PRIVATE SECTOR PRIVACY LEGISLATION The New Private Sector Privacy Regime Presented by Christopher Lee

What is Private Sector Privacy Legislation?
- Rules governing the private sector with respect to the collection, use, retention, security and disclosure of, and access to, personal information
- Intended to strike a balance between the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances
- Two key concepts underlying privacy legislation:
  - reasonable person test - “an organization must consider what a reasonable person would consider appropriate in the circumstances”
  - consent (express, implied, no consent)

Where are we as of January 1, 2004? Privacy Legislation in Canada
- Canada: Personal Information Protection and Electronic Documents Act (“PIPEDA”) and related regulations
- British Columbia: Personal Information Protection Act (“PIPA”); Personal Information Protection Act Regulations
- Alberta: Personal Information Protection Act; Personal Information Protection Act Regulation

Where are we as of January 1, 2004? Privacy Legislation in Canada, Cont’d
- Québec: Act Respecting the Protection of Personal Information in the Private Sector (declared substantially similar)
- Ontario: the Provincial Privacy Commissioner is currently recommending the adoption of the BC/Alberta model
- Other Provinces and Territories: “wait and see”; in the meantime PIPEDA applies

How did we get here?
- On January 1, 2001 PIPEDA extended privacy legislation to the federally regulated private sector – i.e. federal works, undertakings and businesses
- PIPEDA was a response to the European Union’s personal data protection directive (preventing transfers of personal data between EU members and jurisdictions without “adequate” privacy protections - PIPEDA declared adequate in December, 2001), e-commerce and public opinion in Canada

NEWS RELEASE
PRIVACY COMMISSIONER WELCOMES A NEW ERA IN PRIVACY PROTECTION
OTTAWA, April 17, 2000—A major improvement in the laws protecting Canadians' privacy rights results from the passage of the Personal Information Protection and Electronic Documents Act, says Bruce Phillips, Privacy Commissioner of Canada. The Act – which received Royal Assent April 13 and comes into force on January 1, 2001 – establishes for the first time a comprehensive national set of rules which govern the collection, use and disclosure of personal information in the commercial world."
"The right to privacy is one of the essential underpinnings of human dignity and autonomy in our democratic society," said Bruce Phillips, the Privacy Commissioner of Canada since "I am delighted that Parliament has endorsed as a fundamental civil right our ability to control what others can learn about us. At the same time, the Act also respects legitimate business needs to gather and use personal information and will protect Canada's international markets by bringing our privacy standards into line with those of our European trading partners."

Why separate legislation?
- PIPEDA, §26(2)(b), specifically contemplates separate provincial legislation
- PIPEDA is widely considered to be unnecessarily complex and poorly drafted legislation; PIPA is promoted as plain language legislation particularly suited for SMEs
- Other perceived shortcomings in PIPEDA, e.g. no grandfathering, limited exceptions to consent

Why separate legislation? Cont’d
- Constitutional legislative powers issue - federal trade and commerce power vs. provincial property and civil rights power
  - PIPEDA limited to commercial activities
  - PIPEDA does not cover personal information of employees of provincially regulated organizations
  - Québec has initiated a constitutional challenge to PIPEDA

How was PIPA developed?
- Working group established in February 2001 comprised of BC and Alta
- Discussion paper developed by BC and Alta
- Detailed and extensive consultation process - stakeholders emphasized two key requirements:
  - plain language statute
  - harmonization across jurisdictions
- Common drafter - BC and Alta acts developed from the same initial draft and are approximately 90% identical

What applies in BC?*
- PIPEDA - in respect of the collection, use or disclosure of personal information (including employee personal information in the case of a federal work, undertaking or business) by organizations in the course of commercial activities
- PIPA - in respect of the collection, use or disclosure of personal information (including employee personal information) by organizations occurring within BC to the extent PIPEDA does not apply (i.e. non-commercial activities; provincially regulated employees)

* Assuming PIPEDA is constitutionally valid and PIPA is not declared substantially similar. If PIPA is declared substantially similar, then PIPA rather than PIPEDA will apply to the collection, use or disclosure of personal information by organizations in the course of commercial activities.

What applies in BC?* Conclusion
Currently both PIPA and PIPEDA apply in BC, and Industry Canada has not identified any substantive issues to PIPA being declared substantially similar to PIPEDA (although the former federal privacy commissioner has). In practical terms, an organization in compliance with PIPA with respect to the collection, use and disclosure of personal information in the course of commercial activities will generally be in compliance with PIPEDA.

Which “organizations” are covered?
“Organization” - PIPA: “organization” is broadly defined to include
- a person, unincorporated association, trade union, trust and not-for-profit organization
but does not include
- an individual acting in a personal or domestic capacity or acting as an employee, a public body, the Courts or the Nisga’a Government
“Organization” - PIPEDA: “organization” is similarly broadly defined to include
- an association, a partnership, a person and a trade union

Which activities are covered?
Activities - PIPA: PIPA applies to every organization in respect of personal information it collects, uses or discloses, except
- if the collection, use or disclosure of personal information is
  - solely for personal or domestic purposes,
  - solely for journalistic, artistic or literary purposes, or
  - covered by PIPEDA
- personal information to which FOIPPA applies
- personal information in a court document
- the collection of personal information collected before PIPA came into force

Which activities are covered?
Activities - PIPEDA: PIPEDA applies to every organization in respect of personal information it collects, uses or discloses in the course of commercial activities, or about an employee in connection with the operation of a federal work, undertaking or business, except
- if the collection, use or disclosure of personal information is
  - solely for personal or domestic purposes, or
  - solely for journalistic, artistic or literary purposes
- a government institution to which the Privacy Act applies

Which “organizations” and activities are covered? Conclusion
The scope of application of PIPA is generally clearer and broader than PIPEDA with respect to organizations and activities covered (for-profit and not-for-profit).

What is “personal information”?
“Personal Information” - PIPA: “personal information” means information about an identifiable individual and includes
- “employee personal information” - personal information about an individual collected, used or disclosed solely for purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual

What is “personal information”?
“Personal Information” - PIPA, cont’d: but does not include
- “contact information” - information to enable an individual at a place of business to be contacted, including the name, position name or title, business telephone number, business address, business or business fax number of the individual, or
- “work product information” - information prepared or collected by an individual as a part of the individual’s responsibilities or activities related to the individual’s employment or business, but does not include personal information about an individual who did not prepare or collect the personal information

What is “personal information”?
“Personal Information” - PIPEDA: “personal information” means information about an identifiable individual but does not include the name, title or business address or telephone number of an employee of an organization

What is “personal information”? Conclusion
PIPA and PIPEDA share a similar definition of personal information, but PIPA specifically distinguishes employee personal information as a subset of personal information to which a special set of rules applies.

What general obligations* are imposed on organizations?
Reasonable Person Test - PIPA / PIPEDA
- An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances
Accountability - PIPA / PIPEDA
- An organization is responsible for personal information under its control, whether or not in its custody

* universal privacy principles found in most legislation

What general obligations are imposed on organizations?
Accountability - PIPA / PIPEDA: An organization must
- designate one or more individuals to be responsible for ensuring that the organization complies with PIPA,
- develop and follow policies and practices that are necessary for the organization to comply with PIPA and develop a process to respond to complaints that may arise pursuant to PIPA, and
- make available
  - to the public, the position name or title and contact information for each designated individual referred to above,
  - upon request, information about the policies, practices and complaint process referred to above

When is consent required?
Consent Required - PIPA: An organization must not collect, use or disclose personal information about an individual unless
- the individual gives consent to the collection, use or disclosure,
- PIPA authorizes the collection, use or disclosure without consent, or
- PIPA deems the individual to have given consent to the collection, use or disclosure

When is consent required?
Consent Required - PIPEDA: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate

When is consent not required?
Consent Not Required - PIPA / PIPEDA: Where the collection, use or disclosure
- is clearly in the interests of the individual and consent cannot be obtained in a timely way,
- with the consent of the individual would compromise the availability or accuracy of the personal information, and the collection is reasonable for an investigation or proceeding,
- is necessary for medical treatment,
- is necessary to facilitate the collection or payment of a debt, or
- is required or authorized by law
- the information is publicly available from a prescribed source

How can consent be obtained?
Express Consent - PIPA / PIPEDA
- May be given verbally or in writing
Implied Consent - PIPA: Consent is implied
- if at the time the consent is deemed to be given the purpose would be obvious to a reasonable person and the personal information is voluntarily provided for that purpose
- in the case of less sensitive information, if an organization notifies the individual of its intent to collect, use or disclose personal information, gives the individual a reasonable opportunity to decline and the individual does not decline (opt-out)

How can consent be obtained?
Implied Consent - PIPEDA: In obtaining consent,
- the reasonable expectations of the individual are relevant
- implied consent would generally be appropriate when the information is less sensitive
- opt-out forms may be used
Withdrawal of Consent - PIPA / PIPEDA
- An individual may withdraw consent at any time, subject to legal or contractual obligations and reasonable notice

What about personal information of employees?
Employee Personal Information - PIPA: With respect to employment relationships, PIPA replaces the consent requirement with a notice requirement
- an organization may collect “employee personal information” about an individual for purposes of establishing, managing or terminating an employment relationship with that individual
- consent is not required if the organization notifies the individual in advance of the collection, use, disclosure and the purposes for it
- exceptions to consent apply equally to the notice requirement

What about personal information of employees?
Employee Personal Information - PIPEDA: PIPEDA only applies to personal information of employees of federal works, undertakings and businesses, and does not make a distinction in the case of such personal information

How must organizations care for personal information?
Accuracy: an organization must make reasonable efforts to ensure that personal information collected by it is accurate, complete and up-to-date...
- PIPA - if the personal information is likely
  - to be used by the organization to make a decision affecting the individual, or
  - to be disclosed by the organization to another organization
- PIPEDA - as is necessary for the purposes for which it is to be used

How must organizations care for personal information?
Protection - PIPA / PIPEDA: an organization must protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks
- includes non-disclosure agreements with employees with access to the personal information
- PIPEDA - the nature of the security arrangements will depend on the sensitivity of the information and should include:
  - physical measures - locked filing cabinets, restricted access to offices,
  - organizational measures - security clearances and limiting access on a “need-to-know” basis, and
  - technological measures - use of passwords and encryption

How must organizations care for personal information?
Retention: if an organization uses an individual’s personal information to make a decision that directly affects the individual, the organization must retain that information...
- PIPA - for at least one year after using it
- PIPEDA - long enough to allow the individual access to the information after the decision has been made
An organization must destroy or make anonymous documents containing personal information as soon as...
- PIPA - the purpose for which it was collected is no longer being served and retention is no longer necessary for legal or business purposes
- PIPEDA - it is no longer required to fulfil the identified purposes

What about rights of individuals?
Access to Personal Information - PIPA / PIPEDA: Subject to certain exceptions, on the request of an individual, an organization must provide the individual with
- the individual’s personal information under the control of the organization,
- information about the ways in which such personal information has been and is being used by the organization, and
- the names of the parties to whom such personal information has been disclosed by the organization
PIPEDA encourages disclosure of the source of such personal information as well, but PIPA only requires this in the case of credit reporting agencies

What about rights of individuals?
Access to Personal Information: The organization must respond to an access request within 30 days after receipt of the request (unless the time period is extended in accordance with the applicable act)...
- PIPA - and may charge a minimal fee for access, except for access to employee personal information
- PIPEDA - at minimal or no cost to the individual

What about rights of individuals?
Exceptions to Access - PIPA / PIPEDA: No obligation to grant access to personal information
- protected by solicitor-client privilege,
- if disclosure would reveal confidential commercial information,
- collected without consent for an investigation or proceeding,
- collected or created in the conduct of a mediation or arbitration,
- that could threaten the safety or physical or mental health of an individual,
- that would reveal personal information about another individual,
- that would reveal the identity of individuals who provided the personal information and do not consent to disclosure of their identity (PIPA), or
- that is prohibitively costly to provide (PIPEDA)

What about rights of individuals?
Correction of Personal Information - PIPA / PIPEDA: Individuals may request an organization to correct an error or omission in their personal information under the control of the organization, which must either
- correct the personal information and send the corrected personal information to each organization to which the personal information was disclosed by the organization during the previous year, or
- annotate the personal information with the correction that was requested but not made

What other differences are there between the acts?
Scope of “Investigation”: “Investigation” means investigations related to breach of an agreement or contravention of the laws of Canada or a province
- PIPA - also includes investigations related to conduct that may result in a remedy or relief under an enactment, under common law or in equity, the prevention of fraud, or trading in a security

What other differences are there between the acts?
Grandfathering: PIPA does not apply to the collection of personal information collected before January 1, 2004, but PIPA does apply with respect to the use, retention, security and disclosure of, and access to, such information
- means organizations do not need to re-collect personal information already held
Sale of Organization or Business Assets: PIPA contains special provisions allowing for collection, use and disclosure, without consent, of personal information of its employees, customers, directors, officers or shareholders for purposes solely related to the proposed business transaction

What is the role of the privacy commissioner?
The federal and provincial privacy commissioners have similar responsibilities under their respective acts; however,
- PIPA - the privacy commissioner has order-making power
- PIPEDA - the privacy commissioner can only make recommendations
An organization or person that commits an offence under...
- PIPA - is liable to a fine of up to $10K (individuals) or $100K (other than individuals), and may be liable for actual harm suffered by an affected individual
- PIPEDA - is liable to a fine of up to $10K (summary conviction) or $100K (indictable offence)

What is the role of the privacy commissioner?
- PIPA - emphasis will be placed on mediation; individuals may be required to resolve disputes directly with the organization before the privacy commissioner begins or continues a review or investigation
- PIPEDA - new privacy commissioner…???

What other resources are available?
- Privacy Commissioner of Canada
- Office of the Information & Privacy Commissioner for British Columbia
- BC Ministry of Management Services, Corporate Privacy & Information Access Branch

What other resources are available?
Lang Michener Privacy Law Practice Group
- Christopher Lee (604)
- N. David McInnes (604)
- Karam Bayrakal (604)
- James Bond (604)