certification could signal that a person or organization has met the standards of care necessary to be a trustworthy custodian of your data. Canadian law, such as the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), already mandates certain privacy standards for private sector organizations. But introducing a tiered rating system, similar to driver’s licences, could be an efficient way of letting customers know what measures a company would use to manage and protect their data in accordance with PIPEDA, without having to read a complicated terms of service agreement. For example, to receive a top rating of A, a company would have to guarantee an audit or supervision capability for the data, meaning it would have a record of exactly which employees have viewed the data and for what purpose. For a lower rating of B or C, the data would be protected by password authorization, but not have an audit trail. If a company chose not to complete the certification process, its lack of a rating in itself would send a strong signal to customers. By making clear exactly how a company would manage and protect personal data, customers would be more likely to trust them with their data. Introducing new certification systems that are compliant with the GDPR, PIPEDA or other privacy regulations could also pave the way for different organizations to share their data for innovative new programs or services, such as the opioid example from the introduction. Organizations that meet a certain standard of trust could be permitted to undertake data integration activities using multiple data sets, and consent could be addressed and incorporated to make this work. And because of the challenges and risks associated with these kinds of initiatives, there would still need to be some kind of framework that regulates which data integration programs would be permitted. If it works, the Canadian certification system could become a global benchmark for data management. Companies that secure a Canadian A rating could use it to market themselves worldwide as secure and responsible guardians of data. Trust Standards for Individuals It is not always natural to put your trust in a company — in real life, it is often easier to put
your trust in individual people, not entities. For example, within the Government of Canada, different employees have different levels of security clearance that permit them to access different kinds of information. Just because the Government of Canada has access to your data does not mean that everybody who works for the government has access to it. You might not trust the groundskeeper at a national park with your personal financial information, for instance, as much as you would trust an accountant with the Canada Revenue Agency. A set of trust standards centred on individuals could work like the Nexus program for trusted travellers, allowing someone who has been screened and passed tests for reliability to have greater access to certain kinds of data. This could be another way of permitting the integration of data from multiple sources, if the person handling the data has been verified as someone who can be trusted not to misuse it. Individuals could also be approved to access multiple spheres of trust, so that if two or more organizations wanted to collaborate on a data project, rather than making the relevant data available to both groups, they could instead share it with a select number of employees who have been deemed trustworthy by both organizations involved.
There are also serious concerns that wellestablished businesses — corporate giants with significant legal and human resources — will be in a much better position to navigate the new system, to the detriment of small start-ups that do not have the same resources.
Other Innovations Companies and organizations are getting better about asking users for consent before they collect or store their personal information, but a side effect of this is that many people click on consent forms without giving them any thought. Does anyone really remember which information they have agreed to share with which organizations? If there were a data breach affecting a digital service you used, would you know what information about yourself was vulnerable? While some people are diligent and thorough when reading various consent messaging, research suggests the vast majority click through without reading much or any of it. In other cases, users may have given their consent long ago to share something with a company that seemed insignificant at the time, but their concerns have changed over the years, or the company later shared it with another party without their knowledge. The GDPR is strict about requiring companies to include a privacy notice specifying the third parties with whom they share personal information. Trust and Data
29