A NEW GOVERNANCE PARADIGM: Canadian Privacy Law Developments March 11, 2004 Haliburton, Ontario Canada Volunteerism Initiative Arts Council for Haliburton County


A NEW GOVERNANCE PARADIGM: Canadian Privacy Law Developments

March 11, 2004, Haliburton, Ontario

Canada Volunteerism Initiative, Arts Council for Haliburton County

Presented by

Jeffrey H. McCully, B.A., LL.B.
PrivacyConsult

613-230-1070 - phone
613-230-2422 - [email protected]

Agenda

• Overview of private sector privacy legislation in Canada

• PIPEDA - Application of the law

• Definitions - what is “personal information”? “governance”?

• Why privacy protections?

• Privacy Principles - the heart of PIPEDA

• Role of Privacy Commissioner & Remedies

• Privacy Management / Governance

• Privacy Compliance - Third Party Relations, Employees, Professionals

Agenda (continued)

• Conclusion - Good Governance = Mitigation of Risk = Added Value

• Question & Answer Session

Overview of Legislation

• 2 federal privacy laws - Privacy Act (1983) & PIPEDA (2001)

• Privacy Act
– imposes obligations on federal departments
– gives Canadians protections re collection, use, disclosure, access
– covers tax records, military records, security clearances, etc.

Overview of Legislation (continued)

• PIPEDA
– in force in stages from 2001
– fully in force on January 1, 2004

• Provincial laws
– only Quebec (1994), BC, Alberta

PIPEDA: Application

• Jan 1, 2001 - Federal work, undertaking or business collecting, using, disclosing personal information in the course of commercial activities.
– Organizations that trade in information for consideration across a national border or provincial border.

• Jan 1, 2004 - All organizations collecting, using or disclosing personal information in the course of commercial activities (excluding those subject to “substantially similar” provincial privacy laws).

Definitions

• Commercial Activity - means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

• Governance - authoritative care/control over an organization; relates to accountability for the activities of an organization.

• Organization - association, partnership, person (corporation) and trade union.

Definitions (continued)

• Grandfathering (retroactivity) - refers to the treatment of information already in the organization’s possession pre-PIPEDA. Data already there is subject to the same rules.

• Personal Information - information that relates to an identifiable individual, but does NOT include the name, title and business address or telephone number of an employee of an organization.

• Privacy - the right of individuals to control the collection, use and disclosure of their own information.

Definitions (continued)

• Whistleblowing - section 27 of the PIPEDA protects persons who inform the Commissioner that a person or organization has or intends to contravene the Act. Such persons cannot be retaliated against.

Why Privacy Protection?

• To avoid cost of non-compliance
– legal violations and damages/costs flowing from them (unlimited punitive damages; costs of litigation; court fines of $10,000, $100,000)
– reputation, goodwill and brand image damage
– psychological, economic harm to clients
– consumer flight - loss of revenue
– public companies - will a violation or a delay in compliance result in a loss of share value?

PIPEDA’S 10 Principles

1. Accountability
2. Identifying purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure, Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging Compliance

Each principle may require organizational changes.

• The heart of the law. Based on Canadian Standards Association Model Code.

Role of Privacy Commissioner (PC)

• PC has substantial powers - that of a Superior Court
– investigate complaints
– summon and question under oath
– receive and consider evidence
– search business premises
– examine records found therein.

• PC may try to resolve complaints through mediation or conciliation.

• PC will issue a report, usually within 1 year.

Federal Court

• Persons may seek a hearing in Federal Court Trial Division if dissatisfied by the PC’s Report.

• Court may:
– order correction of practices
– order publication of actions taken
– award substantial damages.

• Obstruction or punishing whistleblowers - up to $100,000 fine.

Privacy Management / Governance

• Organizations must ask questions:
– Does PIPEDA apply? (collect personal information for commercial purposes)
– Do we have an individual responsible for compliance (CPO)?
– Have we conducted a privacy assessment? An audit periodically?
– Have we obtained appropriate consent?
– Have we identified use?
– Do we have a procedure for access to information?
– Have our front line staff and junior managers been educated?

Privacy Management / Governance (continued)

– Have we reviewed documentation for necessary consents, confidentiality agreements, indemnities, audits?

– Have we reviewed the information practices of third party data processors?

Privacy Compliance - Third Parties

• Liability can result if a business partner or a mere third party outsourcing arrangement violates PIPEDA.

• Commercial printers, payroll outsourcers, information technology companies (website designers) are a source of liability for you.

• An organization cannot avoid its privacy obligations by outsourcing.

• Set out adequate security measures:
– confidentiality agreements
– encryption technology

Privacy Compliance - Third Parties (continued)

– “Chinese walls” and other good practices
– proper consents
– indemnities
– privacy audit rights for you.

Privacy Compliance - Employees

• PIPEDA applies to employee information in federal works, undertakings and businesses only - NOT to provincially regulated businesses.

• Balance is required - what does an employer really need to know? (pay, benefits, records, health records, resumes).

• Question: What about psychological tests, keystroke monitoring, email?

Privacy Compliance - Employees (continued)

• Collect, use, disclose only with consent (#3).
• Disclose what information is collected, why, what is done with the information (#2, 4, 5).
• Collect only what is necessary for stated purpose (#4).
• Collect by fair/lawful means.
• Ensure that any consents given by employees are real, and not forced as a condition of employment.
• Keep information accurate and up to date (#6).
• Give employees access to it and allow them to challenge or correct it (#6, 9, 10).

Privacy Compliance - Professionals

• Lawyers, accountants, financial advisors will receive much information on third parties, collected by their clients:
– payroll information
– rent rolls
– life insurance information with respect to claims.

• In an assurance contract, the professional does not have direct access to third parties. The client has the link to the third party. The client should obtain the appropriate consents.

Privacy Compliance - Professionals (continued)

• Mere transfers of information for processing (e.g. preparation of tax returns) are non-assurance contracts. No further consent is necessary. Consent is implied when, for example, a CA is hired to prepare a tax return. Third parties are not involved.

Wording in Assurance Contract

• “It is acknowledged that we will have access to all personal information in your custody that we require to complete our engagement. Our services are provided on the basis that:
– you represent to us that you have obtained the required consents for the collection and use of personal information under PIPEDA; and
– we will hold all personal information in compliance with our Privacy Policy.”

Conclusion

• Good privacy practice is good information management.

• Good information management gives a competitive advantage.

• Governance is enhanced when an organization’s “directing mind” identifies potential business risks and implements systems to mitigate those risks.

• Privacy is now key to good governance.

Good Governance = Mitigation of Risk = Added Value