Operational Strategies for compliance with the new privacy legislation Excerpted from a Powerpoint presentation by Murray Long, Murray Long & Associates.

Presentation transcript:

Operational Strategies for compliance with the new privacy legislation Excerpted from a Powerpoint presentation by Murray Long, Murray Long & Associates Inc. and Richard Shields, McCarthy Tétrault, Ottawa

Federal Legislation PIPEDA – Personal Information Protection and Electronic Documents Act. Ground rules for how organizations may collect personal information in the course of conducting commercial activities. Compliance – January 1, 2004

Overview of Provincial Legislation B.C. – May 1, 2nd Reading. Personal Information Act – Jan. 2004. The Federal Government must decide if the provincial legislation is substantially similar so as to preclude PIPEDA. Applies to the private and not-for-profit sectors. Alberta – Enacted health information and protection law. Personal Information Protection Act – May. Will apply to the private sector in Alberta, with limited application to the not-for-profit sector. Both provinces have acts that cover information on the consumer and the employee.

Provincial Legislation Saskatchewan – Province has enacted, but not enforced, a health protection law that applies to the private and public sectors, amended in 2003 to include privacy legislation. Province has enacted provincial privacy legislation separate from the above. Manitoba – Province has enacted a health protection law covering the public and private sectors, now enforced. No move made to introduce privacy legislation for the private or not-for-profit sector.

What is Considered Personal Information An individual’s race, nationality, age, gender, marital status, and biometrics (fingerprints, blood type, genetic characteristics).

What is Considered Personal Information Personal health care history, financial history, educational history, criminal history, anyone’s opinion about the individual (i.e. reference checks), and the individual’s personal views.

Considered Private but – in the Public Domain Name, address, telephone number, business address, business telephone number. (The public domain pertains to information available to the general public.)

Publicly Available Information Five Categories:
1. Phone books (White Pages, CD-ROMs)
2. Professional directories (members of the Bar)
3. Public databases (property tax rolls, licenses)
4. Court records (divorce, bankruptcy, lawsuits)
5. Information provided by an individual to a publication (want ads, interviews)

Limits of Reasonableness Consent is always required! Immediate sale obligations, related marketing, building a marketing database, building customer profiles, disclosing data to third parties, completely unrelated uses, future sales calls, mergers & acquisitions, sharing of data with affiliates.

The Privacy Rules The law incorporates the CSA Model Code for the Protection of Personal Information. The 10 Principles reflect international fair information practices. They balance individual privacy rights with legitimate business interests.

Principle 1 – Accountability The person(s) responsible must be designated and identified. These persons must ensure training, communications and procedures documentation. Contracts and oversight of third-party data processing are required.

Principle 2 – Identifying Purposes Purposes must be identified before any personal information can be collected or used. Purposes must be what a reasonable person would expect in the circumstances.

Principle 3 – Consent The knowledge and consent of the individual are required for the collection, use or disclosure of personal information. There are exceptions – such as bill collection, crime investigation, etc. Consent must be obtained fairly – it can be withdrawn at any time.

Principle 4 – Limiting Collection Companies can only collect information specifically required for identified purposes. Purposes should not be identified too broadly. However, overly narrow purposes could require continuous new consents.

Principle 5 – Limiting Use, Disclosure and Retention New purposes require new consent. Data cannot be kept beyond the end date of the last specified purpose. A retention/disposal policy is required.

Principle 6 – Accuracy Information must be as accurate as necessary for the purposes. Decisions must not be made based on inaccurate information. Routine data updating without a purpose is not permitted.

Principle 7 – Safeguards Personal information must be protected appropriately. Employees must be made aware of the importance of maintaining the confidentiality of this information. Care must be taken in disposing of records to prevent unauthorized access.

Principle 8 – Openness Companies must communicate their privacy policies, including: what data is collected, how it is used, who it is disclosed to, how to access it, and who to make inquiries or complaints to.

Principle 9 – Individual Access People have a right to find out what information you have about them, to know how it is used or disclosed, to access it, and to have it amended as appropriate. There are some allowable or required restrictions on access.

Principle 10 – Challenging Compliance People can challenge your compliance with any aspect of the CSA Code or the law. Companies must respond to all inquiries and complaints. Individuals can also go directly to the Privacy Commissioner. The law has whistleblower protection.

Commissioner Powers Investigatory powers include the right to enter premises and obtain records. Powers of mediation and conciliation. Power to conduct audits of business practices. Power to publicize with impunity. No order-making powers.

Reference Checks Only with knowledge and consent. Applies to both collecting and providing references.

Employee Monitoring Employees must be informed. The use must be reasonable under the circumstances. Employees may have a right of access. This applies to phone, , video, etc.

New Privacy Rights (Fed. & Prov. Laws) Knowledge and consent to collect, use or disclose employee personal information. Right to access and amend files, with some limited exceptions. Right to file a complaint with the Privacy Commissioner.

Investigations Companies can collect personal information without knowledge or consent to investigate the breach of an agreement or the contravention of a law.

Biometrics Information collection must be reasonable for the purposes. Privacy Commissioners are concerned about drug testing, fingerprinting, and biometrics-based technologies such as retinal scans, DNA, etc.

Employee data not subject to the Act Business card-type data – except for addresses. Example:
Joe Blow
Sales Manager
Sagamow Products
333 Main Street
Sagamow Falls, ON
(519)

Compliance The key steps to developing and implementing a Privacy Policy

Choosing a Chief Privacy Officer (CPO) It is a senior position with public visibility. The CPO needs authority to ensure the company is compliant. The CPO oversees training, developing and documenting procedures, communications, and privacy policy on third-party contracts. The CPO responds to inquiries and complaints and Privacy Commissioner investigations.

Forming a Privacy Team Implementing a privacy policy requires a cooperative team effort. Your privacy team should include customer service, marketing, information management, legal, human resources and security personnel. It could take several months to develop and implement policies.

Start with an Audit Review your current data collection and handling practices. Look at the following: the purposes for collecting, using or disclosing personal information; what data is currently collected and used, and who it is disclosed to; how consent is obtained; how data is stored and safeguarded.

Develop a Privacy Code Review the 10 principles and how they apply to your circumstances. You may need some legal advice on additional points in the new privacy law. Avoid legal language. Keep it simple. Have it reviewed by a third party. The CSA Model Code is a good starting point – it’s also built into the law.

Develop Procedures You will need documented procedures for the following: New purposes, obtaining consent, limiting uses, third-party processing, records retention and disposal, individual access, inquiries and complaints, and more. These are legal obligations. Develop and document procedures to help ensure employees follow your code – the Privacy Commissioner can ask for your documentation.

What’s left? Employee communications and training; providing information about your privacy policy; dealing with inquiries and complaints; regular review of how you’re doing.

Communications and Training Front-line Employees and HR Managers need to know how to recognize and expedite an access request or inquiry/complaint under the law. Training is required on safeguards, retention periods, disposal, purpose limitations, etc. Use your operations procedures manual as a basis.

Public Information about your Privacy Use the KISS principle. Avoid legalese and 20-page privacy agreements. Key information includes purposes, disclosures, who to contact, and a summary statement of your Code. On the Internet, include special issues such as cookie use, IP address tracking, etc. Provide privacy tools and guidance.

Dealing with inquiries and complaints You have 30 days to respond to written access requests. You must respond to all inquiries and complaints (within 30 days). You must not destroy any information or hinder a Privacy Commissioner investigation.

Wrap-Up Points – Views of the Privacy Commissioner Examples of Personal Information: age, name, ID numbers, income, ethnic origin or blood type; opinions, evaluations, comments, social status, or disciplinary actions; employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, and intentions (to acquire goods or services, or to change jobs).

Wrap-Up Points – More views of the PC Examples of Information Purposes: opening an account, verifying creditworthiness, providing benefits to employees, processing a magazine subscription, sending out association membership information, guaranteeing a travel reservation, identifying customer preferences, establishing customer eligibility for special offers or discounts.

Contact Info Janet Emmett VP, Association Services & Leadership Development YMCA Canada (416) ext. 209