4720: Legal Issues in Business Analytics

more on AI and AIDA in slides that I did not put in here

Intentional Tort

Invasion of Privacy:

• Trespass (e.g. to collect image or other sensor data)

• Breach of confidence (e.g. unauthorized use of confidential

  information)

• Intrusion on seclusion (e.g. employees inappropriately

  using data access)

• Public disclosure of private facts

  Defences:

  • Consent

  • Assumption of risk

  • Contributory negligence

Negligence

Examples

• Data Loss or Breach

• Physical or economic loss due to advice based on analytics model

Duty of Care

• Reasonably foreseeable

• Affordable precautions

• Proximity of loss (incl. careless statements)

• Product liability (incl. data/information products)

Defences

• Assumption of risk

• Contributory negligence

Contracts

Examples in Business Analytics

• Purchase or sale of data

• Collection or creation of data

• Licensing of data

• Data processing and manipulation (e.g. data cleaning, anonymization, etc)

• Provide or access/use analytics service

Specify

• What is being purchased (e.g. copyright (assignment), licence, or analytics service)?

• What is the required quality and how is it measured?

Licences

Permission to use or do something

• Exclusive, sole, or non-exclusive (ordinary)

• Revocable or irrevocable

• Transferrable or non-transferrable

• Sublicenseable or not sublicenseable

• Limited or unlimited (in time or geography)

• Indemnification

• etc.

Copyrights

• Non-trivial, original work

• Requiring skill and judgment

Is this copyrightable?: Data as compilation of facts

Copyrightable by transformation, curation, collection

Websites

Using Web Data

• Terms of use

• Automatic access (”bots”, ”crawlers”)

Robots files

• Specify user agent (”User-agent”)

  • ”Googlebot”, ”Bingbot”, ”Googlebot-Image”, . . .

• Specify prohibited files or folders (all others allowed)

• Specify allowed files or folders (all others prohibited)

• Specify crawl frequency (”Crawl-delay”)

• Specify no search indexing (”Noindex”)

Personal Information Protection and Electronic Documents Act (PIPEDA)

• Federal

• Protects: personal information, opinions/comments, etc.

• Applies to commercial activity in all Canadian provinces

• Mandatory breach reporting

• Complaint process through the OPC

• Authority to audit

• Except for activity solely within provinces that have ”substantially similar” legislation (BC, ON)

• Does not apply to federal government, covered by Privacy Act and Access to Information Acts

• Does not apply to provincial government (e.g. Newfoundland Access to Information and Protection of Privacy Act (ATIPPA))

Office of the Privacy Commissioner of Canada (OPC)

• Investigate complaints

• Report with recommendation but no enforcement powers

• Federal Court

Fair Information Principles

1 Be accountable

2 Identify the purpose

3 Obtain valid, informed consent

4 Limit collection

5 Limit use, disclosure and retention

6 Be accurate

7 Use appropriate safeguards

8 Be open

9 Give individuals access

10 Challenging compliance

PIPEDA: 1. Accountability

• Comply with all 10 principles

• Appoint privacy officer responsible for compliance

• Define reporting mechanisms to/from this person or office

• Protect all personal information, incl. that transferred to 3rd parties and agents

• Develop and implement policies and procedures for compliance

• Privacy training and education for all employees

• External communication procedures

• Risk and threat assessment for all operations (esp. international 3rd party)

• Document compliance for audits

PIPEDA: 2. Identifying Purpose

• Ensure information is required for a purpose

• Explain purpose when collecting information

• Maintain records for purpose and received consents

• Ensure purpose is reasonably and appropriately limited

PIPEDA: 3. Consent

• Consent must be meaningful and valid

• Consent can be required only if necessary to fulfill a legitimate purpose

• Form of consent must take into account the sensitivity of information

• Individuals may withdraw consent at any time

• Make privacy information clearly available (what is collected, who it’s shared to, why, and what are the potential risks)

• Provide a clear choice

• Ensure consent process is user friendly

• Allow individuals to withdraw consent

• Re-obtain consent when making significant changes to privacy policy

• Retain documentation of consent for compliance

• Consent is necessary but NOT sufficient - purpose of collection must be reasonable

  • Must serve real business interest and loss of privacy must be proportional to benefits gained

• GPS data can be collected by implied consent for purposes of improving productivity or protecting company assets, but not for employee evaluation

“No Go Zones”

• Collection, use or disclosure that would be illegal

• Profiling or categorization that leads to unfair, unethical, or discriminatory treatment

• Collection, use, or disclosure that is likely to cause significant harm

• Publishing information with intent to charge for removal

• Requiring social media passwords for employee screening

• Surveillance through an individual’s own device

PIPEDA: 4. Limiting Collection

• Information must fulfill a legitimate, identified purpose

• Collection must be fair and lawful

• Information collected should be identified in information management policies

• Collecting less information reduces risk or impact of loss or breach

PIPEDA Video Collection

• Use less privacy-intensive alternatives, if possible (ex: infared, LIDAR)

• Establish business reason

• Develop policy on use of data

• Limit use and viewing range as far as possible, do not record audio unless necessary

• Inform public that surveillance is taking place

• Store data securely, destroy when no longer needed

• Allow individuals to access their video data (but not that of others)

• Train and educate human camera operators and data processors on privacy obligations

PIPEDA: 5. Limiting Use, Disclosure, and Retention

• Define appropriate retention period

• Limit employee access

• Monitor information access

• Define deletion procedures for different media

  • Maintain security and access controls during deletion

  • Include back-ups

  • Verify deletion/contractual compliance by 3rd party disposal providers

PIPEDA: 6. Accuracy

• Ensure accuracy, completeness, and currency of information

• Record collection dates for all information

• Record and document measures to ensure accuracy

• Information must be as accurate as necessary for purpose

• Industry standards are not an appropriate reference for adequate accuracy

• Responsibility for accuracy rests with the organization, not the individual

• Information must be updated also to third parties

PIPEDA: 7. Safeguards

• Develop and implement security policies

• Use physical, technological, and organizational measures to provide protection

• Anonymize unnecessary personal information

• Review safeguards

• Safeguards must be commensurate with sensitivity

• Policies must be effectively applied

• Secure disposal policies must be implemented

• Medical and payroll information are highly sensitive

• Employee training and education is required

• Organizations must ensure that third parties have safeguards in place

• Data on portable devices and in online storage must be encrypted

• Organizations must ensure technological safeguards remain current

• Privacy culture

• Training and reminders

• Policies for granting and revoking access

• Ensure access is restricted to roles, geography, time, etc.

• Monitor access and detect anomalies and inappropriate access

PIPEDA: 8. Openness

• Inform customers and employees about policies and procedures

• Ensure that policies are easily available and easy to understandable

• Specify (at minimum):

  • Accountable person

  • How to access and amend/update/delete personal information

  • How to complain about practices

  • Collected information and disclosure to others

PIPEDA: 9. Individual Access

• Advise individuals about their information held, how it was collected and used, and disclosures to third parties.

• Requests have to be in writing

• Verify requestor identify before disclosing to requestor

• Document requests for information and their processing, incl. the documents provided to the requestor

• Provide access at minimal or no cost, using easy process

• 30 day to provide requested information; 30 day extension in exceptional circumstances (e.g. legal consult, format shifting, etc.)

• Ensure retention is updated

• Inform individuals of their right to complain to OPC

• Ensure staff training

• Disclosure would reveal information about others

• Solicitor-client privilege

• Confidential commercial information

• Threaten security of others

PIPEDA: 10. Challenging Compliance

• Simple complaint handling procedures

• Inform complainants about organization’s procedures, and those of industry bodies, regulators, and OPC

• Record and acknowledge complaints

• Notify and record outcomes, decisions, and actions taken in response

AIDA

• Prohibit reckless and malicious use of AI

• Ensure accountability of risks associated with AI systems

• Applicable to ”high-impact AI systems”

• Severity of potential harm

• Evidence of risks to health or safety, risk of adverse impact on human rights

• Imbalances of economic and social circumstances, or age of impacted persons

• Consider both intended and unintended consequences

• Examples: Screening systems and biometric systems (potential discriminatory outcomes/impacts on mental health)