Updated: Aug 4
In this article I discuss data citizenship and some of its key concepts. I will also mention some of the relevant laws and regulations in Alberta, Canada, having to do with the collection, use and sharing of data across the province.
1. Data Citizenship at Large
In recent years, the amount of data being generated and collected has grown exponentially, driven by advances in technology and the proliferation of digital devices. This has led to a range of new opportunities and challenges, from more personalized products and services to concerns about privacy and security.
As a result, there has been growing interest in the concept of data citizenship as a way of framing the rights and responsibilities of individuals and organizations in relation to data. While there is no single definition of data citizenship out there, it generally refers to the idea that individuals and organizations have a role to play in shaping the use and impact of data, and that they should be mindful of the ways in which data is collected, used, and shared.
One key aspect of data citizenship is the idea of data literacy, which refers to the ability to read, interpret, and analyze data. As data becomes more central to our lives, it is important for individuals to develop these skills in order to participate in the digital world in a reasonable capacity. This includes being able to identify different types of data, understand and evaluate how it is collected and analyzed, and evaluate the quality and accuracy of data sources.
At the same time, data citizenship also involves recognizing the rights of individuals to control their own data, which is closely connected the privacy. This includes the right to know what data is being collected about them, the right to request that data be deleted or corrected, and the right to opt out of certain uses of their data. In many cases, these rights are enshrined in data protection laws such as the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States, or the Freedom of Information and Protection of Privacy Act (FOIP) in Alberta, Canada (more on the latter below).
Another important aspect of data citizenship is the idea of data ethics, which refers to the moral principles and values that guide the collection, use, and sharing of data. This includes issues such as transparency, fairness, and accountability. For example, organizations that collect data should be transparent about their data practices, including what data they collect, how it is used, and who it is shared with. They should also take steps to ensure that their data practices are fair and non-discriminatory and that they are accountable for any negative impacts that may result from their use of data.
What was said above only scratches the surface of the space of data citizenship, serving as an introductory blurb on the matter. An increasing number of research articles and projects are dedicated to this topic and its expanding branches. We hope to cover these in more detail in the future.
2. Data Citizenship in Alberta
Where does Alberta fall when in the space of data citizenship? In this section, we attend to data citizenship in the province and particularly shed some light on matters of data ethics from the perspective of the law.
There are two main privacy laws that apply to public bodies (including
healthcare bodies) in Alberta: The Freedom of Information and Protection of Privacy Act (the FOIP Act) and The Health Information Act (HIA). The FOIP Act outlines regulations for safeguarding personal information and accessing information held by public entities in Alberta, including the provincial government and its agencies, local government bodies, school districts, post-secondary institutions, healthcare organizations, and police services. The HIA specifically applies to health information held by "custodians," such as Alberta Health and Wellness, regional health authorities, pharmacies, and physicians. It establishes guidelines for collecting, using, disclosing, and protecting personal health information, as well as granting individuals the right to access their own health information.
As for the private-sector privacy laws that apply in Alberta, they include Alberta's Personal Information Protection Act (PIPA) and the federal Personal Information Protection and Electronic Documents Act (PIPEDA). PIPA's primary goal is to protect the privacy of individuals by mandating private-sector institutions to secure consent for the collection, usage, and disclosure of personal information in most cases, and allowing individuals to access their personal information. PIPA is not applicable to public bodies in Alberta, but it may be relevant to businesses that public bodies work with.
Moreover, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) prescribes regulations for private-sector institutions that are federally regulated. Although PIPEDA does not apply to public bodies in Alberta, it may be applicable to organizations that public bodies partner with. It also applies to businesses that are under provincial regulation in provinces where private sector privacy legislation, such as Alberta's PIPA, is not substantially similar.
Due to the scope and focus of this article, we can’t discuss all of these laws in detail. Instead, in the rest of this article, I’ll take a closer look at PIPA, notice an interesting point in it, and finish by raising a question.
The Personal Information Protection Act (PIPA) went into effect in Jan 1, 2004. PIPA establishes a structure for private sector entities to handle the collection, use, and disclosure of personal information while also giving individuals the right to request access to their personal information.
Entities such as corporations, unincorporated associations, professional regulatory associations, trade unions, partnerships, private schools or colleges, and any individual engaging in commercial activities are subject to PIPA. Non-profit organizations are subject to PIPA only if they participate in commercial activities, and the act applies to them in a limited manner.
The Personal Information Protection Act of Alberta, Canada is divided into several sections and subsections that attend to data collection, use and privacy rights in the province. We can’t cover all sections in great detail here, but some highlights are as follows.
Section 14 outlines the circumstances under which an organization can collect personal information without an individual's consent. Specifically, an organization may collect personal information without consent if it is reasonable to do so for the purposes of:
(a) investigating a possible violation of a law,
(b) detecting, suppressing, or preventing fraud,
(c) protecting public interests (such as national security or public health),
(d) creating a credit report,
(h) securing the health or safety of an individual,
(i) determining a person's suitability for an employment or volunteering opportunity,
(j) providing a product or service that has been requested by an individual,
(k) establishing, managing, or terminating an employment or volunteer relationship,
(l) engaging in research.
Section 16, which deals with the collection of personal information. Under Section 16, an organization may collect personal information only if it is reasonable to do so, and the individual consents to the collection. However, if the individual is an employee of the organization, they must be notified in advance of the collection and the purposes for which the information will be used. Nothing in this section restricts an organization's ability to collect personal information under Section 14.
Section 17 deals with the use of personal information. An organization may use personal information only for purposes that are reasonable, and only to the extent necessary to achieve those purposes. However, there are circumstances under which an organization may use personal information without an individual's consent. For example, the use of the information may be authorized by law, necessary to comply with a collective agreement or a regulatory audit, or necessary to respond to an emergency that threatens an individual's life, health, or security.
Section 22 deals with access to personal information. An individual has the right to access the personal information held by an organization, and to request that any inaccuracies be corrected. The organization must respond to the request within a reasonable time and at minimal or no cost to the individual, subject to certain exceptions.
As the reader can see, most of these rules and regulations heavily hinge on the use of the term ‘reasonable’, which isn’t clearly defined in the Act. The only place where there is a mention of the use of this term is on page 7, which keeps using the term in explaining it:
“Standard as to what is reasonable. Where in this Act anything or any matter (a) is described, characterized or referred to as reasonable or unreasonable, or (b) is required or directed to be carried out or otherwise dealt with reasonably or in a reasonable manner, the standard to be applied under this Act in determining whether the thing or matter is reasonable or unreasonable, or has been carried out or otherwise dealt with reasonably or in a reasonable manner, is what a reasonable person would consider appropriate in the circumstances”
It is natural to occur to the reader that since many of the dos and don'ts of collecting, using and revealing individual and organization data (at times without their consent) according to this Act revolves around the term ‘reasonable’, the term perhaps should be clarified further by the law in the interest of transparency, safety and privacy of Albertans. In fact, one might argue that this is a necessary step in promoting data citizenship in Alberta.