Title: PRIVATE SECTOR PRIVACY LEGISLATION
1 PRIVATE SECTOR PRIVACY LEGISLATION
- The New Private Sector Privacy Regime
- Presented by Christopher Lee
2 What is Private Sector Privacy Legislation?
- Rules governing the private sector with respect to the collection, use, retention, security and disclosure of, and access to, personal information
- Intended to strike a balance between the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances
- Two key concepts underlying privacy legislation
  - reasonable person test - an organization must consider what a reasonable person would consider appropriate in the circumstances
  - consent (express, implied, no consent)
3 Where are we as of January 1, 2004?
- Privacy Legislation in Canada
  - Canada
    - Personal Information Protection and Electronic Documents Act (PIPEDA) and related regulations
  - British Columbia
    - Personal Information Protection Act (PIPA)
    - Personal Information Protection Act Regulations
  - Alberta
    - Personal Information Protection Act
    - Personal Information Protection Act Regulation
4 Where are we as of January 1, 2004?
- Privacy Legislation in Canada, Cont'd
  - Québec
    - Act Respecting the Protection of Personal Information in the Private Sector (declared substantially similar)
  - Ontario
    - The Provincial Privacy Commissioner is currently recommending the adoption of the BC/Alberta model
  - Other Provinces and Territories
    - wait and see; in the meantime PIPEDA applies
5 How did we get here?
NEWS RELEASE: PRIVACY COMMISSIONER WELCOMES A NEW ERA IN PRIVACY PROTECTION
OTTAWA, April 17, 2000 - "A major improvement in the laws protecting Canadians' privacy rights results from the passage of the Personal Information Protection and Electronic Documents Act," says Bruce Phillips, Privacy Commissioner of Canada. "The Act, which received Royal Assent April 13 and comes into force on January 1, 2001, establishes for the first time a comprehensive national set of rules which govern the collection, use and disclosure of personal information in the commercial world." "The right to privacy is one of the essential underpinnings of human dignity and autonomy in our democratic society," said Bruce Phillips, the Privacy Commissioner of Canada since 1991. "I am delighted that Parliament has endorsed as a fundamental civil right our ability to control what others can learn about us. At the same time, the Act also respects legitimate business needs to gather and use personal information and will protect Canada's international markets by bringing our privacy standards into line with those of our European trading partners."
- On January 1, 2001 PIPEDA extended privacy legislation to the federally regulated private sector, i.e. federal works, undertakings and businesses
- PIPEDA was a response to the European Union's personal data protection directive (preventing transfers of personal data between EU members and jurisdictions without adequate privacy protections - PIPEDA declared adequate in December, 2001), e-commerce and public opinion in Canada
6 Why separate legislation?
- PIPEDA, 26(2)(b), specifically contemplates separate provincial legislation
- PIPEDA is widely considered to be unnecessarily complex and poorly drafted legislation; PIPA is promoted as plain language legislation particularly suited for SMEs
- Other perceived shortcomings in PIPEDA, e.g. no grandfathering, limited exceptions to consent
7 Why separate legislation? Cont'd
- Constitutional legislative powers issue - federal trade and commerce power vs. provincial property and civil rights power
- PIPEDA limited to commercial activities
- PIPEDA does not cover personal information of employees of provincially regulated organizations
- Québec has initiated a constitutional challenge to PIPEDA
8 How was PIPA developed?
- Working group established in February 2001 comprised of BC and Alta
- Discussion paper developed by BC and Alta
- Detailed and extensive consultation process - stakeholders emphasized two key requirements
  - plain language statute
  - harmonization across jurisdictions
- Common drafter - BC and Alta acts developed from the same initial draft and are approximately 90% identical
9 What applies in BC?
- PIPEDA - in respect of the collection, use or disclosure of personal information (including employee personal information in the case of a federal work, undertaking or business) by organizations in the course of commercial activities
- PIPA - in respect of the collection, use or disclosure of personal information (including employee personal information) by organizations occurring within BC to the extent PIPEDA does not apply (i.e. non-commercial activities, provincially regulated employees)
- Assuming PIPEDA is constitutionally valid and PIPA is not declared substantially similar. If PIPA is declared substantially similar then PIPA rather than PIPEDA will apply to the collection, use or disclosure of personal information by organizations in the course of commercial activities
10 What applies in BC?
- Conclusion
  - Currently both PIPA and PIPEDA apply in BC, and Industry Canada has not identified any substantive issues with PIPA being declared substantially similar to PIPEDA (although the former federal privacy commissioner has). In practical terms, an organization in compliance with PIPA with respect to the collection, use and disclosure of personal information in the course of commercial activities will generally be in compliance with PIPEDA.
11 Which organizations are covered?
- Organization - PIPA
  - organization is broadly defined to include
    - a person, unincorporated association, trade union, trust and not for profit organization
  - but does not include
    - an individual acting in a personal or domestic capacity or acting as an employee, a public body, the Courts or the Nisga'a Government
- Organization - PIPEDA
  - organization is similarly broadly defined to include
    - an association, a partnership, a person and a trade union
12 Which activities are covered?
- Activities - PIPA
  - PIPA applies to every organization in respect of personal information it collects, uses or discloses, except
    - if the collection, use or disclosure of personal information is
      - solely for personal or domestic purposes,
      - solely for journalistic, artistic or literary purposes
      - covered by PIPEDA
    - personal information to which FOIPPA applies
    - personal information in a court document
    - the collection of personal information collected before PIPA came into force
13 Which activities are covered?
- Activities - PIPEDA
  - PIPEDA applies to every organization in respect of personal information it collects, uses or discloses in the course of commercial activities, or about an employee in connection with the operation of a federal work, undertaking or business, except
    - if the collection, use or disclosure of personal information is
      - solely for personal or domestic purposes,
      - solely for journalistic, artistic or literary purposes
    - a government institution to which the Privacy Act applies
14 Which organizations and activities are covered?
- Conclusion
  - The scope of application of PIPA is generally clearer and broader than PIPEDA with respect to organizations and activities covered (for-profit and not-for-profit).
15 What is personal information?
- Personal Information - PIPA
  - personal information means information about an identifiable individual and includes
    - employee personal information - personal information about an individual collected, used or disclosed solely for purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual
16 What is personal information?
- Personal Information - PIPA, cont'd
  - but does not include
    - contact information - information to enable an individual at a place of business to be contacted, including the name, position name or title, business telephone number, business address, business e-mail or business fax number of the individual, or
    - work product information - information prepared or collected by an individual as a part of the individual's responsibilities or activities related to the individual's employment or business, but does not include personal information about an individual who did not prepare or collect the personal information
17 What is personal information?
- Personal Information - PIPEDA
  - personal information means information about an identifiable individual but does not include the name, title or business address or telephone number of an employee of an organization
18 What is personal information?
- Conclusion
  - PIPA and PIPEDA share a similar definition of personal information, but PIPA specifically distinguishes employee personal information as a subset of personal information to which a special set of rules applies.
19 What general obligations are imposed on organizations?
- Reasonable Person Test - PIPA / PIPEDA
  - An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances
- Accountability - PIPA / PIPEDA
  - An organization is responsible for personal information under its control, whether or not in its custody
  - universal privacy principles found in most legislation
20 What general obligations are imposed on organizations?
- Accountability - PIPA / PIPEDA
  - An organization must
    - designate one or more individuals to be responsible for ensuring that the organization complies with PIPA,
    - develop and follow policies and practices that are necessary for the organization to comply with PIPA and develop a process to respond to complaints that may arise pursuant to PIPA, and
    - make available
      - to the public, the position name or title and contact information for each designated individual referred to above,
      - upon request, information about the policies, practices and complaint process referred to above
21 When is consent required?
- Consent Required - PIPA
  - An organization must not collect, use or disclose personal information about an individual unless
    - the individual gives consent to the collection, use or disclosure,
    - PIPA authorizes the collection, use or disclosure without consent, or
    - PIPA deems the individual to have given consent to the collection, use or disclosure
22 When is consent required?
- Consent Required - PIPEDA
  - The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate
23 When is consent not required?
- Consent Not Required - PIPA / PIPEDA
  - Where the collection, use or disclosure
    - is clearly in the interests of the individual and consent cannot be obtained in a timely way
    - with the consent of the individual would compromise the availability or accuracy of the personal information and the collection is reasonable for an investigation or proceeding
    - is necessary for medical treatment,
    - is necessary to facilitate the collection or payment of a debt, or
    - is required or authorized by law
  - the information is publicly available from a prescribed source
24 How can consent be obtained?
- Express Consent - PIPA / PIPEDA
  - May be given verbally or in writing
- Implied Consent - PIPA
  - Consent is implied
    - if at the time the consent is deemed to be given the purpose would be obvious to a reasonable person and the personal information is voluntarily provided for that purpose
    - in the case of less sensitive information, if an organization notifies the individual of its intent to collect, use or disclose personal information, gives the individual a reasonable opportunity to decline and the individual does not decline (opt-out)
25 How can consent be obtained?
- Implied Consent - PIPEDA
  - In obtaining consent,
    - the reasonable expectations of the individual are relevant
    - implied consent would generally be appropriate when the information is less sensitive
    - opt-out forms may be used
- Withdrawal of Consent - PIPA / PIPEDA
  - An individual may withdraw consent at any time, subject to legal or contractual obligations and reasonable notice
26 What about personal information of employees?
- Employee Personal Information - PIPA
  - With respect to employment relationships, PIPA replaces the consent requirement with a notice requirement
    - an organization may collect employee personal information about an individual for purposes of establishing, managing or terminating an employment relationship with that individual
    - consent is not required if the organization notifies the individual in advance of the collection, use, disclosure and the purposes for it
    - exceptions to consent apply equally to the notice requirement
27 What about personal information of employees?
- Employee Personal Information - PIPEDA
  - PIPEDA only applies to personal information of employees of federal works, undertakings and businesses, and does not make a distinction in the case of such personal information
28 How must organizations care for personal information?
- Accuracy
  - an organization must make reasonable efforts to ensure that personal information collected by it is accurate, complete and up-to-date...
    - PIPA - if the personal information is likely
      - to be used by the organization to make a decision affecting the individual, or
      - to be disclosed by the organization to another organization
    - PIPEDA - as is necessary for the purposes for which it is to be used
29 How must organizations care for personal information?
- Protection - PIPA / PIPEDA
  - an organization must protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks
  - includes non-disclosure agreements with employees with access to the personal information
  - PIPEDA - the nature of the security arrangements will depend on the sensitivity of the information and should include
    - physical measures - locked filing cabinets, restricted access to offices,
    - organizational measures - security clearances and limiting access on a need-to-know basis, and
    - technological measures - use of passwords and encryption
30 How must organizations care for personal information?
- Retention
  - if an organization uses an individual's personal information to make a decision that directly affects the individual, the organization must retain that information...
    - PIPA - for at least one year after using it
    - PIPEDA - long enough to allow the individual access to the information after the decision has been made
  - an organization must destroy or make anonymous documents containing personal information as soon as...
    - PIPA - the purpose for which it was collected is no longer being served and retention is no longer necessary for legal or business purposes
    - PIPEDA - it is no longer required to fulfil the identified purposes
31 What about rights of individuals?
- Access to Personal Information - PIPA / PIPEDA
  - Subject to certain exceptions, on the request of an individual, an organization must provide the individual with
    - the individual's personal information under the control of the organization,
    - information about the ways in which such personal information has been and is being used by the organization, and
    - the names of the parties to whom such personal information has been disclosed by the organization
  - PIPEDA encourages disclosure of the source of such personal information as well, but PIPA only requires this in the case of credit reporting agencies
32 What about rights of individuals?
- Access to Personal Information
  - The organization must respond to an access request within 30 days after receipt of the request (unless the time period is extended in accordance with the applicable act)...
    - PIPA - and may charge a minimal fee for access, except for access to employee personal information
    - PIPEDA - at minimal or no cost to the individual
33 What about rights of individuals?
- Exceptions to Access - PIPA / PIPEDA
  - No obligation to grant access to personal information
    - protected by solicitor-client privilege,
    - if disclosure would reveal confidential commercial information,
    - collected without consent for an investigation or proceeding,
    - collected or created in the conduct of a mediation or arbitration
    - could threaten the safety or physical or mental health of an individual,
    - would reveal personal information about another individual,
    - would reveal the identity of individuals who provided the personal information and do not consent to disclosure of their identity (PIPA)
    - that is prohibitively costly to provide (PIPEDA)
34 What about rights of individuals?
- Correction of Personal Information - PIPA / PIPEDA
  - Individuals may request an organization to correct an error or omission in their personal information under the control of the organization, which must either
    - correct the personal information and send the corrected personal information to each organization to which the personal information was disclosed by the organization during the previous year, or
    - annotate the personal information with the correction that was requested but not made
35 What other differences are there between the acts?
- Scope of Investigation
  - Investigation means investigations related to breach of an agreement or contravention of the laws of Canada or a province
  - PIPA - also includes investigations related to conduct that may result in a remedy or relief under an enactment, under common law or in equity, the prevention of fraud or trading in a security
36 What other differences are there between the acts?
- Grandfathering
  - PIPA does not apply to the collection of personal information collected before January 1, 2004, but PIPA does apply with respect to the use, retention, security and disclosure of, and access to, such information
  - means organizations do not need to re-collect personal information already held
- Sale of Organization or Business Assets
  - PIPA contains special provisions allowing for collection, use and disclosure, without consent, of personal information of its employees, customers, directors, officers or shareholders for purposes solely related to the proposed business transaction
37 What is the role of the privacy commissioner?
- The federal and provincial privacy commissioners have similar responsibilities under their respective acts, however,
  - PIPA - the privacy commissioner has order-making power
  - PIPEDA - the privacy commissioner can only make recommendations
- An organization or person that commits an offence under...
  - PIPA - is liable to a fine of up to 10K (individuals) or 100K (other than individuals), and may be liable for actual harm suffered by an affected individual
  - PIPEDA - is liable to a fine of up to 10K (summary conviction) or 100K (indictable offence)
38 What is the role of the privacy commissioner?
- PIPA - emphasis will be placed on mediation; individuals may be required to resolve disputes directly with the organization before the privacy commissioner begins or continues a review or investigation
- PIPEDA - new privacy commissioner???
39 What other resources are available?
- Privacy Commissioner of Canada
  - www.privcom.gc.ca
- Office of the Information and Privacy Commissioner for British Columbia
  - www.oipcbc.org/
- BC Ministry of Management Services, Corporate Privacy and Information Access Branch
  - www.mser.gov.bc.ca/foi_pop
40 What other resources are available?
- Lang Michener Privacy Law Practice Group
  - www.langmichener.com
- Christopher Lee
  - (604) 893-2343
  - clee_at_lmls.com
- N. David McInnes
  - (604) 691-7441
  - dmcinnes_at_lmls.com
- Karam Bayrakal
  - (604) 691-7434
  - kbayrakal_at_lmls.com
- James Bond
  - (604) 691-7437
  - jbond_at_lmls.com