Part 6 – Special Legal Rights and Relationships Chapter 35 – Privacy Law Prepared by Michael Bozzo, Mohawk College © 2015 McGraw-Hill Ryerson Limited 34-1

 Privacy Legislation  Application of the Act and Personal Information  Managing Privacy and Personal Information  Anti-Spam Legislation  Canada’s Anti-Spam Legislation © 2015 McGraw-Hill Ryerson Limited 34-2 Overview

 Federal law - Personal Information and Electronic Documents Act (PIPEDA) requires business and personal accountability for the use and collection of personal information – In contract and otherwise  PIPEDA applies in the absence of equivalent provincial legislation Privacy legislation of B.C., Alberta, and Quebec meet PIPEDA standards Privacy Legislation © 2015 McGraw-Hill Ryerson Limited 10-3

 Act covers all personal information collected, used and retained by an organization in commercial activity Businesses held accountable if they use or disclose personal information for purposes other than those for which consent was given Personal information includes but not limited to: name, date of birth, medical facts, ethnicity, personal description, employee records, earnings, credit and loan files, survey responses, beliefs, opinions or intentions Application of the Act and Personal Information © 2015 McGraw-Hill Ryerson Limited 10-4

 1. Accountability – Someone must have delegated personal responsibility at each business.  2. Identifying Purposes – Reason for collection shall be documented before collection and use of info.  3. Consent – Use of Personal Info. (P.I.) requires consent of individuals concerned.  4. Limited to Necessary Info. – Fair and lawful.  5. Limited Use, Disclosure and Retention  6. Accuracy – Accurate, complete and up-to-date.  7. Safeguards Required – Appropriate to sensitivity. PIPEDA COMPLIANCE REQUIREMENTS © 2015 McGraw-Hill Ryerson Limited 10-5

 8.Openness – about P.I. policies and practices.  9. Individual Access – Individuals may request disclosure of their P.I. and may challenge its accuracy and completeness; having it amended where appropriate.  10. Challenging Compliance - May challenge parties responsible under the legislation where there is non-compliance with the requirements of the Act. PIPEDA COMPLIANCE REQUIREMENTS cont’d © 2015 McGraw-Hill Ryerson Limited 10-6

 Privacy commissioner oversees private sector compliance with PIPEDA, and compliance by the federal government with the Privacy Act Investigate complaints, conduct audits and pursue action under two federal laws Publicly report on personal information handling practices Support, undertake and publish research into privacy issues Promote public awareness and understanding of privacy issues Privacy Commissioner © 2015 McGraw-Hill Ryerson Limited 10-7

 Chief Privacy Officer’s (CPO) role to ensure compliance with legislation Safeguard client’s personal information Physical safeguards such as locks, containers and access control Organizational safeguards such as restricting access to employees with a true “need to know” Technological safeguards such as security features, password protection, and data encryption Managing Privacy and Personal Information © 2015 McGraw-Hill Ryerson Limited 10-8

 2014 amendment to PIPEDA Obligation to notify Commissioner of material breach of security has occurred around personal information holdings Individuals concerned must be notified where the breach of security creates a real risk of significant harm Harm not limited to bodily harm, but includes humiliation, damage to credit records, reputation and relationships, financial loss and identity theft Digital Privacy Act © 2015 McGraw-Hill Ryerson Limited 10-9

 Tort of physical, or non-physical into a person’s private places and/or affairs, by way of listening or looking with or without mechanical aids Separate from a violation of the legislation under PIPEDA Factors assessed by court in determining liability: ○ the reckless or intentional conduct of the defendant ○ the unlawful invasion of the plaintiff’s privacy ○ the harm caused as a reasonable consequence of the conduct Intrusion Upon Seclusion © 2015 McGraw-Hill Ryerson Limited 10-10

 July 1, 2014 Canada’s Anti-Spam Legislation (CASL) came into force Intent is to control electronic spam messages Spam is considered to be an annoyance, a vehicle to introduce viruses or malware to computer systems, steal a person’s identity or money from bank accounts CASL regulates the sending of Commercial Electronic Messages (CEMs) Anti-Spam Legislation © 2015 McGraw-Hill Ryerson Limited 10-11

 Any electronic message that has as its purpose encouraging participation in a commercial activity Includes s or messages sent to social media accounts and texts to mobile devices CASL prohibits address harvesting and unauthorized collection of personal information from a computer system Commercial Electronic Messages (CEMs) © 2015 McGraw-Hill Ryerson Limited 10-12

CASL requires the sender to receive express consent from the recipient to receive the CEM CEM must contain contact information of sender, including its address and telephone contacts, as well as website and electronic information CEMs must set out a straightforward mechanism for unsubscribing from receiving future CEMs Commercial Electronic Messages (CEMs) © 2015 McGraw-Hill Ryerson Limited 10-13

 Privacy Legislation  Responsibility of businesses to be accountable for personal information they collect, hold, and use in the course of commercial activity  Concept of privacy based on consent of individual, minimal use, and commitment to safeguard information  CASL  Rigorous new rules in place for sending electronic messages that have a commercial purpose  Express consent required, identify sender’s information, allow recipient to unsubscribe SUMMARY © 2015 McGraw-Hill Ryerson Limited 34-14