A NEW GOVERNANCE PARADIGM: Canadian Privacy Law Developments
March 11, 2004, Haliburton, Ontario
Canada Volunteerism Initiative, Arts Council for Haliburton County

Presentation transcript:

Slide 2: Presented by Jeffrey H. McCully, B.A., LL.B., PrivacyConsult

Slide 3: Agenda
– Overview of private sector privacy legislation in Canada
– PIPEDA: application of the law
– Definitions: what is “personal information”? “governance”?
– Why privacy protections?
– Privacy Principles: the heart of PIPEDA
– Role of the Privacy Commissioner and remedies
– Privacy management / governance
– Privacy compliance: third party relations, employees, professionals

Slide 4: Agenda (continued)
– Conclusion: Good Governance = Mitigation of Risk = Added Value
– Question and answer session

Slide 5: Overview of Legislation
Two federal privacy laws: the Privacy Act (1983) and PIPEDA (2001).
Privacy Act:
– imposes obligations on federal departments
– gives Canadians protections regarding collection, use, disclosure and access
– covers tax records, military records, security clearances, etc.

Slide 6: Overview of Legislation (continued)
PIPEDA: in force in stages; fully in force on January 1, 2004.
Provincial laws: only Quebec (1994), BC and Alberta.

Slide 7: PIPEDA: Application
January 1 (first stage):
– Federal works, undertakings or businesses collecting, using or disclosing personal information in the course of commercial activities.
– Organizations that trade in information for consideration across a national or provincial border.
January 1, 2004 (fully in force):
– All organizations collecting, using or disclosing personal information in the course of commercial activities (excluding those subject to “substantially similar” provincial privacy laws).

Slide 8: Definitions
Commercial activity: any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
Governance: authoritative care and control over an organization; relates to accountability for the activities of an organization.
Organization: an association, partnership, person (corporation) or trade union.

Slide 9: Definitions (continued)
Grandfathering (retroactivity): the treatment of information already in the organization’s possession before PIPEDA. Data already held is subject to the same rules.
Personal information: information that relates to an identifiable individual, but does NOT include the name, title and business address or telephone number of an employee of an organization.
Privacy: the right of individuals to control the collection, use and disclosure of their own information.

Slide 10: Definitions (continued)
Whistleblowing: section 27 of PIPEDA protects persons who inform the Commissioner that a person or organization has contravened, or intends to contravene, the Act. Such persons cannot be retaliated against.

Slide 11: Why Privacy Protection?
To avoid the cost of non-compliance:
– legal violations and the damages and costs flowing from them (unlimited punitive damages; costs of litigation; court fines of $10,000 or $100,000)
– damage to reputation, goodwill and brand image
– psychological and economic harm to clients
– consumer flight and loss of revenue
– public companies: will a violation or a delay in compliance result in a loss of share value?

Slide 12: PIPEDA’s 10 Principles
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance
The principles are the heart of the law and are based on the Canadian Standards Association Model Code. Each principle may require organizational changes.

Slide 13: Role of the Privacy Commissioner (PC)
The PC has substantial powers, those of a Superior Court:
– investigate complaints
– summon and question under oath
– receive and consider evidence
– search business premises
– examine records found therein.
The PC may try to resolve complaints through mediation or conciliation, and will issue a report, usually within one year.

Slide 14: Federal Court
Persons dissatisfied with the PC’s report may seek a hearing in the Federal Court, Trial Division. The Court may:
– order correction of practices
– order publication of actions taken
– award substantial damages.
Obstruction or punishing whistleblowers: up to a $100,000 fine.

Slide 15: Privacy Management / Governance
Organizations must ask:
– Does PIPEDA apply? (Do we collect personal information for commercial purposes?)
– Do we have an individual responsible for compliance (a CPO)?
– Have we conducted a privacy assessment? An audit periodically?
– Have we obtained appropriate consent?
– Have we identified use?
– Do we have a procedure for access to information?
– Have our front line staff and junior managers been educated?

Slide 16: Privacy Management / Governance (continued)
– Have we reviewed documentation for necessary consents, confidentiality agreements, indemnities and audits?
– Have we reviewed the information practices of third party data processors?

Slide 17: Privacy Compliance: Third Parties
Liability can result if a business partner, or a mere third party outsourcing arrangement, violates PIPEDA. Commercial printers, payroll outsourcers and information technology companies (e.g. website designers) are a source of liability for you. An organization cannot avoid its privacy obligations by outsourcing.
Set out adequate security measures:
– confidentiality agreements
– encryption technology

Slide 18: Privacy Compliance: Third Parties (continued)
– “Chinese walls” and other good practices
– proper consents
– indemnities
– privacy audit rights for you.

Slide 19: Privacy Compliance: Employees
PIPEDA applies to employee information in federal works, undertakings and businesses only, NOT to provincially regulated businesses. Balance is required: what does an employer really need to know? (pay, benefits, records, health records, resumes). Question: what about psychological tests, keystroke monitoring, …?

Slide 20: Privacy Compliance: Employees (continued)
– Collect, use and disclose only with consent (Principle 3).
– Disclose what information is collected, why, and what is done with it (Principles 2, 4, 5).
– Collect only what is necessary for the stated purpose (Principle 4), and collect by fair and lawful means.
– Ensure that any consents given by employees are real, not forced as a condition of employment.
– Keep information accurate and up to date (Principle 6).
– Give employees access to their information and allow them to challenge or correct it (Principles 6, 9, 10).

Slide 21: Privacy Compliance: Professionals
Lawyers, accountants and financial advisors receive much information on third parties, collected by their clients:
– payroll information
– rent rolls
– life insurance information with respect to claims.
In an assurance contract, the professional does not have direct access to third parties; the client has the link to the third party, so the client should obtain the appropriate consents.

Slide 22: Privacy Compliance: Professionals (continued)
Mere transfers of information for processing (e.g. preparation of tax returns) are non-assurance contracts, and no further consent is necessary: consent is implied when, for example, a CA is hired to prepare a tax return. Third parties are not involved.

Slide 23: Wording in an Assurance Contract
“It is acknowledged that we will have access to all personal information in your custody that we require to complete our engagement. Our services are provided on the basis that:
– you represent to us that you have obtained the required consents for the collection and use of personal information under PIPEDA; and
– we will hold all personal information in compliance with our Privacy Policy.”

Slide 24: Conclusion
Good privacy practice is good information management, and good information management gives a competitive advantage. Governance is enhanced when an organization’s “directing mind” identifies potential business risks and implements systems to mitigate those risks. Privacy is now key to good governance.
Good Governance = Mitigation of Risk = Added Value