Protecting privacy is more than just stating principles; compliance means being able to demonstrate how everyday practices affect the ability to comply with abstract principles and interests. A short discussion on how managing information helps demonstrate compliance.

1. So You Want To Protect Privacy: Now What? ARMA Information Management Symposium June 1, 2011 Stuart Bailey

2. 2 So You Want To Protect Privacy: Now What?

3. 3 Privacy and Social Media “Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that "what is whispered in the closet shall be proclaimed from the house-tops."“ “The Right to Privacy” Warren and Brandeis, The Right To Privacy, 4 Harvard Law Review 193 (1890) So You Want To Protect Privacy: Now What?

4. 4 Privacy Means… Can be defined in many ways, for example, privacy of: Assault Nuisance Reputation Defamation (Slander, Libel) Property rights (Copyright, intellectual property) Opinions Body Communications Data So You Want To Protect Privacy: Now What?

5. 5 Privacy and Data Protection Data protection legislation is the main lens through which we address privacy interests Documented information about specific individuals Prosser v. Gavison Privacy torts; something unique and distinct As seen recently in Law Times Jones v. Tsige 2011 ONSC 1475 (CanLII) http://www.canlii.org/en/on/onsc/doc/2011/2011onsc1475/2011onsc1475.html So You Want To Protect Privacy: Now What?

6. 6 Social Media and Privacy The Right to Be Let Alone “The Right to Privacy” Warren and Brandeis, The Right To Privacy, 4 Harvard Law Review 193 (1890) Freedom of Expression Private Communications The Right to Be Forgotten As seen recently in the European Union Location data Does it locate a data subject, or is data a location itself (i.e., a site)? Crossing Borders If skin is a border between people, what forms the border between data subjects? So You Want To Protect Privacy: Now What?

7. 7 Prosser on Privacy Intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs; Public disclosure of embarrassing private facts about the plaintiff; Publicity which places the plaintiff in a false light in the public eye; and Appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness. Privacy, 48 Cal.L.Rev. 383 (1960) So You Want To Protect Privacy: Now What?

10. [53] Turning back now to the various statutory provisions that govern privacy issues, most Canadian jurisdictions have statutory administrative schemes that govern and regulate privacy issues and disputes. In Ontario, it cannot be said that there is a legal vacuum that permits wrongs to go unrighted - requiring judicial intervention.

11. [54] More particularly here, there is no doubt that PIPEDA applies to the banking sector and Ms. Jones had the right to initiate a complaint to the Commissioner under that statute with eventual recourse to the Federal Court. For this reason I do not accept the suggestion that Ms. Jones would be without any remedy for a wrong, if I were to determine that there is no tort for the invasion of privacy.

12. [55] Notwithstanding the careful reasoning in Somwar and its adoption in Nitsopoulos, I conclude that the decision of the Court of Appeal in Euteneier is binding and dispositive of the question as to whether the tort of invasion of privacy exists at common law.

13. [56] I would also note that this is not an area of law that requires “judge-made” rights and obligations. Statutory schemes that govern privacy issues are, for the most part, carefully nuanced and designed to balance practical concerns and needs in an industry-specific fashion.

14. [57] I conclude that there is no tort of invasion of privacy in Ontario.http://www.canlii.org/en/on/onsc/doc/2011/2011onsc1475/2011onsc1475.html Accessed May 20, 2011 (emphasis added) If there is no tort of invasion of privacy, recoveries for privacy harms must be done through other means – but how will those be acted on? So You Want To Protect Privacy: Now What?

15. 10 A Privacy Proposition If there is no tort for invasion of privacy Privacy harms are appended to other torts And there is still something unique and distinct about privacy that lets us have internal thoughts Privacy rights are based on a concept that cannot be numerated Therefore, protecting privacy rights is a matter of linking shared principles to everyday actions and finding “privacy” through other established activities Data protection and the need to manage information So You Want To Protect Privacy: Now What?

16. 11 Data and Privacy Data are everywhere; some personal, some not – some personal information can be derived from seemingly non-personal information. Personal data can be a location as much as a physical address is. Determining and adhering to “consistent use” can prove to be difficult. So You Want To Protect Privacy: Now What?

17. 12 Information Management Information Management is the discipline of managing information like an asset – the same as we do for money, people, or infrastructure. So You Want To Protect Privacy: Now What?

18. 13 What Is Information Management? http://www.aiim.org/What-is-Information-Management So You Want To Protect Privacy: Now What?

20. IM looks at the information that crosses boundaries:

21. Technical environment (e.g., e-mail > shared drive > collaboration site > report repository)

22. Subject-matter (e.g., policy > business analysis > customer support > application design)So You Want To Protect Privacy: Now What?

23. 15 IM Process and Context Users Intersection of Information Management Issues and Activities fn.ln@ontario.ca; un/pw e.g., Briefing Note; Report; Approval; Procurement; Agreement; Project Records e.g., E-mail; Shared Drive; Collab sites; Mobile Content Context http://collectionscanada.ca/government/news-events/091/007001-misc06-e-v5.jpg Affects ability to enable and support: Sharing, Collecting, Reporting, Collaborating, Re-Using, Guiding, Managing Knowledge, Corporate Knowledge Repositories; Managing the Public Record So You Want To Protect Privacy: Now What?

25. Collection / Creation

26. Use, Disclosure, Maintenance

27. Disposition

28. EvaluationPrivacy Accountability Identifying Purposes Consent Limiting Collection Limiting Use, Disclosure, and Retention Accuracy Safeguards Openness Individual Access Challenging Compliance So You Want To Protect Privacy: Now What?

29. 17 Planning What information do you want? Why do you want that information? Who will be using that information, and to accomplish what? Does everyone understand what you want to do with the information? Have you got the authority to collect, and use the information? Intended Purpose Authorizations to Collect Notice and Consent So You Want To Protect Privacy: Now What?

30. 18 Collection / Creation Have you given proper notice for what you want to collect? Is the notice traceable to the collection and management of the information? Can you demonstrate how collection has been limited? Do you know how you will protect the information? Can you demonstrate how this is consistent with your policies? Who is accountable if the information is lost? Notifications and Consent Limiting Collection Safeguards Openness Accountability So You Want To Protect Privacy: Now What?

31. 19 Use, Disclosure, Maintenance How can you demonstrate that you have limited use, disclosure, or retention? How have you applied policies (e.g., retention) against information? Where are the safeguards being applied? By whom? For how long? Against what? What if you use encryption – how will you decrypt if needed? If challenged, can you demonstrate compliance with your own policies? Limiting Use, Disclosure, Retention Accuracy Safeguards Challenging Compliance Individual Access So You Want To Protect Privacy: Now What?

32. 20 Disposition When destroying, can you demonstrate that use was limited? When protecting, can you be sure you’re protecting enough – or not too much? How will you ensure that you are working with the most accurate information? If requested, will you know where to find all relevant information? Limiting Use, Disclosure, and Retention Safeguards Accuracy Individual Access So You Want To Protect Privacy: Now What?

33. 21 Evaluation How can you demonstrate that you have complied with the principles? Once you have made your policies open and accessible, can you show how you are complying with them? How is accountability traceable and demonstrable to outside observers? What is the effect of governance decisions? Challenging Compliance Openness Accountability So You Want To Protect Privacy: Now What?

34. Sparkle Eyes 22 So You Want To Protect Privacy: Now What?

35. 23 Information Management http://www.imdb.com/name/nm0000123/ So You Want To Protect Privacy: Now What?

36. 24 Bio on IMDB.com Job Type Year Ratings Votes TV Series Genre Keyword So You Want To Protect Privacy: Now What?

37. 25 Celebrities’ Private Lives Tombstone data Filmography Thoughts and Opinions Movement Communications Intimacy So You Want To Protect Privacy: Now What?

38. 26 Automated Systems For example, in a SharePoint environment, metadata enables features like rights management, document routing, and disposition. So You Want To Protect Privacy: Now What?

39. 27 Retention Schedules So You Want To Protect Privacy: Now What?

40. 28 Demonstrating Compliance To demonstrate compliance with legislation and policies, specific data about specific individuals must be tracked and managed. In the event of a breach, specific actions about specific points in the organization (e.g., database, program area, etc.) need to be taken in order to respond. So You Want To Protect Privacy: Now What?

41. 29 Conclusion Privacy is an abstract concept Respecting and protecting privacy happens through data protection Data protection requires common, consistent management activities in various contexts Data in context is information Therefore, protecting privacy means managing information So You Want To Protect Privacy: Now What?