6th CACR Information Security Workshop, 1st Annual Privacy and Security Workshop (November 10, 2000): Incorporating Privacy into the Security Domain: Issues and Solutions

Presentation transcript:

6th CACR Information Security Workshop
1st Annual Privacy and Security Workshop (November 10, 2000)
Incorporating Privacy into the Security Domain: Issues and Solutions
Barry Sookman, Partner, McCarthy Tétrault
Chair, Internet and Electronic Commerce Law Group (Toronto) (416)
Canada's National Law Firm: McCarthy Tétrault

Importance of Privacy
»Privacy protection for personal information is an important social goal:
  OECD Guidelines 1980
  Council of Europe Convention 1985
  United Nations Guidelines 1990
  CSA Model Code for Protection of Personal Information 1995

Legal Basis for Privacy
»Common law
»Constitutional law
»Criminal law
»Privacy legislation:
  EU Directive on the Protection of Personal Information
  Quebec Privacy Legislation
  Sectorial Legislation
  Bill C-6 Protection of Information in the Private Sector
  Other Provincial Legislation

Fair Information Practice Principles
»OECD Guidelines 1980
»CSA Model Code for the Protection of Personal Information
»US Information Infrastructure Task Force
»Bill C-6 Protection of Personal Information in the Private Sector - modifies CSA Model Code
»Quebec Privacy Legislation
»Foreign Legislation - EU Directive on the Protection of Personal Information, COPPA
»Many reports, guidelines, and model codes set out fair information practices for the private sector.

Bill C-6 - Purposes
»Express purpose: "is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances."

Phase-in of Act
»April 13, 2000: Received Royal Assent
»January 1, 2001: applies to federally regulated private sector; federal works, undertakings and businesses; inter-provincial and international disclosure for consideration
»January 1, 2002: applies to personal health information
»January 1, 2004: applies to all private sector commercial activities

To Whom Does It Apply?
»Applies to every organization in respect of personal information that
  (a) the organization collects, uses or discloses in the course of commercial activities; or
  (b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
»"commercial activity" means "any particular transaction, act or conduct or any regular course of conduct that is of a commercial character"

What is Personal Information?
»Means "information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization".
»Does not need to be sensitive or private.
»Includes information relating to race, national or ethnic origin, colour, religion, age or marital status; educational or medical or criminal history; information relating to financial transactions in which the individual has been involved; any identifying number, symbol or other data assigned to the individual.
»Can be in any form.
»Is data collected about an identifiable individual?

CSA Model Code Principles
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards (security)
8. Openness
9. Individual access
10. Challenging compliance

Identifying Purposes of Collection
»The purposes for which personal information is collected must be identified by the organization at or before the time the information is collected.
»The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected.
»When personal information that has been collected is to be used for a purpose not previously identified, the new purpose must be identified prior to use.

Information Audits
»To determine all information being collected by the organization about each product and service.
»A detailed privacy analysis is performed to examine the privacy implications of the company's information practices and especially the need to collect different categories of personal data.

Technology Audits
»New products and services are often subject to review by technology audits.
»This inquiry is directed to determining the privacy implications that might result from the introduction or use of a new information technology product or service.
»For example, see the Ontario Privacy Commissioner report related to Smart Card Applications.

Consents
»Traditionally, two types of choice/consent regimes have been considered: opt-in or opt-out.
»Opt-in regimes require affirmative steps by the consumer to allow the collection and/or use of information; opt-out regimes require affirmative steps to prevent the collection and/or use of such information.
»Choice can also involve more than a binary yes/no option. Entities can, and do, allow consumers to tailor the nature of the information they reveal and the uses to which it will be put.
»Any choice regime should provide a simple and easily-accessible way for consumers to exercise their choice.
»Difficulties associated with obtaining consents.
»Building systems to handle consents.

Limiting Use and Disclosure of Information
»Personal information must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
»Principle poses challenges for:
  data mining
  profiling
  intelligent agents
  data modelling
  use of cookies
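The Consents slide ("building systems to handle consents") and the Limiting Use and Disclosure slide describe a check that any system holding personal information has to make before each use: was this purpose identified at collection, and does the individual's consent (opt-in or opt-out, or a legal requirement) cover it? The following is an added illustration of that check, not code from the presentation or from McCarthy Tétrault; the record layout, the purpose names, the consent fields and the subject identifier are all constructed for the example.

```python
"""Purpose-bound use check with opt-in / opt-out consent (added example).

Models two ideas from the slides: a consent record that distinguishes opt-in
from opt-out regimes, and a use/disclosure gate that refuses any purpose not
identified at collection time unless consent or a legal requirement covers it.
All names, purposes and the record layout are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Regime(Enum):
    OPT_IN = "opt-in"    # use allowed only after an affirmative "yes" from the individual
    OPT_OUT = "opt-out"  # use allowed unless the individual has affirmatively objected


@dataclass(frozen=True)
class Purpose:
    name: str
    regime: Regime
    required_by_law: bool = False   # use/disclosure compelled by law needs no consent


@dataclass
class ConsentRecord:
    """What one individual has affirmatively allowed or refused."""
    allowed: set[str] = field(default_factory=set)   # opt-in purposes they said yes to
    refused: set[str] = field(default_factory=set)   # opt-out purposes they said no to


@dataclass
class PersonalRecord:
    subject_id: str                            # constructed identifier
    identified_purposes: dict[str, Purpose]    # identified at or before collection
    consent: ConsentRecord


def may_use(record: PersonalRecord, purpose_name: str) -> tuple[bool, str]:
    """Return (allowed, reason) for using `record` for `purpose_name`.

    Fails closed: a purpose that was never identified is refused, even under
    an opt-out regime, because the individual was never told about it.
    """
    purpose = record.identified_purposes.get(purpose_name)
    if purpose is None:
        return False, "purpose not identified at collection"
    if purpose.required_by_law:
        return True, "required by law"
    if purpose.regime is Regime.OPT_IN:
        if purpose_name in record.consent.allowed:
            return True, "opt-in consent given"
        return False, "opt-in consent missing"
    if purpose_name in record.consent.refused:
        return False, "individual opted out"
    return True, "opt-out regime, no objection recorded"


def identify_new_purpose(record: PersonalRecord, purpose: Purpose) -> None:
    """Register a purpose identified after collection; it still needs consent."""
    record.identified_purposes[purpose.name] = purpose


def sample_record() -> PersonalRecord:
    """Constructed sample: one customer record with four identified purposes."""
    purposes = {
        "fulfil_order": Purpose("fulfil_order", Regime.OPT_OUT),
        "marketing_email": Purpose("marketing_email", Regime.OPT_IN),
        "share_with_partners": Purpose("share_with_partners", Regime.OPT_IN),
        "tax_reporting": Purpose("tax_reporting", Regime.OPT_OUT, required_by_law=True),
    }
    consent = ConsentRecord(allowed={"marketing_email"})
    return PersonalRecord("subject-0001", purposes, consent)


if __name__ == "__main__":
    rec = sample_record()
    for name in ("fulfil_order", "marketing_email", "share_with_partners",
                 "profiling", "tax_reporting"):
        print(f"{name:22s} -> {may_use(rec, name)}")
```

The gate returns a reason string alongside the decision so that every refusal can be logged and later shown to the individual under the access and challenging-compliance principles. Note that a purpose added with `identify_new_purpose` is still refused under an opt-in regime until the individual's `allowed` set is updated, which matches the slide's rule that a new purpose must be identified prior to use.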

Data Accuracy
»Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
»Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.
»An organization must not routinely update personal information, unless such a process is necessary to fulfil the purposes for which the information was collected.
»Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.

Security
»Principle 7 states that "personal information shall be protected by security safeguards appropriate to the sensitivity of the information".
»"Security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification."
»The obligation applies regardless of the format in which the information is held.

Security
»Information that is made available over the Internet is particularly vulnerable to unauthorized access, disclosure and use. Here appropriate security will involve both managerial and technical measures to protect against the loss and unauthorized access, destruction, use, or disclosure of data.
»Technical security measures to prevent unauthorized access might include encryption in the transmission and storage of data, limits on access through use of passwords, use of firewalls, and the storage of data on secure servers.
»The security principle will require that appropriate measures be taken to guard against the unauthorized access, disclosure, copying or use of such information.

Integrity
»The security principle extends to security safeguards against the "modification" of personal information.
»The security principle will create the need for security mechanisms to assure the integrity of information.
»This principle will be particularly relevant to electronic commerce applications where transmission integrity is important, such as in electronic payment systems where security is critical.

Third Party Uses
»The security principle includes the obligation to prevent unauthorized use of information. This principle requires the organization not only to monitor its own uses, but also uses by third parties of information.
»An organization that maintains personal information on a web site might have to take measures to block access to search engines if the processing by the person launching the search is unauthorized, such as where the person performing the search seeks to use the information contrary to the limiting use principle.

Retention of Information
»Organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods.
»Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous.
»Personal information must also be retained only as long as necessary for the fulfillment of those purposes.
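The Retention slide asks for written minimum and maximum retention periods and for records to be destroyed, erased or made anonymous once the identified purposes are fulfilled. The following is an added example of a retention procedure that applies such a schedule to stored records; it is not code from the presentation or from McCarthy Tétrault. The rule table, the record categories, the day counts and the sample records are constructed for illustration and do not represent any statutory period.

```python
"""Retention schedule with minimum/maximum periods and end-of-life action
(added example; all rules, categories and records are constructed)."""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    category: str
    minimum_days: int   # keep at least this long, even if the purpose is fulfilled
    maximum_days: int   # must be gone (destroyed or anonymized) once this old
    end_of_life: str    # "destroy" or "anonymize"


@dataclass(frozen=True)
class StoredRecord:
    record_id: str
    category: str
    collected_on: date
    purpose_fulfilled: bool        # identified purposes already satisfied
    subject_id: str | None         # identifying fields; None once anonymized
    name: str | None


def decide(record: StoredRecord, rule: RetentionRule, today: date) -> str:
    """Return "retain" or the rule's end-of-life action for one record.

    Order of checks: the minimum period wins over a fulfilled purpose, and the
    maximum period wins over an unfulfilled purpose.
    """
    age = (today - record.collected_on).days
    if age < rule.minimum_days:
        return "retain"
    if age >= rule.maximum_days or record.purpose_fulfilled:
        return rule.end_of_life
    return "retain"


def anonymize(record: StoredRecord) -> StoredRecord:
    """Strip the fields that make the record about an identifiable individual."""
    return replace(record, subject_id=None, name=None)


def apply_retention(records: list[StoredRecord], rules: list[RetentionRule],
                    today: date) -> tuple[list[StoredRecord], dict[str, str]]:
    """Apply the schedule; return surviving records and the action per record.

    A record with no matching rule is kept but flagged for review rather than
    silently retained or destroyed.
    """
    by_category = {r.category: r for r in rules}
    kept: list[StoredRecord] = []
    actions: dict[str, str] = {}
    for rec in records:
        rule = by_category.get(rec.category)
        if rule is None:
            actions[rec.record_id] = "review: no retention rule"
            kept.append(rec)
            continue
        action = decide(rec, rule, today)
        actions[rec.record_id] = action
        if action == "destroy":
            continue                      # dropped from the surviving set
        if action == "anonymize":
            rec = anonymize(rec)
        kept.append(rec)
    return kept, actions


# Constructed schedule and records for the example run.
SAMPLE_RULES = [
    RetentionRule("transaction", minimum_days=2555, maximum_days=2920, end_of_life="destroy"),
    RetentionRule("marketing_profile", minimum_days=0, maximum_days=365, end_of_life="anonymize"),
    RetentionRule("support_ticket", minimum_days=30, maximum_days=730, end_of_life="destroy"),
]

SAMPLE_RECORDS = [
    StoredRecord("r1", "transaction", date(2000, 1, 1), True, "s-1", "A. Example"),
    StoredRecord("r2", "marketing_profile", date(2000, 1, 1), False, "s-2", "B. Example"),
    StoredRecord("r3", "support_ticket", date(2001, 5, 15), True, "s-3", "C. Example"),
    StoredRecord("r4", "support_ticket", date(2001, 3, 1), True, "s-4", "D. Example"),
    StoredRecord("r5", "support_ticket", date(2001, 3, 1), False, "s-5", "E. Example"),
    StoredRecord("r6", "unknown_category", date(2001, 3, 1), True, "s-6", "F. Example"),
]


def run_sample(today: date = date(2001, 6, 1)) -> tuple[list[StoredRecord], dict[str, str]]:
    return apply_retention(SAMPLE_RECORDS, SAMPLE_RULES, today)


if __name__ == "__main__":
    surviving, decisions = run_sample()
    for record_id, action in decisions.items():
        print(f"{record_id}: {action}")
    print("surviving:", [r.record_id for r in surviving])
```

Keeping the decision separate from the deletion (the `actions` map) gives the audit trail that the accountability and individual-access principles call for: the organization can show why each record was kept, anonymized or destroyed on a given date.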

Individual Access
»Upon request, an individual must be informed of the existence, use, and disclosure of his or her personal information and must be given access to that information. An individual must also be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
»Access must encompass timely and inexpensive access to data, a simple means for contesting inaccurate or incomplete data, a mechanism by which the data collector can verify the information, and the means by which corrections and/or consumer objections can be added to the data file and sent to all data recipients.

Challenging Compliance
»An individual shall be able to address a challenge concerning compliance to the designated individual or individuals accountable for the organization's compliance.
»Organizations must put procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information. The complaint procedures should be easily accessible and simple to use.
»Organizations must inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures.
»An organization must investigate all complaints. If a complaint is found to be justified, the organization shall take appropriate measures, including, if necessary, amending its policies and practices.
