New Privacy Rules for Alberta
1
New Privacy Rules for Alberta
  • Liz Denham, Private Sector Lead
  • Office of the Information and Privacy
    Commissioner of Alberta
  • January 2004

2
What is privacy?
  • "The right to be let alone -- the most
    comprehensive of rights and the right most valued
    by civilized men."
  • U.S. Supreme Court Justice Louis Brandeis, 1928

3
Why Privacy?
  • The Information Age. We have the technology;
    what are the rules?
  • World-wide action on privacy:
  • OECD Guidelines
  • CSA Code
  • EU Directive
  • US: legislative patchwork, safe harbours
  • Federal Personal Information Protection and
    Electronic Documents Act
  • Quebec, Alberta and B.C. legislation

4
Why Privacy?
  • It's the law.
  • International transactions.
  • Accountability.
  • Reputation/brand.
  • Profitability: RBC Financial estimates privacy
    drives 6.9% of customer demand.
  • Risk management.
  • Employee trust and morale.

5
Fair Information Practices
  • Be accountable
  • Identify purposes for collecting PI
  • Obtain consent
  • Limit collection
  • Limit use, disclosure and retention
  • Be accurate
  • Use reasonable safeguards
  • Be open about info management practices
  • Give individuals access
  • Provide a means to challenge compliance

6
Personal Information Protection Act (PIPA)
  • Personal Information Protection Act given Royal
    Assent, Dec. 4, 2003
  • Proclamation date was January 1, 2004

7
PIPA - application
  • Sections 3, 6, and 9.
  • The Act applies to the collection, use and
    disclosure of personal information by
    organizations.

8
PIPA - application
  • Organizations are corporations, unincorporated
    associations, trade unions (Labour Relations
    Code), partnerships (Partnerships Act),
    individuals acting in a commercial capacity, and
    persons acting on behalf of an organization.
  • BUT NOT an individual acting in a non-commercial
    activity.
  • Personal information means information about an
    identifiable individual.

9
Non-profit organizations
  • Non-profit includes societies incorporated under
    the Societies Act, Agricultural Societies Act,
    Part 9 of the Companies Act or otherwise defined
    in regulation
  • The Act applies to personal information collected,
    used or disclosed in connection with a commercial
    activity carried out by the non-profit
    organization

10
PIPA application - section 4
  • Some personal information is excluded:
  • Personal or domestic purposes of an individual
  • Artistic, literary or journalistic purposes
  • In a record that is at least 100 years old, or of
    an individual dead for at least 20 years
  • Personal information protected under the FOIP Act
  • Personal information that is health information
    (as defined in the HIA) collected, used or
    disclosed for health care purposes

11
PIPA - Pre-PIPA information (section 4)
  • Grandfathering allowed
  • Personal information collected before January 1,
    2004, is deemed to have been collected with
    consent
  • It may be used and disclosed by an organization
    for the purpose for which it was collected
  • General rules in the Act regarding safeguards,
    access, correction, etc. still apply to this
    information

12
PIPA - a note on what is reasonable
  • PIPA requires a lot of reasonableness.
  • Section 2 refers to reasonableness.
  • Organizations must act reasonably (section 5(4)).
  • Due diligence: you have turned your mind to it,
    considered it and have a logical reason for doing
    it.
  • Industry standards are evidence of reasonableness.

13
PIPA - General rules
  • Generally an organization needs to get consent
    for collection, use and disclosure of personal
    information (section 7). There are exceptions.
  • If an organization collects personal information
    directly from a person, the person has to be told
    the purpose of the collection and the name of
    someone who can answer questions (section 13).

14
PIPA - Consent
  • A person is deemed to have consented to
    collection, use and disclosure for a purpose when
    they voluntarily give their information for that
    purpose (section 8).
  • Implied and express (opt-in and opt-out) forms
    of consent are allowed under the Act.
  • The level of sensitivity of personal information
    may determine the form of consent.

15
PIPA - Consent is not needed (section 14)
  • If the collection is clearly in the interests of
    the person and consent can't be obtained in a
    timely way.
  • Pursuant to statute.
  • Investigations, legal proceedings.
  • Publicly available.
  • Debt collection.

16
PIPA - General rules, continued
  • Collect, use and disclose for reasonable
    purposes (sections 11, 16, 19).
  • Collect, use and disclose the least amount of
    information necessary for the business purpose.
  • Give people notice of the purposes of collection;
    this is important because it establishes the
    baseline, so it must be somewhat specific.

17
Collect, use or disclose information without
consent in some cases
  • When clearly in the interests of the individual,
    timely consent cannot be obtained and someone
    would not reasonably be expected to withhold
    consent (sections 14, 17, 20).
  • When another act or regulation authorizes it
  • To or from a public body if authorized
  • For an investigation or legal proceeding
  • If p.i. is publicly available
  • To determine an individual's suitability for an
    honour, award or benefit
  • To create a credit report
  • To collect a debt or repay monies owed
  • For archival or research purposes

18
Disclose personal information without consent
(section 20)
  • To comply with a subpoena or court order
  • If necessary to respond to an emergency
  • To contact next of kin
  • To a surviving spouse or relative of a deceased
    individual, if reasonable
  • To protect against fraud or unfair trading
    practices
  • If p.i. is needed in the acquisition/sale of a
    business
  • If the disclosure meets the requirements for
    archival purposes or research and it is not
    possible to obtain consent

19
Access to personal info (section 24)
  • Give people access to their personal information,
    with specific exceptions:
  • If information would reveal the p.i. of another
    individual
  • If information reveals the identity of an
    individual who has provided an opinion in
    confidence
  • If giving access could threaten the life or
    security of someone
  • Legal privilege
  • Proprietary information
  • Investigation or legal proceeding
  • If giving access may result in that type of
    information no longer being provided
  • If collected by a mediator or arbitrator

20
Employee info (sections 15, 18, 21)
  • Treated differently from customer info
  • Organizations will have to determine what info is
    reasonably required for establishing, managing or
    terminating employment relationships
  • Don't assume anything just because it has been
    done in the past
  • The burden of proof will likely be on the
    organization

21
Employee info
  • Employee information, s.1(d)
  • Employee includes an individual employed by the
    organization who performs a service for an
    organization, including:
  • Apprentice
  • Volunteer
  • Participant
  • Student
  • Under contract or agency relationship

22
Collection, use or disclosure of employee
information without consent (sections 15, 18,
21)
  • If the individual is an employee of the
    organization, OR
  • If the collection, use or disclosure is for the
    purpose of recruiting a potential employee.
  • However:
  • The collection, use or disclosure must be
    reasonable, and
  • The information must relate to the employment
    relationship.

23
Looking after personal information
  • Organizations are responsible for the personal
    information in their custody or under their
    control (section 5).
  • Organizations have to designate someone to be
    responsible for compliance (section 5). PICK THE
    RIGHT PERSON.
  • Organizations have to use reasonable efforts to
    ensure personal information collected, used or
    disclosed is accurate and complete (section 33).
  • Organizations have to make reasonable security
    arrangements (section 34).

24
Information and Privacy Commissioner
  • Same Commissioner for the FOIP Act and the Health
    Information Act
  • The Commissioner can:
  • refer an individual to another grievance,
    complaint or review process before dealing with
    the complaint
  • authorize mediation to settle a complaint
  • conduct an inquiry
  • issue binding orders
  • authorize an organization to disregard requests

25
Penalties and damages (sections 59, 60)
  • It is an offence to destroy or conceal a record
    to avoid a request for access to it.
  • If convicted of an offence, fines are (section
    59):
  • Up to $10,000 for individuals
  • Up to $100,000 for businesses
  • An individual can pursue damages for loss or
    injury suffered as a result of a breach of privacy
    (section 60).

26
Ten Steps to Compliance
  • Obtain executive support within your organization;
    appoint a privacy lead (a privacy committee
    can help)
  • Conduct a corporate-wide assessment of compliance
  • Develop a plan to address compliance gaps
  • Evaluate information management and security
    policies and practices
  • Develop privacy policies and procedures including
    a records retention policy

27
10 Steps continued
  • Review and revise third party agreements
  • Develop and deliver privacy and security training
    for employees
  • Establish procedures to allow access to
    individuals' own information
  • Implement a process for handling privacy
    complaints
  • Ensure all information privacy policies meet the
    ongoing objective of privacy compliance (e.g.
    annual audits)

28
Dealing with the Commissioner's office
  • We want this to work
  • Organizations get first chance to resolve
    complaints
  • We mediate (assist us)
  • Sometimes an inquiry will be necessary
  • Advance rulings

29
PIPA/PIPEDA
  • Both based on fair info practices
  • Substantially similar, but not necessarily the
    same
  • There will be issues and conflicts and we will
    have to work them out
  • Federal and Provincial Commissioners are working
    to harmonize practices and protocols
  • If an organization is compliant with PIPEDA,
    prima facie, it is compliant with PIPA

30
Privacy Help: Resources and Guides available
  • Office of the Information and Privacy
    Commissioner
  • 780 422-6860 (Edmonton)
  • 403 297-7247 (Calgary)
  • www.oipc.ab.ca
  • Information Management, Access and Privacy Branch
  • 780-644-7472
  • www.psp.gov.ab.ca
  • Privacy Commissioner of Canada
  • www.privcom.gc.ca