Interview with David Loukidelis
January 2006
Interviewee: David Loukidelis, Information
and Privacy Commissioner of British Columbia
Interviewer: Terry McQuay, President of Nymity
Subject: Privacy Challenges in 2006
January 4, 2006
Nymity: Congratulations David on being appointed for another
six years as Privacy Commissioner of British Columbia. What
are your objectives for 2006?
Loukidelis: Thanks for the good wishes.
I’m very excited about the challenges ahead, this year
and in the coming years. My goals this year include enhancing
our ability to respond to complaints under PIPA and the Freedom
of Information and Protection of Privacy Act and increasing
our pro-active work in online support tools for organizations
and the public. A committee of our Legislative Assembly recently
recommended new funding for the staff positions we need to
do these things and I hope to move ahead on this very soon
after the next fiscal year starts on April 1.
Nymity: What do you see as the top challenges facing privacy officers
in 2006?
Loukidelis: In larger organizations,
privacy officers will probably face ongoing challenges in
co-ordinating their work with that of IT departments and IT
security staff, ensuring that new or upgraded systems comply
with Canada’s privacy laws. The issue of notifying customers
when their personal information has been compromised is another
challenge that is likely to confront privacy officers and
their employers.
Nymity: The Privacy
& Security Conference, on February 9 - 10th, in Victoria,
British Columbia, seems to have grown over the years and now
has a number of international speakers. What changes have
you seen over the last few years?
Loukidelis: This conference––which
is very reasonably priced––is very, very well-organized
and promoted. As for changes over the years, one obvious change
is the sheer size of the thing––last year there
were over 700 people attending, I believe. Over the years,
the range of topics has widened without being unfocussed.
And I’m happy to see more speakers from the US and even
Europe, my hope being that the conference will continue to
attract international speakers and, ideally, more attendees
from outside Canada.
Nymity: At the conference, you are the Commentator for the
"Privacy and Security Breaches: A Duty to Inform?"
session at which I am one of the speakers. What do you see as
the objectives for this session?
Loukidelis: I’d like to see the
panel bring the audience up to date on legislative and non-legislative
developments in the US around mandatory notification. I’d
then hope to have some discussion of business community perspectives
on such laws—the pros and cons, if you will. Ideally,
the panel would help inform the discussion in Canada about
whether we need laws that expressly require notification,
and when.
Nymity: Also at the conference, you are the Keynote speaker
for the second day and your session is entitled "Trans-Border
Data Flows". Please share with us what will be covered
in this session.
Loukidelis: As you may know, there
was a lot of discussion last year in British Columbia about
outsourcing of public sector services involving personal information
and the concern that the USA Patriot Act could allow access
to that information. To my mind, the USA Patriot Act debate
is only a recent example of longstanding challenges associated
with trans-border data flows. There’s a reason for the
OECD’s interest in the issue starting in the late 1970s,
after all.
Although I’ll touch on the BC discussion and legislative
response, as well as the recently disclosed federal Treasury
Board guidelines, I plan to focus more on private sector privacy
issues raised by trans-border data flows. The issues in the
private sector differ, in my view, from those involved in
public sector outsourcing, and I plan to explore the private
sector context more. The goal is to raise questions and suggest
that flexible, innovative solutions need to be found to ensure
that trans-border data flows continue while protecting privacy.
Nymity: In 2006 there is to be a review of PIPEDA; will your
office be making a submission and what areas are likely to
be covered?
Loukidelis: Yes, we plan to make a
submission, though we will restrict our comments to high level
issues, not issues related to legislative drafting. Our perspective,
not surprisingly, will relate to our experiences dealing with
overlap between PIPEDA and PIPA.
Nymity: Notification after a privacy breach looks to be a
hot topic in 2006. What are the requirements in the Personal
Information Protection Act for disclosures after a breach
of personal information?
Loukidelis: It certainly will continue
to be a hot topic. PIPA doesn’t expressly deal with
notifications of inappropriate disclosure of personal information.
It does require organizations to take reasonable measures
to guard against unauthorized use of personal information,
however, and it’s an open question as to whether this
may include a duty to inform, or warn, where personal information
has been disclosed inappropriately and there’s a risk
of misuse. That will be an interesting question down the road.
Nymity: In closing, what do you see as the hot privacy topics
for 2006?
Loukidelis: Let me limit myself to
a few private and public sector examples.
In BC, at least, I think we’ll see ongoing privacy issues
in the workplace. We haven’t had the number or variety
of workplace privacy complaints the Alberta or federal privacy
commissioners’ offices have had, but my sense is we’re
already getting more and more of them.
By now it’s cliché to name RFID technology as
a hot topic, but I’m going to do it anyway. The technology
is in its infancy in many ways—certainly when it comes
to B2C applications—but my sense is that factors are
converging that will make it an important policy issue this
year.
In the public sector, we’ll see ongoing debate about
the lawful access proposals, digital rights management initiatives
and spyware. The Parliamentary review of the Anti-Terrorism
Act will also spark some debate when it’s completed.