IAF Proposal for OPC’s “Contributions Program: Privacy Research and

Related Knowledge Translation Initiatives” IAF Big Data Ethics Initiative: Assessment for Canadian Organizations Project

December 2015

Information Accountability Foundation Proposal

2

THE PROPOSAL

Basic Information Organization name: Information Accountability Foundation (“IAF”) Address: 201 S. Chester St., Little Rock, AR 72201, USA Telephone number: 972-955-5654 Authorized representative email address: mabrams@informationaccountability.org Names of principal personnel: Martin Abrams and Lynn Goldstein Name of project administrator: Nick Warren Principal researcher: Martin Abrams 972-955-5654 mabrams@informationaccountability.org Person responsible for administering project: Nick Warren 202-236-7279 nwarren@informationaccountability.org Person responsible for finance/accounting

Candice Johnson, CPA, PFS 501-372-4180 cjohnson@informationaccountability.org Legal Status IAF is a tax-exempt non-profit organization under section 501(c)(3) of the United States Internal Revenue Code. It is organized and operated exclusively for research and educational charitable purposes. Organizational Background IAF was created in September 2013 by incorporating the Global Accountability Dialogue that began in 2009 and was responsible for producing “Data Protection Accountability: The Essential Elements”, the foundation for the Canadian guidelines on “Getting Accountability Right with a Privacy Management Program”.1 The mandate of IAF is to be the preeminent global information policy think tank that successfully works with regulatory authorities, policymakers, business leaders, civil society, and other key stakeholders around the world to help frame and advance data protection law and practice through accountability-based information governance. The objective of IAF is

1 The Centre for Information Policy Leadership (2009), “Data Protection Accountability: The Essential Elements”, http://www.huntonfiles.com/files/webupload/CIPL_Galway_Accountability_Paper.pdf.

Information Accountability Foundation Proposal

3

to, through active consultations and research, achieve effective information governance systems to facilitate information-driven innovation while protecting individuals’ rights to privacy and autonomy. The mission of IAF is to encourage accountability by focusing on impediments to protecting individuals while still encouraging the innovative uses of data. To date, IAF has established a strong track record of producing a variety of influential papers, workshops, and teleconferences that have educated the privacy community on issues of data protection and governance. IAF’s accomplishments began during its first year when its Executive Director wrote two book chapters, created a data taxonomy based on data origin, and began a global dialogue on transparency, legitimate interest vetting, and accountability agents.2 The first meeting of the dialogue in May of 2014 was cohosted by IAF with the United Kingdom’s Information Commissioner’s Office. That same year, IAF partnered with Indiana University and the Center for Democracy and Technology in the United States on a dialogue series on government use of private sector data around the world for law enforcement and national security. IAF began the Big Data Ethics Initiative in early 2014. IAF brought together numerous thought leaders, including former data protection commissioners, to discuss the issues related to trustworthy big data analytics. Based on that dialogue, IAF published “A Unified Ethical Frame for Big Data Analysis” (“Unified Ethical Frame” or “Frame”) in October 2014.3 IAF also organized a plenary session at the 36th International Conference of Data Protection and Privacy Commissioners on the ethical use of big data. In 2015, IAF continued the Big Data Ethics Initiative with the creation of a model assessment framework and a customized assessment framework for digital marketing.4 That same year IAF authored a paper on how such an assessment process might be enforced by regulatory authorities with different mandates.5 A session to explain the oversight of big data was organized by IAF as a side event at the 37th International Conference of Data Protection and Privacy Commissioners. The Office of the Privacy Commissioner (“OPC”) has participated in the Big Data Ethics Initiative that is the basis for this Canadian-specific proposal, Assessment for Canadian Organizations Project. Concepts explored in the Unified Ethical Frame are reflected in the latest two opinions issued by the European Data Protection Supervisor,6 including assessment frameworks.

2 Abram, Martin (2014) “The Origins of Personal Data and its Implications for Governance” http://informationaccountability.org/wp-content/uploads/Data-Origins-Abrams.pdf. Abram, Martin (2014) “The Marco Civil and Beyond: Privacy Governance for the Future” http://informationaccountability.org/wp-content/uploads/Privacy-Governance-for-the-Future1.pdf. 3 See attachment Part A. 4 See attachment Part B and attachment Part D. 5 See attachment Part C. 6 European Data Protection Supervisor (2015), “Opinion 4/2015: Towards a New Digital Ethics”, https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-09-11_Data_Ethics_EN.pdf.

Information Accountability Foundation Proposal

4

A number of companies are building comprehensive impact assessments, and others have committed to do so in the New Year. IAF is led by Martin Abrams who has 15 years’ experience in running privacy think tanks. He led the Global Accountability Dialogue that established the Essential Elements of Accountability and organized the content for the 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City. He has led multi-stakeholder sessions on every continent (except Antarctica). Since founding the IAF in September 2013, he has produced research papers for the OECD, written numerous book chapters, and led numerous conferences. Lynn A. Goldstein, an IAF Senior Strategist, will join Mr. Abrams on the Assessment for Canadian Organizations Project. Ms. Goldstein formerly was Chief Privacy Officer for JPMorgan Chase and Chief Data Officer at New York University’s Center for Urban Science + Progress. Ms. Goldstein brings legal expertise to this project. Given its established record of accomplishment, IAF is confident that it can deliver on the research and education project that is the subject of this proposal. The proposal requires IAF to understand uses of personal data that go beyond individuals’ expectations, understand the laws that govern privacy, develop a strawman assessment framework, conduct multi-stakeholder evaluation sessions, report the results, and socialize the final assessment framework with stakeholders. Many aspects of the methodology for the proposed project below have been utilized by IAF to produce its innovative work on the ethical use of big data over the last two years. IAF has experience in all of the project’s critical components. For more information about IAF accomplishments, see the Foundation’s ”Publications” webpage and ”Activities” webpage. Previous Financial Support IAF has not received financial support from the OPC previously. Description of the Big Data Ethics Initiative: Assessment for Canadian Organizations Project Project Description Summary IAF will create and evaluate an assessment process to determine whether personal data used beyond the expectations of Canadian individuals is processed in a manner that is legal, fair, and just and to demonstrate how that determination is reached. The

European Data Protection Supervisor (2015), “Opinion 7/2015: Meeting the challenges of big data”, https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf.

Information Accountability Foundation Proposal

5

Canadian law firm Osler, Hoskin & Harcourt LLP has a privacy consulting and legal services group called AccessPrivacy. The group will assist IAF in the creation, and relevant end-users will be engaged as active participants in the evaluation, of this Canadian process. The Assessment for Canadian Organizations Project will begin with a discussion with the business community on the utility of such a process to comply with the requirements of the Personal Information Protection and Electronic Documents Act (“PIPDEA”) as more and more data feeds analytic processes. That session will take place on December 4, 2015. The session will establish the need for a Canadian assessment process that would be part of a comprehensive privacy management program as set forth in the guidelines on “Getting Accountability Right with a Privacy Management Program” from the OPC and the Offices of the Information and Privacy Commissioners (OIPCs) for British Columbia and of Alberta. In the first quarter of 2016, IAF and AccessPrivacy will convene a group of Canadian companies to customize IAF’s big data ethical assessment framework for Canadian projects that are beyond the expectations of data subjects. The assessment framework will create the means to determine whether big data undertakings are legal, fair, and just and to demonstrate how that determination was reached. The Canadian framework developed by this first phase will then be evaluated in a multi-stakeholder session that will occur in either Toronto or Ottawa. Based on the learning from the multi-stakeholder process, the assessment framework and a supporting memorandum will be finalized. These documents will be submitted to the OPC, published on the IAF website, promoted on social media, and a topic at AccessPrivacy’s annual conference. IAF also will apply to present the findings at IAPP Canada and at the 38th International Conference of Data Protection and Privacy Commissioners. At every point in the process, IAF will dialogue with the OPC and Canada’s provincial commissioners. The project will be funded by both private sector contributions and this grant if IAF is among the winning submissions. It is expected that the private sector will provide $40,000 to $50,000 Canadian to this endeavor, and IAF is applying for $33,283.80 Canadian from the OPC grant program. At least 50 percent of this project will be private sector funded. The greater the funding received by IAF, the greater the outreach and communication IAF will be able to conduct. All of AccessPrivacy’s costs will be covered by the private sector. The Assessment for Canadian Organizations Project is an expansion of the “Pathways to Privacy Symposium: Helping Canadians Find Pathways to Privacy” (“Pathways Project”),

Information Accountability Foundation Proposal

6

a research project previously funded under the Contributions Program.7 The Pathways Project educated individuals about a wide spectrum of privacy concerns affecting Canadians: commercial genetic testing and health information, protecting personal information online and offline, and privacy of financial information. The Assessment for Canadian Organizations Project addresses another privacy concern affecting Canadians: big data analytics that are conducted without individuals’ knowledge so consent is not fully effective. Since big data projects are often undertaken at a distance from the individual, educating individuals does not serve the same purpose. Rather, organizations must conduct big data assessments that look at all stakeholders, define the full range of risks and benefits from analytics for all stakeholders, focus on whether risk mitigation is effective, and make a determination that, on balance, the big data undertaking is legal, fair, and just and demonstrate how that determination was reached. Such an assessment framework would be part of a comprehensive privacy management program overseen by the OPC. Project Description Background In June 2015, the OPC issued its “Privacy Priorities 2015-2020” (“Priorities Paper”). First among four priorities is the economics of personal information. The Priorities Paper, in setting forth the goals for the OPC for the economics of personal information, states: “Our policy work will help to build normative frameworks around new business models and will seek to identify enhancements to the consent model so that concerns raised both by individuals and organizations are addressed.”8 It is the IAF’s intent to supplement the work of the OPC in developing an assessment process that would fit within a Canadian comprehensive privacy program. In doing so, IAF also will be responsive to two of the five cross-cutting strategies to implement the OPC’s four priorities: enhancing accountability and promoting good privacy governance, and taking into consideration the fact that privacy knows no borders. Specifically, IAF is exploring ways to use codes of practice/conduct as part of the oversight of an assessment framework. Big data is truly a proxy for analytic uses of personal data that go beyond the individual’s imagination. Big data makes use of data not typically created or collected for big data analytic purposes but rather for other purposes such as risk assessment, fulfillment, marketing, and other purposes that are readily recognizable and understood by individuals. In Canada, individuals provide consent for those purposes. Sometimes, broad data-driven research is contained in the purpose specification notice. At other times, consent for big data research may be implied. Section 7(2)(c) of PIPEDA also contains an exception to consent when personal data is used for research. However,

7 Canadian Civil Liberties Association (n.d.), “Pathways 2 Privacy Symposium: Helping Canadians Find Pathways to Privacy”, https://ccla.org/pathways2privacy/, accessed November 10, 2015. 8 Page 12. Office of the Privacy Commissioner of Canada (2015), “The OPC Privacy Priorities 2015-2020“, https://www.priv.gc.ca/information/pub/pp_2015_e.pdf.

Information Accountability Foundation Proposal

7

the stretch between the readily apparent purposes and big data uses are beginning to concern policy strategists and may create legal and reputational risk for organizations. IAF was charged in 2014 with thinking about the broader issue of accountable big data processing. The result was the Big Data Ethics Initiative consisting of four parts. Part A, the Unified Ethical Frame, published in October 2014, defines an assessment process to determine whether big data undertakings are legal, fair, and just and to demonstrate how that determination was reached.9 The subsequent two documents, Parts B and D, are a model assessment framework (published in March 2015) and a customized assessment framework for digital marketing (published in April 2015).10 In October 2015, IAF published Part C, “Enforcing Big Data Assessment Processes” (“Enforcement Paper”), after consultations with privacy enforcement agencies in North America, Asia, Latin America, and Europe.11 The Big Data Ethics Initiative is the basis for the Assessment for Canadian Organizations Project. The Enforcement Paper identifies the elements necessary for an assessment framework to fit into a code of conduct or practice that would be enforceable by a regulatory agency or a third-party accountability agent, either on demand or as part of a certification scheme. The Enforcement Paper discusses ombudsman oversight systems like the one in Canada. In April 2015, AccessPrivacy hosted an event for businesses and regulators to discuss uses of big data, implied consent and the European concept of legitimate interests. This workshop explored implied consent as defined by PIPEDA. Implied consent requires transparency and the opportunity for the individual to opt-out of data uses subject to implied consent. The group also discussed concepts of responsible use so that accountability might supplement the protections related to implied consent. At the conclusion of that workshop, there was a general agreement that even with implied consent, the Canadian accountability principle requires a more robust assessment process to determine whether big data undertakings are legal, fair, and just and to demonstrate how that determination was reached. Today, even with privacy notices and consent based on those notices, many data applications go beyond individuals’ imagination making consent-based governance less than effective in protecting individuals. As technology and data applications evolve rapidly, this problem only becomes more pressing. The Assessment for Canadian Organizations Project will create a comprehensive impact assessment and related governance structure that will supplement existing accountability governance issued by the OPC and provincial commissioners in British Columbia and Alberta. Not only will this protect Canadians, it will also reduce the reticence that comes when organizations do not process data in a manner that creates huge benefits for individuals and society since they have no means to demonstrate the processing is legal, fair, and just. At the 36th

9 See attachment Part A. 10 See attachment Part B and attachment Part D. 11 See attachment Part C.

Information Accountability Foundation Proposal

8

Annual Conference of Data Protection and Privacy Commissioners, Christopher Graham, United Kingdom Information Commissioner stated, “I want to pay tribute to the work that the Foundation has done here, because the ethical framework [on big data published by IAF] that you have described is exactly what is required.”12 The Assessment for Canadian Organizations Project will create the guidance to implement this innovative approach in Canada. Privacy impact assessments are not new. Comprehensive impact assessments are new. They go beyond the individual’s interest in autonomy and look at that individual’s full range of fundamental rights, the rights of others, and business’ and society’s interest in information-driven innovation. This process is the first to take assessments beyond the law to the full range of ethical data processing. Big data ethics was first explored by the IAF in 2014, and has since been discussed by various global authorities, including the European Data Protection Supervisor. Project Description - Goals and Objectives The objective of the Assessment for Canadian Organizations Project is to build upon the work of the IAF Big Data Ethics Initiative to develop a Canadian-specific guide for using data beyond individuals’ imagination where the data use creates real value for individuals, society, and organizations. The goal is the creation of a customized assessment framework based on PIPEDA and a supporting memorandum. IAF’s methodology is to begin with the established scholarship, the Unified Ethical Frame, the model assessment framework, and the Enforcement Paper. Next, the Foundation will determine the changes necessary to comply with PIPEDA and the provincial private, health, and public sector laws. Then, IAF will perfect the assessment framework through consultations with participating businesses and with regulators. Subsequently, an evaluation of the draft Canadian assessment framework would take place in a multi-stakeholder session that would include non-governmental organizations, civil society, and academics. Finally, IAF will publish the guidance and socialize it with the public. Project Description - Target Groups The target groups are all possible stakeholders given the potential use of the data. Possible stakeholders include individuals, organizations (including businesses and non-governmental organizations), political and governmental entities, civil society, public-at-large, and communities. IAF will include representatives of each of these groups throughout the knowledge translation activities.

12 36th International Conference of Data Protection and Privacy Commissioners (n.d.), “ICDPPC2014 - Day04 - Video 17 of 25“, https://www.youtube.com/watch?v=BHKl1BXEOns, accessed November 23, 2015.

Information Accountability Foundation Proposal

9

Project Description – Anticipated Results and Expected Benefits The Frame lays out the basic philosophy for big data governance. The foundation of the Frame is a governance process that balances the interests of the individual, society and the organization conducting a big data project. This balancing process considers the full range of fundamental rights and interests that affect the individual, including the fundamental rights of human dignity, privacy, and data protection. Supplemental to the Frame is a model assessment framework that considers and balances the various interests. While this assessment framework can be customized to meet the needs of organizations, industries and sectors, the basic assessment framework provides the key question areas that must be addressed. The anticipated results of the Assessment for Canadian Organizations Project are the creation of a customized assessment framework for Canada that is based on PIPEDA and an accompanying supporting memorandum. A customized Canadian assessment framework would consist of a set of key questions to be asked and answered to identify significant issues. This framework would take into consideration all individual as well societal and business interests and rights. The purpose of such an assessment framework is to identify key issues that decision makers in the organization should consider. Documentation of that process provides evidence that justifies the decisions made. At the beginning of each section of such an assessment framework are key issues that should be explored. Such an assessment framework should be used as big data projects reach key milestones or decision points.

Such a customized assessment framework for Canada would significantly add to the tools developed by the OPC to assist organizations in developing comprehensive privacy management programs. In so doing, the Assessment for Canadian Organizations Project has enormous potential for positively affecting the protection of privacy rights of a large number of Canadians. Predicting future outcomes, no matter the endeavor, is compelling. Big data isolates correlations humans cannot see. This leads to predictions beyond the individual’s knowledge and control. As a result, big data creates both benefits and risks. Therefore, an assessment process needs to be part of a comprehensive privacy management program that determines whether big data undertakings are legal, fair, and just, and demonstrates how that determination was reached. Such an assessment process is not solely focused on compliance but rather is focused on the full range of benefits and risks and whether risk mitigation is effective. This assessment process takes organizations beyond mere compliance to the ethical use of data.

Project Description – Project Deliverables

In-person meetings on December 4, 2015, by April 15, 2016, by May 30, 2016, by June 15, 2016, on July 10, 2016

Draft of Canadian assessment framework by February 28, 2016; revisions of draft Canadian assessment framework by April 30, 2016, by June 15, 2016, and by August 30, 2016

Information Accountability Foundation Proposal

10

Presentation of draft Canadian assessment framework at AccessPrivacy annual conference by June 30, 2016

Final Canadian assessment framework submitted to OPC and published on IAF website and promoted with social media by September 30, 2016

Presentation of final Canadian assessment framework within Canada and at IAPP Canada and at 38th International Conference of Data Protection and Privacy Commissioners by March 30, 2017

One-Page Summary

Assessment for Canadian Organizations Project Big data processing creates significant accountability challenges for organizations that seek insights from the correlations that exist between diverse data sets and for the governmental agencies that oversee data protection and privacy. The uses of big data stretch the purposes for which data was originated and create insights that are new data elements. Big data analytics are conducted at a distance from the individual so governance concepts such as consent are not fully effective. To be trustworthy, big data analytics must be governed, but information policy governance has lagged the development of big data. The Big Data Ethics Initiative of the Information Accountability Foundation (IAF) fills this governance gap. It consists of four parts. Part A, “The Unified Ethical Frame for Big Data Analysis”, defines as assessment process to determine whether big data undertakings are legal, fair, and just and to demonstrate how that determination was reached.13 Part B is a model assessment framework, and Part D is a customized assessment framework for digital marketing.14 Part C, “Enforcing Big Data Assessment Processes”, identifies the elements necessary for an assessment framework to fit into a code of conduct or practice that might be enforceable by a data protection commissioner and discusses ombudsman oversight systems like the one in Canada. 15 Under the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), organizations both must gain the consent of individuals to process data and must act in an accountable manner when processing data. However, expressed consent is challenged by the highly observational and mathematics driven ecosystems created by big data. PIPEDA provides for implied consent, which is more flexible than expressed consent, in appropriate circumstances. The Office of the Privacy Commissioner (OPC) and the Offices of the Information and Privacy Commissioners (OIPCs) for British Columbia and of Alberta have issued

13 See attachment Part A. 14 See attachment Part B and attachment Part D. 15 See attachment Part C.

Information Accountability Foundation Proposal

11

guidelines on “Getting Accountability Right with a Privacy Management Program”. The guidelines recommend that organizations use privacy impact assessments (PIAs) for all new projects involving personal information and thereafter on any new collections, uses, or disclosures of personal information. IAF research on the ethical use of big data suggests that PIAs need to be replaced by an instrument that is more robust. Such a robust instrument, a big data assessment framework, must look at all stakeholders, must define the risks and benefits from analytics for all stakeholders, and must make a determination that, on balance, the big data undertaking is legal, fair, and just and must demonstrate how that determination was reached. The Assessment for Canadian Organizations Project proposes an assessment framework for jurisdictions under PIPEDA that would be part of a comprehensive privacy management program that could be overseen by the OPC. Such a customized assessment framework that leverages both implied consent and accountability is reflective of the policy intent behind PIPEDA and might also be overseen by provinces with private, health, and public sector laws.

Timeline and Monitoring

The purpose of the Assessment for Canadian Organizations Project is to develop a Canadian specific guide for using data beyond individuals’ imagination where the data use creates real value for individuals, society, and organizations. The final product will be a customized Canadian assessment framework and a supporting memorandum. The IAF methodology is to begin with established scholarship, the “Unified Ethical Frame for Big Data Analysis”, the model assessment framework, and the “Enforcing Big Data Assessment Processes” papers; determine the changes necessary to comply with PIPEDA and provincial private, health and public sector laws; perfect the assessment process through consultations with participating businesses and with regulators; evaluate the draft Canadian assessment framework in a multi-stakeholder session that would include non-governmental organizations, civil society, and academics; publish the guidance; and socialize the guidance with the public. The IAF steps and deadlines are as follows: Step Deadline IAF begins with materials developed as part of the IAF Big Data Ethics Initiative. Those documents, Parts A – D, are described above and are attached.

Completed

AccessPrivacy organizes an in-person meeting in Toronto on December 4, 2015 to set private sector priorities for the Assessment for Canadian Organizations Project.

12-04-2015

IAF creates a draft Canadian assessment framework by modifying the 2-28-2016

Information Accountability Foundation Proposal

12

model Part B assessment framework. IAF and AccessPrivacy hold a meeting with participating companies in Toronto to review the draft Canadian assessment framework and modify it for the cultural and legal environment of Canada.

4-15-2016

IAF revises the draft Canadian assessment framework based on the Toronto feedback and begins drafting a supporting memorandum.

4-30-2016

IAF and AccessPrivacy dialogue with Canada’s privacy commissioners and amend the documents to reflect the privacy commissioners’ concerns.

5-30-2016

IAF and AccessPrivacy schedule a second meeting with the private sector participants to review the draft documents. The group discusses how the assessment framework fits into (a) a comprehensive privacy management program, and/or (b) a code of practice that might be certified.

6-15-2016

IAF drafts documents to be discussed at a multi-stakeholder session.

6-15-2016

IAF presents the draft Canadian assessment framework at the AccessPrivacy annual conference.

6-30-2016

IAF organizes a multi-stakeholder session to be held either in Toronto or Ottawa to evaluate the draft Canadian assessment framework. Canada’s privacy commissioners and a limited number of scholars are invited to participate. IAF collects comments.

7-10-2016

IAF revises documents based on feedback from the multi-stakeholder session and circulates them to a number of key project participants.

8-30-2016

IAF finalizes documents, provides them to the OPC, publishes them on the IAF website, and promotes them on social media

9-30-2016

IAF makes presentations to raise awareness of use of the final Canadian assessment framework as part of a comprehensive privacy management program both within Canada and at international conferences.

3-30-2017

Community Involvement and Support

Access Privacy, the privacy consulting and legal service group of the Osler, Hoskin & Harcourt LLP law firm, will provide significant in-kind support to the Assessment for Canadian Organizations Project.

Information Accountability Foundation Proposal

13

Provincial/Territorial Support

None.

Knowledge Translation Activities IAF will transform theoretical research into useable outcomes that relevant end-users can apply in practice by taking established scholarship based on guidance from laws and regulations and creating new best practice guidance for Canada using the following approach:

IAF begins with the materials already developed as part of the IAF Big Data Ethics

Initiative. Those documents, Parts A – D, are described above and are attached.

AccessPrivacy organizes an in-person meeting in Toronto on December 4, 2015,

to set private sector priorities for the Assessment for Canadian Organizations

Project.

IAF creates a draft Canadian assessment framework by modifying the current

Part B assessment framework.

IAF and AccessPrivacy hold a meeting with participating companies in Toronto in

the first quarter of 2016 to review the draft Canadian assessment framework

and modify it for the cultural and legal environment of Canada.

IAF revises the draft Canadian assessment framework based on the Toronto

feedback and begins drafting a supporting memorandum.

IAF and AccessPrivacy dialogue with Canada’s privacy commissioners and amend

the documents to reflect the privacy commissioners’ concerns.

IAF and AccessPrivacy schedule a second meeting with the private sector

participants to review the draft documents. The group discusses how the

assessment framework fits into (a) a comprehensive privacy management

program, and/or (b) a code of practice that might be certified.

IAF drafts documents to be discussed at a multi-stakeholder session.

IAF organizes the multi-stakeholder session to be held either in Toronto or

Ottawa on July 10, 2016, to evaluate the draft Canadian assessment framework.

Canada’s privacy commissioners and a limited number of scholars are invited to

participate. IAF collects comments.

IAF revises documents based on feedback from the multi-stakeholder session

and circulates them to a number of key project participants.

IAF finalizes documents, publishes them on the IAF website, submits them to the

OPC, and references them on social media.

IAF makes presentation at AccessPrivacy’s annual conference and seeks other

Canadian venues to raise awareness of use of the final Canadian assessment

framework as part of a comprehensive privacy management program.

Information Accountability Foundation Proposal

14

Acknowledgement of OPC Funding IAF will acknowledge OPC funding by prominently mentioning it in the memorandum supporting the Canadian assessment framework, on IAF’s website, and acknowledging it in presentations made by IAF about the Canadian assessment framework.