel 2: Privacy and Security in a Globalized World
Luk Arbuckle "Open Data and Privacy"
There is increasing demand for data from both private and public sector institutions. This may be financial data, health and lifestyle data, Internet transaction or clickstream data, and travel/movement data. These data can be used in many ways, such as to develop or improve new services and products, for research and public health purposes, and to inform or even change the behaviour of citizens.
There is no question that providing greater access to data can have many benefits to society. However, making data about individuals more widely available also entails privacy risks, and inappropriate disclosure of personal information can erode individuals’ trust in public and private sector institutions.
This presentation will provide an overview of responsible methods that can be employed to facilitate the open sharing of data while also protecting individual privacy. This includes techniques to assess risk and de-identify data, and the use of quasi-open data options as well.
David T.S. Fraser "National security and privacy on a borderless internet: A practical perspective for Canadians"
Concern about the USA Patriot Act and Canadians’ data is not new, but has only heightened with the Snowden revelations. This has also coincided with the dramatic growth in the adoption of cloud computing, which does not seem to be letting up. This presentation will provide an overview of US and Canadian national security laws that affect the privacy of data in the cloud, leading to a discussion of how to practically assess the risk to privacy of the adoption of different models of cloud computing.
Michael Geist "Why Watching the Watchers Isn't Enough: Canadian Privacy and Surveillance Law in the Post-Snowden Era"
Months of surveillance-related leaks from U.S. whistleblower Edward Snowden have fuelled an international debate over privacy, spying, and Internet surveillance. The leaks have painted a picture of ubiquitous surveillance that captures “all the signals all the time”, sweeping up billions of phone calls, texts, emails, and Internet activity with dragnet-style efficiency. While the instinctive Canadian response may be to focus on improved oversight and accountability mechanisms, the bigger challenge will be to address the substantive shortcomings of the current Canadian legal framework. Indeed, improved oversight without addressing the limitations within current law threatens to leave many of the core problems in place. In short, watching the watchers is not enough.
Panel 3: Privacy after Death
Mistrale Goudreau “Can a post-mortem privacy right be recognized? Looking beyond privacy law for insight”
It is generally held that protection against damage to reputation, and invasion of privacy, are personal rights that end at a person’s death; however, this may not be the case. In Civil law, the right to privacy was a creation of courts, and one which judges recognized when the facts of cases brought before them seemed to require court intervention. The 1858 Rachel decision of the Tribunal civil de la Seine is credited with first recognizing the right to privacy in Civil law. This case ruled in favour of the sister of a deceased actor, Rachel, who brought an action to destroy an image of Rachel on her deathbed that had been published by a newspaper. While United States law holds that the right to privacy is not transmissible, it also holds that the closely related publicity right continues after death. In Canadian Common Law, we also distinguish between the tort of intrusion upon seclusion and that of wrongful misappropriation of personality. However, it is becoming more and more difficult to define the boundary between breaches of privacy on the one hand, and non-authorized commercial uses of someone else’s personality rights on the other. Is this distinction, then, arbitrary or founded? As well, legislators are increasingly protecting certain aspects of privacy through data protection laws. These laws, however, derive from very different underlying principles. Also, the duration of protection in data protection laws differs by jurisdiction, and furthermore, some jurisdictions recognize only a limited management right for estate liquidators and heirs. An examination of the recent evolution of case law in the area of personal rights can shed light on the concept of privacy and its protection after death.
Julia Creet "Data Mining the Deceased: Ownership, Privacy and Family Records"
“Need to Know: Ancestry and the Business of Family” is a documentary that explores the need for family history and the industry that encourages interest and provides records. Shot in Canada, the United States, the United Kingdom and Iceland, “Need to Know” features interviews with amateur and expert genealogists, industry representatives and researchers to elucidate the aggregation of genealogical records and bio-data. The story follows Julia Creet as she explores the roles of the two largest providers in the world, The Church of Jesus Christ of the Latter Day Saints and Ancestry.com and their users and issues of the concentration and aggregation of genealogical data in relation to privacy. Iceland features as the canary in the coalmine, as the world’s first “braided” database, combining genealogical, genetic and medical records, was privately built and sold offshore.
Julia Creet will screen and discuss relevant clips from the documentary with respect to issues of ownership—“a gray area,” according to one of the founders of Ancestry.com—and the aggregation and braiding of genealogical data.
Margaret Ann Wilkinson "In the privacy of your own family?"
Genealogy may be one of Canada's fastest growing pastimes but personal data protection legislation does not particularly recognize the unique place of information about one's own family and, indeed, often frustrates individuals seeking such knowledge.
Panel 4: Privacy Digital Skills and Education for Children and Youth
Matthew Johnson “Privacy Pirates: Teaching Privacy Principles to Young Children Through Multimedia”
When we think about the privacy risks that youth face online, we tend to think in terms of teens and tweens oversharing on cell phones and social networks. Increasingly, though, children are facing privacy issues younger and younger: MediaSmarts’ Young Canadians in a Wired World survey found that almost a third of students in grades 4 to 6 have a Facebook account. What’s more, children – and parents – don’t necessarily know about the privacy issues that they face online. All but one of Canadian children’s favourite sites contain commercial content or advertising, and the vast majority of them have a variety of ways of gathering and collecting personal information.
What all of this means is that as a society we have a responsibility to teach our kids about how to manage their privacy online. Contrary to what a lot of people think, kids do care about privacy, take active steps to control who sees the content they post, would like more control over who collects their personal information and want to learn more about how to manage their privacy.
This is why MediaSmarts, Canada’s centre for digital and media literacy, is bringing our popular educational game Privacy Pirates to mobile platforms. Aimed at children aged seven to nine, Privacy Pirates teaches kids that their personal information is valuable and that they should be careful about when and with whom they share it. Guided by a friendly mentor, players cross an island inhabited by nine cartoon pirates who each test the player’s knowledge about a different privacy topic.
This talk will look at the research that informed the project, the design and educational considerations in its creation, and the lessons learned in adapting it from a browser-based game to an app for mobile devices.
Colin McKay "Digital Adoption in Canada: Observations On How Use and Skills Have Evolved"
Drawing from ten years of qualitative and quantitative research into the adoption of digital tools in Canada, we'll discuss how behaviours, expectations and benefits have evolved.
Karen Louise Smith “Co-Designing Open Badges for Privacy Education with Canadian Youth”
In the fall of 2014, a design team was formed by Hive Toronto, a digital literacy network stewarded by Mozilla. The design team included researchers, practitioners, and 8 teen peer researchers. The major goal of the design team was to prototype 10 open badges and to create the associated curriculum resources for privacy education, relevant to PIPEDA. In brief, Open Badges are a badge image plus metadata that can be shared online to signify learning. This presentation argues that attributes of connected learning, including peer culture, openly networked connections and production centered learning activities, are effective elements for building an empowerment-oriented approach to privacy education in Canada.
This presentation provides an overview of the design team’s experience, which was informed by connected learning as well as the concepts of privacy as contextual integrity, and networked privacy. Major elements of the project included participatory design workshops with teens, interviews with educators, and a knowledge mobilization workshop. The research with teens surfaced many of the privacy implications that are common in their daily lives such as the power imbalances between data creators and data analyzers, the politics of corporate ownership of social media platforms, and the difficulties of experiencing privacy when data is stored globally in the cloud. Educators such as community center workers and librarians remain challenged by the digital divide and shifting usages of sites and platforms by teens. Overall, this design-oriented project helps to conceptualize why connected learning approaches to privacy education for youth, which incorporate Open Badges, might contribute to building up empowerment-oriented approaches as a component of privacy education in Canada.