Stakeholder Engagement Plan: Innovative Technology Development Sector

 

The Office of the Information and Privacy Commissioner (OIPC) has developed a stakeholder engagement plan for the innovative technology development sector in Alberta, which will be implemented throughout 2024 and improved and maintained in the years to come.

JANUARY 2024

Background

In its 20-year plan, the Government of Alberta has included investments in the use of technology to support innovation in the delivery of services in the public and health sectors. Most of the technology that will be used to deliver these services will primarily be created in the private sector.

Included in this 20-year plan is the use of machine learning and artificial intelligence (AI) to deliver public and health services. Other developments, which often leverage or support AI, are personalized medicine, an increase in connected healthcare devices, and data-driven government. These developments will enhance healthcare and service delivery by leveraging personal and health information.

It is recognized globally that the use of AI has significant risks to the public that must be mitigated through regulatory reform and technology design. Regulatory reforms are being explored locally, nationally and internationally.

Alberta hosts a great number of AI institutions, businesses, networks and public-private partnerships. Most organizations that develop, customize, distribute or fund AI are either part of these networks or partner with these AI-specialized institutions. As a result, there are a number of umbrella organizations or larger institutions that are in a suitable position to help create standards and communicate regulatory requirements and best practices to developers and users of AI.

It is anticipated that the health sector will lead the way in using AI-enabled technologies to relieve the pressures on the health system in Alberta and/or to improve outcomes. There are already several initiatives underway.

Goals

Given the developments noted above, there is a need to enable innovation while preserving privacy and access rights through the use of control measures that will achieve this balance. To do so, the OIPC will use a three-pronged approach to 1) build alliances, 2) create trusted networks for data sharing, and 3) contribute to making legislation and regulatory practices fit for the current and future waves of innovation.

One of the three main goals identified in the OIPC 2024-2027 strategic business plan is to provide information and support to improve the protection of personal and health information. One priority is to support stakeholders in implementing proactive measures to protect personal information and facilitate access to information.

This includes supporting innovation in the public, health and private sectors through the use of technology and ensuring our office works to proactively support compliance with Alberta’s privacy and access laws.

To achieve this, we aim to create alliances for technology engagement; obtain stakeholder input; support the broad adoption of privacy management programs by private sector organizations; and establish a foundation for a trusted network to facilitate the responsible development and use of innovative technologies in all three sectors.

The following phases have been identified.

  1. Identify the key players in the innovative technology development sector.
  2. Meet with key/core/leading organizations to build and transfer knowledge.
  3. Work with organizations to identify and target high risk systems.
  4. Assess privacy risks associated with these systems.
  5. Help embed controls to mitigate identified risks in the design or operation of innovative technology to facilitate compliance with privacy and access legislation.

This engagement will help the OIPC improve how we connect with the innovative technology development community and gather valuable input for OIPC programs and activities.

We aim to develop a mutual understanding and common language with the organizations we engage with through communications and participation.

Primary and Secondary Stakeholders

The OIPC has begun to identify primary stakeholders in the field of innovative technology development. Our plan is to build relations with these stakeholders to inform and stay informed of developments related to technology innovation, its effects on privacy, and its regulation. We also hope to provide consultation and guidance in matters of privacy protection.

These primary stakeholders qualify as foundational organizations because they play a large role in either the development of innovative technology, or in a network of organizations that have influence by providing funding, resources, expertise, information or other inputs to start-ups and small and medium enterprises.

Secondary stakeholders, including standards organizations and other regulators, may be contacted once the OIPC has a better understanding of the innovative technology ecosystem in the private sector, especially what technologies and what impacts are likely to be most pertinent in the years to come.

Our Process

The engagement plan relies on the following steps with each primary stakeholder.

  1. Creating and building mutual understanding, rapport and a good working relationship. This will primarily be done by understanding the core business of our stakeholder, explaining our mandate and goals, and managing expectations.
  2. Exploring the use of innovative technology that is researched, funded, developed or deployed by the stakeholder, developing knowledge about technologies used, and obtaining information about relevant innovative technologies in the organizational network of the stakeholder.

When relevant, the following steps are included in our engagement plan.

  1. Assessing the risks of established or developing innovative technology that has privacy implications, especially with sensitive personal or health information.
  2. Collaborating with the stakeholder to embed controls in the design of innovative technology to facilitate compliance with privacy and access laws, through the development and use of risk mitigation tools.
  3. Collecting feedback from the stakeholder and verifying their observations in order to inform our legislative review process. There may either be obstacles within privacy legislation affecting the development of innovative technology in private, public and health sectors, or a void in the protection of privacy or access to information. In both cases, we would seek input regarding how best to address such issues, while minimizing regulatory burden.

Expectations

Through the engagement plan, the OIPC will provide its expertise regarding organizational privacy management. The OIPC will also comment on options for proactive compliance in relation to innovative technology.

  1. The OIPC can make recommendations about embedding privacy into the stakeholder’s organization, operations and products. Our office has guidance and expertise available to help organizations prepare for technological and organizational changes needed to stay competitive. Experience with privacy compliance offers an advantage when scaling products or services to other jurisdictions.
  2. The OIPC provides input for the legislative review processes of privacy legislation. Although our stakeholders cannot directly influence this work, they can provide us with input for consideration of recommendations to be provided, and validation of recommendations we intend to issue.
  3. The OIPC may in the future provide the option to test specific innovative technology in the form of a proof of concept, product or service in a so-called ‘sandbox’. A sandbox provides an environment in which the developing organization and the regulator can meet, learn and explore ways in which innovation can be done while complying with privacy legislation. Short-cycle demonstrations, reviews and meetings offer the opportunity to learn about technology used and improve compliance.

Our hope and expectation of stakeholders is that they are willing to work with our office in good faith on improving their privacy posture and involve us during the design, development and deployment of innovative technology.

Expectations should be clarified periodically and may be formalized by means of a Letter of Intent or other document clarifying mutual understanding and commitment.