The CIO Strategy Council published a new National Standard of Canada for third-party access to data last week, news that quickly got buried after Sidewalk Labs announced it was pulling the plug on its smart city project in Toronto.
And while the rest of the country argues over whether or not the project’s demise is good or bad for the country, the absence of such standards during the early planning stages of the project becomes increasingly evident in retrospect, according to Keith Jansa, executive director of the CIO Strategy Council.
“This is where standards become a very effective tool, because you have a consensus built across diverse interest groups, and you have that dialogue on a national level that effectively provides a high level of assurance that these minimum requirements benefit the businesses and individuals,” Jansa said.
A quick look at Waterfront Toronto’s initial request for proposal reveals next to zero mention of third-party access to people’s data or a set of standards interested applicants would have to adhere to. Meanwhile, Sidewalk Labs’ attempts to quell fears among the public when it came to protecting people’s information came in the form of an urban data trust, a concept that was eventually scrapped after pushback from privacy experts.
And while the project likely collapsed due to a number of reasons – Dan Doctoroff, Sidewalk Labs’ chief executive officer, published a blog post citing “unprecedented economic uncertainty” from the COVID-19 pandemic as the primary reason – a set of standards, such as the ones published by the CIO Strategy Council, could have helped Waterfront Toronto and Sidewalk Labs reach consensus on a number of items, including third-party access to data, much faster, Jansa explained.
“Whether you’re a public or private company, the government, a not-for-profit, the scope of these standards can be applied across all industries and across all the organizations,” he said, noting these guidelines help those organizations establish a strong baseline to combat the rising number of cyber and privacy threats.
The two standards that are currently published are around the ethical design and use of automated decision systems and third-party access to data. Another standard focusing on the data protection of digital assets was submitted to the Standards Council of Canada for approval as a National Standard of Canada on May 8, indicated Jansa on Twitter. The latest standard about third-party access to data is a 10-page document covering organizational and risk management, as well as control access and confidentiality. It got the attention of Navdeep Bains, Minister of Innovation, Science and Industry, who praised the new standard in a recent statement.
Several more are planned, including standards offering organizations guidance around de-identification. It’s unclear when, if at all, these standards will eventually be reflected in future legislation or amendments to current ones, but Jansa mentioned how the standards help support Canada’s 10-principle Digital Charter. The Charter is a series of proposals that would bring federal privacy private sector legislation — the Personal Information Protection and Electronic Documents Act (PIPEDA) — close to the European Union’s General Data Protection Regulation.
“These standards serve as an effective mechanism as regulation and legislation catch up,” Jansa said.
The government has confirmed that it wants the Digital Charter to apply to all federal legislation and regulations. However, PIPEDA, the Competition Act, the Canada Anti-Spam Legislation (CASL) and possibly the Competition Act would have to be changed.
Anyone interested in participating in the development of these standards, Jansa encourages people to contact him. The standards are formed with the help of technical committees featuring more than 100 stakeholders and experts spanning government, industry, academia and civil society groups, according to Jansa, who reinforced the notion that these standards can’t be built without a diverse group of participants engaged in the process.
“Any stakeholder can engage in the process. There’s no fee to participate,” he said.
Correction: A previous version of this article said the data protection of digital assets standard was submitted to the National Standards of Canada. However, the standard was submitted to the Standards Council of Canada for approval as a National Standard of Canada. IT World apologizes for the error.