Privacy policy
Our full website privacy policy can be downloaded [here soon].
What follows below is a summary of this longer document.
What privacy means to us
Privacy is a fundamental human right, an essential part of complete human psychological development and self-actualization, and a necessary precondition to the exercise of cherished democratic and legal rights like the freedom of expression, the freedom to vote, the right to security of the person, and the freedom from unreasonable search and seizure. Without privacy, we lose what it means to be free and a big part of what it means to be Canadian. Privacy must, therefore, be given the priority its status demands in this policy and in 3rd Space Consulting (3SC) information management practices beyond it.
Who we are
3SC is a consulting firm headquartered in Edmonton, Alberta but with significant presence throughout the province and operations in British Columbia and the Northwest Territories. While our specific service portfolio fluctuates with the expertise of the people who work with us at any given time, our current service offerings include:
institutional bias assessments and anti-bias training,
education policy, practice, and pedagogy,
business turnaround, strategy, and IT system needs analysis and deployment,
legal issue management (note this is not legal advice or representation),
public policy research, development, and evaluation,
major capital project design process advisory, and
project or initiative results assessment and reporting.
We were founded to pursue truth. This seems trite but all of the founding partners experienced that moment at work when what was easy or convenient or familiar was pursued over what was hard but right; where what was safe won over what would work.
3rd Space is the safe space for what the data and evidence say. What flies here is the most effective and powerful solution to permanently work a problem into oblivion. We’re on a mission to bring principle, evidence, courage, and strategy back into the decisions that matter. If you’re ready to hear what you need instead of being misled by what feels good, to actually deal with problems at their roots instead of tinkering around edges and hoping for the best, step into our space. It’s not comfortable, but it is a lot of fun.
What is this thing you’re reading?
This is a summary of 3SC’s Website Privacy Policy. The policy is a series of rules that describe what personal information is involved in interacting with a website generally and this website in particular, what personal information 3SC collects and on what terms, what personal information we retain and use, how we use that information, what we will do to protect it, what happens if our protections are breached, what rights the law and/or 3SC grant to you over the information in our care, how you can go about doing things related to those rights, and what to do if you have any questions or concerns.
Those seeking to review the detailed policy document can find it here.
Authorities
Although there is some complexity here that the policy gets into, in the vast majority of cases our authority to collect personal information by operating a business website comes from section 11 of the Personal Information Protection Act, RSA 2003, c. P-6.5 (PIPA (Alberta)) on a section 8(2) deemed consent basis.
If this is not clear now, it should get more so after you review the classes of personal information involved which is next.
Why we collect personal information
Purpose of collection
We operate a public website for our business: www.3rdspaceconsulting.com. In our view, having a website is essential to any and every business operating today. Having an online presence does the following things:
It creates a marketing channel for us to communicate information about 3rd Space to prospective, current, and prior clients. It helps people find us, and then plays a role in convincing them we’re the right fit for their needs so they can hire us. Generating revenue is a fairly important part of operating a private business. Revenue comes from clients and the website helps them find us. A fairly good overview of the specific ways it does so can be found in this article (no paywall).
It sends a signal to someone who doesn’t know anything about us that 3rd Space is real and a serious outfit. People need to reach some level of comfort with paying money for services that is higher when most business is transacted online. A website is part of the package of things businesses do (we would go further and say ‘are expected to do’) to build this assurance with strangers.
It is a tool of convenience for clients and not-yet-clients trying to contact us. The website has all that information so if contact information wasn’t saved in a phone, or if it was but the phone is now broken, missing, or otherwise unavailable, it is relatively easy to get our digits.
How we collect personal information
Technical backgrounder: the internet
Explain quickly how the internet works. Okay…
The internet is a whole bunch of computers connected with each other. There are many different kinds, connected many different ways, across many different types of wired and wireless connections, using many different languages and protocols and information formats, but underneath it is like any highway system. There are big roads for lots of traffic managed by huge computers designed to do that one thing really well. The biggest of these are cross-continental data cables like Dunant (300 terabytes per second) and 2Africa (180 TB/s). There are also little tiny branches serving low density, highly remote areas with either generalist computers that do other stuff concurrently or tiny little specialists. The goal is to provide the ability for any computer to send and receive digital instructions in the form of data packets from anywhere on the network. It does this by passing that data packet from computer to computer until it gets to the right receiving device.
The design is resilient and dispersed but this approach has costs. One of these is that the less centralized and coordinated a network is, the more information, or more powerful information, about each individual network member is required in order to keep individual unique identities clear. Having single unique and known network end points to send and receive data from is necessary for information to flow between the right devices. If the network can’t reliably tell you apart from the other identical, mass-produced devices connected to it, how it can reliably serve up the content you request is unclear.
Today we have a mix of both powerful and multiple data points the computers on the network can use to differentiate your current device from all the others floating around. A powerful data point is the internet protocol (IP) address of the device. This single data point alone is enough to build a deep, pervasive, and highly accurate record of your online behaviour. It is also essential to accessing the internet because it is how your internet service provider (ISP) routes all the internet data packets that are intended for you to you and your devices. It is effectively a unique address [per device] for you and all your data on the internet. An example of the many-but-individually-not-that-powerful is the mix of device and software characteristics that are regularly presented when two computers first begin a direct dialogue. For example, the following data points about a device are apparently sufficient for Xiaomi to make a high fidelity guess that links the device with a unique Google Analytics marketing profile ID which is enough to identify you as an individual human person:
some endpoint data that was encrypted so precise contents uncertain,
browser brand and version number,
hardware board model,
device brand,
device model number,
OS version string,
network type,
country code, and
OS version number.
This plethora of individually-weak-but-predictive-together information is regularly presented to all kinds of computers for reasons that boil down to ‘someone somewhere built their software to request or require it’. Individually, each software call for the system information it needs makes total sense in the moment.
I, a well-intentioned software developer, am coding a mobile app that shows videos. I think it’s a good idea to call system information about the display so video feeds can be optimized for that device.
At the same time somewhere else I, another well-intentioned software developer, need the OS version as a check at run-time because we don’t support all prior OSs and we’re aware of serious security issues with some prior versions. I know the version string lives in a variable so I’ll just call that variable and take what I need inside my own program.
The challenges now are,
the cumulative effect of these individual decisions to call system information given the sheer volume of software running simultaneously on devices today producing a data set that allows individual identification, and
the rolling-up of all these calls into the status quo culture (quote-unquote ‘the way it is in the industry’) such that everyone is anaesthetized to them and unaware of the challenge to individual privacy interests the culture itself represents.
When your device connects with a website
Back to what 3SC collects. Displaying a website on a screen is therefore your device processing data packets that contain the computer code necessary to do so that are sent to it by the website server. Imagine there are very small delivery vans running back and forth between your device and the server. Each van contains one brown box. Each box contains exactly 1,024 bits, or 128 bytes, of website and website-adjacent data. If an average picture file is 5 megabytes or 5,000 bytes, 40 vans are required to bring it from the server to your device. Each van travels at 79% of the speed of light on a fibre optic cable or 236,836,042 metres per second which is 852,609,751 kilometres per hour (km/h). In Canada, the speed limit for a car on the highway is 110 km/h (68 miles per hour) in most cases.
Each van checks in with the computers that guide it along its way to your device. Each computer can see the address information on the outside of the packet. Most do not retain it; they merely keep it in temporary memory while they find directions for the next network segment along which the data are to travel, send the van on its way, and then clear their memory.
3SC’s position is that a computer reading data at the machine level to determine what the information is and what to do with it is not a ‘collection’ of information within the meaning of privacy legislation. It is possible to convert this activity into a collection by storing the data in permanent memory and making it available in unencrypted formats for individuals to access, but at this stage we do not believe collection has occurred.
When your device connects with 3SC’s website
By now you’re wondering why you care about any of this.
The reason is that we’re trying to answer the question about what personal information is collected by 3SC, our computer equipment, and/or our website server host. To get this, you need to know what the computers themselves are doing because that is where collection does or does not happen.
When you connect to www.3rdspaceconsulting.com, your device sends a connection request to our website host’s computer server. That server starts doing more than just sending website data packets. In particular, it does two things:
It will request a series of data points from the incoming device so it can differentiate it from any others it is handling simultaneously and so it can return website data in the form that works for that device’s specifications and software, and
It will request and receive automatic permission, unless you have taken very specific measures to prevent it, from your device to install a series of cookies some of which have tracking power.
The cookies the host server wants to install are detailed deep inside their legal disclosure materials. If you want to read this yourself, you, dear reader, are an “End User” while we, 3SC, are “Users” because we contract directly with the provider. To them, we are its clients or users while you are a step beyond.
In the majority of cases, the data our host collects from you directly when you talk to the server are placed into a fictional bucket called “User Controlled PI” and quarantined away from the data they collect in their own right for their own purposes. It exists for us to manage using the tools our host provides or third party software we obtain independently of the host. This includes cookie- and non-cookie-based data.
But this is not all they do. Sometimes our host collects your data for their own reasons. This has its own fictional bucket called “Squarespace Controlled PI”. These data might be exactly the same as the data they collect for us or they may be different. They might be from cookies, or they might be direct device system calls, or they might be information your device must present in order to connect to the server like its IP address.
Redirection to host privacy materials
At this stage, we direct you to our website host’s privacy materials for detail on what they do with personal information collected from you and your device when you access our website. Incorporating their materials here is both off-topic and would result in an intensely long document. Key materials are as follows with more detail in the complete policy document linked to this summary:
Squarespace Privacy Policy - Covers data collected from us, its Users, and you, our users and its End Users, for host [a.k.a. not 3SC] purposes.
Squarespace Cookie Policy - Covers data collected from you on our behalf using cookies.
Squarespace The cookies Squarespace uses - Cookie-by-cookie breakdown (helpful and recommended reading) focused on those installed on your device.
Squarespace Data Processing Addendum - Detail on how the host processes “User Controlled PI” on our behalf but dense legal language. Written to us as its users, not you as website end users.
Our analysis of our host’s privacy practices
Section 5(2) of PIPA requires us to assess the privacy practices of all contracted service providers for compliance with the Canadian legislation. 3SC also assesses service provider practices against our values.
Our host’s collection, use, and disclosure of personal information from you for their own purposes and on our behalf is consistent with the baseline legal obligations contained in PIPA. They collect it for legitimate reasons and to the degree required to achieve those reasons. We detect no legally-gratuitous collection, use, or disclosure.
That said, the scope, use, and implementation of their practices does not fully align with 3SC privacy values. More detail on this is found in the main policy document.
What we collect
Finally.
Personal information about you is collected from your device by our website host when you connect with 3SC’s site. As discussed above, this could fall into two distinct buckets:
personal information they collect on our behalf that is managed by us, and
personal information they collect for their own purposes and is managed by them.
Their policy framework deals with the latter. This policy is about the former.
Collection occurs through a variety of mechanisms:
from cookies installed on your device by the website host,
from direct system calls to your device by website hosting server equipment,
from third parties like marketing and advertising network affiliates, payment processors, single sign-on partners (e.g. Google), and so on,
from messages you send to our host directly or through our website contact form to us, and
from public authorities.
We, however, receive a subset of these data. We principally receive technical data collected by our host through the analytics panel offered to help us manage our site. We do not receive bespoke data downloads from their systems outside of this panel. We do not associate with digital marketing or advertising networks, we do not participate or share information with any such network (nor will we - ever), we do not directly access our host’s hardware outside of the analytics panel, and we generally would disclose directly to you any contact, information request, or data demand from a public authority. We would also disclose in most cases where a public authority appears and drops information about you on us, though it is difficult to see exactly what circumstances such an unusual event would occur in.
Note 1: Some cookies have been disabled
3SC has already disabled as many cookies as we can disable via our host’s website management tool. We believe, but due to the superficiality of the privacy documentation available publicly cannot fully confirm, that the only remaining cookies that should be active on our site are some function- and performance-enhancing ones that present limited privacy risk but provide real quality-of-life improvements when using our website. The analytics and tracking cookies should all be offline.
Note 2: 3SC has no capability to store technical data
We have not implemented, nor will we implement, any electronic system to permanently store any of the personal information our host’s website infrastructure extracts from your device. We have no capability to record IP addresses, device characteristics, software data, or other data points in permanent memory. After you log off and the server’s temporary memory is wiped, the only permanent records accessible by us include whatever is in the analytics panel and the content of any messages you yourself have sent to us via the website.
What 3SC collects at least kind-of-permanently
Together, these mean 3SC collects in a permanent or quasi-permanent way the following personal information about you when you use this website:
Technical data stored by our website host that feeds into the analytics panel less those elements of the panel that require cookies we have already disabled, and
The content of any messages you send us using the website’s contact form.
With respect to the contact us web form, we have made the name and email address fields mandatory for the following reasons.
Name field
We need a way to tell messages and submitters apart so we can respond effectively to the content of messages and to record our responses in a filing system where we can easily recall and locate past information. Humans, for better or worse, include the identity of the person they converse with as an often important method of recalling the content of the discussion. Who one speaks to can also determine the content and form of a reply so identity is an important part of the context for future staff finding and fully understanding what was said and why it was said in that way.
As a business that values fairness, it is important for us to know how we have responded to issues in the past. Fairness demands that similarly situated persons receive similar treatment. We need to be able to tell what we’ve done in the past so our decisions remain fair in the future. We therefore need to know at least some of the facts about individuals so we can make a determination as to whether they are similarly situated with others or not.
That said, this implementation of a name field leaves some important elements to be desired:
We cannot make the name field optional inside the website builder. We wouldn’t make it optional anyway but the lack of an ability to do so seems troubling.
We cannot amend the firstname-surname structure of this field. Assuming all humans have precisely one first name and one surname is a highly ethnocentric, cis-het-exclusive assumption to make. Unfortunately, we have no ability to alter this field in the website builder so everyone will have to live with it for now.
Email
This is the primary return contact method. Email is assumed because the submitter is using a website so is already online. We need to be sure we have a way to contact submitters and making this field mandatory means someone cannot forget about it accidentally. Since not having contact information makes responding impossible, having it be mandatory seems proportionate to privacy reduction.
Tradeoff: Users do not have to use real inputs
Given requiring both data points is a privacy issue, and some of the available fields are structurally flawed, we considered alternatives but ultimately were satisfied with the current approach. In addition to the balancing exercise weighing in favour of proceeding despite the issues, there is also the general observation that no one at 3SC is going to perform an in-depth investigation to verify the content of these form fields. We are uninterested in total certainty that website users are providing only their legal first and legal last names that match government-issued ID in this form.
If someone wants to submit a message to us using first name ‘Luna’ last name ‘Meow’ they can do so if they wish and no one at 3SC is going to care (if they have time to, we can find them more value-added work to be doing).
How we use personal information we hold
To be fair, we don’t really use the analytics panel at all nor is it clear what we would use it for. Maybe to assess overall traffic vs. total projects successfully secured using other channels, or maybe to ask questions about website design or efficacy, but that is all that comes to mind at the moment.
We will use the name field for the filing, understanding prior message content, and fairness purposes as described above. The email address, unless otherwise specified in the body of the message, will be our primary communication method and used in filing.
The message itself will be used to respond to whatever it says and perhaps in aggregated form to understand website use and traffic.
If we receive unacceptable messages, both data points will be used to protect our office and our staff by implementing protective practices that by their nature need to be targeted at a particular source of vexatious behaviour.
We do not and will not provide information submitted through the website to any third party including national security or law enforcement outside of very narrow exceptions:
If we believe there is a credible threat to our physical or digital safety, especially to our staff over whom we are exceptionally protective, we will respond with proportionate countermeasures. If that safety threat exists in the physical world, we may have no option but to seek personal protective assistance which will require a degree of disclosure to either security firms or law enforcement organizations. We may also begin targeted capture of additional personal information to disrupt and ultimately end the credible threat.
If we receive a lawful judicial or quasi-judicial order issued during an adversarial proceeding, we will honour it. While the justice system may not be perfect, the Canadian judiciary is on average exceptional on a relative basis compared internationally. This will be respected by 3SC.
We will not tolerate even the slightest indication of intimate partner violence. In this sole circumstance, any legal or legal-like request, ex parte or otherwise, will be seriously considered and acted on expeditiously.
When we disclose personal information
Not often.
We may need to disclose personal information if we need to seek added skills or capacity under contracts, like if we require specialist engineering support for a project for example. Importantly, however, the principles of this policy will be incorporated into those subcontracts so service providers should be bound by our standards and values in the same way we voluntarily do so.
The latter uses involving threats to safety or formal proceedings of some kind (detailed above) require a measure of disclosure to public authorities in the appropriate cases.
We do not and will not belong to any marketing or advertising network nor will we permit contracted service providers to use personal data obtained from us for those purposes.
Who to contact inside 3SC
If you have further questions or concerns with respect to this policy or our privacy practices, our designated privacy officer (in GDPR countries, our data protection officer) can be reached by emailing:
privacy@3rdspaceconsulting.com
This officer can help you understand privacy principles generally and how we have understood and operationalized them in this and other corporate policies. They are empowered to respond to concerns or complaints respecting our privacy handling practices. They are your first stop to lodge any complaints you have about our conduct.
You may, in the case of an alleged breach or misconduct on our part, wish to contact the lead privacy commissioner. In most cases, this will be the Office of the Information and Privacy Commissioner of Alberta because our head office is located within its jurisdiction so most of our operations are similarly within its purview.
A note on complaints. It does 3SC no favours long-term if our privacy handling policies or practices are poor and sometimes people don’t see problems from inside the bubble. Mistakes also happen. Having a privacy officer perform some kind of self-protective non-investigation makes absolutely no sense to us. It is therefore 3SC firm policy that when the privacy officer is undertaking an internal investigation into a complaint, they are expected to do a thorough and impartial job. Their employment with us depends on their ability to hold 3SC to account when it breaches its own rules. Conversely, if they perform poor investigations that aim to exonerate 3SC from criticism, that is when they should fear dismissal, not when they point out objectively provable failures.
Breaches
If, despite our best efforts, personal data held by us is accessed without authorization by internal or external parties, our commitment is to proactively notify you consistent with the following protocol. Added detail is available in the policy document.
On discovery of the breach, immediately (that moment) take steps to trace and contain it, repatriate exfiltrated data where possible, and begin planning to close the source of the breach. Assess the statutory rules around mandatory breach reporting and ensure timelines are met.
As soon as is practicable after discovery, 3SC shall notify affected parties and provide those parties with contact information for the privacy commissioner with jurisdiction over the breach.
Manage the breach until it is resolved. There will be a natural place here where recovery is possible or not and where the breach is sealed.
During this process, 3SC shall ensure that protecting the needs and interests of affected data subjects is the most important consideration when making decisions about the breach and its resolution. It cannot be the only factor, but it must be the most important.
In this context, the phrase “as soon as practicable after discovery” needs some additional clarity.
When responding to an emergency, there is a tension between communicating immediately despite having almost no real information about what is happening, and communicating later when more information that would help victims is known. In our experience, communicating that an event has occurred whilst not having had time to learn anything of any consequence is very bad. It frustrates everyone when the answer to every question is “we are looking into that”.
However, it is extremely and obviously reprehensible for there to be a long delay while the company protects itself and gathers most of the likely discoverable information before saying anything about the breach. It is facially unacceptable to get a notice saying there was a breach months ago, that yes 3SC knew, but no one informed the data subjects until now. There are measures that individuals can take to protect themselves from the improper use of personal information taken by scoundrels and 3SC must not rob them of the opportunity to put those in place in time to be effective.
A balance must be struck, then, based on the facts in any particular case. What should be clear, though, is that there is real pressure to notify as quickly as possible. Immediately before any information is known is too soon, but whatever comes after that should be strongly considered by the lead 3SC representative responsible for the breach response.
Reviewing, Amending, and Replacing
This policy shall be periodically reviewed by 3SC’s executive management committee not less than five years from the date it came into force last or from the date of the last review, substantive amendment, or full replacement.