On the Cutting Edge – Update on Privacy Legislation


1 On the Cutting Edge – Update on Privacy Legislation
Presented to the CPBI 2007 National Conference
Brian Bowman, PITBLADO LLP
June 15, 2007
© June 2007, PITBLADO LLP. May be reproduced with credit to Brian Bowman and PITBLADO LLP.

2 “Houston, we have a problem.”

3 “You have zero privacy anyway – get over it.”
Scott McNealy, CEO of Sun Microsystems, 1999

4 “It’s going to get scarier if we don’t come up with technology and rules to protect appropriately, privacy and secure [sic] the data, and the most important asset we have is obviously the data of our people – our customers and employees and partners.”
Scott McNealy, CEO of Sun Microsystems, 2006

5 Why should I care about privacy?

6 Good privacy is good business

7 What are we going to discuss?

8 LEGAL MINEFIELDS

9 SALE OF BUSINESS

10 INVESTIGATIONS

11 MANAGING RECORDS

12 ACCESS TO INFORMATION REQUESTS

13 OUTSOURCING

14 LEGAL MINEFIELDS Relevant Laws
PIPEDA
Provincial Privacy Laws (British Columbia, Alberta and Quebec)
Provincial Privacy Acts (e.g. Manitoba)
Others?

15 LEGAL MINEFIELDS PIPEDA’s 10 Privacy Principles
Accountability
Identifying purposes
Consent
Limiting collection
Limiting use, disclosure and retention
Accuracy
Safeguards
Openness
Individual access
Challenging compliance

16 LEGAL MINEFIELDS Privacy Commissioner of Canada Findings
PIPEDA Finding #364: Employer agrees to revise language of consent form regarding exchanges of health information
PIPEDA Finding #358: Individual objects to insurance company’s consent requirements

17 LEGAL MINEFIELDS
PIPEDA Finding #293: Commissioner considers access, correction and inappropriate disclosure allegations against insurance company
PIPEDA Settled Case: Even a public record should be protected

18 LEGAL MINEFIELDS Other Legal Minefields
Dealing with sale of business or practice
Carrying out investigations
Effectively managing your records
Responding to access to information requests
Reconciling outsourcing matters and privacy law requirements

19 SALE OF BUSINESS Introduction
Personal information is a valuable asset.
PIPEDA lacks express provisions to allow organizations to disclose personal information to prospective purchasers or business partners without consent.
A Parliamentary Committee has recommended that PIPEDA be amended to include provisions permitting organizations to collect, use and disclose personal information without consent for purposes of business transactions.

20 SALE OF BUSINESS
PIPEDA requires knowledge and consent of individuals for any disclosure of personal information, subject to specific exemptions.
Organizations must make a reasonable effort to ensure individuals are advised of the purposes for which information will be used.
Current legal uncertainty whether, and what form of, notification and consent is required for certain business transactions.

21 SALE OF BUSINESS Recommendations
Limit personal information transfers.
Consider restructuring the transaction (e.g. share sale vs. asset sale).
Consider obtaining opt-in consent.
Consider relying on prior consent.
Consider providing opt-out consent.

22 SALE OF BUSINESS
In certain limited circumstances, may be able to rely on the “transfer for processing” provision.
Consider adopting an approach similar to the “business transaction” exemptions in Alberta’s and BC’s PIPAs:
Enter privacy agreements for due diligence investigations.
For closings, consider an agreement under which personal information may be used and disclosed only for certain purposes.
If the transaction is not completed, personal information must either be destroyed or returned to the transferor.

23 SALE OF BUSINESS Immediate Recommendations
Review and possibly amend your privacy policy.
Review and possibly amend consent language.
Inventory personal information holdings.
Advise decision makers that purchase and sale agreements must consider privacy implications.

24 INVESTIGATIONS Basic Principle
Except as permitted, personal information cannot be collected, used or disclosed without the prior knowledge and consent of the individual, and then only for purposes that a reasonable person would consider appropriate in the circumstances.

25 INVESTIGATIONS Under the Consent Principle - Principle 3, the knowledge and consent of an individual with respect to the collection, use and disclosure of personal information is required, except where inappropriate. One of the circumstances described as inappropriate relates to investigations.

26 INVESTIGATIONS
PIPEDA provides that organizations may conduct certain investigations without consent.
Disclosure to “third parties” without consent requires an agency relationship or “investigative body” designation.
Disclosures to third party organizations without consent must be a last resort.
Privacy agreements, privacy agreements, privacy agreements!

27 INVESTIGATIONS Consent obligation waived for “investigative bodies”
47 investigative bodies are identified in the regulation

28 MANAGING RECORDS Introduction
PIPEDA requires “personal information shall be retained only as long as necessary for the fulfillment of those purposes”.

29 MANAGING RECORDS PIPEDA further requires that “organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. An organization may be subject to legislative requirements with respect to retention periods.”

30 MANAGING RECORDS PIPEDA further requires that “personal information that is no longer required to fulfill the identified purposes should be destroyed, erased or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.”

31 MANAGING RECORDS Recommendations
Consider retention and destruction a business issue.
Limit personal information holdings to reduce administrative costs.
Exercise care in destruction practices to mitigate complaints and negative headlines.

32 MANAGING RECORDS
Consider electronic and paper records in relation to retention and destruction policies.
Review and/or draft retention and destruction policies and procedures in accordance with PIPEDA and other legal and/or regulatory requirements.

33 ACCESS TO INFORMATION REQUESTS Introduction
New access to information obligations in the private sector (similar to government body access to information obligations already in force)

34 ACCESS TO INFORMATION REQUESTS
Typical requirements:
Access requests should be in writing
Organizations should help individuals requiring assistance
Organizations must respond no later than 30 days after receipt of request
Extension of time limit exemptions exist

35 ACCESS TO INFORMATION REQUESTS
Failing to respond is deemed a refusal
Organizations may respond at a cost to the individual
Organizations must retain information to allow individual access
Numerous and detailed exceptions to right of access

36 ACCESS TO INFORMATION REQUESTS Key Issues
Respond accordingly
Third-party data?
Report access request to privacy officer
Document access request
Request identification

37 ACCESS TO INFORMATION REQUESTS
Ensure sufficient identification
Document identification
Calculate fees for access (if applicable)
Inform individual of cost (if applicable)

38 ACCESS TO INFORMATION REQUESTS
Propose alternatives to access if necessary
Meet time requirements
Request extension if necessary
Clearly explain and document reason for extension
Send notice

39 OUTSOURCING Do you outsource?

40 OUTSOURCING Then you’re responsible.

41 OUTSOURCING Accountability for information provided to third parties
PIPEDA
PIPA
Agent vs. independent contractor?
Privacy agreements required

42 OUTSOURCING Privacy agreements:
Define objectives
Define service expectations
Contemplate subcontractors

43 OUTSOURCING Identify and require security and privacy benchmarks
Establish monitoring and auditing rights

44 OUTSOURCING Clarify termination and transition rights
Identify other elements of relationship

45 CONCLUDING THOUGHTS
Privacy compliance is a legal requirement that is here to stay.
Public expectations regarding privacy are crucial.
Privacy compliance, when managed properly, can be a competitive advantage.

46 QUESTIONS & ANSWERS

47 THANK YOU!
BRIAN BOWMAN, PITBLADO LLP
pitblado.com
2500 – 360 Main Street, Winnipeg, MB, R3C 4H6
Tel: (direct)
