Internet and Information Technology Law September 18th – Privacy Law Allyson Whyte Nowak UVIC.


I. Privacy Legislation in Canada
A. Federal
Privacy Act, R.S c.P-21
Personal Information Protection and Electronic Documents Act (PIPEDA), S.C.2000, c.5
B. Provincial
Personal Information Protection Act, S.B.C. 2003, c.63 (PIPA)
Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c.165 (FIPPA)

The Privacy Act
enacted July 1, 1983
public sector legislation affecting federal government departments and agencies
October 6, 2005 Privacy Commissioner’s Annual Report criticized the Act

PIPEDA Section 3: Purpose
The balance between recognition of the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information.

PIPEDA: Statistics
In the Annual Report to Parliament (2005), the Privacy Commissioner acknowledged:
– there is a “significant backlog of complaints”
– there was a “large drop” in 2005 in the number of complaints filed under PIPEDA

PIPEDA: Statistics
In 2005 the largest number of complaints were against financial institutions BUT
The number of complaints was just over half of what they were in 2004
In 2005 the most common complaints were with respect to the inappropriate use or disclosure of personal information (followed by refusals of access and inappropriate collection)

PIPEDA Section 4(1): PIPEDA applies to every organization in respect of personal information that,
4(1)(a) the organization “collects, uses or discloses” in the course of commercial activities
4(1)(b) is about an employee that an organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business

PIPEDA
PIPEDA does not apply to:
any government institution to which the Privacy Act applies
any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose
any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic, or literary purposes (s.4(2))

How are employees’ privacy rights protected in the private sector?
Substantially similar legislation (B.C., Alta, Quebec)
Sector-specific legislation (Alta, Sask, Mtba, Ontario)
Provincial Human Rights legislation
Common law right to privacy

Statutory right to Privacy
A statutory tort of invasion of privacy has been created in:
– B.C.
– Saskatchewan
– Manitoba
– Newfoundland
– Quebec

Common Law
Ontario residents do not have a statutory remedy for unreasonable intrusion into an individual’s private affairs, BUT
a recent decision recognized that the tort of invasion of privacy may exist:
– Somwar v. McDonald’s (2006), 79 O.R. (3d) 172

A. Sources of PIPEDA
i) EU Directive
ii) Model Code
iii) E-com Strategy
iv) Bill C-54
v) OECD Guidelines

B. Definitions
CUD
FWUB
Personal Information
Organization
Commercial activity

“Personal Information” (s.2(1))
defined to mean information about an identifiable individual
exclusions: name, title, or business address or telephone number of an employee of an organization

“organizations” (s.2(1))
defined to include an association, a partnership, a person and a trade union
corporations are “persons” pursuant to s. 35(1) of the Interpretation Act

“commercial activity” (s.2(1))
definition: “means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”.

C. PIPEDA Part 1, Division 1
Protection of Personal Information
Subsection 5(1): “Subject to sections 6 to 9, every organization shall comply with the obligations set out in Schedule 1.”
Schedule 1 enacts the 10 general principles and commentaries contained in the Model Code
Subsection 5(2): mandatory obligations versus recommendations in Schedule 1

The 10 Principles
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting Collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance

PIPEDA s.7(1): Collection without Knowledge or consent
An organization may collect personal information without the knowledge or consent of the individual where,
collection is clearly in the individual’s interest and consent cannot be obtained in a timely way (s.7(1)(a))

PIPEDA
in the context of an investigation of a breach of an agreement or a contravention of the law, it is reasonable to expect that if knowledge or consent were obtained it would compromise the availability or the accuracy of the information (s.7(1)(b))
the collection is solely for journalistic, artistic or literary purposes (s.7(1)(c))

PIPEDA s.7(2): Use without Knowledge or Consent
An organization may use personal information without the knowledge or consent of the individual only if,
the organization reasonably believes the information could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction (s.7(2)(a))

PIPEDA
It is used for the purpose of acting in respect of an emergency that threatens the life, health, or security of an individual (s.7(2)(b))
It is used for statistical, or scholarly study or research purposes where it is impracticable to obtain consent and where: confidentiality is maintained and the Commissioner is informed prior to its use (s.7(2)(c))

PIPEDA Subsection 7(3): Disclosure without Knowledge
An organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is,
made to a notary (Quebec) or lawyer representing the organization (s.7(3)(a))
for the purpose of collecting a debt owed (s.7(3)(b))
compelled by law (s.7(3)(c))

D. PIPEDA Part 1, Division 2
Remedies
filing of complaints (s.11)
the Commissioner’s powers (s.12)
the Commissioner’s Report (s.13)
application to the Federal Court (s.14)

Complaints (s. 11)
Individuals may complain to
(a) the organization
(b) the Office of the Privacy Commissioner
the Commissioner may also initiate a complaint (“reasonable grounds”)

Types of Complaints
an individual may complain to the Commissioner about any matter:
(a) specified in sections 5 to 10 of the Act OR
(b) in the recommendations OR obligations set out in Schedule 1.

Powers of the Privacy Commissioner (s. 12)
PC obliged to investigate complaint (s.12(1))
PC must give notice to the organization complained of (s.11(4))
Powers include:
(a) Summons to compel the giving of evidence under oath
(b) Production of documents
(c) Power of entry
(d) Mediation/conciliation
(e) Audits

The Commissioner’s Report (s.13)
1 year to prepare a written report
Confidentiality of the report
Where no report required
Disposition of complaints
i) Not well founded
ii) Well founded
iii) Resolved
iv) Discontinued

Broad investigatory powers vs. ….
No power to compel compliance with PIPEDA (compare to B.C. PIPA, s. 58)
No sanctions for failing to follow recommendations
Only real power is the “power of embarrassment”
Fines for obstructing an investigation
No power to order costs of the investigation

Application to the Federal Court (s.14)
Complainant or PC may apply
Subject matter restricted but always open for parties (including the organization) to seek judicial review
Application must be made within 45 days after Report is sent
Remedies more expansive

II. Key Issues in Privacy Law
1. Outsourcing
2. M&A issues
3. Privacy in the workplace
4. Whistleblowing

Outsourcing
no exemption for disclosure between subsidiary, affiliated, or related companies
Implications of the U.S. Patriot Act
The B.C. response (FIPPA)
PIPEDA case summary #313

M&A Issues
Asset sale = commercial activity
Solutions
i) privacy policies need to address the possibility of a sale of the business
ii) “anonymize” the information
iii) contractual safeguards
iv) review all personal information and disclose only what is “necessary” to close

Privacy in the Workplace
Monitoring employees in the workplace
– Biometric authentication devices
– Video surveillance
Employee complaints represent 20% of complaints filed in 2004

PCC’s 4-step analysis of a privacy-invasive measure
(1) Is it demonstrably necessary to meet a specific need?
(2) Is it effective in meeting that need?
(3) Is the loss of privacy proportional to the benefit gained?
(4) Are there less invasive alternatives?