Privacy working group meeting 2 - July 25, 2022
This discussion guide is provided to assist working group members in preparing for the meeting.
For questions or comments, please contact obbo@fin.gc.ca.
Discussion guide
Objective
To ensure the efficient functioning of an open banking system, the Advisory Committee on Open Banking (the Committee) recommended that common rules be established in the areas of liability, privacy and security.
The aim of this working group is to draft common rules on privacy to recommend to the government.
In their final report, the Committee noted that the core objective for implementing open banking in Canada is to realize consumers’ right to data portability and move to a system of secure, efficient and consumer-permissioned data sharing.
Approach and timelines
Meetings will be held approximately every three weeks. Members are encouraged to review the following material in advance of meetings:
- Canada's Digital Charter: Trust in a digital world
- Final Report, Advisory Committee on Open Banking
- Terms of reference for the open banking working groups and steering committee
- Annex A – Timeline of privacy working group topics
The open banking lead, with support from the Department of Finance (the Secretariat), will distribute documents guiding the discussion for each meeting which will also be available on the open banking implementation page. Members may also be asked to draft material for discussion.
Privacy working group topics and timeline
Limits of consent and operational considerations
While consent is foundational to data sharing, it is neither absolute nor perpetual. Consumers may authorize data to be shared for a particular use. However, the object of such consent may lapse. Furthermore, consent may be given for a limited period of time or revoked at the discretion of the consumer.
Discussion
- How frequently should consumer consent be “refreshed”?
- What should the consent revocation process look like?
- How can the revocation process be made quick and efficient?
- Other than revocation and length, are there any other factors which may contribute to the validity of a consent?
- When the validity of a consent expires, what related processes should be considered? For example, this may include deleting the consumer data held by the service provider.
Annex A – Timeline of privacy working group topics
Timeline: July | Topic | Outcome
---|---|---
Meeting 1 | Essentials of consent | Common rules on the fundamental elements of valid consent
Meeting 2 | Limits of consent and operational considerations | Common rules on the factors contributing to consent lapsing and the processes related thereto

Timeline: Aug. to Oct. | Topic | Outcome
---|---|---
Meeting 3 | Public disclosure | Common rules on the process to publicly disclose consumer complaints
Meeting 4 | Consent standardization | Common rules on the customer journey experience
Meeting 5 | Consent management process | Common rules on how consent dashboards for participants should be managed, including types of privacy information that should be available
Meeting 6 | Customer protection | Common rules on how vulnerable customers will be protected
Outcomes
Essentials of consent (from meeting 1)
Discussion 6
What are the requirements associated with the implementation of the data minimization principle? How can this notion be implemented in practice?
- There was general consensus on the need to align data minimization principles with the consent framework for open banking as well as with existing privacy frameworks that apply in Canada.
- There was general consensus on the importance of being clear on how the data will be used when collected as part of the consent process.
- There was some discussion, but no consensus, on whether data providers have a data minimization obligation, since they would not know whether the data being provided was required for the service provided by the data recipient.
Limits of consent and operational considerations
Discussion 1
How frequently should consumer consent be “refreshed”?
- There was agreement that this topic was discussed at privacy working group meeting 1 and further discussion was not required.
Discussion 2
What should the consent revocation process look like?
- There was general consensus that a consumer consent revocation process should:
- Be clear, simple and transparent for the consumer;
- Permit the consumer to initiate revocation with either the data recipient or the data provider, and reasonably expect that both parties will communicate with one another very soon afterwards;
- Require the data provider to complete a customer’s request for revocation as quickly as possible, with some flexibility for technical limitations as well as consideration of options for consumer benefit (for instance, providing the option to revoke access at the end of a billing cycle or a subscription period);
- Require the data provider, upon receiving revocation of consent, to immediately notify the data recipient; and
- Notify consumers clearly over the course of the revocation process, including what happens to their data, and give them options as to whether to delete or retain the data.
Discussion 3
How can the revocation process be made quick and efficient?
- There was general consensus for a standardized and simple approach to the revocation of consent, particularly on the process and language.
- There was general consensus that the process to revoke consent should aspire to be as simple and clear as the process for collecting consent. Consumers should be able to revoke consent with the same (or fewer) number of clicks as providing consent.
- A participant noted India’s approach in aggregating consent, to help a consumer manage their consent agreements across multiple participants.
Discussion 4
Other than revocation and length, are there any other factors which may contribute to the validity of a consent?
- There was general consensus that if the accreditation status of a participant lapses, it affects the consent they hold from consumers and they would need to re-seek consent.
- Participants also suggested that a change in a consumer’s status would also impact consent (for example, death). Privacy breaches or cyber incidents may also impact consent.
- There was general consensus that the approach to consent should align with financial services industry standards, such as signing up for a credit card.
Discussion 5
When the validity of a consent expires, what related processes should be considered? For example, this may include deleting the consumer data held by the service provider.
- There was general consensus that current legislative frameworks provide guidance that can be applied to open banking. This includes record-retention obligations for anti-money laundering purposes, and federal and provincial privacy frameworks regarding the retention, destruction and control of consumers’ personal data.
Privacy working group attendees
Members
- Bank of Montreal
- Borrowell
- Brim Financial
- Coast Capital Savings
- Desjardins
- First Nations Bank of Canada
- Interac
- Mogo
- Option consommateurs
- Prospera Credit Union
- Public Interest Advocacy Centre
- Royal Bank of Canada
- Scotiabank
External guests
- Financial Consumer Agency of Canada
- Financial Services Regulatory Authority of Ontario
- Office of the Superintendent of Financial Institutions
Chair
- Abraham Tachjian, Open banking lead
Secretariat
- Department of Finance Canada