3. Security, privacy and AI
Outline
• A primer in workplace privacy law
• The law today - use of IT system data
• AI and workplace privacy
• The future of privacy regulation and AI
3
4. Security, privacy and AI
Workplace privacy law primer - Statutes
• Employees of federally regulated
employers
• Plus employees BC, Alberta, Quebec
• Governs handling of “personal
information”
• Imposes rules based on “Fair Information
Practice Principles” or “FIPPS”
4
5. Security, privacy and AI
Workplace privacy law primer - FIPPS
• No Canadian privacy statue expressly
addresses AI and predictive analytics
• Statutes support EE control when PI is not
strongly linked to employment
administration
• Statutes support transparent processing
of PI
• Statutes support “data minimization” –
limiting the collection of PI, minimizing the
building of linkages between data sources
5
6. Security, privacy and AI
Workplace privacy law primer – “Common law”
• Applied by arbitrators (and less so judges)
• The rules are vague – develop and articulated
in case law over time
• Essential question is about “reasonableness in
the circumstances” and “balancing of [ER and
EE] interests”
• No cases expressly address the use of AI and
predictive analytics in the workplace as of today
6
7. Security, privacy and AI
Use of IT system data – R v Cole
• Employees have a limited
expectation of privacy in system use
• You need to disclaim that privacy
interest and set out your interests but
can’t eradicate the privacy interest
• So you have a “right” to access
system data as part of a reasonably
conducted investigation
7
10. Security, privacy and AI
AI and workplace privacy - applications
• Fraud detection
• Data security
10
5 top trends in endpoint security for 2018, CSO (May 2018)
11. Security, privacy and AI
AI and workplace privacy - applications
• Fraud detection
• Data security
• Process automation
11
Artificial Intelligence In The Workplace:
How AI Is Transforming Your Employee Experience
Forbes (May 2019)
12. Security, privacy and AI
AI and workplace privacy - applications
• Fraud detection
• Data security
• Process automation
• Employee retention
12
IBM artificial intelligence can predict with 95% accuracy which
workers are about to quit their jobs
CNBC (April 2019)
13. Security, privacy and AI
AI and workplace privacy – What’s creepiest?
Common elements
• All rest on building a model from data
that provides very little insight about
individuals
• All invite the ongoing processing of the
same data
• All produce new insights
Differences
• Varying levels of transparency
• Data collection differs
• Breadth of collection
• Matching across systems
• Some insights are more personal than
others
• Are you attributing something to a person or
a non-person? What’s the attribution?
13
14. Security, privacy and AI
AI and workplace privacy – “Research” or “Use”?
• Though far from clear, modelling is
arguably not a use of PI given you’re
examining data to derive insights about a
population as a whole
• Practical notes
• You still need to secure it!
• Losing a “data lake” is worse than
losing a database
• Watch your service provider contract
terms!
14
15. Security, privacy and AI
AI and workplace privacy – Can we collect?
• We have cases about collection of
metadata from work tools
• Vehicle GPS and telematics
• Saanich endpoint case
• They are permissive
• Limitations, however
• Limited data collection of non-
sensitive data, without an analytic
overlay
• Insights linked tightly to work
15
Investigation Report F15-01
BC OPIC (March 2015)
16. Security, privacy and AI
AI and workplace privacy – And practically?
• Model and assess the risks before investing
• Recognize that imposition increases the risk
• Plan for reasonable transparency
• Conduct your regular vendor due diligence
(selection, contracting, administration)
• Privacy
• Data security
• Decision-making bias
• Be sophisticated about implementation –
communication and change management
16
17. Security, privacy and AI
Future AI regulation in Canada? - GDPR
• Choice re “decision[s] based solely on
automated processing” unless necessary
or subject to special authorization
• “…suitable measures to safeguard the
data subject's rights and freedoms and
legitimate interests, at least the right to
obtain human intervention on the part of
the controller, to express his or her point
of view and to contest the decision.”
• Not based on special categories of
personal data (w exceptions)
17
18. Security, privacy and AI
Future AI regulation in Canada? – Digital Charter
• We therefore propose to… provide more
meaningful controls and increased
transparency to individuals by…
informing individuals about the use of
automated decision-making, the factors
involved in the decision, and where the
decision is impactful, information about
the logic upon which the decision is
based… The purpose of shining more
light on automated decisions is to assist
individuals in better understanding how
such decisions are made about them.
18
19. Security, privacy and AI
Future AI regulation in Canada? - Ontario
• Data holds vast possibilities that can help all
industries while ensuring public trust and
security. The development of an Ontario data
strategy will be guided by core principles—
which include a focus on ensuring that data
privacy and protection is paramount, and that
data will be kept safe and secure.
• Promoting Public Trust and Confidence: In the
face of growing risks, ensure public trust and
confidence in the data economy by introducing
world-leading, best-in-class privacy protections
19
20. Security, privacy and AI
The privacy and security implications of AI, big data,
and predictive analytics
November 12, 2019
Dan Michaluk