Privacy working group meeting 1 – July 8, 2022
This discussion guide is provided to assist working group members in preparing for the meeting.
For questions or comments, please contact obbo@fin.gc.ca.
Discussion guide
Objective
To ensure the efficient functioning of an open banking system, the Advisory Committee on Open Banking (the Committee) recommended that common rules be established in the areas of liability, privacy and security.
The aim of this working group is to draft common rules on privacy to recommend to the government.
In their final report, the Committee noted that the core objective for implementing open banking in Canada is to realize consumers’ right to data portability and move to a system of secure, efficient and consumer-permissioned data sharing.
Approach and timelines
Meetings will be held approximately every three weeks. Members are encouraged to review the following material in advance of meetings:
- Canada's Digital Charter: Trust in a digital world
- Final Report, Advisory Committee on Open Banking
- Terms of reference for the open banking working groups and steering committee
- Annex A – Timeline of privacy working group topics
The open banking lead, with support from the Department of Finance Canada (the Secretariat), will distribute documents guiding the discussion for each meeting, which will also be available on the open banking implementation page. Members may also be asked to draft material for discussion.
Privacy working group topics and timeline
Discussion
- Are there other topics that should be considered by the privacy working group which were not captured in Annex A?
- What are your views on the proposed timeline and cadence of the work plan?
Essentials of consent
Consumer privacy rights are governed by provincial and federal privacy legislation, which detail how personal information is to be collected, used, and shared. Consent is an essential element of Canadian privacy legislation. Without express or explicit consent, meaning consumers are presented with clear options to accept or reject, consumers may not provide valid authorization for the open banking participant to access their data. There is also a risk that consumers may provide consent without fully understanding the extent and scope of their consent.
The Committee recommended that Canada’s open banking system provide consumers:
- a clear line of sight into who has their data, what that data includes, and how it is being used;
- a clear standardized process for consumers to provide and revoke consent to share their data; and,
- considerations of how financially marginalized or vulnerable consumers will navigate an open banking system.
Discussion
- What are the fundamental elements of a valid customer consent? For example, must consent be explicit?
- How should each element of consent be understood? For example, as above, what would constitute an “explicit” consent?
- Who has the responsibility for collecting the consumer consent: data recipients or data providers?
The concept of data minimization complements the requirement for consent. Data minimization provides that the collection and use of data should be limited to only that which is necessary for a specific purpose. While the concept may appear simple and self-explanatory, it merits further elaboration given the limits it imposes on data recipients.
Discussion
- What are the requirements associated with the implementation of the data minimization principle? How can this notion be implemented in practice?
Annex A – Timeline of privacy working group topics
Timeline July | Topic | Outcome |
---|---|---|
Meeting 1 | Essentials of consent | Common rules on the fundamental elements of valid consent |
Meeting 2 | Limits of consent and operational considerations | Common rules on the factors contributing to consent lapsing and the processes related thereto |

Timeline Aug. to Oct. | Topic | Outcome |
---|---|---|
Meeting 3 | Public disclosure | Common rules on the process to publicly disclose consumer complaints |
Meeting 4 | Consent standardization | Common rules on the customer journey experience |
Meeting 5 | Consent management process | Common rules on how consent dashboards for participants should be managed, including types of privacy information that should be available |
Meeting 6 | Customer protection | Common rules on how vulnerable customers will be protected |
Outcomes
Privacy working group topics and timeline
Discussion 1
Are there other topics that should be considered by the privacy working group which were not captured in Annex A?
- There was general consensus that the proposed topics for the privacy working group were appropriate.
Discussion 2
What are your views on the proposed timeline and cadence of the work plan?
- There was a general consensus that the proposed timeline and cadence of meetings for the privacy working group were appropriate. However, there may need to be more time allocated to meeting 4, consent standardization.
Essentials of consent
Discussion 3
What are the fundamental elements of a valid customer consent? For example, must consent be explicit?
- There was general agreement on the essentials of consent. This entails that consent be explicit, list the implications of the data use, be fully transparent on how the data will be used, be limited in time, and be revocable. It was also noted that the customer journey should be designed in support of these elements. A participant also noted that it is important to build on top of existing privacy guidance and not to deviate from it.
- Participants also raised considerations with respect to how consent may be provided in respect of joint accounts.
Discussion 4
How should each element of consent be understood? For example, as above, what would constitute an “explicit” consent?
- Participants agreed to focus the discussion on the timing of consent and revocation.
- On timing, a majority of participants supported a 12-month interval to refresh consent. A small number of participants favoured no requirement to refresh consent in cases where a consumer was actively using the application. Some participants also favoured a shorter timeline to refresh consent in situations where a consumer is not regularly using the application. It was further noted that refreshing consent based on application usage may pose technical challenges.
- On revocation, participants agreed that revocation would be deemed where the consumer closes their account or if the purpose for which the data was collected changes.
Discussion 5
Who has the responsibility for collecting the consumer consent: data recipients or data providers?
- Participants noted that both parties share the responsibility for collecting consent and that the customer journey needs to have a seamless flow. It was also noted that most of the burden would be on the data recipient. Discussion of the issue at a subsequent meeting is needed to arrive at a consensus.
Discussion 6
What are the requirements associated with the implementation of the data minimization principle? How can this notion be implemented in practice?
- This item was deferred to the next privacy working group meeting.
Privacy working group attendees
Members
- Bank of Montreal
- Borrowell
- Brim Financial
- Coast Capital Savings
- Desjardins
- First Nations Bank of Canada
- Interac
- Mogo
- Option consommateurs
- Prospera Credit Union
- Public Interest Advocacy Centre
- Royal Bank of Canada
- Scotiabank
External guests
- Financial Consumer Agency of Canada
- Financial Services Regulatory Authority of Ontario
- Office of the Superintendent of Financial Institutions
Chair
- Abraham Tachjian, Open banking lead
Secretariat
- Department of Finance Canada