Teresa Scassa - Blog

Displaying items by tag: digital strategy

 

Ontario launched its Digital and Data Strategy on April 30, 2021, in a the document, titled Building a Digital Ontario. The Strategy – based on a consultation process announced late in 2019 – is built around four main themes. These are “equipped to succeed”, “safe and secure”, “connected” and “supported”.

It is important to note that the digital and data strategy is for the Ontario government. That is, it is predominantly about how government services are delivered to the public and about how government data can be made more readily and usefully available to fuel the data economy. Related objectives are to ensure that Ontarians have sufficient connectivity and digital literacy to benefit from digital government services and that there is a sufficiently skilled workforce to support the digital agenda. That said, there are places where the focus of the strategy is blurred. For example, the discussion of privacy and security shifts between public and private sector privacy issues; similarly, it is unclear whether the discussion of AI governance is about public or private sector uses and of AI, or both. What is most particularly off-base is that the cybersecurity elements of the strategy focus on individuals do not address the need for the government to tackle its own cybersecurity issues – particularly in relation to critical digital and data infrastructures in the province. There is a reference to an existing portal with cybersecurity resources for public sector organizations, so presumably that has been checked off the list, though it hardly seems sufficient.

Do we need better digital services from government? Should there be better public sector data sharing infrastructures to support research and innovation while at the same time stringently protecting privacy? Do we need to take cybersecurity more seriously? The answer is clearly yes. Yet in spite of the laudable objectives of the strategy, it remains unsatisfying. I have three main concerns. First, there seems to be more marketing than strategy with much of what is in this document. Too many of the themes/initiatives have a repackaged feel to them – these are things already underway that are being reverse-engineered into a strategy. Second, the document seems to ignore key actors and sectors – it has the feel of a plan hatched in one part of government with minimal communication with other departments, agencies and partners. Third, much of the strategy is simply vague. It is a bit like saying that the strategy is to do important things. Hard to argue with such a goal, but it is not a strategy – more of an aspiration.

My first concern relates to the fact that so much of what is described in the strategy is work already completed or underway. Each section of the strategy document describes progress already made on existing initiatives, such as the existing, Open Data Catalogue, the Cybersecurity Ontario Learning Portal and the Cybersecurity Centre of Excellence. In some cases, the document announces new initiatives that are imminent – for example the launch of a Digital and Data Fellows Innovation Program in summer of 2021, beta principles for responsible AI in spring of 2021, and a new Digital ID for 2021. To be fair, there are a few newish initiatives – for example, the mysterious Data Authority and the development of digital and data standards. But overall, the document is more of an inventory of existing projects framed as a strategy. It feels like marketing.

My second concern is that the document seems to be a catalogue of Ontario Digital Services projects rather than a strategy for the province as a whole. We hear that we need to build a skilled work force, but apart a reference to already launched enhancement of STEM learning in elementary schools, there is nothing about funding for education or research in STEM fields, whether in high school, college or university. There is a program to “bring the best of Ontario’s tech sector into government, to help design Ontario's digital future”, but there’s nothing about funding for internships for students in government or industry. The pandemic has raised awareness of massive challenges in the province around health data; that these are not addressed as part of an overall data strategy suggests that the strategy is developed within a still-siloed government framework. The main ‘promises’ in this document are those within the purview of Digital Services.

The most disconnected part of the strategy is that dealing with privacy. Privacy is one of the pillars of the strategy, and as part of that pillar the document announces a new “Know Your Rights” portal “to help Ontarians learn how to better protect their personal data and stay safe online”. Ontario already has an Office of the Information and Privacy Commissioner that provides a wealth of information of this kind. Unless and until Ontario has its own private sector data protection law (a matter on which the “strategy”, incidentally, is completely silent), information on private sector data protection is also found on the website of the Office of the Privacy Commissioner of Canada. It is frankly hard to see how creating a new portal is going to advance the interests of Ontarians – rather than waste their money. It would have made more sense to enhance the budget and mandate of Ontario’s Information and Privacy Commissioner than to create a portal ultimately destined to provide links to information already available on the OIPC website. This promise highlights that this is not really an Ontario strategy; rather it is a compilation of ODS projects.

My third concern is with the vagueness of the strategy overall. One of the few new pieces – the Data Authority – is described in the most general of terms. We are told it will be “responsible for building modern data infrastructure to support economic and social growth at scale, while ensuring that data is private, secure, anonymous and cannot identify people individually.” But what is meant by “data infrastructure” in this instance? What is the role of the “authority”? Is it a regulator? A data repository? A computing facility? A combination of the above? One wonders if it is actually going to be a build-out or rebranding of the Ontario Health Data Platform which was pulled together to facilitate data sharing during the COVID-19 pandemic.

Notwithstanding these criticisms, it is important to note that many of the initiatives, whether already underway or not, are designed to address important challenges in the digital and data economy. The problem lies with calling this a strategy. It is much more like a to-do list. It starts with a few things conveniently crossed off. It includes a number of things that need finishing, and a few that need starting. In contrast, a strategy involves thinking about where we need to be within a targeted period of time (5 years? 10 years?) and then lays out what we need to do, and to put in place, in order to get there. In the covering memo to this document, Minister of Finance and Treasury Board President Bethlenfalvy sets a high bar for the strategy, stating: “I like to say that we are moving Ontario from the digital stone age to a global trailblazer”. Dampening the hyperbole on either side of that metaphor, we are not in the digital stone age, but those expecting to blaze trails should not be surprised to discover discarded Timmy’s cups along the way.

Published in Privacy

On July 31, 2019 the Ontario Government released a discussion paper titled Promoting Trust and Confidence in Ontario’s Data Economy. This is the first in a planned series of discussion papers related to the province’s ongoing Data Strategy consultation. This particular document focuses on the first pillar of the strategy: Promoting Trust and Confidence. The other pillars are: Creating Economic Benefit; and Enabling Better, Smarter Government. The entire consultation process is moving at lightning speed. The government plans to have a final data strategy in place by the end of this calendar year.

My first comment on the document is about timing. A release on July 31, with comments due by September 6, means that it hits both peak vacation season and mad back to school rush. This is not ideal for gathering feedback on such an important set of issues. A further timing issue is the release of this document and the call for comments before the other discussion papers are available. The result is a discussion paper that considers trust and confidence in a policy vacuum, even though it makes general reference to some pretty big planned changes to how the public sector will handle Ontarians’ personal information as well as planned new measures to enable businesses to derive economic benefit from data. It would have been very useful to have detailed information about what the government is thinking about doing on these two fronts before being asked what would ensure ongoing trust and confidence in the collection, use and disclosure of Ontarians’ data. Of course, this assumes that the other two discussion documents will contain these details – they might not.

My second comment is about the generality of this document. This is not a consultation paper that proposes a particular course of action and seeks input or comment. It describes the current data context in broad terms and asks questions that are very general and open-ended. Here are a couple of examples: “How can the province help businesses – particularly small and medium-sized businesses – better protect their consumers’ data and use data-driven practices responsibly?” “How can the province build capacity and promote culture change concerning privacy and data protection throughout the public sector (e.g., through training, myth-busting, new guidance and resources for public agencies)?” It’s not that the questions are bad ones – most of them are important, challenging and worth thinking about. But they are each potentially huge in scope. Keep in mind that the Data Strategy that these questions are meant to inform is to be released before the end of 2019. It is hard to believe that anything much could be done with responses to such broad questions other than to distil general statements in support of a strategy that must already be close to draft stage.

That doesn’t mean that there are not a few interesting nuggets to mine from within the document. Currently, private sector data protection in Ontario is governed by the federal Personal Information Protection and Electronic Documents Act. This is because, unlike Alberta, B.C. and Quebec, Ontario has not enacted a substantially similar private sector data protection law. Is it planning to? It is not clear from this document, but there are hints that it might be. The paper states that it is important to “[c]larify and strengthen Ontario’s jurisdiction and the application of provincial and federal laws over data collected from Ontarians.” (at p. 13) One of the discussion questions is “How can Ontario promote privacy protective practices throughout the private sector, building on the principles underlying the federal government’s private sector privacy legislation (the Personal Information Protection and Electronic Documents Act)?” Keep in mind that a private member’s bill was introduced by a Liberal backbencher just before the last election that set out a private sector data protection law for Ontario. There’s a draft text already out there.

Given that this is a data strategy document for a government that is already planning to make major changes to how public sector data is handled, there are a surprising number of references to the private sector. For example, in the section on threats and risks of data-driven practices, there are three examples of data breaches, theft and misuse – none of which are from Ontario’s public sector. This might support the theory that private sector data protection legislation is in the offing. On the other hand, Ontario has jurisdiction over consumer protection; individuals are repeatedly referred to as “consumers” in the document. It may be that changes are being contemplated to consumer protection legislation, particularly in areas such as behavioural manipulation, and algorithmic bias and discrimination. Another question hints at possible action around online consumer contracts. These would all be interesting developments.

There is a strange tension between public and private sectors in the document. Most examples of problems, breaches, and technological challenges are from the private sector, while the document remains very cagey about the public sector. It is this cageyness about the public sector that is most disappointing. The government has already taken some pretty serious steps on the road to its digital strategy. For example, it is in the process of unrolling much broader sharing of personal information across the public sector through amendments to the Freedom of Information and Protection of Privacy Act passed shortly after the election. These will take effect once data standards are in place (my earlier post on these amendments is here). The same bill enacted the Simpler, Faster, Better, Services Act. This too awaits regulations setting standards before it takes effect (my earlier post on this statute is here). These laws were passed under the public radar because they were rushed through in an omnibus budget bill and with little debate. It would be good to have a clear, straightforward document from the government that outlines what it plans to do under both of these new initiatives and what it will mean for Ontarians and their personal data. Details of this kind would be very helpful in allowing Ontarians to make informed comments on trust and confidence. For example, the question “What digital and data-related threats to human rights and civil liberties pose the greatest risk for Ontarians” (p. 14) might receive different answers if readers were prompted to think more specifically about the plans for greater sharing of personal data across government, and a more permissive approach to disclosures for investigatory purposes (see my post on this issue here).

The discussion questions are organized by category. Interestingly, there is a separate category for ‘Privacy, Data Protection and Data Governance’. That’s fine – but consider that there is a later category titled Human Rights and Civil Liberties. Those of us who think privacy is a human right might find this odd. It is also odd that the human rights/civil liberties discussion is separated from data governance since they are surely related. It is perhaps wrong to read too much into this, since the document was no doubt drafted quickly. But thinking about privacy as a human right is important. The document’s focus on trust and confidence seems to relegate privacy to a lower status. It states: “A loss of trust reduces people’s willingness to share data or give social license for its use. Likewise, diminishing confidence impedes the creative risk-taking at the heart of experimentation, innovation and investment.” (at p. 8) In this plan, protection of privacy is about ensuring trust which will in turn foster a thriving data economy. The fundamental question at the heart of this document is thus not: ‘what measures should be taken to ensure that fundamental values are protected and respected in a digital economy and society”. Rather, it is: ‘What will it take to make you feel ok about sharing large quantities of personal information with business and government to drive the economy and administrative efficiencies?’ This may seem like nitpicking, but keep in mind that the description of the ‘Promoting Trust and Confidence’ pillar promises “world-leading, best-in-class protections that benefits the public and ensures public trust and confidence in the data economy” (page 4). Right now, Europe’s GDPR offers the world-leading, best-in-class protections. It does so because it treats privacy as a human right and puts the protection of this and other human rights and civil liberties at the fore. A process that puts feeling ok about sharing lots of data at the forefront won’t keep pace.

Published in Privacy

Schedule 56 of the Budget Bill introduces a new statute, the Simpler, Faster, Better Services Act, 2019 (SFBSA), that, once passed, will take effect when proclaimed by the Lieutenant Governor. That passage is a foregone conclusion is evidenced by the fact that the role of Chief Digital and Data Officer, created under the statute, has already been filled with the announcement of the appointment of Hillary Hartley. The goal of the SFBSA is to “promote the transformation of government services in Ontario” (s. 1). Among other things, the Act provides for the appointment of a Chief Digital and Data Officer (CDDO) who is tasked with promoting the development and implementation of public sector digital services; providing advice to public sector organizations on digital services; assessing the design, development and effectiveness of these services; and promoting the use of data and effective data management (s. 3(1)). The CDDO will also promote the proactive publication of data by public sector organizations and involve the public in the design and implementation of digital services. Under s. 3(3) of the Act, the CDDP must also establish a digital and data action plan which, in broad terms, will develop initiatives to promote the adoption of digital services, and the improvement of existing services. The action plan will also promote the development of “effective data management and data sharing across public sector organizations”, and will specifically promote the use of technology that is scalable and interoperable. The action plan must also set targets and indicators for the evaluation of progress, and is to be reviewed and adapted as necessary at least every three years.

The CDDO is also charged, under s. 4 of the Act with setting standards for digital services and for open data. The open data standards can include “requirements to make specified datasets publicly available”, and will also include formal and technical standards for the data. This can include standards with respect to metadata, as well as the frequency and manner by which data sets are to be made public.

Interestingly, while this section is described as addressing “open data standards”, the requirements in the SFBSA actually relate to making public sector data “publicly available”. This is subtly different from open data in the classic sense. For example, s. 4(3)(d) allows the CDDO to set “the terms by which a public sector organization shall grant licences for the use of the datasets it publishes”. This suggests that some data might be made publicly available under more restrictive terms and conditions than traditional open data. Examples of possible restrictions might include non-commercial use limitations, or requirements that no attempts be made to reidentify deidentified data in the licensed data set. They might even include fees for access to some data sets, as nothing in the SFBSA actually requires the data to be provided free of charge. The statute also provides for the enactment of regulations, and these regulations can formalize the adopted standards.

The CDDO is also charged with maintaining a catalogue listing and describing all public sector datasets, including those that are required to be publicly available. The only exceptions relate to information that must be kept confidential under a law of Canada or Ontario, or information relating to “confidential law enforcement activities or other matters involving public safety or security” (s. 4(10)). The inventory and the standards developed for public sector data must also be made publicly available.

The SFBSA sets out, in s. 5, principles that must be followed by public sector organizations in developing and using digital services. Section 5(2) identifies principles that should guide the management of data and its public release.

The CDDO has some enforcement powers under the legislation in the sense that she may find organizations to be non-compliant and order them to change their practices, and can provide notice of non-compliance to the Management Board of Cabinet.

It should be noted that this statute is meant to apply both to public sector organizations (government ministries and public bodies), as well as “broader public sector organizations”. This latter category will include organizations referred to in a Schedule to the SFBSA, notably municipalities, school boards and universities, and some health services facilities.

Overall, this is a very interesting piece of public policy. Although provincial, federal and municipal governments across Canada have made commitments to open data, Ontario is the first to legislate open data requirements (or at least ‘publicly available data’ requirements). The establishment of a CDDO with a legislated mandate is also a positive commitment to improving digital and data services in the province. The principles that will guide digital services development and delivery as well as data management are important, straightforward, and public-interest oriented. The importance of this legislation, as Amanda Clarke says in her excellent post (with more to follow), “is exactly why this policy change demands broad and sustained scrutiny”.

While the substance of this statute is interesting and important, the process behind it is problematic. In February 2019 the Ontario government launched its data strategy consultation. The first step (which ended in March) was to accept submissions from the public. The second was to establish an advisory panel that would continue consultations and ultimately report in the Fall of 2019. Yet the SFBSA seems to contain precisely the kinds of measures contemplated by the data strategy consultation. In doing so it calls into question the genuineness of the consultation process. The process deficiencies are further reinforced by the fact that the SFBSA is crammed into an omnibus budget bill which will ultimately pass with a minimum of scrutiny and debate. It’s an interesting statute and an important piece of public policy, but the public and democratic process around it is not good.

Published in Privacy

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law