Presentation is loading. Please wait.

Presentation is loading. Please wait.

A NEW GOVERNANCE PARADIGM: Canadian Privacy Law Developments March 11, 2004 Haliburton, Ontario Canada Volunteerism Initiative Arts Council for Haliburton.

Published byOctavia Higgins Modified over 8 years ago

Similar presentations

Presentation on theme: "A NEW GOVERNANCE PARADIGM: Canadian Privacy Law Developments March 11, 2004 Haliburton, Ontario Canada Volunteerism Initiative Arts Council for Haliburton."— Presentation transcript:

1 A NEW GOVERNANCE PARADIGM: Canadian Privacy Law Developments March 11, 2004 Haliburton, Ontario Canada Volunteerism Initiative Arts Council for Haliburton County

2 2 March 11, 2004 2 Presented by Jeffrey H. McCully, B.A., LL.B. PrivacyConsult 613-230-1070 - phone 613-230-2422 - fax jmccully@privacy-consulting.com www.privacy-consulting.com

3 3 March 11, 2004 3 Agenda Overview of private sector privacy legislation in Canada PIPEDA - Application of the law Definitions - what is “personal information”? “governance”? Why privacy protections? Privacy Principles - the heart of PIPEDA Role of Privacy Commissioner & Remedies Privacy Management / Governance Privacy Compliance - Third Party Relations, Employees, Professionals

4 4 March 11, 2004 4 Agenda (continued) Conclusion Good Governance = Mitigation of Risk = Added Value Question & Answer Session

5 5 March 11, 2004 5 Overview of Legislation 2 federal privacy laws Privacy Act (1983) & PIPEDA (2001) Privacy Act - imposes obligations on federal departments - gives Canadians protections re collection, use, disclosure, access - covers tax records, military records, security clearances, etc.

6 6 March 11, 2004 6 Overview of Legislation (continued) PIPEDA - in force in stages from 2001 - fully in force on January 1, 2004 Provincial laws - only Quebec (1994), BC, Alberta

7 7 March 11, 2004 7 PIPEDA: Application Jan 1, 2001 - Federal work, undertaking or business collecting, using, disclosing personal information in the course of commercial activities. - Organizations that trade in information for consideration across a national border or provincial border. Jan 1, 2004 - All organizations collecting, using or disclosing personal information in the course of commercial activities (excluding those subject to “substantially similar” provincial privacy laws).

8 8 March 11, 2004 8 Definitions Commercial Activity - means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. Governance - authoritative care/control over an organization; relates to accountability for the activities of an organization. Organization - association, partnership, person (corporation) and trade union.

9 9 March 11, 2004 9 Definitions (continued ) Grandfathering (retroactivity) - refers to the treatment of information already in the organization’s possession pre-PIPEDA. Data already there is subject to the same rules. Personal Information - information that relates to an identifiable individual, but does NOT include the name, title and business address or telephone number of an employee of an organization. Privacy - the right of individuals to control the collection, use and disclosure of their own information.

10 10 March 11, 2004 10 Definitions (continued) Whistleblowing - section 27 of the PIPEDA protects persons who inform the Commissioner that a person or organization has or intends to contravene the Act. Such persons cannot be retaliated against.

11 11 March 11, 2004 11 Why Privacy Protection? To avoid cost of non-compliance –legal violations and damages/costs flowing from them (unlimited punitive damages; costs of litigation; court fines of $10,000, $100,000) –reputation, goodwill and brand image damage –psychological, economic harm to clients –consumer flight - loss of revenue –public companies - will a violation or a delay in compliance result in a loss of share value?

12 12 March 11, 2004 12 PIPEDA’S 10 Principles 1. Accountability 2. Identifying purposes 3. Consent 4. Limiting Collection 5. Limiting Use, Disclosure, Retention 6. Accuracy 7. Safeguards 8. Openness 9. Individual access 10. Challenging Compliance Each principle may require organizational changes. The heart of the law. Based on Canadian Standards Association Model Code.

13 13 March 11, 2004 13 Role of Privacy Commissioner (PC) PC has substantial powers - that of a Superior Court –investigate complaints –summon and question under oath –receive and consider evidence –search business premises –examine records found therein. PC may try to resolve complaints through mediation or conciliation. PC will issue a report, usually within 1 year.

14 14 March 11, 2004 14 Federal Court Persons may seek a hearing in Federal Court Trial Division if dissatisfied by the PC’s Report. Court may: –order correction of practices –order publication of actions taken –award substantial damages. Obstruction or punishing whistleblowers - up to $100,000 fine.

15 15 March 11, 2004 15 Privacy Management / Governance Organizations must ask questions: –Does PIPEDA apply? (collect personal information for commercial purposes) –Do we have an individual responsible for compliance (CPO)? –Have we conducted a privacy assessment? An audit periodically? –Have we obtained appropriate consent? –Have we identified use? –Do we have a procedure for access to information? –Have our front line staff and junior managers been educated?

16 16 March 11, 2004 16 Privacy Management / Governance –Have we reviewed documentation for necessary consents, confidentiality agreements, indemnities, audits? –Have we reviewed the information practices of third party data processors?

17 17 March 11, 2004 17 Privacy Compliance - Third Parties Liability can result if a business partner or a mere third party outsourcing arrangement violates PIPEDA. Commercial printers, payroll outsourcers, information technology companies (website designers) are a source of liability for you. An organization cannot avoid its privacy obligations by outsourcing. Set out adequate security measures: –confidentiality agreements –encryption technology

18 18 March 11, 2004 18 Privacy Compliance - Third Parties (continued) –“Chinese walls” and other good practices –proper consents –indemnities –privacy audit rights for you.

19 19 March 11, 2004 19 Privacy Compliance - Employees PIPEDA applies to employee information in federal works, undertakings and businesses only - NOT to provincially regulated businesses. Balance is required - what does an employer really need to know? (pay, benefits, records, health records, resumes). Question: What about psychological tests, keystroke monitoring, email?

20 20 March 11, 2004 20 Privacy Compliance - Employees (continued) Collect, use, disclose only with consent (#3). Disclose what information is collected, why, what is done with the information (#2, 4, 5). Collect only what is necessary for stated purpose (#4). Collect by fair/lawful means. Ensure that any consents given by employees are real, and not forced as a condition of employment. Keep information accurate and up to date (#6). Give employees access to it and allow them to challenge or correct it (#6, 9, 10).

21 21 March 11, 2004 21 Privacy Compliance - Professionals Lawyers, accountants, financial advisors will receive much information on third parties, collected by their clients: –payroll information –rent rolls –life insurance information with respect to claims. In an assurance contract, the professional does not have direct access to third parties. The client has the link to the third party. The client should obtain the appropriate consents.

22 22 March 11, 2004 22 Privacy Compliance - Professionals Mere transfers of information for processing (eg. preparation of tax returns) are non-assurance contracts. No further consent is necessary. Consent is implied when, for example, a CA is hired to prepare a tax return. Third parties not involved.

23 23 March 11, 2004 23 Wording in Assurance Contract “It is acknowledged that we will have access to all personal information in your custody that we require to complete our engagement. Our services are provided on the basis that: –you represent to us that you have obtained the required consents for the collection and use of personal information under PIPEDA; and –we will hold all personal information in compliance with our Privacy Policy.”

24 24 March 11, 2004 24 Conclusion Good privacy practice is good information management. Good information management gives a competitive advantage. Governance is enhanced when an organization’s “directing mind” identifies potential business risks and implements systems to mitigate those risks. Privacy is now key to good governance. Good Governance = Mitigation of Risk = Added Value

Download ppt "A NEW GOVERNANCE PARADIGM: Canadian Privacy Law Developments March 11, 2004 Haliburton, Ontario Canada Volunteerism Initiative Arts Council for Haliburton."

Similar presentations

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
PIPA PRESENTATION PERSONAL INFORMATION PROTECTION ACT.

PIPA PRESENTATION PERSONAL INFORMATION PROTECTION ACT.
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,

1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,
Quebec City February 2005 PUBLIC SECTOR CIO COUNCIL BC - USA Patriot Act Update.

Quebec City February 2005 PUBLIC SECTOR CIO COUNCIL BC - USA Patriot Act Update.
Data Protection and Records Management

Data Protection and Records Management
The role of the Office of the Privacy Commissioner in telecommunications Andrew Solomon Director, Policy.

The role of the Office of the Privacy Commissioner in telecommunications Andrew Solomon Director, Policy.
Internet and Information Technology Law September 18 th – Privacy Law Allyson Whyte Nowak UVIC.

Internet and Information Technology Law September 18 th – Privacy Law Allyson Whyte Nowak UVIC.
1 Office of theCommissariat Privacy Commissionerà la protection de of Canadala vie privée du Canada Personal Information Protection and Electronic Documents.

1 Office of theCommissariat Privacy Commissionerà la protection de of Canadala vie privée du Canada Personal Information Protection and Electronic Documents.
What if my organization conducts business across borders ? Your footnote Privacy and “Personal Information” have different meanings in different countries;

What if my organization conducts business across borders ? Your footnote Privacy and “Personal Information” have different meanings in different countries;
Property of Common Sense Privacy - all rights reserved 01875340890 THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.

Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
HIPAA Health Insurance Portability & Accountability Act of 1996.

HIPAA Health Insurance Portability & Accountability Act of 1996.
Anglican Province of Canada Privacy Policy. Commitment to Privacy The Privacy Policy, including the Web Privacy Statement, is the Anglican Province of.

Anglican Province of Canada Privacy Policy. Commitment to Privacy The Privacy Policy, including the Web Privacy Statement, is the Anglican Province of.
Taking Steps to Protect Privacy A presentation to Hamilton-area Physiotherapy Managers by Bob Spence Communications Co-ordinator Office of the Ontario.

Taking Steps to Protect Privacy A presentation to Hamilton-area Physiotherapy Managers by Bob Spence Communications Co-ordinator Office of the Ontario.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview

Data Protection Overview
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
Using Technology in Nursing Practice: Part 1: Complying with Policy 1.

Using Technology in Nursing Practice: Part 1: Complying with Policy 1.
Operational Strategies for compliance with the new privacy legislation Excerpted from a Powerpoint presentation by Murray Long, Murray Long & Associates.

Operational Strategies for compliance with the new privacy legislation Excerpted from a Powerpoint presentation by Murray Long, Murray Long & Associates.

Similar presentations

Ads by Google