Data are the lifelines of a digital economy. They are driving forces for innovation, enabling cutting-edge research and next-generation technologies including artificial intelligence (AI), robotics and the Internet of things (IoT). But these opportunities introduce new sources of risk that must be properly managed. Canadians are raising significant questions such as, “How will personal data be used?” and “What controls are in place to safeguard privacy and security?” To encourage innovation within the digital economy while managing this risk, the government of Canada has established the need for digital trust between citizens and organizations as an enabler to support the balancing act of risk vs. reward.
Enabling Confidence Through Digital Trust
The COVID-19 pandemic triggered a transformation in how Canadians use digital technologies to engage, work and perform business interactions with each other. The increasing reliance on digital technologies led the Canadian government to take steps to strengthen the digital economy by promoting its benefits while acknowledging risk factors that must be managed, such as ensuring that personal information is private and that organizations are being responsible (and not misusing data) when pursuing their digital strategies. As cited by the Canadian government, “[T]rust is the foundation on which our digital and data-driven Canadian economy will be built.”1 This digital trust is defined by the “confidence that users have in the ability of people, technology, and processes to create a secure digital world. Digital trust is given to organizations [that] have shown their users that they can provide safety, privacy, security, reliability, and data ethics with their online programs or devices. When a person decides to use an organization's products/services, they are confirming their digital trust in the business.”2
Understanding the Digital Charter Implementation Act
The Honourable François-Philippe Champagne, Minister of Innovation, Science and Industry, for the Canadian government has said:
In today’s economy, Canada’s competitiveness depends on our ability to use digital innovation to harness the power of data. Safety and trust must be the foundation of this new digital economy. By introducing the Digital Charter Implementation Act, 2022, we are ensuring that Canadians can trust when and how their information is being used. It will also give businesses clear rules to support their efforts to innovate with data and will introduce a new regulatory framework for the responsible development of artificial intelligence systems, while recognizing the need to protect young people and their information. This will not only promote confidence in the digital space but also ensure a safe, more inclusive, and secure digital economy for the benefit of all Canadians.3
In June 2022, the Canadian government proposed the Digital Charter Implementation Act, which establishes digital trust as a core component for a data-driven/digital economy. The act provides the Privacy Commissioner of Canada with broad order-making powers, including the ability to order an enterprise to stop collecting data and/or using personal information and set significant fines for noncompliant organizations, with fines of up to 5% of global revenue or CDN$25 million, whichever is greater, for the most serious offenses.4
In addition to the Digital Charter Implementation Act, a regulatory framework will be introduced consisting of 3 new acts: the Consumer Privacy Protection Act, the Artificial Intelligence and Data Act, and the Personal Information and Data Protection Tribunal Act. These acts support the regulatory framework for the Digital Charter Implementation Act and are required to address several key risk areas, using various controls to mitigate the following:
- Lack of rules governing AI development and deployment—The Artificial Intelligence and Data Act will protect Canadians by establishing rules for how AI systems are developed and deployed in ways that identify, assess and mitigate the risk of harm and bias. AI and data commissioners will be appointed to monitor organizational compliance, order third-party audits and share information with other regulators when necessary. Also, penalties will be set for unlawful use (e.g., fraudulent intent) or where deployment of AI poses serious harm (e.g., financial losses).
- Lack of principles to guide the digital economy’s growth—To address “challenges and leverage Canada's unique talents and strengths in order to harness the power of digital and data transformation,”5 the Digital Charter Implementation Act established 10 principles to guide its implementation, based on 3 attributes:
  - Privacy is protected.
  - Data-driven innovation is human-centered.
  - The digital economy is led by encouraging innovation.
There are 10 principles of the Digital Charter that are intended to benefit all Canadians (figure 1).6
Figure 1—Digital Charter Principles
Digital Charter Principles | Description |
---|---|
1. Universal Access | Equal opportunity to participate in the digital world and the necessary tools to do so including access, connectivity, literacy and skills |
2. Safety and Security | Ability to rely on the integrity, authenticity and security of digital services and feel safe online |
3. Control and Consent | Control over which data are shared, who is using personal data and for what purposes, and knowledge that privacy is protected |
4. Transparency, Portability and Interoperability | Clear and manageable access to personal data, which should be free to share or transfer without undue burden |
5. Open and Modern Digital Government | Access to modern digital services from the Government of Canada, which are secure and simple to use |
6. A Level Playing Field | Fair competition in the online marketplace to facilitate the growth of Canadian enterprises and affirm Canada’s leadership on digital and data innovation, while protecting Canadian consumers from market abuses |
7. Data and Digital for Good | Ethical use of data to create value, promote openness and improve the lives of people—at home and around the world |
8. Strong Democracy | Freedom of expression and protection against online threats and disinformation designed to undermine the integrity of elections and democratic institutions |
9. Free from Hate and Violent Extremism | Canadians can expect that digital platforms will not foster or disseminate hate, violent extremism or criminal content |
10. Strong Enforcement and Real Accountability | Clear, meaningful penalties for violations of the laws and regulations that support the Digital Charter principles |
Digital Charter Implications for Organizations
Given the new data security and privacy requirements being proposed by the Digital Charter Implementation Act’s regulatory framework, a gap analysis is a good starting point for organizations to assess impacts. With this approach, the organization can review its current state of personal data management policies and procedures and identify gaps to meet the future state requirements. It is important to identify and understand the new requirements for an organization under the regulatory framework, assess the degree of alignment with the current state and develop recommendations for senior management for what is required (e.g., resources, budget, implementation plan) to be compliant.
For example, there are several key requirements for the regulatory framework to which organizations must adhere:
- Implementing a privacy management program that includes addressing protection of personal information, handling complaints and requests for information, training staff and developing materials to explain the organization’s policies and procedures7
- Meeting new data protection requirements for children’s privacy (i.e., minors) with personal information defined as being sensitive and limits being placed on what type of information can be collected
- Enabling individuals to request destruction of their personal information (i.e., right to be forgotten)
- Implementing physical, organizational and technological security safeguards to protect personal information, with the level of protection being proportionate to the sensitivity of the information
The Canadian Government has indicated that given the volume and complexity of changes required for an organization to be compliant with the Digital Charter Implementation Act, a significant amount of time will be allowed for organizations to implement the changes.
Conclusion
Canada’s Digital Charter Implementation Act states that “To truly be a nation of innovators, we must build a culture of innovation, one which embraces resilience and risk.”8 The overall goal of the Digital Charter Implementation Act is for Canadians to be confident that their privacy is protected, AI is being developed and used responsibly, and digital trust is underpinning the innovation required for a strong digital economy. The Digital Charter Implementation Act supports effective risk taking, balancing economic growth with digital trust to encourage user confidence and innovation.
Endnotes
1 Government of Canada, “Canada’s Digital Charter: Trust in a Digital World”
2 Ritter, J.; “Digital Trust,” TechTarget
3 Government of Canada, “New Laws to Strengthen Canadians' Privacy Protection and Trust in the Digital Economy”
4 Op cit Government of Canada, “Canada’s Digital Charter: Trust in a Digital World”
5 Ibid
6 Ibid
7 Ibid
8 Ibid
Editor’s Note
Hear more about what the author has to say on this topic by listening to the “Enabling Digital Trust Through Canada's Digital Charter” episode of the ISACA® Podcast.
Mary Carmichael, CISA, CFE, CPA
Is the assistant director of technology risk and assurance at the University of British Columbia (Vancouver, British Columbia, Canada). She leads assurance and advisory initiatives for a technology portfolio spanning a wide spectrum of operations including research, learning and administration.