Part 6 – Special Legal Rights and Relationships Chapter 35 – Privacy Law Prepared by Michael Bozzo, Mohawk College © 2015 McGraw-Hill Ryerson Limited 34-1


Overview

Privacy Legislation

Application of the Act and Personal Information

Managing Privacy and Personal Information

Anti-Spam Legislation

Canada’s Anti-Spam Legislation


Privacy Legislation

Federal law – Personal Information Protection and Electronic Documents Act (PIPEDA) requires business and personal accountability for the use and collection of personal information – In contract and otherwise

PIPEDA applies in the absence of equivalent provincial legislation

Privacy legislation of B.C., Alberta, and Quebec meet PIPEDA standards


Application of the Act and Personal Information

Act covers all personal information collected, used and retained by an organization in commercial activity

Businesses held accountable if they use or disclose personal information for purposes other than those for which consent was given

Personal information includes, but is not limited to: name, date of birth, medical facts, ethnicity, personal description, employee records, earnings, credit and loan files, survey responses, beliefs, opinions or intentions


PIPEDA COMPLIANCE REQUIREMENTS

1. Accountability – Someone must have delegated personal responsibility at each business.

2. Identifying Purposes – Reason for collection shall be documented before collection and use of info.

3. Consent – Use of Personal Info. (P.I.) requires consent of individuals concerned.

4. Limited to Necessary Info. – Fair and lawful.

5. Limited Use, Disclosure and Retention

6. Accuracy – Accurate, complete and up-to-date.

7. Safeguards Required – Appropriate to sensitivity.


PIPEDA COMPLIANCE REQUIREMENTS cont’d

8. Openness – about P.I. policies and practices.

9. Individual Access – Individuals may request disclosure of their P.I. and may challenge its accuracy and completeness; having it amended where appropriate.

10. Challenging Compliance – May challenge parties responsible under the legislation where there is non-compliance with the requirements of the Act.


Privacy Commissioner

Privacy commissioner oversees private sector compliance with PIPEDA, and compliance by the federal government with the Privacy Act

Investigate complaints, conduct audits and pursue action under two federal laws

Publicly report on personal information handling practices

Support, undertake and publish research into privacy issues

Promote public awareness and understanding of privacy issues


Managing Privacy and Personal Information

Chief Privacy Officer’s (CPO) role to ensure compliance with legislation

Safeguard client’s personal information

Physical safeguards such as locks, containers and access control

Organizational safeguards such as restricting access to employees with a true “need to know”

Technological safeguards such as security features, password protection, and data encryption


Digital Privacy Act

2014 amendment to PIPEDA

Obligation to notify the Commissioner where a material breach of security has occurred around personal information holdings

Individuals concerned must be notified where the breach of security creates a real risk of significant harm

Harm not limited to bodily harm, but includes humiliation, damage to credit records, reputation and relationships, financial loss and identity theft


Intrusion Upon Seclusion

Tort of physical or non-physical intrusion into a person’s private places and/or affairs, by way of listening or looking with or without mechanical aids

Separate from a violation of the legislation under PIPEDA

Factors assessed by court in determining liability:

○ the reckless or intentional conduct of the defendant

○ the unlawful invasion of the plaintiff’s privacy

○ the harm caused as a reasonable consequence of the conduct


Anti-Spam Legislation

July 1, 2014 Canada’s Anti-Spam Legislation (CASL) came into force

Intent is to control electronic spam messages

Spam is considered to be an annoyance, a vehicle to introduce viruses or malware to computer systems, or a means to steal a person’s identity or money from bank accounts

CASL regulates the sending of Commercial Electronic Messages (CEMs)


Commercial Electronic Messages (CEMs)

Any electronic message that has as its purpose encouraging participation in a commercial activity

Includes emails or messages sent to social media accounts and texts to mobile devices

CASL prohibits address harvesting and unauthorized collection of personal information from a computer system


Commercial Electronic Messages (CEMs)

CASL requires the sender to receive express consent from the recipient to receive the CEM

CEM must contain contact information of sender, including its address and telephone contacts, as well as website and electronic information

CEMs must set out a straightforward mechanism for unsubscribing from receiving future CEMs


SUMMARY

Privacy Legislation

Responsibility of businesses to be accountable for personal information they collect, hold, and use in the course of commercial activity

Concept of privacy based on consent of individual, minimal use, and commitment to safeguard information

CASL

Rigorous new rules in place for sending electronic messages that have a commercial purpose

Express consent required, identify sender’s information, allow recipient to unsubscribe
