PRIVATE SECTOR PRIVACY LEGISLATION


The New Private Sector Privacy Regime
Presented by Christopher Lee
What is Private Sector Privacy Legislation?
• Rules governing the private sector with respect to the collection, use, retention, security and disclosure of, and access to, personal information
• Intended to strike a balance between the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances
• Two key concepts underlying privacy legislation
  - reasonable person test - “an organization must consider what a reasonable person would consider appropriate in the circumstances”
  - consent (express, implied, no consent)
Where are we as of January 1, 2004?
Privacy Legislation in Canada
• Canada: Personal Information Protection and Electronic Documents Act (“PIPEDA”) and related regulations
• British Columbia: Personal Information Protection Act (“PIPA”); Personal Information Protection Act Regulations
• Alberta: Personal Information Protection Act; Personal Information Protection Act Regulation
Where are we as of January 1, 2004?
Privacy Legislation in Canada, Cont’d
• Québec: Act Respecting the Protection of Personal Information in the Private Sector (declared substantially similar)
• Ontario: the Provincial Privacy Commissioner is currently recommending the adoption of the BC/Alberta model
• Other Provinces and Territories: “wait and see”; in the meantime PIPEDA applies
How did we get here?
• On January 1, 2001 PIPEDA extended privacy legislation to the federally regulated private sector – i.e. federal works, undertakings and businesses
• PIPEDA was a response to the European Union’s personal data protection directive (which prevents transfers of personal data from EU member states to jurisdictions without “adequate” privacy protections; PIPEDA was declared adequate in December 2001), to e-commerce and to public opinion in Canada
NEWS RELEASE
PRIVACY COMMISSIONER WELCOMES A NEW ERA IN PRIVACY PROTECTION
OTTAWA, April 17, 2000—A major improvement in the laws protecting Canadians' privacy rights results from the passage of the Personal Information Protection and Electronic Documents Act, says Bruce Phillips, Privacy Commissioner of Canada. The Act – which received Royal Assent April 13 and comes into force on January 1, 2001 – establishes for the first time a comprehensive national set of rules which govern the collection, use and disclosure of personal information in the commercial world.
"The right to privacy is one of the essential underpinnings of human dignity and autonomy in our democratic society," said Bruce Phillips, the Privacy Commissioner of Canada since 1991. "I am delighted that Parliament has endorsed as a fundamental civil right our ability to control what others can learn about us. At the same time, the Act also respects legitimate business needs to gather and use personal information and will protect Canada's international markets by bringing our privacy standards into line with those of our European trading partners."
Why separate legislation?
• PIPEDA, §26(2)(b), specifically contemplates separate provincial legislation
• PIPEDA is widely considered to be unnecessarily complex and poorly drafted legislation; PIPA is promoted as plain language legislation particularly suited for SMEs
• Other perceived shortcomings in PIPEDA, e.g. no grandfathering, limited exceptions to consent
Why separate legislation? Cont’d
• Constitutional legislative powers issue - federal trade and commerce power vs. provincial property and civil rights power
  - PIPEDA limited to commercial activities
  - PIPEDA does not cover personal information of employees of provincially regulated organizations
  - Québec has initiated a constitutional challenge to PIPEDA
How was PIPA developed?
• Working group established in February 2001 comprised of BC and Alta
• Discussion paper developed by BC and Alta
• Detailed and extensive consultation process - stakeholders emphasized two key requirements:
  - plain language statute
  - harmonization across jurisdictions
• Common drafter - BC and Alta acts developed from the same initial draft and are approximately 90% identical
What applies in BC?*
• PIPEDA - in respect of the collection, use or disclosure of personal information (including employee personal information in the case of a federal work, undertaking or business) by organizations in the course of commercial activities
• PIPA - in respect of the collection, use or disclosure of personal information (including employee personal information) by organizations occurring within BC to the extent PIPEDA does not apply (i.e. non-commercial activities; provincially regulated employees)
* Assuming PIPEDA is constitutionally valid and PIPA is not declared substantially similar. If PIPA is declared substantially similar then PIPA rather than PIPEDA will apply to the collection, use or disclosure of personal information by organizations in the course of commercial activities
What applies in BC?*
Conclusion
Currently both PIPA and PIPEDA apply in BC, and Industry Canada has not identified any substantive issues to PIPA being declared substantially similar to PIPEDA (although the former federal privacy commissioner has). In practical terms, an organization in compliance with PIPA with respect to the collection, use and disclosure of personal information in the course of commercial activities will generally be in compliance with PIPEDA.
Which “organizations” are covered?
“Organization” - PIPA
“organization” is broadly defined to include
  - a person, unincorporated association, trade union, trust and not for profit organization
but does not include
  - an individual acting in a personal or domestic capacity or acting as an employee, a public body, the Courts or the Nisga’a Government
“Organization” - PIPEDA
“organization” is similarly broadly defined to include
  - an association, a partnership, a person and a trade union
Which activities are covered?
Activities - PIPA
PIPA applies to every organization in respect of personal information it collects, uses or discloses, except
  - if the collection, use or disclosure of personal information is
    - solely for personal or domestic purposes,
    - solely for journalistic, artistic or literary purposes, or
    - covered by PIPEDA
  - personal information to which FOIPPA applies
  - personal information in a court document
  - the collection of personal information collected before PIPA came into force
Which activities are covered?
Activities - PIPEDA
PIPEDA applies to every organization in respect of personal information it collects, uses or discloses in the course of commercial activities, or about an employee in connection with the operation of a federal work, undertaking or business, except
  - if the collection, use or disclosure of personal information is
    - solely for personal or domestic purposes, or
    - solely for journalistic, artistic or literary purposes
  - a government institution to which the Privacy Act applies
Which “organizations” and activities are covered?
Conclusion
The scope of application of PIPA is generally clearer and broader than PIPEDA with respect to organizations and activities covered (for-profit and not-for-profit).
What is “personal information”?
“Personal Information” - PIPA
“personal information” means information about an identifiable individual and includes
  - “employee personal information” - personal information about an individual collected, used or disclosed solely for purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual
What is “personal information”?
“Personal Information” - PIPA, cont’d
but does not include
  - “contact information” - information to enable an individual at a place of business to be contacted, including the name, position name or title, business telephone number, business address, business e-mail or business fax number of the individual, or
  - “work product information” - information prepared or collected by an individual as a part of the individual’s responsibilities or activities related to the individual’s employment or business, but does not include personal information about an individual who did not prepare or collect the personal information
What is “personal information”?
“Personal Information” - PIPEDA
“personal information” means information about an identifiable individual but does not include the name, title or business address or telephone number of an employee of an organization
What is “personal information”?
Conclusion
PIPA and PIPEDA share a similar definition of personal information, but PIPA specifically distinguishes employee personal information as a subset of personal information to which a special set of rules applies.
What general obligations* are imposed on organizations?
Reasonable Person Test - PIPA / PIPEDA
An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances
Accountability - PIPA / PIPEDA
An organization is responsible for personal information under its control, whether or not in its custody
* universal privacy principles found in most legislation
What general obligations are imposed on organizations?
Accountability - PIPA / PIPEDA
An organization must
  - designate one or more individuals to be responsible for ensuring that the organization complies with PIPA,
  - develop and follow policies and practices that are necessary for the organization to comply with PIPA and develop a process to respond to complaints that may arise pursuant to PIPA, and
  - make available
    - to the public, the position name or title and contact information for each designated individual referred to above,
    - upon request, information about the policies, practices and complaint process referred to above
When is consent required?
Consent Required - PIPA
An organization must not collect, use or disclose personal information about an individual unless
  - the individual gives consent to the collection, use or disclosure,
  - PIPA authorizes the collection, use or disclosure without consent, or
  - PIPA deems the individual to have given consent to the collection, use or disclosure
When is consent required?
Consent Required - PIPEDA
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate
When is consent not required?
Consent Not Required - PIPA / PIPEDA
Where the collection, use or disclosure of personal information
  - is clearly in the interests of the individual and consent cannot be obtained in a timely way,
  - with the consent of the individual would compromise the availability or accuracy of the personal information, and the collection is reasonable for an investigation or proceeding,
  - is necessary for medical treatment,
  - is necessary to facilitate the collection or payment of a debt, or
  - is required or authorized by law,
or where the information is publicly available from a prescribed source
How can consent be obtained?
Express Consent - PIPA / PIPEDA
May be given verbally or in writing
Implied Consent - PIPA
Consent is implied
  - if at the time the consent is deemed to be given the purpose would be obvious to a reasonable person and the personal information is voluntarily provided for that purpose
  - in the case of less sensitive information, if an organization notifies the individual of its intent to collect, use or disclose personal information, gives the individual a reasonable opportunity to decline and the individual does not decline (opt-out)
How can consent be obtained?
Implied Consent - PIPEDA
In obtaining consent,
  - the reasonable expectations of the individual are relevant
  - implied consent would generally be appropriate when the information is less sensitive
  - opt-out forms may be used
Withdrawal of Consent - PIPA / PIPEDA
An individual may withdraw consent at any time subject to legal or contractual obligations and reasonable notice
What about personal information of employees?
Employee Personal Information - PIPA
With respect to employment relationships, PIPA replaces the consent requirement with a notice requirement
  - an organization may collect “employee personal information” about an individual for purposes of establishing, managing or terminating an employment relationship with that individual
  - consent is not required if the organization notifies the individual in advance of the collection, use or disclosure and the purposes for it
  - exceptions to consent apply equally to the notice requirement
What about personal information of employees?
Employee Personal Information - PIPEDA
PIPEDA only applies to personal information of employees of federal works, undertakings and businesses, and does not make a distinction in the case of such personal information
How must organizations care for personal information?
Accuracy
• an organization must make reasonable efforts to ensure that personal information collected by it is accurate, complete and up-to-date...
  - PIPA - if the personal information is likely
    - to be used by the organization to make a decision affecting the individual, or
    - to be disclosed by the organization to another organization
  - PIPEDA - as is necessary for the purposes for which it is to be used
How must organizations care for personal information?
Protection - PIPA / PIPEDA
• an organization must protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks
  - includes non-disclosure agreements with employees with access to the personal information
  - PIPEDA - the nature of the security arrangements will depend on the sensitivity of the information and should include:
    - physical measures - locked filing cabinets, restricted access to offices,
    - organizational measures - security clearances and limiting access on a “need-to-know” basis, and
    - technological measures - use of passwords and encryption
How must organizations care for personal information?
Retention
• if an organization uses an individual’s personal information to make a decision that directly affects the individual, the organization must retain that information...
  - PIPA - for at least one year after using it
  - PIPEDA - long enough to allow the individual access to the information after the decision has been made
• an organization must destroy or make anonymous documents containing personal information as soon as...
  - PIPA - the purpose for which it was collected is no longer being served and retention is no longer necessary for legal or business purposes
  - PIPEDA - it is no longer required to fulfil the identified purposes
What about rights of individuals?
Access to Personal Information - PIPA / PIPEDA
Subject to certain exceptions, on the request of an individual, an organization must provide the individual with
  - the individual’s personal information under the control of the organization,
  - information about the ways in which such personal information has been and is being used by the organization, and
  - the names of the parties to whom such personal information has been disclosed by the organization
PIPEDA encourages disclosure of the source of such personal information as well, but PIPA only requires this in the case of credit reporting agencies
What about rights of individuals?
Access to Personal Information
The organization must respond to an access request within 30 days after receipt of the request (unless the time period is extended in accordance with the applicable act)...
  - PIPA - and may charge a minimal fee for access, except for access to employee personal information
  - PIPEDA - at minimal or no cost to the individual
What about rights of individuals?
Exceptions to Access - PIPA / PIPEDA
No obligation to grant access to personal information
  - that is protected by solicitor-client privilege,
  - where disclosure would reveal confidential commercial information,
  - that was collected without consent for an investigation or proceeding,
  - that was collected or created in the conduct of a mediation or arbitration,
  - where disclosure could threaten the safety or physical or mental health of an individual,
  - where disclosure would reveal personal information about another individual,
  - where disclosure would reveal the identity of individuals who provided the personal information and do not consent to disclosure of their identity (PIPA), or
  - that is prohibitively costly to provide (PIPEDA)
What about rights of individuals?
Correction of Personal Information - PIPA / PIPEDA
Individuals may request an organization to correct an error or omission in their personal information under the control of the organization, which must either
  - correct the personal information and send the corrected personal information to each organization to which the personal information was disclosed by the organization during the previous year, or
  - annotate the personal information with the correction that was requested but not made
What other differences are there between the acts?
Scope of “Investigation”
“Investigation” means investigations related to a breach of an agreement or a contravention of the laws of Canada or a province
  - PIPA - also includes investigations related to conduct that may result in a remedy or relief being available under an enactment, under common law or in equity, the prevention of fraud, or trading in a security
What other differences are there between the acts?
Grandfathering
PIPA does not apply to the collection of personal information collected before January 1, 2004, but PIPA does apply with respect to the use, retention, security and disclosure of, and access to, such information
  - means organizations do not need to re-collect personal information already held
Sale of Organization or Business Assets
PIPA contains special provisions allowing for collection, use and disclosure, without consent, of personal information of its employees, customers, directors, officers or shareholders for purposes solely related to the proposed business transaction
What is the role of the privacy commissioner?
• The federal and provincial privacy commissioners have similar responsibilities under their respective acts, however,
  - PIPA - the privacy commissioner has order making power
  - PIPEDA - the privacy commissioner can only make recommendations
• An organization or person that commits an offence under...
  - PIPA - is liable to a fine of up to $10K (individuals) or $100K (other than individuals), and may be liable for actual harm suffered by an affected individual
  - PIPEDA - is liable to a fine of up to $10K (summary conviction) or $100K (indictable offence)
What is the role of the privacy commissioner?
• PIPA - emphasis will be placed on mediation; individuals may be required to resolve disputes directly with the organization before the privacy commissioner begins or continues a review or investigation
• PIPEDA - new privacy commissioner…???
What other resources are available?
Privacy Commissioner of Canada
www.privcom.gc.ca
Office of the Information & Privacy Commissioner for British Columbia
www.oipcbc.org/
BC Ministry of Management Services, Corporate Privacy & Information Access Branch
www.mser.gov.bc.ca/foi_pop
What other resources are available?
Lang Michener Privacy Law Practice Group
www.langmichener.com
Christopher Lee, (604) 893-2343, [email protected]
N. David McInnes, (604) 691-7441, [email protected]
Karam Bayrakal, (604) 691-7434, [email protected]
James Bond, (604) 691-7437, [email protected]