Submission to the Provincial Data Strategy Consultation 2019 – Round 1

Here’s my submission to the provincial data strategy consultation, the first discussion paper (of three) is a good backgrounder on data issues. The questions are in italics and taken from the discussion paper.

5.1. – Privacy, Data Protection and Data Governance  

  1. How can the province ensure that privacy and data protection practices throughout Ontario’s public sector: o Put people and users first; o Enable digital transformation; o Promote effective, efficient program management; and, o Protect Ontarians from data-related harms?

The Ontario public service could be reorganized so that issues related to the Westminster system of accountability can be addressed. By explicitly stating this option as part of this work, there could be an assessment of the types of cross-divisional work and data sharing that may support better outcomes for service delivery. This would have to be done in a way that means-testing is an explicitly stated problem that would need to be managed and avoided.  The alternative, which is making administrative supports more accessible for people, could be one core goal.

The province also needs to be honest about the fact that some current practices that have taken hold, both in the public realm and in a range of spaces, may need to be reassessed. There is a lot of path dependency in the current legacy IT systems, and this makes it very difficult to convince people to change. Unfortunately, to really make the changes needed and to lead, globally, on this file there needs to be an admission that the threat of near-total surveillance is very real, and the methods used to attain safety through surveillance need a rethinking. It’s not to say all that is current is wrong or should be destroyed, but the vision for society has to be discussed first before trying to figure out how to graft it onto or reverse engineer it from the current state of affairs. A very data light society may also be a very technically advanced society – it all depends on what gets prioritized.  There has to be a dedicated amount of attention placed on defining how we want our spaces and our liberties to work, and what it means when piecemeal systems undermine fundamental aspects of our systems, including our rule of law, that requires a lack of certainty about where people are at all times.

The discussion of all Ontarians is timely in that this is the right moment to consider what legislation for collective privacy/privacy as a public good may look like – one that shifts us out of the idea that it’s only a personal construct but that it’s also collective. This does not have to happen fast – it can sit in the medium-term spectrum for a thorough set of interventions from a range of stakeholders, but signalling the intention to do this work in a strategy would be a great first step.

One way to improve effective and efficient program management is to assess the tools that the public service currently has to use to do their work and consider the inefficiencies in some of the current systems in terms of labour hours.  In terms of data-related harms, there is an inadequate understanding of current data use both within and outside of government.  One step in the right direction, in terms of managing some types of harms, is to catalogue the types of current use, including the existence of data brokers and data purchased for use in government. When the bulk of the uses have been surfaced, there could be an assessment of regulatory or other actions to consider in terms of addressing the harms. The province should conduct an assessment of the use of data within private companies in a labour management perspective, to understand if and how surveillance may be impacting operational choices they make. The province should also conduct a specific study on surveillance in educational settings at the school boards, to understand if and how such data is being collected and used by a range of stakeholders.

2. How can the province build capacity and promote culture change concerning privacy and data protection throughout the public sector (e.g., through training, myth-busting, new guidance and resources for public agencies)?

The single most important step here is to let the content and program experts get much more heavily engaged in specification writing and product requirement design. They do not need to learn anything technical. There should be translators that know existing systems well enough to support the application and translation of ideas for service delivery improvements into technical terms and to create bespoke data management practice dependent on the particular use cases. There is a very challenging tension to manage between creating one-size fits all rules and allowing flexibility for distinct use cases. It’s not a good idea to be making universal rules at this point in time. Better to conduct a range of prioritized pilot projects to assess outcomes. A strategy can definitively frame regulatory innovation as an approach to take and to use it as part of a strategy that has short-term/medium-term/long-term goals.

3. How can Ontario promote privacy protective practices throughout the private sector, building on the principles underlying the federal government’s private sector privacy legislation (the Personal Information Protection and Electronic Documents Act)?

Start by getting a handle on the lay of the land. How much legacy IT are organizations dealing with? Where are their vulnerabilities? How can regulatory pressure begin to resolve them? (Term of data archiving, types of data usage no one is allowed to do, etc.)  The private sector needs crystal clear rules and what they need more than anything are distinct guardrails to work with. The innovation part they can handle, it’s the clarity on what they can and can’t do that is problematic. At this moment in time, government has an opportunity to create a much higher and specific bar than the GDPR. Consider past success in incentivizing businesses as well – are there practices or requirements that might help move this topic up the list of priorities?

5.2.1  Consumer Protection

How can the province help businesses – particularly small and medium-sized businesses – better protect their consumers’ data and use data-driven practices responsibly?

One of the fundamental issues to manage is to shift the safeguarding work from business and the consumer to the government – consider how to lift burdens on both parties so that the work around consent and expectations doesn’t have to happen at the end-user level. What this means is setting a new floor that gets away from users having to navigate consent menus and trade-offs. One thing to consider is how to assist a range of different types of companies in doing data risk audits in a way that they aren’t just about attaining compliance but about fundamentally reassessing how data is used in their business. There is low motivation within the legal industry to transform their practice, so governments would be well placed to make the investments in some of these types of supportive partnerships to begin to assess the landscape for improvements.  An example of this type of assessment might be to have a business take a look at the amount of data they collect and hold vs. what they actually use and why.

2. How might the province help ensure that consumers are more meaningfully informed and protected when agreeing to internet-based contracts (including terms of service and privacy policies) involving transactions of their data? 

If the moment of consent is internet based, there are ways to flag compliance with new consumer-oriented standards. This might be a place to work towards voluntary standards around language, explainability, and supports.

3. How might the province improve transparency and accountability concerning the consumer-facing use of automated decision-making applications, including those powered by Artificial Intelligence?

The scope of what this might include is so broad that a starting point, again, might be to do an assessment of the ten most common instances of this issue, and replicate the exercise for a handful of personas, and begin to identify where and why explainability would be necessary.

5.3.1 Human Rights and Civil Liberties

  1. What digital and data-related threats to human rights and civil liberties pose the greatest risk for Ontarians? Where do these occur, and what is their impact?

An acceleration of structural racism and classist discrimination, particularly in terms of personal safety and access to support and services, including shelter, health supports, and food. This would also include discriminatory treatment as consumers and renters.

How can the province best advance and uphold the human rights and civil liberties of Ontarians, in the face of growing digital and data-related harms?

They can better fund the programs that provide housing, health care, education, and safety for all Ontarians, including safety from gender-based violence. The threats that digital and data systems pose to inequity in access to these things is an accelerant. But trying to resolve these issues without resolving the core problem creates a false sense of success and puts attention on the wrong part of the problem.

Should the province institute new rights in relation to data and data-driven practices, such as the right to data ownership, the right to be informed, or the right to erasure?

Ownership is probably the wrong focus, usage is the place to put attention.  Owning our data continues the trend of both commodifying it and also creating new work and responsibility for the end user, which should be an over-arching flag to try and move away from, creating a false sense of problem solving. This is still something I’m working through so my thoughts may change but my instinct at the moment is that thinking about ownership may not be the right way so suggesting it as a right feels out of step.

The right to be informed again may be too much as a “right” – what could be useful is a much simpler and plain language way to explain what is going on with our data and why and when. But the range of answers to those questions shouldn’t be so many that it becomes onerous. We return here to the first idea about trying to simplify the process and consent models so that people don’t have to think so much about these things because there should be norms of practice that take hold in the next five years.

Should the province regulate the use of automated decision-making in the public or private sectors? If so, in what contexts? How might the province guide the responsible and ethical use of these tools?

Again, this is so cross-cutting that examples have to be surfaced in different industries because automated decision-making is so common already. The answers to where to focus here tend to relate to accountability – where is accountability getting murky in terms of explaining a decision and what is the right path from that grey area?

5.4.1 Public Education and Awareness

How can the province best promote public knowledge and awareness about the risks of data-related threats and harms facing Ontario?

It can begin to lay out paths for alternatives. The discourse to date has been, quite necessarily, one of fear and alarm, given the lack of adequate responses or protections. This narrative will not engage a broad range of people – what will is to begin to build alternative models, in a range of ways, so that the building becomes the focal point rather than the harm mitigation. Harm mitigation and protection of existing rights is a set of issues that those in the legal and other communities should be seeking to participate in beyond compliance and into better practices and behaviours. If this work continues to be led by the private sector it will benefit the private sector – there has to be some intentional construction of civic and public digital infrastructure channels, supports and tools – these ideas can be tested and modelled with government support and investment. There should be more sandbox experimentation going on in a a very safe way. Fund public libraries to build out and grow their programming, they are the right home for some of this work, and have vital foundational knowledge around the politics of information management.

How can public education initiatives empower Ontarians to stay safe and protect themselves from data-related threats and harms?

The time is over for Ontarians to have to do this work. The government needs to up its role in protecting residents and citizens as part of its institutional mandate. See how far that work can go without encroaching too far into the realms of liberties and freedoms before returning to see the gap that needs to be filled via traditional consumer protection methods and more. Also, consumer protection requires education to make choices – once you layer in the anti-trust and monopolistic problems currently at play in global markets it is clear that the responsibility can no longer be shifted to residents/citizens/consumers.

How can the province best work with local agencies and organizations delivering public education efforts which are responding to the ground-level impacts of data-related harms?

Public libraries, schools, the charitable and non-profit sectors, as well as faith-based organizations, are obvious spaces to convene and organize conversations. These are trusted nodes in communities and they can play a critical role in sharing information.

Should the province create a mandatory requirement that public institutions be transparent about when automated decision-making practices are occurring?

Yes, including legacy cases of this.