PRIVACY: TODAYS BUSINESS, TOMORROWS LAW

1
PRIVACY TODAYS BUSINESS, TOMORROWS LAW

• Ann Cavoukian, Ph.D.
• Information and Privacy Commissioner/Ontario
• Privacy Trends Complying with new Demands
• Ottawa, Ontario
• October 22, 2002

2
(No Transcript)
3
(No Transcript)
4
(No Transcript)
5
Impetus for Change

• Growth of Privacy as a Global Issue
• EU Directive on Data Protection
• Expanding IT Networks
• Consumer Backlash

6
(No Transcript)
7
for Business, itsbusiness as usual

• The world after 9/11
• Clear distinction between public safety and
  business issues make no mistake
• NO reduction in consumer expectations
• Increased value of trusted relationships

8
Consumer Attitudes

• Business is not a beneficiary of the post-9/11
  Trust Mood
• Increased trust in government has not been
  paralleled by increased trust in business
  handling of personal information
• Privacy On and Off the Internet What consumers
  Want
• Conducted by Harris Interactive
• February 7, 2002

9
Importance of Consumer Trust

• In the post-9/11 world
• Consumers either as concerned or more concerned
  about online privacy
• Concerns focused on the business use of personal
  information, not new government surveillance
  powers
• If consumers have confidence in a companys
  privacy practices, consumers are more likely to
• Increase volume of business with
  company.... 91
• Increase frequency of business.... 90
• Recommend to friends and family.. 89
• Harris/Westin Poll, Nov. 2001 Feb. 2002

10
The Impact of Federal Legislation

• Personal Information Protection and Electronic
  Document Act (PIPEDA)
• Staggered implementation
• Federally regulated businesses, 2001
• Federal health sector, 2002
• Provincially regulated private sector, 2004

11
Why Ontario Legislation?

• Broader coverage than PIPEDA
• Include universities, not-for profits
• Special rules for health records
• Recognize special relationship between patients
  and health care providers
• Employee records will be protected
• One-stop shopping for provincial inquiries

12
(No Transcript)
13
(No Transcript)
14
(No Transcript)
15
Privacy of Personal Information Act (PPIA)

• Consultation Draft released in
• February, 2002
• Integrated private sector and health information
  privacy legislation
• Extensive consultations since the Spring
• Introduction of the bill?

16
Scope of the Draft Ontario Legislation (PPIA)

• Applies to
• Ontario businesses
• Ontario universities
• Ontario hospitals, doctors, pharmacies, clinics
• Ontario associations (incorporated or not)
• Ontario partnerships
• Ontario unions

• Does not apply to
• Individuals acting in a personal, non-commercial
  capacity
• Artistic, journalistic or literary exemption

17
What the Law Will Say

• Legislation based on fair information practices
• Consent basis for collection, use and disclosure
  of personal information
• Special rules for personal health information
• Right of access and correction
• Office of the Information and Privacy
  Commissioner to oversee legislation

18
(No Transcript)
19
Past Issues

• Directed Disclosures
• Scope of Potential Regulations
• Opt-in versus Opt-out

20
(No Transcript)
21
Health Data Institute

• Analysis of health system
• Minister may require disclosure to health data
  institute which de-identifies information
• Ministers proposal first reviewed by technical
  committee and IPC
• Identifiable information goes to Ministry only
  with approval of IPC

22
(No Transcript)
23
Scope of Regulations

• Regulation-making powers are extensive
• Provide ability to create exemptions from most
  aspects of bill
• Process to ensure transparency has been proposed

24
(No Transcript)
25
Consent for Marketing

• Initial Position of Government Opt-in only
• Canadian Marketing Association, other business
  groups organize opposition
• Charitable and Not-for-Profit Sectors strongly
  opposed opt-in

26
(No Transcript)
27
The Solution

• Bill will allow for opt-out consent for
  marketing/fundraising purposes
• Clear rules for content of opt-out notice and how
  it is to be exercised
• Limits on use of opt-out established

28
Role of the IPC

• IPC will be oversight body
• Power to investigate individual complaints and
  refusal of access
• Review of information practices
• Extensive order-making powers

29
(No Transcript)
30
Role of the IPC (contd)

• Use of Mediation to be stressed
• Order-making power - last resort
• Conducting public education programs
• Commenting on an organizations information
  practices

31
(No Transcript)
32
Stressing the 3 Cs

• Consultation
• Opening lines of communication with businesses
  and stakeholders
• Co-operation
• Non-confrontational approach when resolving
  complaints
• Collaboration
• Working together to find solutions

33
Preparations Are Starting

• IPC outreach to business community
• Met with key stakeholder associations, including
• Retail Council of Canada
• Canadian Marketing Association
• Insurance Bureau of Canada
• Ontario Hospital Association
• Consumer Council of Canada

34
The Bottom Line

• Privacy should be viewed as a business issue, not
  a compliance issue

35
How to Contact Us
Ann Cavoukian, Ph.D. Information Privacy
Commissioner, Ontario 80 Bloor Street West, Suite
1700 Toronto, Ontario M5S 2V1 Phone (416)
326-3333 Web www.ipc.on.ca E-mail
commissioner_at_ipc.on.ca