Privacy Law for Network Administrators Steven Penney Faculty of Law University of New Brunswick
Overview Criminal Code Public sector privacy legislation Private sector privacy legislation Sector-specific legislation
Criminal Code
Interception and seizure of private communications Prohibitions –Wire-to-wire communications –Wireless (radio-based) communications –Systems manager exception (quality control, unauthorized use, mischief) Interception (wiretap) warrants –Content –Routing (“envelope”) data Search and seizure warrants 3d party production orders
Public sector privacy legislation Privacy Act –“Personal information” under control of a “government institution” Provincial legislation
Private sector privacy legislation
PIPEDA Personal Information Protection and Electronic Documents Act
History EU Directive (1995) –“adequate level of protection” CSA Model Code (1996) Phased implementation –Full effect January 1, 2004
Jurisdiction Commercial activities (federal & provincial) Employee information (federal only) Exemptions –Privacy Act –Personal or domestic purposes –“substantially similar” provincial statutes (intra-provincial information only)
Overview Personal information Privacy principles Oversight and enforcement
Personal Information Definition –“information about an identifiable individual... [except] the name, title or business address or telephone number of an employee of an organization” Intimacy not required Collection v. generation irrelevant Anonymity and aggregation
Privacy Principles
Interpretive tools Schedule (“shall” v. “should”) (s. 5(2)) Reasonableness (s. 5(3)) –“An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.”
The Schedule
Accountability Designated person 3d party transfers –Mere processing (contractual protections) –Disclosure (must comply with Act)
Notice of purposes New purposes
Informed consent No conditions for non-essential information –e.g. “no SIN, no connection” Form of consent –Sensitivity of information –Express v. implied –“Opt-in” v. “opt-out” Withdrawal of consent –Subject to legal and contractual restrictions
Exceptions to consent Collection –Interests of person and consent can’t be obtained –Investigation of breach of contract or law –Journalistic, artistic, or literary purpose –Publicly available and in regulations Use –Investigation of breach of law –Health or security emergency –Statistical or scholarly research (restrictions) –Publicly available and in regulations –Collected under ss. 7(1)(a) or (b)
Exceptions to consent con’t Disclosure –Organization’s lawyer –Debt collection –Court order –Law enforcement and national security (where legal entitlement) –Investigation of breach of contract or law (to or by investigative body) –Health or security emergency –Statistical or scholarly research (restrictions) –Archives –100 years or 20 years after death –Publicly available and in regulations –Compliance with law
Limiting collection Only for identified purposes
Limiting use, disclosure and retention No additional purposes without consent Retain only for as long as necessary to fulfill purpose for which information collected Retain long enough to enable access to information used for decision Guidelines and procedures encouraged, including minimum and maximum retention periods
Accuracy Accurate, complete, and up-to-date
Safeguards Loss or theft, unauthorized access, etc. Measures vary with sensitivity of information Technological measures (e.g. encryption) Employee training
Openness Policies in readily accessible form Contact information Means for access to information General description of types of information held
Access Confirmation of existence Right of review Disclosure of information to third parties (list) Minimal or no cost Due diligence and time limits Amendment and corrections
Exceptions to Access 3d party information Solicitor-client privilege Confidential commercial information Health or security of 3d party Compromise legal investigation Information generated from formal dispute resolution process Notification of access request to government for law enforcement (government veto)
Challenging compliance Procedures and notification Duty to investigate Appropriate remedies
Oversight and Enforcement
Privacy Commissioner Complaints PC’s power to initiate Investigative powers and mediation Reports (confidentiality and shaming) Audits Education, research, and compliance assistance
Federal Court Complainant Privacy Commissioner Remedies
Provincial Legislation Non-commercial Employees in provincial sector Commissioners’ order-making powers Jurisdictional issues