PRIVATE SECTOR PRIVACY LEGISLATION The New Private Sector Privacy Regime Presented by Christopher...
-
Upload
joshua-owen -
Category
Documents
-
view
217 -
download
0
Transcript of PRIVATE SECTOR PRIVACY LEGISLATION The New Private Sector Privacy Regime Presented by Christopher...
PRIVATE PRIVATE SECTOR SECTOR PRIVACY PRIVACY LEGISLATIONLEGISLATION
The New Private The New Private Sector Privacy Sector Privacy RegimeRegime
Presented byChristopher Lee
What is Private Sector What is Private Sector Privacy Legislation?Privacy Legislation?
• Rules governing the private sector with respect to the collection, use, retention, security and disclosure of, and access to, personal information
• Intended to strike a balance between the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances
• Two key concepts underlying privacy legislation
reasonable person test - “an organization must consider what a reasonable person would consider appropriate in the circumstances”
consent (express, implied, no consent)
Where are we as ofWhere are we as ofJanuary 1, 2004?January 1, 2004?
Privacy Legislation in Canada
• Canada
Personal Information Protection and Electronic Documents Act (“PIPEDA”) and related regulations
• British Columbia
Personal Information Protection Act (“PIPA”) Personal Information Protection Act Regulations
• Alberta
Personal Information Protection Act Personal Information Protection Act Regulation
Where are we as ofWhere are we as ofJanuary 1, 2004?January 1, 2004?
Privacy Legislation in Canada, Cont’d
• Québec
Act Respecting the Protection of Personal Information in the Private Sector (declared substantially similar)
• Ontario
The Provincial Privacy Commissioner is currently recommending the adoption of BC/Alberta model
• Other Provinces and Territories
“wait and see”; in the meantime PIPEDA applies
How did we get here?How did we get here?
• On January 1, 2001 PIPEDA extended privacy legislation to the federally regulated private sector – i.e. federal works, undertakings and businesses
• PIPEDA was a response to the European Union’s personal data protection directive (preventing transfers of personal data between EU members and jurisdictions without “adequate” privacy protections - PIPEDA declared adequate in December, 2001), e-commerce and public opinion in Canada
NEWS RELEASE
PRIVACY COMMISSIONER WELCOMES A NEW ERA IN PRIVACY PROTECTION
OTTAWA, April 17, 2000—A major improvement in the laws protecting Canadians' privacy rights results from the passage of the Personal Information Protection and Electronic Documents Act, says Bruce Phillips, Privacy Commissioner of Canada. The Act – which received Royal Assent April 13 and comes into force on January 1, 2001 – establishes for the first time a comprehensive national set of rules which govern the collection, use and disclosure of personal information in the commercial world."
"The right to privacy is one of the essential underpinnings of human dignity and autonomy in our democratic society," said Bruce Phillips, the Privacy Commissioner of Canada since 1991. "I am delighted that Parliament has endorsed as a fundamental civil right our ability to control what others can learn about us. At the same time, the Act also respects legitimate business needs to gather and use personal information and will protect Canada's international markets by bringing our privacy standards into line with those of our European trading partners."
Why separate legislation?Why separate legislation?
• PIPEDA, §26(2)(b), specifically contemplates separate provincial legislation
• PIPEDA is widely considered to be unnecessarily complex and poorly drafted legislation; PIPA is promoted as plain language legislation particularly suited for SMEs
• Other perceived shortcomings in PIPEDA, e.g. no grandfathering, limited exceptions to consent
Why separate legislation? Why separate legislation? Cont’dCont’d
• Constitutional legislative powers issue - federal trade and commerce power vs. provincial property and civil rights power
PIPEDA limited to commercial activities
PIPEDA does not cover personal information of employees of provincially regulated organizations
Québec has initiated a constitutional challenge to PIPEDA
How was PIPA developed?How was PIPA developed?
• Working group established in February 2001 comprised of BC, and Alta
• Discussion paper developed by BC and Alta
• Detailed and extensive consultation process - stakeholders emphasized two key requirements:
plain language statute
harmonization across jurisdictions
• Common drafter - BC and Alta acts developed from the same initial draft and are approximately 90% identical
What applies in BC?*What applies in BC?*
• PIPEDA - in respect of the collection, use or disclosure of personal information (including employee personal information in the case of a federal work, undertaking or business) by organizations in the course of commercial activities
• PIPA - in respect of the collection, use or disclosure of personal information (including employee personal information) by organizations occurring within BC to the extent PIPEDA does not apply (i.e. non-commercial activities; provincially regulated employees)
* Assuming PIPEDA is constitutionally valid and PIPA is not declared substantially similar. If PIPA is declared substantially similar then PIPA rather than PIPEDA will apply to the collection, use or disclosure of personal information by organizations in the course of commercial activities
What applies in BC?*What applies in BC?*
Conclusion
Currently both PIPA and PIPEDA apply in BC and Industry Canada has not identified any substantive issues to PIPA being declared substantially similar to PIPEDA (although the former federal privacy commissioner has). In practical terms, an organization in compliance with PIPA with respect to the collection, use and disclosure of personal information in the course of commercial activities will generally be in compliance with PIPEDA.
Which “organizations” are Which “organizations” are covered?covered?
“Organization” - PIPA
“organization” is broadly defined to include
a person, unincorporated association, trade union, trust and not for profit organization
but does not include an individual acting in a personal or domestic capacity or acting as
an employee, a public body, the Courts or the Nisga’a Government
“Organization” - PIPEDA
“organization” is similarly broadly defined to include an association, a partnership, a person and a trade union
Which activities are covered?Which activities are covered?
Activities - PIPA
PIPA applies to every organization in respect of personal information it collects, uses or discloses, except
if the collection, use or disclosure of personal information is solely for personal or domestic purposes, solely for journalistic, artistic or literary purposes covered by PIPEDA
personal information to which FOIPPA applies
personal information in a court document
the collection of personal information collected before PIPA came into force
Which activities are covered?Which activities are covered?
Activities - PIPEDA
PIPEDA applies to every organization in respect of personal information it collects, uses or discloses in the course of commercial activities, or about an employee in connection with the operation of a federal work, undertaking or business, except
if the collection, use or disclosure of personal information is solely for personal or domestic purposes, solely for journalistic, artistic or literary purposes
a government institution to which the Privacy Act applies
Which “organizations” and Which “organizations” and activities are covered?activities are covered?
Conclusion
The scope of application of PIPA is generally clearer and broader than PIPEDA with respect to organizations and activities covered (for-profit and not-for-profit).
What is “personal What is “personal information”?information”?
“Personal Information” - PIPA
“personal information” means information about an identifiable individual and includes
“employee personal information” - personal information about an individual collected, used or disclosed solely for purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual
What is “personal What is “personal information”?information”?
“Personal Information” - PIPA, cont’d
but does not include
“contact information” - information to enable an individual at a place of business to be contacted, including the name, position name or title, business telephone number, business address, business e-mail or business fax number of the individual, or
”work product information” - information prepared or collected by an individual as a part of the individual’s responsibilities or activities related to the individual’s employment or business but does not include personal information about an individual who did not prepare or collect the personal information
What is “personal What is “personal information”?information”?
“Personal Information” - PIPEDA
“personal information” means information about an identifiable individual but does not include the name, title or business address or telephone number of an employee of an organization
What is “personal What is “personal information”?information”?
Conclusion
PIPA and PIPEDA share a similar definition of personal information, but PIPA specifically distinguishes employee personal information as a subset of personal information to which a special set of rules apply.
What general obligations* are What general obligations* are imposed on organizations?imposed on organizations?
Reasonable Person Test - PIPA / PIPEDA
An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances
Accountability - PIPA / PIPEDA
An organization is responsible for personal information under its control, whether or not in its custody
* universal privacy principles found in most legislation
What general obligations are What general obligations are imposed on organizations?imposed on organizations?
Accountability - PIPA / PIPEDAAn organization must
designate one or more individuals to be responsible for ensuring that the organization complies with PIPA,
develop and follow policies and practices that are necessary for the organization to comply with PIPA and develop a process to respond to complaints that may arise pursuant to PIPA, and
make available
to the public the position name or title and contact information for each designated individual referred to above,
upon request, information about the policies, practices and complaint process referred to above
When is consent required?When is consent required?
Consent Required - PIPA
An organization must not collect, use or disclose personal information about an individual unless
the individual gives consent to the collection, use or disclosure,
PIPA authorizes the collection, use or disclosure without consent, or
PIPA deems the individual to have given consent to the collection, use or disclosure
When is consent required?When is consent required?
Consent Required - PIPEDA
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate
When is consent not When is consent not required?required?
Consent Not Required - PIPA / PIPEDAWhere the collection, use or disclosure
is clearly in the interests of the individual and consent cannot be obtained in a timely way
with the consent of the individual would compromise the availability or accuracy of the personal information and the collection is reasonable for an investigation or proceeding
is necessary for medical treatment, is necessary to facilitate the collection or payment of a debt, or is required or authorized by law the information is publicly available from a prescribed source
How can consent be How can consent be obtained?obtained?
Express Consent - PIPA / PIPEDA
May be given verbally or in writing
Implied Consent - PIPA
Consent is implied
if at the time the consent is deemed to be given the purpose would be obvious to a reasonable person and the personal information is voluntarily provided for that purpose
in the case of less sensitive information, if an organization notifies the individual of its intent to collect, use or disclose personal information, gives the individual a reasonable opportunity to decline and the individual does not decline (opt-out)
How can consent be How can consent be obtained?obtained?
Implied Consent - PIPEDA
In obtaining consent,
the reasonable expectations of the individual are relevant
implied consent would generally be appropriate when the information is less sensitive
opt-out forms may be used
Withdrawal of Consent - PIPA / PIPEDA
An individual may withdraw consent at any time subject to legal or contractual obligations and reasonable notice
What about personal What about personal information of employees?information of employees?
Employee Personal Information - PIPAWith respect to employment relationships, PIPA replaces the consent requirement with a notice requirement
an organization may collect “employee personal information” about an individual for purposes of establishing, managing or terminating an employment relationship with that individual
consent is not required if the organization notifies the individual in advance of the collection, use, disclosure and the purposes for it
exceptions to consent apply equally to the notice requirement
What about personal What about personal information of employees?information of employees?
Employee Personal Information - PIPEDAPIPEDA only applies to personal information of employees of federal works, undertakings and businesses, and does not make a distinction in the case of such personal information
How must organizations care How must organizations care for personal information?for personal information?
Accuracy
• an organization must make reasonable efforts to ensure that personal information collected by it is accurate, complete and up-to-date...
PIPA - if the personal information is likely
to be used by the organization to make a decision affecting the individual, or
to be disclosed by the organization to another organization
PIPEDA - as is necessary for the purposes for which it is to be used
How must organizations care How must organizations care for personal information?for personal information?
Protection - PIPA / PIPEDA• an organization must protect personal information in its custody
or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks includes non-disclosure agreements with employees with access to
the personal information PIPEDA - the nature of the security arrangements will depend on
the sensitivity of the information and should include: physical measures - locked filing cabinets, restricted access to offices, organization measures - security clearances and limiting access on a
“need-to-know” basis, and technological measures - use of passwords and encryption
How must organizations care How must organizations care for personal information?for personal information?
Retention• if an organization uses an individual’s personal information to
make a decision that directly affects the individual, the organization must retain that information... PIPA - for at least one year after using it PIPEDA - long enough to allow the individual access to the
information after the decision has been made
• an organization must destroy or make anonymous documents containing personal information as soon as... PIPA - the purpose for which it was collected is no longer being
served and retention is no longer necessary for legal or business purposes
PIPEDA - it is no longer required to fulfil the identified purposes
What about rights of What about rights of individuals?individuals?
Access to Personal Information - PIPA / PIPEDA
Subject to certain exceptions, on the request of an individual, an organization must provide the individual with
the individual’s personal information under the control of the organization,
information about the ways in which such personal information has been and is being used by the organization, and
the names of the parties to whom such personal information has been disclosed by the organization
PIPEDA encourages disclosure of the source of such personal information as well, but PIPA only requires this in the case of credit reporting agencies
What about rights of What about rights of individuals?individuals?
Access to Personal Information
The organization must respond to an access request within 30 days after receipt of the request (unless the time period is extended in accordance with the applicable act)...
PIPA - and may charge a minimal fee for access except for access to employee personal information
PIPEDA - at minimal or no cost to the individual
What about rights of What about rights of individuals?individuals?
Exceptions to Access - PIPA / PIPEDANo obligation to grant access to personal information
protected by solicitor-client privilege, if disclosure would reveal confidential commercial information, collected without consent for an investigation or proceeding, collected or created in the conduct of a mediation or arbitration could threaten the safety or physical or mental health of an
individual, would reveal personal information about another individual, would reveal the identity of individuals who provided the personal
information and do not consent to disclosure of their identity (PIPA) that is prohibitively costly to provide (PIPEDA)
What about rights of What about rights of individuals?individuals?
Correction of Personal Information - PIPA / PIPEDAIndividuals may request an organization to correct an error or omission in their personal information under the control of the organization, which must either
correct the personal information and send the corrected personal information to each organization to which the personal information was disclosed by the organization during the previous year, or
annotate the personal information with the correction that was requested but not made
What other differences are What other differences are there between the acts?there between the acts?
Scope of “Investigation”
“Investigation” means investigations related to breach of an agreement or contravention of the laws of Canada or a province
PIPA - also includes investigations related to conduct that may result in a remedy or relief under an enactment under common law or in equity, the prevention of fraud or trading in a security
What other differences are What other differences are there between the acts?there between the acts?
Grandfathering
PIPA does not apply to the collection of personal information collected before January 1, 2004, but PIPA does apply with respect to the use, retention, security and disclosure of, and access to, such information
means organizations do not need to re-collect personal information already held
Sale of Organization or Business Assets
PIPA contains special provisions allowing for collection, use and disclosure, without consent, of personal information of its employees, customers, directors, officers or shareholders for purposes solely related to the proposed business transaction
What is the role of the What is the role of the privacy commissioner?privacy commissioner?
• The federal and provincial privacy commissioners have similar responsibilities under their respective acts, however,
PIPA - the privacy commissioner has order making power
PIPEDA - the privacy commissioner can only make recommendations
• An organization or person that commits an offence under...
PIPA - is liable to fine of up to $10K (individuals) or $100K (other than individuals), and may be liable for actual harm suffered by an affected individual
PIPEDA - is liable to fine of up to $10K (summary conviction) or $100K (indictable offence),
What is the role of the What is the role of the privacy commissioner?privacy commissioner?
• PIPA - emphasis will be placed on mediation; individuals may be required to resolve disputes directly with the organization before the privacy commissioner begins or continues a review or investigation
• PIPEDA - new privacy commissioner…???
What other resources are What other resources are available?available?
Privacy Commissioner of Canadawww.privcom.gc.ca
Office of the Information & Privacy Commissionerfor British Columbia
www.oipcbc.org/
BC Ministry of Management Services,Corporate Privacy & Information Access Branch
www.mser.gov.bc.ca/foi_pop
What other resources are What other resources are available?available?
Lang Michener Privacy Law Practice Group
www.langmichener.com
Christopher Lee
(604) 893-2343
N. David McInnes Karam Bayrakal James Bond
(604) 691-7441 (604) 691-7434 (604) 691-7437