Why Privacy

1
(No Transcript)
2
Why Privacy?

• Complying with privacy regulations can be
  considered just a business cost, but many
  companies understand that a reputation for
  guarding privacy can also be a selling point.
  They need to be stewards, to the extent they can
  gain a competitive advantage from privacy.
• Ken DeJarnette, Deloitte Touche

3
Ontario Privacy Legislation

• Public Sector Freedom of Information and
  Protection of Privacy Act (1988) and Municipal
  Freedom of Information and Protection of Privacy
  Act (1991)
• Private Sector Proposed Privacy of Personal
  Information Act, 2002 (PPIA)

4
The Information and Privacy Commissioner/Ontario
(IPC)

• Resolves appeals from access decisions by
  government organizations
• Investigates privacy complaints about
  government-held information
• Conducts research on access and privacy issues
  and advise on proposed government legislation and
  programs and
• Educates the public about access and privacy.

5
What is Privacy?

• In 1890, U.S. Supreme Court Justices Brandeis and
  Warren defined privacy as the right to be let
  alone
• Warren Brandeis,
• The Right to Privacy

6
PIAC/Ekos Survey

• 2001 survey of Canadian opinion by Ekos for the
  Public Interest Advocacy Centre (PIAC)
• 85 of respondents received unsolicited
  advertising material in the previous month of
  which 74 express moderate or high concern
• 61 prefer no more telemarketing calls even if it
  means missing opportunities
• 82 say they should be asked for permission
  before their information is used for marketing.

7
Court Comments on Privacy

• Privacy is at the heart of liberty in the modern
  state. (Alan Westin)
• Interest in being left alone includes the right
  to control the dissemination of confidential
  information.
• Privacy is necessarily related to many
  fundamental human functions.

8
Personal Information Protection and Electronic
Documents Act (PIPEDA)

• Canadas federal private sector privacy law
• Incorporates CSA Code as a schedule
• Since January 1, 2001 has applied to commercial
  activities
• Until January 1, 2004 applies only to federally
  regulated undertakings (banks, airlines, etc.)
  and to sales of personal information across
  provincial borders and
• As of January 1, 2004, will apply within any
  province that has not passed a substantially
  similar law.

9
CSA Model Code - 10 Privacy Principles

• Accuracy
• Safeguards
• Openness
• Individual Access
• Challenging Compliance

• Accountability
• Identifying Purposes
• Consent
• Limiting Collection
• Limiting Use, Disclosure, Retention

10
PPIA Background

• Joins provisions formerly planned for two
  separate Acts one for health and one for rest
  of private sector.
• Replaces former Bill 159, the Personal Health
  Information Privacy Act, which never became law.
• Some other provinces have health privacy acts,
  but only Quebec has a private sector privacy law.

11
PPIA - Purposes

• Recognizes the privacy right of individuals to
  control the collection, use and disclosure of
  their personal information by organizations and
  the need of organizations to collect, use or
  disclose personal information for purposes that a
  reasonable person would consider appropriate in
  the circumstances.
• (s. 1(c))

12
Does Proposed PPIA Apply to You?

• Proposed bill applies to
• Ontario businesses, partnerships, unions
• Ontario associations (incorporated or not)
• Ontario universities
• Ontario hospitals, doctors, pharmacies, clinics
• Does not apply to
• Federally regulated businesses
• Institutions regulated under public sector
  legislation
• Individuals acting in a personal non-commercial
  capacity
• Artistic, journalistic or literary exemption

13
Consent

• Organizations shall not collect, use or disclose
  personal information about an individual without
  consent, except in specific circumstances laid
  out in the Act.

14
EXPRESS OR IMPLIED CONSENT

• IMPLIED CONSENT
• Purchase of a television might imply consent to
  share the customers address with delivery firm.
• EXPRESS CONSENT
• Consent may require a positive action by an
  individual where sensitive information is
  concerned.

15
OPT-OUT CONSENT

• Sufficient circumstances for opt-out
• Customers consent to receive marketing materials
  or fundraising solicitations.
• How is opt-out consent obtained?
• Provide customers with clearly understood, easily
  exercised opportunity to opt-out.
• Proposed legislation balances individual privacy
  rights and legitimate business need to use
  personal information.

16
No Consent or Withdrawal of Consent

• Circumstances for disclosure of personal
  information without consent
• Where required by law or
• As part of a law enforcement investigation.
• Proposed legislation will provide that consent
  may be withdrawn.
• NB If withdrawal would frustrate a business
  agreement or agreement to provide goods or
  services, it will NOT be permitted.

17
Accountability Access

• Duties and obligations for organizations
  addressed in the consultation draft include
• Accuracy
• Security
• Destruction
• Permitted collection, use and disclosure without
  consent.
• Individuals, including employees, will have a
  right of access.

18
Complaints Appeals

• Right to complain to Commissioner
• Improper collection, use, or disclosure
• Right of appeal
• If access request is denied

19
Current Status of PPIA

• Areas of focused attention
• Simplification of wording / reduced overlap
• Harmonizing wording/approaches with PIPEDA
• Framework for use of opt-out notices in obtaining
  consent
• Effective transition rules for personal
  information in existing databases and
• Creating open / consultative regulation-making
  process.