Teresa Scassa - Blog

Displaying items by tag: data strategy

 

Ontario launched its Digital and Data Strategy on April 30, 2021, in a the document, titled Building a Digital Ontario. The Strategy – based on a consultation process announced late in 2019 – is built around four main themes. These are “equipped to succeed”, “safe and secure”, “connected” and “supported”.

It is important to note that the digital and data strategy is for the Ontario government. That is, it is predominantly about how government services are delivered to the public and about how government data can be made more readily and usefully available to fuel the data economy. Related objectives are to ensure that Ontarians have sufficient connectivity and digital literacy to benefit from digital government services and that there is a sufficiently skilled workforce to support the digital agenda. That said, there are places where the focus of the strategy is blurred. For example, the discussion of privacy and security shifts between public and private sector privacy issues; similarly, it is unclear whether the discussion of AI governance is about public or private sector uses and of AI, or both. What is most particularly off-base is that the cybersecurity elements of the strategy focus on individuals do not address the need for the government to tackle its own cybersecurity issues – particularly in relation to critical digital and data infrastructures in the province. There is a reference to an existing portal with cybersecurity resources for public sector organizations, so presumably that has been checked off the list, though it hardly seems sufficient.

Do we need better digital services from government? Should there be better public sector data sharing infrastructures to support research and innovation while at the same time stringently protecting privacy? Do we need to take cybersecurity more seriously? The answer is clearly yes. Yet in spite of the laudable objectives of the strategy, it remains unsatisfying. I have three main concerns. First, there seems to be more marketing than strategy with much of what is in this document. Too many of the themes/initiatives have a repackaged feel to them – these are things already underway that are being reverse-engineered into a strategy. Second, the document seems to ignore key actors and sectors – it has the feel of a plan hatched in one part of government with minimal communication with other departments, agencies and partners. Third, much of the strategy is simply vague. It is a bit like saying that the strategy is to do important things. Hard to argue with such a goal, but it is not a strategy – more of an aspiration.

My first concern relates to the fact that so much of what is described in the strategy is work already completed or underway. Each section of the strategy document describes progress already made on existing initiatives, such as the existing, Open Data Catalogue, the Cybersecurity Ontario Learning Portal and the Cybersecurity Centre of Excellence. In some cases, the document announces new initiatives that are imminent – for example the launch of a Digital and Data Fellows Innovation Program in summer of 2021, beta principles for responsible AI in spring of 2021, and a new Digital ID for 2021. To be fair, there are a few newish initiatives – for example, the mysterious Data Authority and the development of digital and data standards. But overall, the document is more of an inventory of existing projects framed as a strategy. It feels like marketing.

My second concern is that the document seems to be a catalogue of Ontario Digital Services projects rather than a strategy for the province as a whole. We hear that we need to build a skilled work force, but apart a reference to already launched enhancement of STEM learning in elementary schools, there is nothing about funding for education or research in STEM fields, whether in high school, college or university. There is a program to “bring the best of Ontario’s tech sector into government, to help design Ontario's digital future”, but there’s nothing about funding for internships for students in government or industry. The pandemic has raised awareness of massive challenges in the province around health data; that these are not addressed as part of an overall data strategy suggests that the strategy is developed within a still-siloed government framework. The main ‘promises’ in this document are those within the purview of Digital Services.

The most disconnected part of the strategy is that dealing with privacy. Privacy is one of the pillars of the strategy, and as part of that pillar the document announces a new “Know Your Rights” portal “to help Ontarians learn how to better protect their personal data and stay safe online”. Ontario already has an Office of the Information and Privacy Commissioner that provides a wealth of information of this kind. Unless and until Ontario has its own private sector data protection law (a matter on which the “strategy”, incidentally, is completely silent), information on private sector data protection is also found on the website of the Office of the Privacy Commissioner of Canada. It is frankly hard to see how creating a new portal is going to advance the interests of Ontarians – rather than waste their money. It would have made more sense to enhance the budget and mandate of Ontario’s Information and Privacy Commissioner than to create a portal ultimately destined to provide links to information already available on the OIPC website. This promise highlights that this is not really an Ontario strategy; rather it is a compilation of ODS projects.

My third concern is with the vagueness of the strategy overall. One of the few new pieces – the Data Authority – is described in the most general of terms. We are told it will be “responsible for building modern data infrastructure to support economic and social growth at scale, while ensuring that data is private, secure, anonymous and cannot identify people individually.” But what is meant by “data infrastructure” in this instance? What is the role of the “authority”? Is it a regulator? A data repository? A computing facility? A combination of the above? One wonders if it is actually going to be a build-out or rebranding of the Ontario Health Data Platform which was pulled together to facilitate data sharing during the COVID-19 pandemic.

Notwithstanding these criticisms, it is important to note that many of the initiatives, whether already underway or not, are designed to address important challenges in the digital and data economy. The problem lies with calling this a strategy. It is much more like a to-do list. It starts with a few things conveniently crossed off. It includes a number of things that need finishing, and a few that need starting. In contrast, a strategy involves thinking about where we need to be within a targeted period of time (5 years? 10 years?) and then lays out what we need to do, and to put in place, in order to get there. In the covering memo to this document, Minister of Finance and Treasury Board President Bethlenfalvy sets a high bar for the strategy, stating: “I like to say that we are moving Ontario from the digital stone age to a global trailblazer”. Dampening the hyperbole on either side of that metaphor, we are not in the digital stone age, but those expecting to blaze trails should not be surprised to discover discarded Timmy’s cups along the way.

Published in Privacy

Ontario is currently engaged in a data strategy consultation process. The stated goals are to create economic opportunities and to improve government services by facilitating greater data sharing and by using more analytics and artificial intelligence. The plan is to do this while maintaining the ‘trust and confidence’ of Ontarians. The consultation process has had an extraordinarily low profile considering what is at stake. That said, it is happening so quickly that it is easy to miss. Even for those paying attention, the consultation is long on boosterism and short on detail. This post outlines some reasons why Ontarians should be concerned.

1. Major transformation without proper debate/consultation

Developing a data strategy is a good idea. Data-driven innovations are dramatically changing our economy and society. There are many ways for government to become more effective and efficient by embracing new technologies. It could also become more transparent and find new ways to engage citizens. To do these things some changes to the law and policy infrastructure will be necessary. Businesses seeking to innovate and grow in the digital and data economy will need better access to quality data and, among other things, new models for data governance and data sharing. Data-driven technologies also bring with them risks of harm and these too may need new legislation or normative frameworks. There is a lot to consider and some of the changes will be transformative, and will rely upon citizen data. These are all good reasons to consult deeply and broadly, both to seek input and to lay the foundations for a transparent public engagement.

The data strategy consultation was announced in February 2019, with a report to be published before the end of the year. The consultation centres around three discussion papers, the first of which was only made available in mid-August 2019 and the last of which has just been released, with comments due by the end of November. The public meetings held as part of these consultations are taking place on very short notice. The process is hurried, obscure and fails to properly engage the full range of stakeholders.

2, Superficiality

Quite apart from the rushed nature of the process, the discussion papers are woefully inadequate. They are full of assertions of the benefits of what is planned, with the occasional nod to the importance of privacy and trust. There is little detail about the nature, scope or timelines for what the government plans to do.

The discussion papers give only brief glimpses of things that merit a much more detailed treatment. For example, on the issue of broad-scale data sharing between different government departments and agencies, we are told that “while ‘connecting the dots’ between datasets can help government provide better services, there are privacy and cybersecurity risks to be managed.” ‘Connecting the dots’ can mean all sorts of things. Perhaps data matching will be used to find ways to improve service delivery. Data analytics might also be used to discover or anticipate certain citizen behaviors. This could include identifying patterns that suggest certain individuals are fraudulently obtaining benefits or cheating on taxes, or identifying children potentially at risk. The data-matching possibilities are endless. And while the goals might be important, there are significant risks of harm. Beyond privacy concerns, there are issues of discrimination and undue surveillance. What processes will be in place to ensure transparency and accountability as these programs are developed and implemented? The consultation documents are so general and superficial that they fail to identify, let alone invite engagement on some of the real challenges posed by the government’s (undisclosed) plans.

An alarming glimpse of what lies beneath the superficial gloss of these documents is found in the second discussion paper which focuses on “Creating Economic Benefits”. The document talks about the value that can be derived by the private sector from data shared by governments. It then casually states “Given that Ontario has a wealth of data in digital health assets, clinical and administrative health data can also be considered as a high-value dataset that may present various opportunities for Ontario.” This suggests that the government is planning to make the personal health data of Ontarians available to the private sector. As the Privacy Commissioner, in his comment on this aspect of the discussion paper, aptly notes, “It is important to distinguish between the high value of health-related data in terms of utilizing it to foster innovation and research, and its high monetary value (that is, health-related data as a commodity to be sold as a source of revenue for the government). The specific scope of what the government may be contemplating is not clear from the discussion paper.”

3. The Gaps

The government is designing a data strategy but its focus is relatively narrow. Ontario’s Privacy Commissioner has pointed out that there are many other data-related reforms that could enhance government transparency including open contracting and open procurement, as well as other reforms to improve access to government information. While the Simpler, Faster, Better Services Act introduced reforms around open data, open data is not necessarily the best route to transparency, especially with a government that has indicated it wants to be more strategic about its release of open data and that sees it primarily as a driver of the economy.

4. Social impacts

This consultation process relies far too much on the increasingly tired trope of “trust and confidence”. The first consultation document, a truly abstract exercise in asking people what they think about plans that have neither been discussed or disclosed, is titled “Promoting Public Trust and Confidence”. Trust and confidence must be earned, not promoted.

Although the first discussion paper identifies a broad range of issues, including bias and discrimination, surveillance, data privacy and security, these are raised largely in the abstract. In the subsequent discussion papers on creating economic benefits and smarter government, the issues are boiled down to individual data privacy and security. There needs to be a detailed, robust and informed discussion on the impacts of proposed technological changes on individuals and communities, as well as on limits, oversight and safeguards.

5. ‘Stakeholders’ and the Rest of Us

Another issue that should concern Ontarians in this consultation is whose voices really matter. The lightning fast consultation hints at some major changes, many of which are driven by industry demands (such as the massive sharing of personal health data with the private sector). Industry clearly has the ear of government and does not need the consultation process in order to be heard.

The data strategy consultation has been poorly publicized. The discussion papers have been published late in the process, contain little detail, and have narrow windows for providing feedback. The paper on trust and confidence was released in mid-August with comments due just after Labour Day. The timing could hardly be worse for ensuring public engagement. The public meetings around the province are scheduled with very short notice. This consultation favours larger organizations with the resources to throw together a quick response or to find someone who can attend a meeting at short notice. It does not favour the general public, nor does it favour civil society groups and academia with limited resources and personnel.

At the same time that this speedy data consultation is taking place, there are closed-door consultations underway with “stakeholders” about reforms to the Personal Health Information Protection Act. While there is no doubt that much could be done to modernize this legislation, the fact that it taking place behind the scenes of the superficial data strategy consultation is deeply troubling. There is also, reportedly, work being done on an ethical AI strategy for the government. Not only is this not part of any public consultation process, it is only hinted at in the third discussion paper.

It is also profoundly disturbing that institutions that serve the public interest such as the Office of the Information and Privacy Commissioner so clearly do not have the ear of government. The Privacy Commissioner’s input has been reduced to letters written in response to the discussion papers. These letters politely invite the government to seek out his expertise on issues that are squarely within his mandate.

Proposed massive technological change, ‘trust us’ assurances about privacy that fall short of the mark, and a disregard for early and inclusive consultations are a recipe for disaster. People are not data cows to be milked by government and industry, and acknowledged with only a pat on the rump and a vague assurance that they will be well looked after. The data strategy must serve all Ontarians and must be built on a foundation of credible and meaningful public engagement. As the Sidewalk Toronto process has demonstrated, people do care, the private sector doesn’t have all the answers, and transformative change needs social legitimacy.

Published in Privacy

The second discussion paper in Ontario’s lightning-quick consultation on a new data strategy for the province was released on September 20, 2019. Comments are due by October 9, 2019. If you blink, you will miss the consultation. But if you read the discussion paper, it will make you blink – in puzzlement. Although it is clear from its title that Ontario wants to “create economic benefits” through data, the discussion paper is coy, relying mainly on broad generalities with occasional hints at which might actually be in the works.

Governments around the world are clearly struggling to position their countries/regions to compete in a burgeoning data economy. Canada is (until the election period cooled things off) in the middle of developing its own digital and data strategy. Ontario launched its data strategy consultation in February 2019. The AI industry (in which Canada and Ontario both aspire to compete) is thirsty for data, and governments are contemplating the use of AI to improve governance and to automate decision-making. It is not surprising, therefore, that this document tackles the important issue of how to support the data economy in Ontario.

The document identifies a number of challenges faced by Ontario. These include skill and knowledge deficits in existing industries and businesses; the high cost of importing new technologies, limited digital infrastructure outside urban core areas, and international competition for highly qualified talent for the data economy. The consultation paper makes clear that the data strategy will need to address technology transfer, training/education, recruitment, and support for small businesses. Beyond this, a key theme of the document is enhancing access to data for businesses.

It is with respect to data that the consultation paper becomes troublingly murky. It begins its consideration of data issues with a discussion of open government data. Ontario has had an open data portal for a number of years and has been steadily developing it. A new law, pushed through in the omnibus budget bill that followed the Ford government’s election is the first in Canada to entrench open government data in law. The consultation document seems to suggest that the government will put more resources into open data. This is good. However, the extent of the open data ambitions gives pause. The consultation document notes, “it is important for governments to ensure that the right level of detailed data is released while protecting government security and personal privacy.” Keep in mind that up until now, the approach to open data has been to simply not release as open data datasets that contain personal information. This includes data sets that could lead to the reidentification of individuals when combined with other available data. The consultation paper states “Ontario’s government holds vast amounts of data that can help businesses develop new products and services that make Ontarian’s lives easier, while ensuring that their privacy is protected.” These references to open data and privacy protection are indications that the government is contemplating that it will make personal data in some form or another available for sharing. Alarmingly, businesses may be invited to drive decision-making around what data should be shared. The document states, “New collaboration with businesses can help us determine which data assets have the greatest potential to drive growth.” An out-of-the-blue example provided in the consultation paper is even more disturbing. At a point where the document discusses classic categories of important open data such as geospatial reference and weather data, it suddenly states “Given that Ontario has a wealth of data in digital health assets, clinical and administrative health data can also be considered a high-value dataset that may present various opportunities for Ontario.”

If personal data is on the table (and the extent to which this is the case should be a matter of serious public consultation and not lightning-round Q & A), then governance becomes all the more important. The consultation paper acknowledges the importance of governance – of a sort. It suggests new guidelines (the choice of words here is interesting – as guidelines are not laws and are usually non-binding) to help govern how data is shared. The language of standards, guidance and best practices is used. Words such as law, regulation and enforcement are not. While “soft law” instruments can have a role to play in a rapidly changing technological environment, Canadians should be justifiably wary of a self-regulating private sector – particularly where there is so much financially at stake for participating companies. It should also be wary of norms and standards developed by ‘stakeholder’ groups that only marginally represent civil society, consumer and privacy interests.

If there is one thing that governments in Canada should have learned from the Sidewalk Toronto adventure, it is that governments and the private sector require social licence to collect and share a populations’ personal data. What this consultation does instead is say to the public, “the data we collect about you will be very valuable to businesses and it is in the broader public interest that we share it with them. Don’t worry, we’re thinking about how to do it right.” That is an illustration of paternalism, not consultation or engagement. It is certainly not how you gain social licence.

The Ontario government’s first Consultation Paper, which I discuss here was about “promoting trust and confidence”, and it ostensibly dealt with privacy, security and related issues. However, the type of data sharing that is strongly hinted at in the second discussion paper is not discussed in that first paper and the consultation questions in that document do not address it either.

There is a great deal of non-personal government data that can be valuable for businesses and that might be used to drive innovation. There is already knowledge and experience around open data in Ontario, and building upon this is a fine objective. Sharing of personal and human behavioural data may also be acceptable in some circumstances and under some conditions. There are experiments in Canada and in other countries with frameworks for doing this that are worth studying. But this consultation document seems to reflect a desire to put all government data up for grabs, without social licence, with only the vaguest plans for protection, and with a clear inclination towards norms and standards developed outside the usual democratic processes. Yes, there is a need to move quickly – and to be “agile” in response to technological change. But speed is not the only value. There is a difference between a graceful dive and a resounding belly flop – both are fast, only one is agile.

 

Published in Privacy

On July 31, 2019 the Ontario Government released a discussion paper titled Promoting Trust and Confidence in Ontario’s Data Economy. This is the first in a planned series of discussion papers related to the province’s ongoing Data Strategy consultation. This particular document focuses on the first pillar of the strategy: Promoting Trust and Confidence. The other pillars are: Creating Economic Benefit; and Enabling Better, Smarter Government. The entire consultation process is moving at lightning speed. The government plans to have a final data strategy in place by the end of this calendar year.

My first comment on the document is about timing. A release on July 31, with comments due by September 6, means that it hits both peak vacation season and mad back to school rush. This is not ideal for gathering feedback on such an important set of issues. A further timing issue is the release of this document and the call for comments before the other discussion papers are available. The result is a discussion paper that considers trust and confidence in a policy vacuum, even though it makes general reference to some pretty big planned changes to how the public sector will handle Ontarians’ personal information as well as planned new measures to enable businesses to derive economic benefit from data. It would have been very useful to have detailed information about what the government is thinking about doing on these two fronts before being asked what would ensure ongoing trust and confidence in the collection, use and disclosure of Ontarians’ data. Of course, this assumes that the other two discussion documents will contain these details – they might not.

My second comment is about the generality of this document. This is not a consultation paper that proposes a particular course of action and seeks input or comment. It describes the current data context in broad terms and asks questions that are very general and open-ended. Here are a couple of examples: “How can the province help businesses – particularly small and medium-sized businesses – better protect their consumers’ data and use data-driven practices responsibly?” “How can the province build capacity and promote culture change concerning privacy and data protection throughout the public sector (e.g., through training, myth-busting, new guidance and resources for public agencies)?” It’s not that the questions are bad ones – most of them are important, challenging and worth thinking about. But they are each potentially huge in scope. Keep in mind that the Data Strategy that these questions are meant to inform is to be released before the end of 2019. It is hard to believe that anything much could be done with responses to such broad questions other than to distil general statements in support of a strategy that must already be close to draft stage.

That doesn’t mean that there are not a few interesting nuggets to mine from within the document. Currently, private sector data protection in Ontario is governed by the federal Personal Information Protection and Electronic Documents Act. This is because, unlike Alberta, B.C. and Quebec, Ontario has not enacted a substantially similar private sector data protection law. Is it planning to? It is not clear from this document, but there are hints that it might be. The paper states that it is important to “[c]larify and strengthen Ontario’s jurisdiction and the application of provincial and federal laws over data collected from Ontarians.” (at p. 13) One of the discussion questions is “How can Ontario promote privacy protective practices throughout the private sector, building on the principles underlying the federal government’s private sector privacy legislation (the Personal Information Protection and Electronic Documents Act)?” Keep in mind that a private member’s bill was introduced by a Liberal backbencher just before the last election that set out a private sector data protection law for Ontario. There’s a draft text already out there.

Given that this is a data strategy document for a government that is already planning to make major changes to how public sector data is handled, there are a surprising number of references to the private sector. For example, in the section on threats and risks of data-driven practices, there are three examples of data breaches, theft and misuse – none of which are from Ontario’s public sector. This might support the theory that private sector data protection legislation is in the offing. On the other hand, Ontario has jurisdiction over consumer protection; individuals are repeatedly referred to as “consumers” in the document. It may be that changes are being contemplated to consumer protection legislation, particularly in areas such as behavioural manipulation, and algorithmic bias and discrimination. Another question hints at possible action around online consumer contracts. These would all be interesting developments.

There is a strange tension between public and private sectors in the document. Most examples of problems, breaches, and technological challenges are from the private sector, while the document remains very cagey about the public sector. It is this cageyness about the public sector that is most disappointing. The government has already taken some pretty serious steps on the road to its digital strategy. For example, it is in the process of unrolling much broader sharing of personal information across the public sector through amendments to the Freedom of Information and Protection of Privacy Act passed shortly after the election. These will take effect once data standards are in place (my earlier post on these amendments is here). The same bill enacted the Simpler, Faster, Better, Services Act. This too awaits regulations setting standards before it takes effect (my earlier post on this statute is here). These laws were passed under the public radar because they were rushed through in an omnibus budget bill and with little debate. It would be good to have a clear, straightforward document from the government that outlines what it plans to do under both of these new initiatives and what it will mean for Ontarians and their personal data. Details of this kind would be very helpful in allowing Ontarians to make informed comments on trust and confidence. For example, the question “What digital and data-related threats to human rights and civil liberties pose the greatest risk for Ontarians” (p. 14) might receive different answers if readers were prompted to think more specifically about the plans for greater sharing of personal data across government, and a more permissive approach to disclosures for investigatory purposes (see my post on this issue here).

The discussion questions are organized by category. Interestingly, there is a separate category for ‘Privacy, Data Protection and Data Governance’. That’s fine – but consider that there is a later category titled Human Rights and Civil Liberties. Those of us who think privacy is a human right might find this odd. It is also odd that the human rights/civil liberties discussion is separated from data governance since they are surely related. It is perhaps wrong to read too much into this, since the document was no doubt drafted quickly. But thinking about privacy as a human right is important. The document’s focus on trust and confidence seems to relegate privacy to a lower status. It states: “A loss of trust reduces people’s willingness to share data or give social license for its use. Likewise, diminishing confidence impedes the creative risk-taking at the heart of experimentation, innovation and investment.” (at p. 8) In this plan, protection of privacy is about ensuring trust which will in turn foster a thriving data economy. The fundamental question at the heart of this document is thus not: ‘what measures should be taken to ensure that fundamental values are protected and respected in a digital economy and society”. Rather, it is: ‘What will it take to make you feel ok about sharing large quantities of personal information with business and government to drive the economy and administrative efficiencies?’ This may seem like nitpicking, but keep in mind that the description of the ‘Promoting Trust and Confidence’ pillar promises “world-leading, best-in-class protections that benefits the public and ensures public trust and confidence in the data economy” (page 4). Right now, Europe’s GDPR offers the world-leading, best-in-class protections. It does so because it treats privacy as a human right and puts the protection of this and other human rights and civil liberties at the fore. A process that puts feeling ok about sharing lots of data at the forefront won’t keep pace.

Published in Privacy

Schedule 56 of the Budget Bill introduces a new statute, the Simpler, Faster, Better Services Act, 2019 (SFBSA), that, once passed, will take effect when proclaimed by the Lieutenant Governor. That passage is a foregone conclusion is evidenced by the fact that the role of Chief Digital and Data Officer, created under the statute, has already been filled with the announcement of the appointment of Hillary Hartley. The goal of the SFBSA is to “promote the transformation of government services in Ontario” (s. 1). Among other things, the Act provides for the appointment of a Chief Digital and Data Officer (CDDO) who is tasked with promoting the development and implementation of public sector digital services; providing advice to public sector organizations on digital services; assessing the design, development and effectiveness of these services; and promoting the use of data and effective data management (s. 3(1)). The CDDO will also promote the proactive publication of data by public sector organizations and involve the public in the design and implementation of digital services. Under s. 3(3) of the Act, the CDDP must also establish a digital and data action plan which, in broad terms, will develop initiatives to promote the adoption of digital services, and the improvement of existing services. The action plan will also promote the development of “effective data management and data sharing across public sector organizations”, and will specifically promote the use of technology that is scalable and interoperable. The action plan must also set targets and indicators for the evaluation of progress, and is to be reviewed and adapted as necessary at least every three years.

The CDDO is also charged, under s. 4 of the Act with setting standards for digital services and for open data. The open data standards can include “requirements to make specified datasets publicly available”, and will also include formal and technical standards for the data. This can include standards with respect to metadata, as well as the frequency and manner by which data sets are to be made public.

Interestingly, while this section is described as addressing “open data standards”, the requirements in the SFBSA actually relate to making public sector data “publicly available”. This is subtly different from open data in the classic sense. For example, s. 4(3)(d) allows the CDDO to set “the terms by which a public sector organization shall grant licences for the use of the datasets it publishes”. This suggests that some data might be made publicly available under more restrictive terms and conditions than traditional open data. Examples of possible restrictions might include non-commercial use limitations, or requirements that no attempts be made to reidentify deidentified data in the licensed data set. They might even include fees for access to some data sets, as nothing in the SFBSA actually requires the data to be provided free of charge. The statute also provides for the enactment of regulations, and these regulations can formalize the adopted standards.

The CDDO is also charged with maintaining a catalogue listing and describing all public sector datasets, including those that are required to be publicly available. The only exceptions relate to information that must be kept confidential under a law of Canada or Ontario, or information relating to “confidential law enforcement activities or other matters involving public safety or security” (s. 4(10)). The inventory and the standards developed for public sector data must also be made publicly available.

The SFBSA sets out, in s. 5, principles that must be followed by public sector organizations in developing and using digital services. Section 5(2) identifies principles that should guide the management of data and its public release.

The CDDO has some enforcement powers under the legislation in the sense that she may find organizations to be non-compliant and order them to change their practices, and can provide notice of non-compliance to the Management Board of Cabinet.

It should be noted that this statute is meant to apply both to public sector organizations (government ministries and public bodies), as well as “broader public sector organizations”. This latter category will include organizations referred to in a Schedule to the SFBSA, notably municipalities, school boards and universities, and some health services facilities.

Overall, this is a very interesting piece of public policy. Although provincial, federal and municipal governments across Canada have made commitments to open data, Ontario is the first to legislate open data requirements (or at least ‘publicly available data’ requirements). The establishment of a CDDO with a legislated mandate is also a positive commitment to improving digital and data services in the province. The principles that will guide digital services development and delivery as well as data management are important, straightforward, and public-interest oriented. The importance of this legislation, as Amanda Clarke says in her excellent post (with more to follow), “is exactly why this policy change demands broad and sustained scrutiny”.

While the substance of this statute is interesting and important, the process behind it is problematic. In February 2019 the Ontario government launched its data strategy consultation. The first step (which ended in March) was to accept submissions from the public. The second was to establish an advisory panel that would continue consultations and ultimately report in the Fall of 2019. Yet the SFBSA seems to contain precisely the kinds of measures contemplated by the data strategy consultation. In doing so it calls into question the genuineness of the consultation process. The process deficiencies are further reinforced by the fact that the SFBSA is crammed into an omnibus budget bill which will ultimately pass with a minimum of scrutiny and debate. It’s an interesting statute and an important piece of public policy, but the public and democratic process around it is not good.

Published in Privacy
Thursday, 07 February 2019 08:09

Ontario Launches Data Strategy Consultation

On February 5, 2019 the Ontario Government launched a Data Strategy Consultation. This comes after a year of public debate and discussion about data governance issues raised by the proposed Quayside smart cities development in Toronto. It also comes at a time when the data-thirsty artificial intelligence industry in Canada is booming – and hoping very much to be able to continue to compete at the international level. Add to the mix the view that greater data sharing between government departments and agencies could make government ‘smarter’, more efficient, and more user-friendly. The context might be summed up in these terms: the public is increasingly concerned about the massive and widespread collection of data by governments and the private sector; at the same time, both governments and the private sector want easier access to more and better data.

Consultation is a good thing – particularly with as much at stake as there is here. This consultation began with a press release that links to a short text about the data strategy, and then a link to a survey which allows the public to provide feedback in the form of answers to specific questions. The survey is open until March 7, 2019. It seems that the government will then create a “Minister’s Task Force on Data” and that this body will be charged with developing a draft data strategy that will be opened for further consultation. The overall timeline seems remarkably short, with the process targeted to wrap up by Fall 2019.

The press release telegraphs the government’s views on what the outcome of this process must address. It notes that 55% of Canada’s Big data vendors are located in Ontario, and that government plans “to make life easier for Ontarians by delivering simpler, faster and better digital services.” The goal is clearly to develop a data strategy that harnesses the power of data for use in both the private and public sectors.

If the Quayside project has taught anyone anything, it is that people do care about their data in the hands of both public and private sector actors. The press release acknowledges this by referencing the need for “ensuring that data privacy and protection is paramount, and that data will be kept safe and secure.” Yet perhaps the Ontario government has not been listening to all of the discussions around Quayside. While the press release and the introduction to the survey talk about privacy and security, neither document addresses the broader concerns that have been raised in the context of Quayside, nor those that are raised in relation to artificial intelligence more generally. There are concerns about bias and discrimination, transparency in algorithmic decision-making, profiling, targeting, and behavioural modification. Seamless sharing of data within government also raises concerns about mass surveillance. There is also a need to consider innovative solutions to data governance and the role the government might play in fostering or supporting these.

There is no doubt that the issues underlying this consultation are important ones. It is clear that the government intends to take steps to facilitate intra-governmental sharing of data as well as greater sharing of data between government and the private sector. It is also clear that much of that data will ultimately be about Ontarians. How this will happen, and what rights and values must be protected, are fundamental questions.

As is the case at the provincial and federal level across the country, the laws which govern data in Ontario were written for a different era. Not only are access to information and protection of privacy laws out of date, data-driven practices increasingly impact areas such as consumer protection, competition, credit reporting, and human rights. An effective data strategy might need to reach out across these different areas of law and policy.

Privacy and security – the issues singled out in the government’s documents – are important, but privacy must mean more than the narrow view of protecting identifiable individuals from identity theft. We need robust safeguards against undue surveillance, assurances that our data will not be used to profile or target us or our communities in ways that create or reinforce exclusion or disadvantage; we need to know how privacy and autonomy will be weighed in the balance against the stimulation of the economy and the encouragement of innovation. We also need to consider whether there are uses to which our data should simply not be put. Should some data be required to be stored in Canada, and if so in what circumstances? These and a host of other questions need to be part of the data strategy consultation. Perhaps a broader question might be why we are talking only about a data strategy and not a digital strategy. The approach of the government seems to focus on the narrow question of data as both an input and output – but not on the host of other questions around the digital technologies fueled by data. Such questions might include how governments should go about procuring digital technologies, the place of open source in government, the role and implication of technology standards – to name just a few.

With all of these important issues at stake, it is hard not to be disappointed by the form and substance of at least this initial phase of the government's consultation. It is difficult to say what value will be derived from the survey which is the vehicle for initial input. Some of the questions are frankly vapid. Consider question 2:

2. I’m interested in exploring the role of data in:

creating economic benefits

increasing public trust and confidence

better, smarter government

other

There is no box in which to write in what the “other” might be. And questions 9 to 11 provide sterling examples of leading questions:

9. Currently, the provincial government is unable to share information among ministries requiring individuals and businesses to submit the same information each time they interact with different parts of government. Do you agree that the government should be able to securely share data among ministries?

Yes

No

I’m not sure

10. Do you believe that allowing government to securely share data among ministries will streamline and improve interactions between citizens and government?

Yes

No

I’m not sure

11. If government made more of its own data available to businesses, this data could help those firms launch new services, products, and jobs for the people of Ontario. For example, government transport data could be used by startups and larger companies to help people find quicker routes home from work. Would you be in favour of the government responsibly sharing more of its own data with businesses, to help them create new jobs, products and services for Ontarians?

Yes

No

I’m not sure

In fairness, there are a few places in the survey where respondents can enter their own answers, including questions about what issues should be put to the task force and what skills and experience members should have. Those interested in data strategy should be sure to provide their input – both now and in the later phases to come.

Published in Privacy

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law