Non-Profits in Canada: Trends in Privacy Compliance

As privacy breaches become more common, Canada’s non-profit sector finds itself in an uncertain position regarding expected responses to data breaches. Most non-profits operating in Canada are not required to comply with federal or provincial privacy legislation. For example, the Personal Information Protection and Electronic Documents Act (PIPEDA) does not cover most non-profit activities unless they are of a commercial nature, and non-profits that operate in provinces without their own privacy legislation (which is most of them) all fall under this stipulation. A number of provinces have drafted their own, similar legislation, and, in most cases, non-profits are treated the same way. However, Alberta’s privacy commissioner is signaling a potential new trend in non-profit privacy legislative compliance in the country.

The province, whose legislation is very similar to the federal policy, is currently pushing for non-profits to be brought under the legislation. According to the Calgary Herald, the province’s privacy commissioner is concerned about her office’s inability to act on the majority of the complaints it receives from the public about non-profits. Importantly, this statement from March of this year was not the first time Jill Clayton expressed her desire to see non-profits brought under the Freedom of Information and Protection of Privacy Act (FOIP Act). In a formal review of the Act from July 2013, Clayton issued an opinion that she was “concerned that the personal information of Albertans may not be protected” in cases of service delivery partnerships between non-profits and the public sector (2). She recommended that, in such partnerships, the public sector should be more responsible for handling the personal information, as non-profits are not yet subject to the Act. These issues speak to growing concerns about the amount of personal information that organizations possess, as well as how effectively it is protected. As privacy breaches become more common, people want to know that when they provide their information to an organization, it will be securely stored and responsibly managed.

This is not to say that non-profits are being irresponsible with the information they possess. Many have their own publicly-available privacy policies, and groups like the Ontario Non-Profit Network help members bring their privacy and security systems up to a higher standard. In a recent survey, members of the public responded saying they now expect more out of the organizations that handle their personal information, and it is important for the country’s non-profits to be more aware of trends in compliance.

If Alberta’s pursuit of mandatory compliance becomes a trend across Canada, non-profits will be expected to improve both their response to privacy breaches and their technical capabilities. Even if other provinces are slow to adapt their own legislation, it is important that non-profits develop proactive strategies for handling privacy breaches before the personal information they possess ends up in the wrong hands.

Posted in Information Management, Information Security, Privacy

Electronic Discovery Reference Model and Information Governance Reference Model more integrated than ever!

The EDRM model has recently been updated to incorporate the detailed Information Governance Reference Model (IGRM) into the diagram, giving a more holistic view of the relationship between information governance and e-discovery, and more importance to information governance.

Posted in E-Discovery, EDRM, Governance

Getting Ready for Superman – The Governance of Supplier Management Risk


IDC predicts that by 2020, 40% of all organizational data will reach the cloud. This is a staggering statistic if you think about the implications for the many data management programs and governance functions that have traditionally focused their efforts on on-premise hosted data warehouses and repositories. The outsourcing of the data custodian, technology asset and even data ownership functions means increased complexity that must be managed consistently with contractual obligations, service delivery and performance standards, and established supplier risk management governance frameworks at the enterprise level. This paradigm shift will also have a huge impact on the perception as well as the prevalence of dark data. Data management functions will need to be consistently aware of the data that lies at the periphery of their governance programs, and within the custody and sometimes control of other entities, to ensure that it doesn’t go dark or get forgotten.

Data protection and lifecycle management controls are becoming increasingly important not only to implement but to enforce over the long term, in order to ensure that dark data doesn’t become an organization’s kryptonite. As a result, enterprise data governance functions will increasingly be paramount in managing the risks of dark data on the shadowed edges of an organization’s control.

Posted in Uncategorized

EDT: now part of KPMG’s Ediscovery Managed Services

KPMG announced the addition of a new product to its KPMG Ediscovery Managed Services at LegalTech 2016 in New York.
With EDT, our clients no longer need to rely on service providers or to make important capital investments in their infrastructure. They can now manage their cases by themselves, from ingestion through production to the Court, including Early Case Assessment (“ECA”), processing and review.

The solution offers many functionalities, such as:
- Indexing large volumes of data in a matter of seconds
- Filtering and organizing content as you see fit
- Running keyword and similarity searches
- Managing access privileges
- Reviewing and coding documents
- Producing documents in most standard formats

KPMG’s Ediscovery Managed Services offer packages for a wide range of needs. Contact or access our website for more details.

EDT Product illustration

EDT screen capture

Posted in Collection, Document Review, E-Discovery, EDRM, Forensic, Information Technology, Legal Technology, Predictive Coding, Processing, Technology, Uncategorized

Data Privacy…still a long road to go!

Every January 28, many countries, including Canada, celebrate Data Privacy Day. Although it unfortunately lacks publicity, this day should help us remember the importance of privacy in our digital world.

Privacy starts with basic rules such as a strong password. Recently, SplashData provided its list of the most popular passwords of 2015. We were astonished to discover that the top ones were “123456” and “password”.

For information and advice on how to improve your data privacy, the Office of the Privacy Commissioner of Canada recently released some documents on its website.

Posted in Cyber Security, Information Security, Privacy

An Inspiring Model!

In July 2011, Australia, and more specifically David Fricker, Director-General of the National Archives of Australia, launched its Digital Transition Policy and declared that 2015 would be the last year in which the National Archives would accept paper records from the various Australian agencies and departments.

In order to help agencies and departments make the transition to digital, National Archives of Australia (NAA) launched a new Digital Information and Records Management Capability Matrix. This matrix is available online for free, since in a digital environment, all employees, regardless of their level or specialty, are responsible for the information they create or receive. The matrix identifies the different areas of digital information management for government staff, technology and communications specialists or information and records management specialists. For each topic, there are links to courses, tutorials, policies and standards, which make the matrix a very interesting tool.

Knowing that Australia is a pioneer in electronic records management—ISO 15489 is based on an Australian standard—we can only hope that a similar initiative will be launched in Canada.

Posted in Uncategorized

Latest news on the revision of ISO 15489 on Records Management

You may already know that ISO 15489, published in 2001, is under revision. This winter, the public was invited to comment on the latest draft produced by the Working Group.

The Working Group met a few days ago in Beijing to review and discuss all the comments made on the draft.

A revised draft of ISO 15489’s Part 1 should be released by mid-August in order to start the formal ISO approval process. The new version of ISO 15489 – Part 1 should be released by mid-2016, so in a year’s time.

The Working Group also came to the conclusion that Part 2 of ISO 15489 should be replaced gradually by guidelines on different topics such as classification, metadata, disposition, etc.


Posted in ISO 15489, Records Management

kCura Relativity Training and Certification Exams at KPMG’s Toronto offices, June 2015

As a leading provider of Relativity in Canada and Premium Hosting Partner since 2011, KPMG is pleased to offer the opportunity to attend the following exams and training sessions of kCura’s Relativity review platform at its downtown Toronto offices during the week of June 22, 2015.

Certification Exams

Mon Jun 22
- 9 am – 12 pm: Certified Administrator (RCA)
- 1 pm – 3 pm: Review & Analytics Specialist
- 3 pm – 5 pm: Assisted Review & Infrastructure Specialist

Tues Jun 23, 9 am – 5 pm: Administrative

Wed Jun 24, 9 am – 5 pm: Administrative cont.

Thu Jun 25, 9 am – 5 pm: Analytics

Fri Jun 26, 9 am – 5 pm: Processing

For more information on course itineraries and to register, please visit:



(In the Training listings, don’t forget to click “see more dates” if the Toronto session is not appearing.)

Breakfast and lunch will be provided.

The sessions will all be held at KPMG’s downtown offices: 333 Bay Street, Toronto, ON M5H 2S5. Session seats are limited and will be booked on a first-come, first-served basis. Don’t miss out on this opportunity to hone existing skills and become certified in the legal industry’s leading hosting and review software.

Please do not hesitate to contact David Sharpe or me for questions or registration assistance. We look forward to seeing you there!

Posted in Certification, Document Review, E-Discovery, Training

Dark Governance Rises: Maturing Beyond an Operational Data Governance Model

Over the course of the last year or so, the buzz-phrase “dark data” has entered the common lexicon of data management, information management, technology and business analytics circles. When I first heard the term my mind conjured up the image of the bat-cave wired with the technical capabilities to track Gotham City’s super villains. Armed with my rapacious curiosity I set out on a deliberate quest to study the shadowed periphery of the information landscape.

This four-part blog series shall examine the emergent phenomenon known as “dark data” with the objective of evaluating and contextualizing the trend’s influence on the information management practice discipline.


The reality of big data is that prioritization is key, since the data landscape is growing at an exponential rate. We can’t boil the ocean, as much as many would like to. As such, enterprise governance and risk management strategies are not only valuable in standardizing operational data management practices and monitoring for risk, benefits realization, performance and compliance, but can also assist in rationalizing existing data management processes prioritized within larger enterprise data, business, compliance and technology views. Interestingly, a recent article published in CIO magazine echoes these sentiments while providing an overview of enterprise risk considerations as they relate to the prevalence of unstructured dark data.

Unfortunately, the data governance framework most commonly adopted by organizations is often reactive and/or point-solution-based, reinforcing a lack of data management practice maturity. The results of this piecemeal and operationally-driven approach to data governance may include:

(i) operational data management service delivery issues prioritized in a vacuum;
(ii) the emergence of a fractured data ownership (and decision-making) model;
(iii) inconsistent procedural practices across data stores;
(iv) lack of enforceability or alignment with broader organizational data management policies or procedures;
(v) siloed and/or fractured data management decision-making that may fail to consider downstream/upstream process impacts;
(vi) a lack of oversight into broader legal, compliance or governance risks impacting data management practices;
(vii) minimal detective/predictive controls implemented to support proactive governance capabilities;
(viii) increased emphasis on governing performance and process as opposed to risk; and
(ix) a lack of measurable and demonstrated value of the governance function.

In a nutshell, a data management program that seeks to implement governance only at the operational data management layer will undoubtedly find it difficult to unlock the value and/or manage the risk of dark data in a consistent fashion unless it matures to include an enterprise governance function.

Stay Tuned for Part 4 of our Series…
Getting Ready for Superman – The Governance of Supplier Management Risk

Posted in Governance, Information Management

Cybersecurity at heart!

For about 3 years now, cybercrime has been expanding, and every organization can be a target, from the smallest to the biggest.

Prevention is always better than cure, so every organization should develop and implement plans and procedures to prevent and respond to cyber threats.

The U.S. Department of Justice recently developed and published its Best Practices for Victim Response and Reporting of Cyber Incidents (PDF). If your organization is not yet prepared for cyber incidents, this is a good starting point.

If you need help developing or implementing your cyber prevention and response plan, or if you are the victim of a cyber incident, KPMG’s Cyber Security team of professionals can help you.

Posted in Cyber Security, Cybercrime, Information Security, Information Technology, IT Security