Privacy working group meeting 2 - July 25, 2022

This discussion guide is provided to assist working group members in preparing for the meeting.

For questions or comments, please contact obbo@fin.gc.ca.

Discussion guide

Objective

To ensure the efficient functioning of an open banking system, the Advisory Committee on Open Banking (the Committee) recommended that common rules be established in the areas of liability, privacy and security.

The aim of this working group is to draft common rules on privacy to recommend to the government.

Common Rules for Open Banking

Objectives:

Consumer Protection and Positive Consumer Experience

Liability:

Allocating responsibility if something goes wrong and ensuring consumer access to redress.

Privacy:

Ensuring express consent and consumer control over data

Security:

Ensuring consumer data is protected in accordance with best practices

In their final report, the Committee noted that the core objective for implementing open banking in Canada is to realize consumers’ right to data portability and move to a system of secure, efficient and consumer-permissioned data sharing.

Approach and timelines

Meetings will be held approximately every three weeks. Members are encouraged to review the following material in advance of meetings:

The open banking lead, with support from the Department of Finance (the Secretariat), will distribute documents guiding the discussion for each meeting, which will also be available on the open banking implementation page. Members may also be asked to draft material for discussion.

Privacy working group topics and timeline

Limits of consent and operational considerations

While consent is foundational to data sharing, it is neither absolute nor perpetual. Consumers may authorize data to be shared for a particular use. However, the object of such consent may lapse. Furthermore, consent may be given for a limited period of time or revoked at the discretion of the consumer.

Discussion

  1. How frequently should consumer consent be “refreshed”?
  2. What should the consent revocation process look like?
  3. How can the revocation process be made quick and efficient?
  4. Other than revocation and length, are there any other factors which may contribute to the validity of a consent?
  5. When the validity of a consent expires, what related processes should be considered? For example, this may include deleting the consumer data held by the service provider.

Annex A – Timeline of privacy working group topics

Theme 1: Consent
Timeline: July

  • Meeting 1
    Topic: Essentials of consent
    Outcome: Common rules on the fundamental elements of valid consent
  • Meeting 2
    Topic: Limits of consent and operational considerations
    Outcome: Common rules on the factors contributing to consent lapsing and the processes related thereto

Theme 2: Consent management and journey
Timeline: Aug. to Oct.

  • Meeting 3
    Topic: Public disclosure
    Outcome: Common rules on the process to publicly disclose consumer complaints
  • Meeting 4
    Topic: Consent standardization
    Outcome: Common rules on the customer journey experience
  • Meeting 5
    Topic: Consent management process
    Outcome: Common rules on how consent dashboards for participants should be managed, including types of privacy information that should be available
  • Meeting 6
    Topic: Customer protection
    Outcome: Common rules on how vulnerable customers will be protected

Outcomes

Essentials of consent (from meeting 1)

Discussion 6

What are the requirements associated with the implementation of the data minimization principle? How can this notion be implemented in practice?

Limits of consent and operational considerations

Discussion 1

How frequently should consumer consent be “refreshed”?

Discussion 2

What should the consent revocation process look like?

Discussion 3

How can the revocation process be made quick and efficient?

Discussion 4

Other than revocation and length, are there any other factors which may contribute to the validity of a consent?

Discussion 5

When the validity of a consent expires, what related processes should be considered? For example, this may include deleting the consumer data held by the service provider.

Privacy working group attendees

Members

  • Bank of Montreal
  • Borrowell
  • Brim Financial
  • Coast Capital Savings
  • Desjardins
  • First Nations Bank of Canada
  • Interac
  • Mogo
  • Option consommateurs
  • Prospera Credit Union
  • Public Interest Advocacy Centre
  • Royal Bank of Canada
  • Scotiabank

External guests

  • Financial Consumer Agency of Canada
  • Financial Services Regulatory Authority of Ontario
  • Office of the Superintendent of Financial Institutions

Chair

  • Abraham Tachjian, Open banking lead

Secretariat

  • Department of Finance Canada
