On the Cutting Edge – Update on Privacy Legislation
Presented to the CPBI 2007 National Conference
Brian Bowman, PITBLADO LLP
June 15, 2007
© June 2007, PITBLADO LLP. May be reproduced with credit to Brian Bowman and PITBLADO LLP.
“Houston, we have a problem.”
“You have zero privacy anyway – get over it.”
Scott McNealy, CEO of Sun Microsystems, 1999

“It’s going to get scarier if we don’t come up with technology and rules to protect appropriately, privacy and secure [sic] the data, and the most important asset we have is obviously the data of our people – our customers and employees and partners.”
Scott McNealy, CEO of Sun Microsystems, 2006
Why should I care about privacy?
Good privacy is good business
What are we going to discuss?
LEGAL MINEFIELDS
SALE OF BUSINESS
INVESTIGATIONS
MANAGING RECORDS
ACCESS TO INFORMATION REQUESTS
OUTSOURCING
LEGAL MINEFIELDS
Relevant Laws
PIPEDA
Provincial Privacy Laws (British Columbia, Alberta and Quebec)
Provincial Privacy Acts (e.g. Manitoba)
Others?

LEGAL MINEFIELDS
PIPEDA’s 10 Privacy Principles
Accountability
Identifying purposes
Consent
Limiting collection
Limiting use, disclosure and retention
Accuracy
Safeguards
Openness
Individual Access
Challenging Compliance

LEGAL MINEFIELDS
Privacy Commissioner of Canada Findings
PIPEDA Finding #364: Employer agrees to revise language of consent form regarding exchanges of health information
PIPEDA Finding #358: Individual objects to insurance company’s consent requirements

LEGAL MINEFIELDS
PIPEDA Finding #293: Commissioner considers access, correction and inappropriate disclosure allegations against insurance company
PIPEDA Settled Case: Even a public record should be protected

LEGAL MINEFIELDS
Other Legal Minefields
Dealing with sale of business or practice
Carrying out investigations
Effectively managing your records
Responding to access to information requests
Reconciling outsourcing matters and privacy law requirements
SALE OF BUSINESS
Introduction
Personal information is a valuable asset.
PIPEDA lacks express provisions to allow organizations to disclose personal information to prospective purchasers or business partners without consent.
A Parliamentary Committee has recommended that PIPEDA be amended to include provisions permitting organizations to collect, use and disclose personal information without consent for purposes of business transactions.

SALE OF BUSINESS
PIPEDA requires knowledge and consent of individuals for any disclosure of personal information, subject to specific exemptions.
Organizations must make a reasonable effort to ensure individuals are advised of the purposes for which information will be used.
There is current legal uncertainty as to whether, and in what form, notification and consent are required for certain business transactions.

SALE OF BUSINESS
Recommendations
Limit personal information transfers.
Consider restructuring the transaction (e.g. share sale vs. asset sale).
Consider obtaining opt-in consent.
Consider relying on prior consent.
Consider providing opt-out consent.

SALE OF BUSINESS
In certain limited circumstances, you may be able to rely on the “transfer for processing” provision.
Consider adopting an approach similar to the “business transaction” exemptions in Alberta’s and BC’s PIPAs:
Enter privacy agreements for due diligence investigations.
For closings, consider an agreement under which the use and disclosure of personal information is permitted only for certain purposes.
If the transaction is not completed, personal information must either be destroyed or returned to the transferor.

SALE OF BUSINESS
Immediate Recommendations
Review and possibly amend your privacy policy.
Review and possibly amend consent language.
Inventory personal information holdings.
Advise decision makers that purchase and sale agreements must consider privacy implications.
INVESTIGATIONS
Basic Principle
Except as permitted, personal information cannot be collected, used or disclosed without the prior knowledge and consent of the individual, and then only for purposes that a reasonable person would consider appropriate in the circumstances.

INVESTIGATIONS
Under the Consent Principle (Principle 3), the knowledge and consent of an individual with respect to the collection, use and disclosure of personal information is required, except where inappropriate. One of the circumstances described as inappropriate relates to investigations.

INVESTIGATIONS
PIPEDA provides that organizations may conduct certain investigations without consent.
Disclosure to “third parties” without consent requires an agency relationship or “investigative body” designation.
Disclosures to third party organizations without consent must be a last resort.
Privacy agreements, privacy agreements, privacy agreements!

INVESTIGATIONS
Consent obligation waived for “investigative bodies”.
47 investigative bodies are identified in the regulation.
MANAGING RECORDS
Introduction
PIPEDA requires that “personal information shall be retained only as long as necessary for the fulfillment of those purposes”.

MANAGING RECORDS
PIPEDA further requires that “organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. An organization may be subject to legislative requirements with respect to retention periods.”

MANAGING RECORDS
PIPEDA further requires that “personal information that is no longer required to fulfill the identified purposes should be destroyed, erased or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.”

MANAGING RECORDS
Recommendations
Consider retention and destruction a business issue.
Limit personal information holdings to reduce administrative costs.
Exercise care in destruction practices to mitigate complaints and negative headlines.

MANAGING RECORDS
Consider both electronic and paper records in relation to retention and destruction policies.
Review and/or draft retention and destruction policies and procedures in accordance with PIPEDA and other legal and/or regulatory requirements.
ACCESS TO INFORMATION REQUESTS
Introduction
New access to information obligations in the private sector (similar to the government body access to information obligations already in force).

ACCESS TO INFORMATION REQUESTS
Typical requirements:
Access requests should be in writing.
Organizations should help individuals requiring assistance.
Organizations must respond no later than 30 days after receipt of the request.
Exemptions exist that extend the time limit.

ACCESS TO INFORMATION REQUESTS
Failing to respond is deemed a refusal.
Organizations may respond at a cost to the individual.
Organizations must retain information to allow individual access.
There are numerous and detailed exceptions to the right of access.

ACCESS TO INFORMATION REQUESTS
Key Issues
Respond accordingly
Third-party data?
Report access request to privacy officer
Document access request
Request identification

ACCESS TO INFORMATION REQUESTS
Ensure sufficient identification
Document identification
Calculate fees for access (if applicable)
Inform individual of cost (if applicable)

ACCESS TO INFORMATION REQUESTS
Propose alternatives to access if necessary
Meet time requirements
Request extension if necessary
Clearly explain and document reason for extension
Send notice
OUTSOURCING
Do you outsource?
Then you’re responsible.
OUTSOURCING
Accountability for information provided to third parties
PIPEDA
PIPA
Agent vs. independent contractor?
Privacy agreements required

OUTSOURCING
Privacy agreements:
Define objectives
Define service expectations
Contemplate subcontractors

OUTSOURCING
Identify and require security and privacy benchmarks
Establish monitoring and auditing rights

OUTSOURCING
Clarify termination and transition rights
Identify other elements of the relationship
CONCLUDING THOUGHTS
Privacy compliance is a legal requirement that is here to stay.
Public expectations regarding privacy are crucial.
Privacy compliance, when managed properly, can be a competitive advantage.
QUESTIONS & ANSWERS
THANK YOU!
BRIAN BOWMAN
PITBLADO LLP
pitblado.com
2500 – 360 Main Street, Winnipeg, MB, R3C 4H6
Tel: 204.956.3520 (direct)
Email: bowman@pitblado.com