Interview with Michael Power
July 2003
Terry McQuay recently interviewed Michael Power, a partner at Gowling Lafleur Henderson LLP. Michael provides legal advice to public and private sector clients in the areas of privacy, authentication, information technology security, electronic government and internet law. Michael is also the firm's Privacy Officer.
Nymity: Michael, you refer to privacy as a governance issue. Please explain.
Power: Privacy management is something that has to be done on an integrated, coordinated basis and involves both the commitment of resources as well as management's time and attention to change corporate policies and procedures concerning an organization's handling of personal information. Because of this, it requires senior management and, given how some organizations structure themselves, corporate boards to focus on the subject.
Nymity: You said that conducting a privacy assessment is one of the first steps an organization should take toward compliance. Can you briefly describe how Gowling Lafleur Henderson LLP conducts a privacy assessment?
Power: A privacy assessment determines how an organization matches up to its obligations under PIPEDA and provincial privacy legislation. For any organization to become privacy-compliant, getting "there" requires knowing the location of "here". This involves examining an organization's current policies, procedures and practices concerning personal information, mapping them to legislated obligations to identify privacy risks and then recommending alternative approaches to mitigate those risks.
Nymity: For each repository of customer and employee information you conduct a data analysis, privacy analysis and privacy risk management assessment. This sounds like a huge amount of work. Is it?
Power: It need not be if the right people within an organization are involved and the right questions are asked. A data analysis is a "snapshot" of the organization; a privacy analysis is comparing what the organization does now to what it will be obliged to do; a privacy risk management plan is simply identifying the "gaps" (labeled "privacy risks") and figuring out how best to close those gaps. It's not "rocket science", but it does involve time and attention, commodities that are often in short supply this close to the coming deadline of January 1, 2004.
Nymity: Your privacy assessment takes a life cycle approach. Please elaborate.
Power: The privacy obligations of organizations revolve, in part, around the collection, use and disclosure of personal information. When you look at what that really entails, you'll quickly see that it fits within the "lifecycle" of that information: how it is initially brought into the organization (collection); what happens to it (use); who sees it (disclosure); how long it is kept (retention), and where it is retained (security). Once it comes into an organization, one has to examine how personal information is treated up to the point it leaves the organization.
Nymity: In your life cycle approach, you spend as much time with retention and destruction as you do with collection, use and disclosure. Why are retention and destruction of information important?
Power: The CSA Model Code, which forms part of the federal privacy legislation, requires organizations to safeguard personal information in their possession and to limit their retention of that information. Part of the safeguarding or security of personal information is making sure that it is securely disposed of when no longer required. Perhaps not surprisingly, document retention policies for information management are proving to be useful in contexts other than privacy (e.g. e-litigation). Having such a policy is a useful tool for an organization to manage information generally and not just personal information.
Nymity: Compliance with legislation is a legal issue. What types of organizations should contract a legal firm to help them complete their privacy assessment?
Power: Any organizations concerned about the latest interpretations by the Privacy Commissioner's Office and legal decisions interpreting PIPEDA should consult legal counsel. Smaller organizations may have less volume of personal information but more issues since they do not often have the necessary infrastructure to manage personal information. Larger organizations may not have the management infrastructure to deal with the issue in the time frame we now have.
Nymity: What are the considerations or risks when an organization decides to complete the privacy assessment with in-house resources?
Power: January 1, 2004 is less than 6 months away, so time, or lack thereof, is an enemy of any organization at this point. Organizations can take a DIY approach, but it involves both commitment and buy-in from all parts of the organization. If that commitment isn't there, a lot of what needs to be done by January 2004 won't be completed. In-house assessments tend to be slower. That's not necessarily a bad thing unless time is running down fast. Keep in mind, privacy tends to be "Job No. 2", a task assigned in addition to an individual's or group's primary job.
Nymity: Is privacy as a governance issue purely risk management, or are your clients finding other benefits/returns on their compliance investments?
Power: Surprisingly, organizations are finding out a variety of different things about their information handling practices as they go through a privacy compliance program. Some discover they keep too much information for too long in storage while others find they collect information they no longer require. Still others come across information they didn't know they collected! The result is sometimes a re-engineering of business processes to reduce data flows or changes in policy that result in better customer relations or cost savings.
Nymity: From a legal perspective, can you explain "best efforts" and "due diligence" as it pertains to compliance with PIPEDA?
Power: These terms do not really come up in a PIPEDA context per se. "Due diligence" comes up more in the sale of a business. Most legal definitions say something akin to "due diligence is a measure of prudence to be expected from, and ordinarily exercised by, a reasonable and prudent person under the particular circumstances". This is not measured by any absolute standard, but depends on the relative facts of the case. At a practical level, due diligence includes understanding all of the business and legal obligations of a company, which arguably includes its obligations to comply with the upcoming application of privacy laws.
"Best efforts" is usually seen as an obligation (usually contractual) to attempt to meet a goal using every reasonable means available. The term is generally being replaced with "commercially reasonable efforts" in light of harsh interpretations of the term in legal decisions in the United States. The term shouldn't really arise in a privacy context since one has legal obligations under a statute as opposed to having to use "best efforts"; however, the use of the CSA Code in PIPEDA (and its periodic references to "reasonable") to frame the legal obligations of organizations muddies the water a bit.
Nymity: In closing, you were recently appointed Chief Privacy Officer for Gowling Lafleur Henderson LLP. Is this a promotion?
Power: Every organization has to comply with the new privacy law and that includes law firms. I kept getting asked questions for internal purposes so it was decided, in recognition of the effort, I might as well formally have the title since I appeared to have the "job". In conjunction with the Executive Committee and management, I'll be working with lawyers and staff across Canada to make sure Gowlings is ready for January 1, 2004. We are in the midst of working our way through our own privacy action plan. Not only do I have to "talk the talk" but I also have to "walk the walk" when it comes to privacy management.