Operational Strategies for compliance with the new privacy


Operational Strategies
for compliance with the
new privacy legislation
Excerpted from a Powerpoint presentation by
Murray Long, Murray Long & Associates Inc. and
Richard Shields, McCarthy Tétrault, Ottawa
Federal Legislation
PIPEDA –
• Personal Information Protection and Electronic Documents Act.
• Ground rules for how organizations may collect personal information in the course of conducting commercial activities.
• Compliance – January 1, 2004
Overview of Provincial
Legislation
• B.C. – May 1, 2003: 2nd reading of the Personal Information Act. By Jan. 2004 the federal government must decide whether the provincial legislation is substantially similar, so as to preclude PIPEDA. Applies to the private and not-for-profit sectors.
• Alberta – Enacted health information and protection law. Personal Information Protection Act – May 2003. Will apply to the private sector in Alberta, with limited application to the not-for-profit sector.
• Both provinces have acts that cover information on the consumer and the employee.
Provincial Legislation
• Saskatchewan – Province has enacted, but not yet enforced, a health protection law that applies to the private and public sectors; it was amended in 2003 to include privacy legislation.
• The province has also enacted provincial privacy legislation separate from the above.
• Manitoba – Province has enacted a health protection law covering the public and private sectors, now enforced. No move has been made to introduce privacy legislation for the private or not-for-profit sector.
What is Considered
Personal Information
An individual’s…
• Race
• Nationality
• Age
• Gender
• Marital Status
• Biometrics – fingerprints, blood type, genetic characteristics
What is Considered
Personal Information
• Personal health care history
• Financial history
• Educational history
• Criminal history
• Anyone’s opinion about the individual, e.g. reference checks
• The individual’s personal views
Considered Private but –
in the Public Domain
• Name
• Address
• Telephone Number
• Business Address
• Business Telephone Number
(The public domain pertains to information available to the general public)
Publicly Available
Information
Five Categories:
1. Phone books (White Pages, CD-ROMs)
2. Professional Directories (members of the Bar)
3. Public databases (property tax rolls, licenses)
4. Court records (divorce, bankruptcy, lawsuits)
5. Information provided by an individual to a publication (want ads, interviews)
Limits of Reasonableness
(Slide diagram; its labels, in the order they appear on the slide: immediate sale obligations, future sales calls, building customer profiles, related marketing, mergers & acquisitions, disclosing data to third parties, building marketing database, sharing of data with affiliates, completely unrelated uses.)
Consent is always required!
The Privacy Rules
The law incorporates the CSA Model Code for the Protection of Personal Information.
The 10 Principles reflect international fair information practices.
They balance individual privacy rights with legitimate business interests.
Principle 1
Accountability
The person(s) responsible must be designated and identified.
These persons must ensure training, communications and procedures documentation.
Contracts and oversight of third-party data processing are required.
Principle 2
Identifying Purposes
Purposes must be identified before any personal information can be collected or used.
Purposes must be what a reasonable person would expect in the circumstances.
Principle 3
Consent
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information.
There are exceptions – such as bill collection, crime investigation, etc.
Consent must be obtained fairly – it can be withdrawn at any time.
Principle 4
Limiting Collection
Companies can only collect information specifically required for identified purposes.
Purposes should not be identified too broadly.
However, overly narrow purposes could require continuous new consents.
Principle 5
Limiting Use, Disclosure and Retention
New purposes require new consent.
Data cannot be kept beyond the end date of the last specified purpose.
A retention/disposal policy is required.
Principle 6
Accuracy
Information must be as accurate as necessary for the purposes.
Decisions must not be made based on inaccurate information.
Routine data updating without a purpose is not permitted.
Principle 7
Safeguards
Personal information must be protected appropriately.
Employees must be made aware of the importance of maintaining confidentiality of this information.
Care must be used in disposing of records to prevent unauthorized access.
Principle 8
Openness
Companies must communicate their privacy policies including:
• what data is collected,
• how it is used,
• who it is disclosed to,
• how to access it, and
• who to make inquiries or complaints to
Principle 9
Individual Access
People have a right to find out what information you have about them, to know how it is used or disclosed, to access it, and to have it amended as appropriate.
There are some allowable or required restrictions on access.
Principle 10
Challenging Compliance
People can challenge your compliance with any aspect of the CSA Code or the law.
Companies must respond to all inquiries and complaints.
Individuals can also go directly to the Privacy Commissioner.
The law has whistleblower protection.
Commissioner Powers
Investigatory powers include the right to enter premises and obtain records.
Powers of mediation and conciliation.
Power to conduct audits of business practices.
Power to publicize with impunity.
No order-making powers.
Reference Checks
Only with knowledge and consent.
Applies to both collecting and providing references.
Employee Monitoring
Employees must be informed.
The use must be reasonable under the circumstances.
Employees may have a right of access.
This applies to phone, e-mail, video, etc.
New Privacy Rights
(Fed. & Prov. Laws)
Knowledge and consent to collect, use or disclose employee personal information.
Right to access and amend files, with some limited exceptions.
Right to file a complaint with the Privacy Commissioner.
Investigations
Companies can collect personal information without knowledge or consent to investigate the breach of an agreement or the contravention of a law.
Biometrics
Information collection must be reasonable for the purposes.
Privacy Commissioners are concerned about drug testing, fingerprinting, and biometrics-based technologies such as retinal scans, DNA, etc.
Employee data not subject to the Act
Business card-type data – except for e-mail addresses
(Sample business card shown on the slide:)
Joe Blow
Sales Manager
Sagamow Products
333 Main Street
Sagamow Falls, ON
(519) 555-8983
Compliance
The key steps to developing and implementing a Privacy Policy
Choosing a Chief Privacy Officer (CPO)
It is a senior position with public visibility. The CPO needs authority to ensure the company is compliant.
The CPO oversees training, developing and documenting procedures, communications, and privacy policy on third-party contracts.
The CPO responds to inquiries and complaints and Privacy Commissioner investigations.
Forming a Privacy Team
Implementing a privacy policy requires a cooperative team effort.
Your privacy team should include customer service, marketing, information management, legal, human resources and security personnel.
It could take several months to develop and implement policies.
Start with an Audit
Review your current data collection and handling practices. Look at the following:
• Purposes for collecting, using or disclosing personal information.
• What data is currently collected and used and who it is disclosed to.
• How consent is obtained.
• How data is stored and safeguarded.
Develop a Privacy Code
The CSA Model Code is a good starting point – it’s also built into the law.
Review the 10 principles and how they apply to your circumstances.
You may need some legal advice on additional points in the new privacy law.
Avoid legal language. Keep it simple.
Have it reviewed by a third party.
Develop Procedures
Develop and document procedures to help ensure employees follow your code – the Privacy Commissioner can ask for your documentation.
You will need documented procedures for the following:
New purposes, obtaining consent, limiting uses, third-party processing, records retention and disposal, individual access, inquiries and complaints, and more.
These are legal obligations.
What’s left?
Employee communications and training
Providing information about your privacy policy
Dealing with inquiries and complaints
Regular review of how you’re doing
Communications and Training
Front-line Employees and HR Managers need to know how to recognize and expedite an access request or inquiry/complaint under the law.
Training is required on safeguards, retention periods, disposal, purpose limitations, etc. Use your operations procedures manual as a basis.
Public Information about your Privacy
Use the KISS principle. Avoid legalese and 20-page privacy agreements.
Key information includes purposes, disclosures, who to contact, and a summary statement of your Code.
On the Internet, include special issues such as cookie use, IP address tracking, etc. Provide privacy tools and guidance.
Dealing with inquiries and complaints
You have 30 days to respond to written access requests.
You must respond to all inquiries and complaints (within 30 days).
You must not destroy any information or hinder a Privacy Commissioner investigation.
Wrap-Up Points
Views of the Privacy Commissioner
Examples of Personal Information:
• Age, name, ID numbers, income, ethnic origin or blood type.
• Opinions, evaluations, comments, social status, or disciplinary actions.
• Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (to acquire goods or services, or change jobs).
Wrap-Up Points
More views of the PC
Examples of Information Purposes:
Opening an account, verifying creditworthiness, providing benefits to employees, processing a magazine subscription, sending out association membership information, guaranteeing a travel reservation, identifying customer preferences, establishing customer eligibility for special offers or discounts.
Contact Info
Janet Emmett
VP, Association Services
& Leadership Development
YMCA Canada
(416) 967-9622 ext. 209
[email protected]