Privacy working group meeting 1 – July 8, 2022

This discussion guide is provided to assist working group members in preparing for the meeting.

For questions or comments, please contact obbo@fin.gc.ca.

On this page:

Discussion guide

Objective

To ensure the efficient functioning of an open banking system, the Advisory Committee on Open Banking (the Committee) recommended that common rules be established in the areas of liability, privacy and security.

The aim of this working group is to draft common rules on privacy to recommend to the government.

Common Rules for Open Banking

Text Version

Common Rules for Open Banking

Objectives:

Consumer Protection and Positive Consumer Experience

Liability:

Allocating responsibility if something goes wrong and ensuring consumer access to redress.

Privacy:

Ensuring express consent and consumer control over data

Security:

Ensuring consumer data is protected in accordance with best practices

In their final report, the Committee noted that the core objective for implementing open banking in Canada is to realize consumers’ right to data portability and move to a system of secure, efficient and consumer-permissioned data sharing.

Approach and timelines

Meetings will be held approximately every three weeks. Members are encouraged to review the following material in advance of meetings:

The open banking lead, with support from the Department of Finance Canada (the Secretariat), will distribute documents guiding the discussion for each meeting which will also be available on the open banking implementation page. Members may also be asked to draft material for discussion.

Privacy working group topics and timeline

Discussion

  1. Are there other topics that should be considered by the privacy working group which were not captured in Annex A?
  2. What are your views on the proposed timeline and cadence of the work plan?

Essentials of consent

Consumer privacy rights are governed by provincial and federal privacy legislation, which detail how personal information is to be collected, used, and shared. Consent is an essential element of Canadian privacy legislation. Without express or explicit consent, meaning consumers are presented with clear options to accept or reject, consumers may not provide valid authorization for the open banking participant to access their data. There is also a risk that consumers may provide consent without fully understanding the extent and scope of their consent.
The Committee recommended that the Canada’s open banking system provide consumers:

Discussion

  1. What are the fundamental elements of a valid customer consent? For example, must consent be explicit?
  2. How should each element of consent be understood? For example, as above, what would constitute an “explicit” consent?
  3. Who has the responsibility for collecting the consumer consent: data recipients or data providers?

The concept of data minimization complements the requirement for consent. Data minimization provides that the collection and use of data should be limited to only that which is necessary for a specific purpose. While the concept may appear simple and self-explanatory, it merits further elaboration given the limits it imposes on data recipients.

Discussion

  1. What are the requirements associated with the implementation of the data minimization principle? How can this notion be implemented in practice?

Annex A – Timeline of privacy working group topics

Theme 1: Consent
Timeline
July  
Topic Outcome
Meeting 1 Essentials of consent Common rules on the fundamental elements of valid consent
Meeting 2 Limits of consent and operational considerations Common rules on the factors contributing to consent lapsing and the processes related thereto
Theme 2: Consent management and journey
Timeline
Aug. to Oct.
Topic Outcome
Meeting 3 Public disclosure Common rules on the process to publicly disclose consumer complaints
Meeting 4 Consent standardization Common rules on the customer journey experience
Meeting 5 Consent management process Common rules on how consent dashboards for participants should be managed, including types of privacy information that should be available
Meeting 6 Customer protection Common rules on how vulnerable customers will be protected

Outcomes

Privacy working group topics and timeline

Discussion 1

Are there other topics that should be considered by the privacy working group which were not captured in Annex A?

Discussion 2

What are your views on the proposed timeline and cadence of the work plan?

Essentials of consent

Discussion 3

What are the fundamental elements of a valid customer consent? For example, must consent be explicit?

Discussion 4

How should each element of consent be understood? For example, as above, what would constitute an “explicit” consent?

Discussion 5

Who has the responsibility for collecting the consumer consent: data recipients or data providers?

Discussion 6

What are the requirements associated with the implementation of the data minimization principle? How can this notion be implemented in practice?

Privacy working group attendees

Members

  • Bank of Montreal
  • Borrowell
  • Brim Financial
  • Coast Capital Savings
  • Desjardins
  • First Nations Bank of Canada
  • Interac
  • Mogo
  • Option consommateurs
  • Prospera Credit Union
  • Public Interest Advocacy Centre
  • Royal Bank of Canada
  • Scotiabank

External guests

  • Financial Consumer Agency of Canada
  • Financial Services Regulatory Authority of Ontario
  • Office of the Superintendent of Financial Institutions

Chair

  • Abraham Tachjian, Open banking lead

Secretariat

  • Department of Finance Canada

Page details

Date modified: