PRIVATE SECTOR PRIVACY LEGISLATION - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
PRIVATE SECTOR PRIVACY LEGISLATION
  • The New Private Sector Privacy Regime
  • Presented by
  • Christopher Lee

2
What is Private Sector Privacy Legislation?
  • Rules governing the private sector with respect
    to the collection, use, retention, security and
    disclosure of, and access to, personal
    information
  • Intended to strike a balance between the right of
    individuals to protect their personal information
    and the need of organizations to collect, use or
    disclose personal information for purposes that a
    reasonable person would consider appropriate in
    the circumstances
  • Two key concepts underlying privacy legislation
  • reasonable person test - an organization must
    consider what a reasonable person would consider
    appropriate in the circumstances
  • consent (express, implied, no consent)

3
Where are we as of January 1, 2004?
  • Privacy Legislation in Canada
  • Canada
  • Personal Information Protection and Electronic
    Documents Act (PIPEDA) and related regulations
  • British Columbia
  • Personal Information Protection Act (PIPA)
  • Personal Information Protection Act Regulations
  • Alberta
  • Personal Information Protection Act
  • Personal Information Protection Act Regulation

4
Where are we as of January 1, 2004?
  • Privacy Legislation in Canada, Cont'd
  • Québec
  • Act Respecting the Protection of Personal
    Information in the Private Sector (declared
    substantially similar)
  • Ontario
  • The Provincial Privacy Commissioner is currently
    recommending the adoption of BC/Alberta model
  • Other Provinces and Territories
  • wait and see in the meantime PIPEDA applies

5
How did we get here?
NEWS RELEASE: PRIVACY COMMISSIONER WELCOMES A NEW
ERA IN PRIVACY PROTECTION. OTTAWA, April 17,
2000. "A major improvement in the laws protecting
Canadians' privacy rights results from the
passage of the Personal Information Protection
and Electronic Documents Act," says Bruce
Phillips, Privacy Commissioner of Canada. "The Act
which received Royal Assent April 13 and comes
into force on January 1, 2001 establishes for
the first time a comprehensive national set of
rules which govern the collection, use and
disclosure of personal information in the
commercial world." "The right to privacy is one
of the essential underpinnings of human dignity
and autonomy in our democratic society," said
Bruce Phillips, the Privacy Commissioner of
Canada since 1991. "I am delighted that
Parliament has endorsed as a fundamental civil
right our ability to control what others can
learn about us. At the same time, the Act also
respects legitimate business needs to gather and
use personal information and will protect
Canada's international markets by bringing our
privacy standards into line with those of our
European trading partners."
  • On January 1, 2001 PIPEDA extended privacy
    legislation to the federally regulated private
    sector i.e. federal works, undertakings and
    businesses
  • PIPEDA was a response to the European Union's
    personal data protection directive (preventing
    transfers of personal data between EU members and
    jurisdictions without adequate privacy
    protections - PIPEDA declared adequate in
    December, 2001), e-commerce and public opinion in
    Canada

6
Why separate legislation?
  • PIPEDA, 26(2)(b), specifically contemplates
    separate provincial legislation
  • PIPEDA is widely considered to be unnecessarily
    complex and poorly drafted legislation; PIPA is
    promoted as plain language legislation
    particularly suited for SMEs
  • Other perceived shortcomings in PIPEDA, e.g. no
    grandfathering, limited exceptions to consent

7
Why separate legislation? Cont'd
  • Constitutional legislative powers issue - federal
    trade and commerce power vs. provincial property
    and civil rights power
  • PIPEDA limited to commercial activities
  • PIPEDA does not cover personal information of
    employees of provincially regulated organizations
  • Québec has initiated a constitutional challenge
    to PIPEDA

8
How was PIPA developed?
  • Working group established in February 2001,
    made up of BC and Alta
  • Discussion paper developed by BC and Alta
  • Detailed and extensive consultation process -
    stakeholders emphasized two key requirements
  • plain language statute
  • harmonization across jurisdictions
  • Common drafter - BC and Alta acts developed from
    the same initial draft and are approximately 90%
    identical

9
What applies in BC?
  • PIPEDA - in respect of the collection, use or
    disclosure of personal information (including
    employee personal information in the case of a
    federal work, undertaking or business) by
    organizations in the course of commercial
    activities
  • PIPA - in respect of the collection, use or
    disclosure of personal information (including
    employee personal information) by organizations
    occurring within BC to the extent PIPEDA does not
    apply (i.e. non-commercial activities and
    provincially regulated employees)
  • This assumes PIPEDA is constitutionally valid and
    PIPA is not declared substantially similar. If
    PIPA is declared substantially similar, then PIPA
    rather than PIPEDA will apply to the collection,
    use or disclosure of personal information by
    organizations in the course of commercial
    activities

10
What applies in BC?
  • Conclusion
  • Currently both PIPA and PIPEDA apply in BC and
    Industry Canada has not identified any
    substantive issues with PIPA being declared
    substantially similar to PIPEDA (although the
    former federal privacy commissioner has). In
    practical terms, an organization in compliance
    with PIPA with respect to the collection, use and
    disclosure of personal information in the course
    of commercial activities will generally be in
    compliance with PIPEDA.

11
Which organizations are covered?
  • Organization - PIPA
  • organization is broadly defined to include
  • a person, unincorporated association, trade
    union, trust and not for profit organization
  • but does not include
  • an individual acting in a personal or domestic
    capacity or acting as an employee, a public body,
    the Courts or the Nisga'a Government
  • Organization - PIPEDA
  • organization is similarly broadly defined to
    include
  • an association, a partnership, a person and a
    trade union

12
Which activities are covered?
  • Activities - PIPA
  • PIPA applies to every organization in respect of
    personal information it collects, uses or
    discloses, except
  • if the collection, use or disclosure of personal
    information is
  • solely for personal or domestic purposes,
  • solely for journalistic, artistic or literary
    purposes
  • covered by PIPEDA
  • personal information to which FOIPPA applies
  • personal information in a court document
  • the collection of personal information collected
    before PIPA came into force

13
Which activities are covered?
  • Activities - PIPEDA
  • PIPEDA applies to every organization in respect
    of personal information it collects, uses or
    discloses in the course of commercial activities,
    or about an employee in connection with the
    operation of a federal work, undertaking or
    business, except
  • if the collection, use or disclosure of personal
    information is
  • solely for personal or domestic purposes,
  • solely for journalistic, artistic or literary
    purposes
  • a government institution to which the Privacy Act
    applies

14
Which organizations and activities are covered?
  • Conclusion
  • The scope of application of PIPA is generally
    clearer and broader than PIPEDA with respect to
    organizations and activities covered (for-profit
    and not-for-profit).

15
What is personal information?
  • Personal Information - PIPA
  • personal information means information about an
    identifiable individual and includes
  • employee personal information - personal
    information about an individual collected, used
    or disclosed solely for purposes reasonably
    required to establish, manage or terminate an
    employment relationship between the organization
    and that individual

16
What is personal information?
  • Personal Information - PIPA, cont'd
  • but does not include
  • contact information - information to enable an
    individual at a place of business to be
    contacted, including the name, position name or
    title, business telephone number, business
    address, business e-mail or business fax number
    of the individual, or
  • work product information - information prepared
    or collected by an individual as a part of the
    individual's responsibilities or activities
    related to the individual's employment or
    business, but does not include personal
    information about an individual who did not
    prepare or collect the personal information

17
What is personal information?
  • Personal Information - PIPEDA
  • personal information means information about an
    identifiable individual but does not include the
    name, title or business address or telephone
    number of an employee of an organization

18
What is personal information?
  • Conclusion
  • PIPA and PIPEDA share a similar definition of
    personal information, but PIPA specifically
    distinguishes employee personal information as a
    subset of personal information to which a special
    set of rules apply.

19
What general obligations are imposed on
organizations?
  • Reasonable Person Test - PIPA / PIPEDA
  • An organization may collect, use or disclose
    personal information only for purposes that a
    reasonable person would consider are appropriate
    in the circumstances
  • Accountability - PIPA / PIPEDA
  • An organization is responsible for personal
    information under its control, whether or not in
    its custody
  • universal privacy principles found in most
    legislation

20
What general obligations are imposed on
organizations?
  • Accountability - PIPA / PIPEDA
  • An organization must
  • designate one or more individuals to be
    responsible for ensuring that the organization
    complies with PIPA,
  • develop and follow policies and practices that
    are necessary for the organization to comply with
    PIPA and develop a process to respond to
    complaints that may arise pursuant to PIPA, and
  • make available
  • to the public the position name or title and
    contact information for each designated
    individual referred to above,
  • upon request, information about the policies,
    practices and complaint process referred to above

21
When is consent required?
  • Consent Required - PIPA
  • An organization must not collect, use or disclose
    personal information about an individual unless
  • the individual gives consent to the collection,
    use or disclosure,
  • PIPA authorizes the collection, use or disclosure
    without consent, or
  • PIPA deems the individual to have given consent
    to the collection, use or disclosure

22
When is consent required?
  • Consent Required - PIPEDA
  • The knowledge and consent of the individual are
    required for the collection, use or disclosure of
    personal information, except where inappropriate

23
When is consent not required?
  • Consent Not Required - PIPA / PIPEDA
  • Where the collection, use or disclosure
  • is clearly in the interests of the individual and
    consent cannot be obtained in a timely way
  • with the consent of the individual would
    compromise the availability or accuracy of the
    personal information and the collection is
    reasonable for an investigation or proceeding
  • is necessary for medical treatment,
  • is necessary to facilitate the collection or
    payment of a debt, or
  • is required or authorized by law
  • the information is publicly available from a
    prescribed source

24
How can consent be obtained?
  • Express Consent - PIPA / PIPEDA
  • May be given verbally or in writing
  • Implied Consent - PIPA
  • Consent is implied
  • if, at the time the consent is deemed to be given,
    the purpose would be obvious to a reasonable
    person and the personal information is
    voluntarily provided for that purpose
  • in the case of less sensitive information, if an
    organization notifies the individual of its
    intent to collect, use or disclose personal
    information, gives the individual a reasonable
    opportunity to decline and the individual does
    not decline (opt-out)

25
How can consent be obtained?
  • Implied Consent - PIPEDA
  • In obtaining consent,
  • the reasonable expectations of the individual are
    relevant
  • implied consent would generally be appropriate
    when the information is less sensitive
  • opt-out forms may be used
  • Withdrawal of Consent - PIPA / PIPEDA
  • An individual may withdraw consent at any time
    subject to legal or contractual obligations and
    reasonable notice

26
What about personal information of employees?
  • Employee Personal Information - PIPA
  • With respect to employment relationships, PIPA
    replaces the consent requirement with a notice
    requirement
  • an organization may collect employee personal
    information about an individual for purposes of
    establishing, managing or terminating an
    employment relationship with that individual
  • consent is not required if the organization
    notifies the individual in advance of the
    collection, use or disclosure and the purposes
    for it
  • exceptions to consent apply equally to the notice
    requirement

27
What about personal information of employees?
  • Employee Personal Information - PIPEDA
  • PIPEDA only applies to personal information of
    employees of federal works, undertakings and
    businesses, and does not make a distinction in
    the case of such personal information

28
How must organizations care for personal
information?
  • Accuracy
  • an organization must make reasonable efforts to
    ensure that personal information collected by it
    is accurate, complete and up-to-date...
  • PIPA - if the personal information is likely
  • to be used by the organization to make a decision
    affecting the individual, or
  • to be disclosed by the organization to another
    organization
  • PIPEDA - as is necessary for the purposes for
    which it is to be used

29
How must organizations care for personal
information?
  • Protection - PIPA / PIPEDA
  • an organization must protect personal information
    in its custody or under its control by making
    reasonable security arrangements to prevent
    unauthorized access, collection, use, disclosure,
    copying, modification, disposal or similar risks
  • includes non-disclosure agreements with employees
    with access to the personal information
  • PIPEDA - the nature of the security arrangements
    will depend on the sensitivity of the information
    and should include
  • physical measures - locked filing cabinets,
    restricted access to offices,
  • organizational measures - security clearances and
    limiting access on a need-to-know basis, and
  • technological measures - use of passwords and
    encryption

30
How must organizations care for personal
information?
  • Retention
  • if an organization uses an individual's personal
    information to make a decision that directly
    affects the individual, the organization must
    retain that information...
  • PIPA - for at least one year after using it
  • PIPEDA - long enough to allow the individual
    access to the information after the decision has
    been made
  • an organization must destroy or make anonymous
    documents containing personal information as soon
    as...
  • PIPA - the purpose for which it was collected is
    no longer being served and retention is no longer
    necessary for legal or business purposes
  • PIPEDA - it is no longer required to fulfil the
    identified purposes

31
What about rights of individuals?
  • Access to Personal Information - PIPA / PIPEDA
  • Subject to certain exceptions, on the request of
    an individual, an organization must provide the
    individual with
  • the individual's personal information under the
    control of the organization,
  • information about the ways in which such personal
    information has been and is being used by the
    organization, and
  • the names of the parties to whom such personal
    information has been disclosed by the
    organization
  • PIPEDA encourages disclosure of the source of
    such personal information as well, but PIPA only
    requires this in the case of credit reporting
    agencies

32
What about rights of individuals?
  • Access to Personal Information
  • The organization must respond to an access
    request within 30 days after receipt of the
    request (unless the time period is extended in
    accordance with the applicable act)...
  • PIPA - and may charge a minimal fee for access
    except for access to employee personal
    information
  • PIPEDA - at minimal or no cost to the individual

33
What about rights of individuals?
  • Exceptions to Access - PIPA / PIPEDA
  • No obligation to grant access to personal
    information
  • protected by solicitor-client privilege,
  • if disclosure would reveal confidential
    commercial information,
  • collected without consent for an investigation or
    proceeding,
  • collected or created in the conduct of a
    mediation or arbitration
  • could threaten the safety or physical or mental
    health of an individual,
  • would reveal personal information about another
    individual,
  • would reveal the identity of individuals who
    provided the personal information and do not
    consent to disclosure of their identity (PIPA)
  • that is prohibitively costly to provide (PIPEDA)

34
What about rights of individuals?
  • Correction of Personal Information - PIPA /
    PIPEDA
  • Individuals may request an organization to
    correct an error or omission in their personal
    information under the control of the
    organization, which must either
  • correct the personal information and send the
    corrected personal information to each
    organization to which the personal information
    was disclosed by the organization during the
    previous year, or
  • annotate the personal information with the
    correction that was requested but not made

35
What other differences are there between the acts?
  • Scope of Investigation
  • Investigation means investigations related to
    breach of an agreement or contravention of the
    laws of Canada or a province
  • PIPA - also includes investigations related to
    conduct that may result in a remedy or relief
    under an enactment, under common law or in
    equity, the prevention of fraud or trading in a
    security

36
What other differences are there between the acts?
  • Grandfathering
  • PIPA does not apply to the collection of personal
    information collected before January 1, 2004, but
    PIPA does apply with respect to the use,
    retention, security and disclosure of, and access
    to, such information
  • means organizations do not need to re-collect
    personal information already held
  • Sale of Organization or Business Assets
  • PIPA contains special provisions allowing for
    collection, use and disclosure, without consent,
    of personal information of its employees,
    customers, directors, officers or shareholders
    for purposes solely related to the proposed
    business transaction

37
What is the role of the privacy commissioner?
  • The federal and provincial privacy commissioners
    have similar responsibilities under their
    respective acts, however,
  • PIPA - the privacy commissioner has order making
    power
  • PIPEDA - the privacy commissioner can only make
    recommendations
  • An organization or person that commits an offence
    under...
  • PIPA - is liable to a fine of up to $10K
    (individuals) or $100K (other than individuals),
    and may be liable for actual harm suffered by an
    affected individual
  • PIPEDA - is liable to a fine of up to $10K (summary
    conviction) or $100K (indictable offence)

38
What is the role of the privacy commissioner?
  • PIPA - emphasis will be placed on mediation;
    individuals may be required to resolve disputes
    directly with the organization before the privacy
    commissioner begins or continues a review or
    investigation
  • PIPEDA - new privacy commissioner???

39
What other resources are available?
  • Privacy Commissioner of Canada
  • www.privcom.gc.ca
  • Office of the Information and Privacy
    Commissioner for British Columbia
  • www.oipcbc.org/
  • BC Ministry of Management Services, Corporate
    Privacy & Information Access Branch
  • www.mser.gov.bc.ca/foi_pop

40
What other resources are available?
  • Lang Michener Privacy Law Practice Group
  • www.langmichener.com
  • Christopher Lee
  • (604) 893-2343
  • clee_at_lmls.com
  • N. David McInnes, (604) 691-7441,
    dmcinnes_at_lmls.com
  • Karam Bayrakal, (604) 691-7434,
    kbayrakal_at_lmls.com
  • James Bond, (604) 691-7437, jbond_at_lmls.com