NAFTA Renegotiation will affect information privacy, access to information, and data protection compliance in Canada

At the instigation of the US government, the North American Free Trade Agreement (NAFTA) is about to be renegotiated. NAFTA came into force in 1994 — before computers, smart phones, social media, and advanced analytics were in common usage — and was intended as a vehicle to minimize trade barriers between Canada, Mexico and the United States.

In July 2017, the United States Trade Representative released a Summary of Objectives for the NAFTA Renegotiation which sets out the US objectives — and makes clear that the renegotiation will affect how, where, and by whom information may (and may not) be processed, stored and managed. The list of objectives indicates that the US seeks to reduce “barriers to digital trade” and to:

Establish rules to ensure that NAFTA countries do not impose measures that restrict crossborder data flows and do not require the use or installation of local computing facilities.

The Canadian government will be represented in the negotiations by a “NAFTA Council” that it created, and which is composed of individuals who have impressive track records in industry and the political sphere. The Council is missing key perspectives and representation from the privacy and access profession, and from civil society.

As a voice for privacy and access in Canada that speaks on behalf of its members and other concerned Canadians, PACC seeks input about the impact that proposed NAFTA changes could have on the ability of Canada’s access, privacy, data governance and compliance professionals to fulfill their roles and responsibilities.

This is your opportunity to have your voice heard. Complete the short survey by August 31, 2017 so that we can integrate the results into a single comprehensive report to Government. (Survey site:

Your employment or other associations could hamper your freedom to express personal or unpopular views. As an independent organization, PACC is at liberty to convey the views of its members and others.

The survey asks for very basic demographic information, but does not (and will not) seek to identify respondents.

For a copy of the survey results, email NAFTA_at_pacc-ccap_dot_ca with appropriate contact information.


Posted in Uncategorized

2017 National Seminar and Tabletop Exercise for Institutions of Higher Education

The U.S. Department of Homeland Security (DHS) and The University of Utah invite you to participate in the 2017 National Seminar and Tabletop Exercise for Institutions of Higher Education on October 10-11, at the S.J. Quinney College of Law.

This two-day event will include workshop sessions, a tabletop exercise and an after-action review session on preparing participants to respond to a campus emergency. This year’s event will focus on a failure in campus infrastructure caused by cyber-attack. More detailed information on the specific topics for workshops and the tabletop exercise will be available closer to the event.

The event seeks to provide participants with insight into planning, preparedness and resilience best practices for the academic community. Because emergency planning involves a team of individuals from across an institution, we recommend a team of up to five (5) senior leaders representing various functions (i.e. information technology, security, leadership, public safety, student life, communications, etc.) attend from each institution. Participants also will include representatives from federal departments and agencies that support campus resilience.

Foreign nationals are permitted to attend and participate in this informative and interactive learning event.

This event qualifies for CPD credits applicable toward PACC Professional Certification.

For more information on the National Seminar and Tabletop Exercise for Institutions of Higher Education Series, visit

Posted in Uncategorized

PACC supports petition E-1090 (Access to Information)

The Privacy and Access Council of Canada (PACC) has pledged its support and signed petition e-1090, a petition before the House of Commons that “[calls] upon the Government of Canada to immediately begin the process of turning over all historical documents” to Library and Archives Canada (LAC); and to “reform the ATI and Library and Archives Canada Act to ensure historical material does not remain hidden outside of LAC”.

The petition was drafted in response to the revelation that several governmental institutions including the Privy Council Office, Global Affairs, and the Department of Justice have withheld historical material from Library and Archives Canada.

PACC as an association supports effective privacy and access legislation that preserves and strengthens democratic and Charter-protected freedoms, and calls on the Government of Canada to transfer all historical materials to Library and Archives Canada — regardless of the format of the records, and regardless where they might be located within the Government, federal agencies, boards, commissions, Crown corporations and other entities.

PACC also calls on the Government to reform the Access to Information Act and the Library and Archives Canada Act with clear language to ensure that future documents will be archived, and that all such archived documents will be readily available to Canadians — without being hidden behind a paywall, obscured through the application of overly-broad exemptions in ATI legislation, granting authority to data holders to deny access requests, or providing other mechanisms to effectively shield information from view.

Access to historical government documents is important for researchers and for the advancement of social knowledge in Canada, and is an essential component of a free and democratic society. Clear and workable access-to-information legislation is essential for ATI professionals to be able to carry out their roles in an effective and efficient manner, without undue interference, in order to provide Canadians with access to information held by governments and public institutions.

In supporting signed petition e-1090, PACC joins the Canadian Historical Association (CHA), Canadian Association of Professional Academic Librarians and other group and individual signatories of the petition; and PACC encourages its corporate and individual members to sign the petition. The petition is available for signature until 4:31pm (EDT) on September 8th, 2017.

Posted in Uncategorized Tagged with:

PACC Calls on Government to Take a More Active Leadership Role in the Open Government Partnership

The Privacy and Access Council of Canada has joined more than 20 other organizations and individuals in calling on the Government of Canada to seize the rare opportunity now available to take a leadership in the Open Government Partnership (OGP).

Accepting a leadership role in the OGP would be a concrete demonstration of the Government’s commitment to being open and accountable to Canadians — a move that would support the important and challenging work carried out by PACC members and other access and privacy professionals in private sector, public sector, and non-profit organizations across the country.

The full text of the letter is below.



10 July 2017

Dear Prime Minister,

We are writing to you as Canadian organisations and individuals who have engaged with the Open Government Partnership (OGP) within Canada and/or internationally and who believe strongly in the importance of the OGP as a forum for advancing transparency, accountability and civic engagement.

We are aware that Canada has been considering playing a more active role in the leadership of the OGP first by acting as a support co-chair for one year and then as the lead country chair for another year. We are also aware that the OGP requires a decision on this imminently, while Canada has been delaying its response.

We urge Canada to take on this important role within the OGP. Although many of us have asked Canada to do better in some of the areas of focus for the OGP, at the same time we are conscious that Canada is well poised to play a leadership role within the organisation. Indeed, Canada is enjoying an unprecedentedly strong global reputation at the moment, and becoming the lead country chair would build on that in ways which would benefit both Canada and other members of the OGP. Globally and within the member countries of the OGP, civil society space is shrinking, and Canada’s leadership to promote inclusion and high quality participation, both at home and abroad, can be of great value to the initiative.

Other countries have made their contribution by acting as chair and it is now Canada’s turn to step up and take on this important global support role. We are willing to work with and support the government in this.

We look forward to hearing a positive announcement from Canada regarding the OGP chair position very shortly.



  1. Canadian Taxpayers Federation
  2. Centre for Law and Democracy (CLD)
  3. Open North
  4. Powered by Data
  5. Privacy and Access Council of Canada – Conseil du Canada de l’Accès et la vie Privée
  6. Reboot
  7. Rocky Mountain Civil Liberties Association
  8. Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC)


  1. Ana Brandusescu, Researcher, World Wide Web Foundation
  2. Merlin Chatwin, Open Government Consultant, Researcher
  3. Rob Davidson, Open Data Institute Ottawa
  4. Mary Francoli, Associate Professor, School of Journalism and Communication, Carleton University
  5. Jury Konga, Open Knowledge Canada Ambassador
  6. Tracey P. Lauriault, Assistant Professor, Critical Media and Big Data, School of Journalism and Communication, Carleton University
  7. Panthea Lee, Co-Founder & Principal, Reboot
  8. Don Lenihan, Senior Associate, Policy and Engagement, Canada 2020
  9. Lindsey Marchessault Open Contracting Partnership
  10. Heather Morrison, Associate Professor, School of Information Studies, University of Ottawa
  11. Daniel J. Paré, Associate Professor, Department of Communication, School of Information Studies, and Institute for Science, Society and Policy (ISSP), University of Ottawa
  12. Sharon Polsky MAPP, Access & Privacy Advisor
  13. Teresa Scassa, Canada Research Chair in Information Law, University of Ottawa
  14. Claire Schouten, Senior Program Officer, International Budget Partnership
  15. Mary-Doug Wright, Information Specialist/Consultant, Apex Information
  16. Geoff Zakaib, Executive Director, Open Calgary


Posted in Uncategorized

Helping You Make a Great First Impression

12 Surprising Job Interview Tips discusses non-typical job interview tips and advice.

We have all seen tips for preparing to ace a job interview, including how (not) to dress, what (not) to do and say, and how (not) to behave. Knowing something about the company and industry, and being prepared to answer common questions are both important in making a good impression. But that’s not enough.

New techniques used by headhunters and potential employers demand new strategies to help you stand out from the crowd in a positive way.

You’re almost there. Your resume landed you an interview and now it’s time to seal the deal. So what’s the best way to prepare?

To find the answer, I looked back on my interviews, sifted through research, and most importantly, asked employees from today’s most coveted companies. I tried to find deep insights beyond the typical “sit up straight!” and “dress to impress!” tips we hear too much.

Below you’ll find the 12 best tips to help before, during and after your interview.


Posted in Uncategorized

National Privacy & Data Governance Congress (April 5-7, 2017)

Registration is open for the National Privacy & Data Governance Congress being hosted by the Privacy and Access Council of Canada with the support of the Office of the Information and Privacy Commissioner of Alberta, Miller Thomson LLP, Legal Education Society of Alberta, the Runnymede Society, (ISC)2, CIPS, CHIMA, and NIHI. The Congress is organized in collaboration with the Rocky Mountain Civil Liberties Association.

From April 5-7, regulatory authorities and thought leaders from industry, government and academia will gather to share insights about technological trends and regulatory developments that affect public and private sector organizations’ efforts to protect data and comply with privacy laws.

The Focus

The Congress theme — A World of Change — will focus on the most critical and timely privacy and data protection issues facing organizations today: those that foretell significant consequences for employers, employees and policy makers. A range of topics will address timely issues affecting employers and employees including:

  • Privacy Impact Assessment Fundamentals
  • Managing a Data Breach
  • Privacy Guidance for Small & Medium Businesses
  • Crafting Clear Cloud Computing Contracts
  • GDPR and the Death of Privacy Shield
  • Urgent Privacy Challenges in the Internet of Things
  • Digital Privacy at the Border


The National Privacy & Data Governance Congress is an important opportunity to increase awareness about the intersection of privacy, security, law and technology. The Congress takes a uniquely multi-disciplinary approach that offers practical guidance that can be put to use right away — to increase skills, minimize risk, and improve compliance.

Lawyers, privacy professionals, access-to-information practitioners, members of the media, civil libertarians, as well as compliance, security, and governance and public policy professionals will find value in the Congress.

Posted in Uncategorized

Cybercrime is a Growth Industry

How often have you marveled at a child’s cleverness? They quickly catch on to new concepts — whether how to dress their latest doll, ride a bike, or use their parent’s cellphone or tablet. The newfound skills are acquired and honed at the child’s pace, typically with plenty of encouragement but little guidance.

Long before many children are taught about online safety they receive a mobile phone for their own use — and tacit guidance that it’s perfectly fine to reveal their innermost secrets to a smartphone or computer screen. Using FaceTime, Skype or any other videoconferencing system allows children to see and talk with a face on screen. Mommy has said the face is that of Grandma — whom the child might have never met — and the repeated experience inculcates the youngster with the clear knowledge that talking to a face on a computer screen is perfectly fine. Mommy said so.

Another facet of this training — or, more correctly, desensitization — process comes in the form of countless toys armed with digital sensors, microphones and speakers. Imagine how thrilling it will be for any child to be able to talk to their new Hello Barbie doll. No more imaginary friends. Hello Barbie is real.

Like Nest and Alexa that help around the house, Wifi enabled Hello Barbie monitors what’s going on around her. Not only is she among the latest toys that desensitizes children to accept surveillance as the norm, but Mattel continuously updates and enhances Hello Barbie’s vocabulary. Within months of being launched into the market, more than 1700 phrases had been added to Hello Barbie’s voice recognition/response system that is programmed with more than 8,000 lines of dialogue,

By listening to children’s delightful banter Hello Barbie learns everything it can: Her likes and dislikes, her preferences, her family and friends, and the nearby conversations and sounds.

Does Mattel really need to hear, record and retain the conversations from a child’s bedroom or living room? Do parents realize that inviting Hello Barbie and other digital surveillance devices into their home might (and often does) grant virtually unlimited access to their personal information? Perhaps parents are reassured knowing that Hello Barbie has been reviewed by kidSAFE Seal Program and that, like My Little Pony Storybook Collection, it meets minimum standards of online safety and/or privacy.

Like their children, many mommies and daddies (many of whom are teachers!) are baffled why targeted ads appear on their screen so soon after asking ‘Mr Google’ a related question. They marvel at how accurately Google can predict their needs and pander to their predilections; but few appreciate how that came to be.

Although desktop computers became commonplace in the early 1980s — almost 40 years ago — online privacy, safety and digital citizenship remain foreign concepts to many people. The extent of many people’s digital education is the oft-repeated mantra “stay safe online” — which imparts as much knowledge as does tossing one’s car keys to a 10-year-old and urging them to “stay safe out there”.

The parallel to driving is even greater: The time lag between the world’s first practical automobile to be powered by an internal-combustion engine — in 1885 — and the first high school driver’s education course, in 1935, was 50 years. That was long after the first automobile-related fatality was recorded in the United States, in 1899 and only 15 years before the millionth in 1951.

Computers, on the other hand, became commonplace in offices and homes at about the same time that Canada’s Privacy Act and the Access to Information Act were proclaimed, in July of 1983. When dial phones were giving way to push button phones and fax machines were being introduced. The technology-based future that Star Trek predicted a mere 20 years earlier had started to come to life, and moved ahead at light speed.

No need to wait until Stardate 1513.1 in the 23rd century for personal communicators. We carry those already. iPhones. Androids. Galaxies. And we count on our pocket-sized computers for staying in touch in our personal lives, and often for our professional existence as well.

The power and potential of new phones, new apps, and new disruptive technologies offer tremendous potential benefit for people, nations and corporations. But without a clear and correct understanding of how their design can affect people — not just corporate bottom lines or governments’ tax revenues — the trend of ignorance that has been so carefully cultivated will continue. And it is being further entrenched as curricula are updated to include robotics and coding — but not how to evaluate risk or be self-sufficient.

Young coders will soon be able to tinker with the inner workings of computers and apps, but remain ignorant about how to evaluate risk. Governments, lawmakers and lobbyists know that there is great utility in ignorance. Perpetuating ignorance is important to ensuring people continue to be reliant on third parties. It’s also important to ensure they are unable to link the cause and effect of their new apps that transmit personal information and health data to nameless, faceless corporations that promise to provide a better user experience.

Perhaps that’s why, for all the breaches that have occurred, despite the billions of dollars devoted to developing and promoting security and privacy safeguards, there’s been precious little improvement. Breaches — that continue to occur with increasing frequency and impact — have been used as justification for new apps and laws ostensibly to help protect people from their own ignorance — but not for new education enabling people to be knowledgeable and self-sufficient about computer technology.

Like youngsters who grow up with their head under the hood of a car and can adjust a car’s fuel injectors, but don’t know the rules of the road, it’s an accident waiting to happen.

Depending on one’s perspective, it’s all very discouraging or very, very motivating indeed!

Posted in Uncategorized

PACC to Participate in the Canadian Cybersecurity Alliance

The Privacy and Access Council of Canada (PACC) will be participating in the Canadian Cybersecurity Alliance (CCA) / Alliance canadienne sur la cybersécurité (ACC). The CCA-ACC (originally initiated as the Inter-Association Working Group on Cyber Security – IAWGCS) is a voluntary, non-hierarchical, not-for-profit agile network, founded by Grant Lecky in 2013. The primary purpose of the CCA-ACC is to enhance the professionalization of the Canadian cyber domain through effective inter-association engagement and knowledge-sharing.

To date, more than 90 associations with a stake in cyber security have confirmed their participation in the CCA-ACC, making this initiative unprecedented in both scale and scope. Each of the participating associations contribute their own unique perspective on the Canadian cyber landscape.

The CCA-ACC is administered by a National Council, whose role includes maintaining the structure of the CCA-ACC itself, and facilitating inter-association dialogue.

PACC President Sharon Polsky, MAPP, will be the primary association representative to participate on behalf of PACC.

The Alliance is a national network that contributes to an increased understanding of the current state of cybersecurity in Canada, and the identification of future directions for research, education, dialogue and professionalization of the domain.

Alliance members include the Canadian branch of the High Technology Crime Investigation Association,  the Canadian Centre for Cyber Risk Management,  Gaming Security Professionals of Canada, the Canadian branch of the International Information System Security Certification Consortium (ISC2),  the Association de la sécurité de l’information du Québec (ASIQ), the Ottawa Area Security Klatch (OASK), the Canadian Association of Petroleum Producers, The Canadian Gas Association, the Canadian Advanced Technology Association (CATA), the Cloud Security Alliance (Canada), the Canadian Information Processing Society (CIPS) , National Cyber-Forensics and Training Alliance Canada and others.

Posted in Uncategorized

Biometric Bonanza or Boondoggle

First it was passwords, then two factor authentication that promised to be the ultimate form of data protection. Then came fingerprint scanners as the new and improved security mechanism. And now comes word that iris scans will become the standard form of protecting smartphones from prying eyes. Or spying eyes.

Like the latest version of new and improved laundry soap, each iteration of newfangled security technology has come with the promise of better security. For our data, our finances and our future.

Biometrics-Boondoggle-Fiche_Henri_Leon_SCHEFFER_2_novembre_1902We have been promised that the reward for offering up pieces of ourselves will include greater data security and better data protection. But while the production and implementation costs of biometric systems have been dropping and reliability has improved, the promise has not yet been fulfilled. As we see almost daily, many of the most well-funded, technically competent public and private organizations are vulnerable. Even governments and the NSA haven’t been able to avoid being hacked.

Why? Perhaps it’s because the imperfect systems are created by imperfect people.

Indeed, iris, facial, and fingerprint are among the biometric security systems that have already been proven to be imperfect — sometimes using remarkably low technology such as Gummy Bear candies. Even something as variable as our own unique handwriting can be recreated by computers, eliminating the security of our penmanship.

And because more information in a database — and more sensitive information, such as biometrics — increases the likelihood that the data will have greater marketability, biometrics repositories are very attractive targets indeed.

We also have to consider that in many countries, discrimination based on disability is illegal. Employers have a duty to accommodate and cannot refuse to hire someone based on their disability. In other words, if an employee loses their eyes and the company implements iris scanning for security, it can’t simply dismiss the employee. The company has a duty to accommodate and could be compelled to provide a way for the person to use the security system without having to provide an iris scan. In other words, high-tech biometric security systems must have an override — a built-in backdoor that could be used to defeat the entire system and make an entire enterprise vulnerable.

From a privacy perspective, biometrics makes it easier to safeguard information than having to type in pesky passwords, and biometrics can make it more difficult for someone else to use your device. But it also makes it almost impossible to refute allegations of impropriety. So while it’s relatively easy to argue if your password has been compromised that the account activity was carried out by someone else, it’s much more difficult to substantiate a claim that your biometrics aren’t your own. Worse yet is that passwords can be changed, but biometrics cannot.

Biometric challenges already follow us to the grave. It is now possible to create fake fingerprints and to recreate the fingerprints of a dead person to be able to unlock their phone, but it will be much more difficult to recreate an iris scan. That will ensure ongoing protection of the information within a device; but it will also frustrate any attempt by family or police who might want to gain access to a dead person’s smartphone, whether to retrieve family photos or for investigative purposes.

So what recourse will we have if — or, more likely, when — biometric databases or iris scans are compromised? As Tom Cruise’s character forewarned us in Steven Spielberg’s 2002 science fiction thriller Minority Report, changing eyes won’t be very easy.

The easier route will be to balance the value of biometrics against the significant risk that relying on them poses to privacy, data compromise, identity theft and, like Tom Cruise’s character, false arrest and conviction.

So while biometrics offer great promise, the risk just might be greater than the reward.

Posted in Uncategorized Tagged with:

The Motive Behind the Madness

Security industry estimates indicate that it costs $100 per person for notification/remediation about a data breach. Add to that the beneficial economic spinoffs from consulting fees, credit monitoring fees, and Identity Theft Insurance premiums, tuition fees to teach a new generation of cyber sleuths and government agents, etc., etc., and it becomes hard to dispute that there just might be a method to this madness.

Imagine the economic impact if USBs were encrypted by default or if individuals were properly educated, starting in kindergarten, to be able to be knowledgeable and self-sufficient about privacy and computer technology, instead of being ignorant about scams and online predators, and reliant (hostage) on third parties for advice and protection. What would happen to the consulting and license fees paid to the security software and consulting firms of the world? What would happen to the new Identity Theft Insurance industry that has been spawned by breaches, inadequate privacy awareness, and fallible security?

And what would the political fallout be when an educated public is harder to bamboozle and reduces its reliance on third parties? How easily could the economy, and the government, withstand the consulting/security sector shrinking, resulting in temporary increases in unemployment and a reduced tax base as that sector adjusts to a new reality. And what sort of questions would come from an educated populace?

Who could withstand the scrutiny of an electorate that is well enough educated to know the right questions to ask. Who would venture a guess as to why — for all the billions spent on improved security, system upgrades, and public awareness campaigns — has there been so little improvement; nay, why have the breach rates continued to climb?

Why has there been so little education to enable individuals to be knowledgeable about handling, divulging, and safeguarding sensitive information.

Why haven’t schools embedded digital citizenship and privacy into the mandatory curriculum, starting in kindergarten (by which time many children have already been using tablets and smart phones)?

Why haven’t governments written laws to limit the amount of personal data that industry and government may gather and commoditize?

Why have people (including the same ones who work in the organizations that collect and broker endless reams of data about us and themselves) been so reticent to question the message that nobody cares about their own privacy, and that giving up our privacy and other freedoms is good and right and necessary so that we can be saved from…. well, we were originally told that it was to save us from terrorists but we might want to reconsider just who that is and what their motives really are. And what is the real cost to us all.

Posted in Uncategorized