On the Cutting Edge – Update on Privacy Legislation


On the Cutting Edge – Update on Privacy Legislation Presented to the CPBI 2007 National Conference Brian Bowman PITBLADO LLP June 15, 2007 © June 2007, PITBLADO LLP May be reproduced with credit to Brian Bowman and PITBLADO LLP

“Houston, we have a problem.”

“You have zero privacy anyway – get over it.” Scott McNealy, CEO of Sun Microsystems, 1999

“It’s going to get scarier if we don’t come up with technology and rules to protect appropriately, privacy and secure [sic] the data, and the most important asset we have is obviously the data of our people – our customers and employees and partners.” Scott McNealy, CEO of Sun Microsystems, 2006

Why should I care about privacy?

Good privacy is good business

What are we going to discuss?

LEGAL MINEFIELDS

SALE OF BUSINESS

INVESTIGATIONS

MANAGING RECORDS

ACCESS TO INFORMATION REQUESTS

OUTSOURCING

LEGAL MINEFIELDS Relevant Laws PIPEDA Provincial Privacy Laws (British Columbia, Alberta and Quebec) Provincial Privacy Acts (e.g. Manitoba) Others?

LEGAL MINEFIELDS PIPEDA’s 10 Privacy Principles Accountability Identifying purposes Consent Limiting collection Limiting use, disclosure and retention Accuracy Safeguards Openness Individual Access Challenging Compliance

LEGAL MINEFIELDS Privacy Commissioner of Canada Findings PIPEDA Finding #364: Employer agrees to revise language of consent form regarding exchanges of health information PIPEDA Finding #358: Individual objects to insurance company’s consent requirements

LEGAL MINEFIELDS PIPEDA Finding #293 Commissioner considers access, correction and inappropriate disclosure allegations against insurance company PIPEDA Settled Case: Even a public record should be protected

LEGAL MINEFIELDS Other Legal Minefields Dealing with sale of business or practice Carrying out investigations Effectively managing your records Responding to access to information requests Reconciling outsourcing matters and privacy law requirements

SALE OF BUSINESS Introduction Personal information is a valuable asset. PIPEDA lacks express provisions to allow organizations to disclose personal information to prospective purchasers or business partners without consent. A Parliamentary Committee has recommended that PIPEDA be amended to include provisions permitting organizations to collect, use and disclose personal information without consent for the purposes of business transactions.

SALE OF BUSINESS PIPEDA requires knowledge and consent of individuals for any disclosure of personal information, subject to specific exemptions. Organizations must make reasonable effort to ensure individuals advised of purposes for which information will be used. Current legal uncertainty whether, and what form of, notification and consent required for certain business transactions.

SALE OF BUSINESS Recommendations Limit personal information transfers. Consider restructuring transaction (i.e. share sale vs. asset sale). Consider obtaining opt-in consent. Consider relying on prior consent. Consider providing opt-out consent.

SALE OF BUSINESS In certain limited circumstances, may be able to rely on “transfer for processing” provision. Consider adopting approach similar to Alberta and BC’s PIPAs “business transaction” exemptions: Enter privacy agreements for due diligence investigations. For closings, consider an agreement under which the use and disclosure of personal information is permitted only for certain purposes. If transaction not completed, personal information must either be destroyed or returned to transferor.

SALE OF BUSINESS Immediate Recommendations Review and possibly amend your privacy policy. Review and possibly amend consent language. Inventory personal information holdings. Advise decision makers that purchase and sale agreements must consider privacy implications.

INVESTIGATIONS Basic Principle Except as permitted, personal information cannot be collected, used or disclosed without the prior knowledge and consent of the individual, and then only for purposes that a reasonable person would consider appropriate in the circumstances.

INVESTIGATIONS Under the Consent Principle - Principle 3, the knowledge and consent of an individual with respect to the collection, use and disclosure of personal information is required, except where inappropriate. One of the circumstances described as inappropriate relates to investigations.

INVESTIGATIONS PIPEDA provides that organizations may conduct certain investigations without consent Disclosure to “third parties” without consent requires agency relationship or “investigative body” designation Disclosures to third party organizations without consent must be last resort Privacy agreements, privacy agreements, privacy agreements!

INVESTIGATIONS Consent obligation waived for “investigative bodies” 47 investigative bodies are identified in the regulation

MANAGING RECORDS Introduction PIPEDA requires “personal information shall be retained only as long as necessary for the fulfillment of those purposes”.

MANAGING RECORDS PIPEDA further requires that “organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. An organization may be subject to legislative requirements with respect to retention periods.”

MANAGING RECORDS PIPEDA further requires that “personal information that is no longer required to fulfill the identified purposes should be destroyed, erased or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.”

MANAGING RECORDS Recommendations Consider retention and destruction a business issue. Limit personal information holdings to reduce administrative costs. Exercise care in destruction practices to mitigate complaints and negative headlines.

MANAGING RECORDS Consider electronic and paper records in relation to retention and destruction policies. Review and/or draft retention and destruction policies and procedures in accordance with PIPEDA and other legal and/or regulatory requirements.

ACCESS TO INFORMATION REQUESTS Introduction New access to information obligations in the private sector (similar to the government body access to information obligations already in force).

ACCESS TO INFORMATION REQUESTS Typical requirements: Access requests should be in writing Organizations should help individuals requiring assistance Organizations must respond no later than 30 days after receipt of request Extension of time limit exemptions exist

ACCESS TO INFORMATION REQUESTS Failing to respond is deemed refusal Organizations may respond at a cost to individual Organizations must retain information to allow individual access Numerous and detailed exceptions to right of access

ACCESS TO INFORMATION REQUESTS Key Issues Respond accordingly Third-party data? Report access request to privacy officer Document access request Request identification

ACCESS TO INFORMATION REQUESTS Ensure sufficient identification Document identification Calculate fees for access (if applicable) Inform individual of cost (if applicable)

ACCESS TO INFORMATION REQUESTS Propose alternatives to access if necessary Meet time requirements Request extension if necessary Clearly explain and document reason for extension Send notice

OUTSOURCING Do you outsource?

OUTSOURCING Then you’re responsible.

OUTSOURCING Accountability for information provided to third parties PIPEDA PIPA Agent vs. independent contractor? Privacy agreements required

OUTSOURCING Privacy agreements: Define objectives Define service expectations Contemplate subcontractors

OUTSOURCING Identify and require security and privacy benchmarks Establish monitoring and auditing rights

OUTSOURCING Clarify termination and transition rights Identify other elements of relationship

CONCLUDING THOUGHTS Privacy compliance is a legal requirement that is here to stay. Public expectations regarding privacy are crucial. Privacy compliance, when managed properly, can be a competitive advantage.

QUESTIONS & ANSWERS

THANK YOU! BRIAN BOWMAN PITBLADO LLP pitblado.com 2500 – 360 Main Street, Winnipeg, MB, R3C 4H6 Tel: 204.956.3520 (direct) Email: bowman@pitblado.com