
Operational Strategies for compliance with the new privacy legislation Excerpted from a Powerpoint presentation by Murray Long, Murray Long & Associates.


1 Operational Strategies for compliance with the new privacy legislation
Excerpted from a PowerPoint presentation by Murray Long, Murray Long & Associates Inc. and Richard Shields, McCarthy Tétrault, Ottawa

2 Federal Legislation
PIPEDA – Personal Information Protection and Electronic Documents Act.
Ground rules for how organizations may collect personal information in the course of conducting commercial activities.
Compliance – January 1, 2004

3 Overview of Provincial Legislation
B.C. – May 1, 2003: 2nd Reading, Personal Information Act – Jan. 2004: the Federal Government must decide whether the provincial legislation is substantially similar, so as to preclude PIPEDA. Applies to the private and not-for-profit sectors.
Alberta – Enacted health information and protection law. Personal Information Protection Act – May 2003. Will apply to the private sector in Alberta, with limited application to the not-for-profit sector.
Both provinces have acts that cover information on the consumer and the employee.

4 Provincial Legislation
Saskatchewan – The province has enacted, but not enforced, a health protection law that applies to the private and public sectors; it was amended in 2003 to include privacy legislation. The province has also enacted provincial privacy legislation separate from the above.
Manitoba – The province has enacted a health protection law covering the public and private sectors, now enforced. No move has been made to introduce privacy legislation for the private or not-for-profit sector.

5 What is Considered Personal Information
An individual’s…
- Race
- Nationality
- Age
- Gender
- Marital Status
- Biometrics – fingerprints, blood type, genetic characteristics

6 What is Considered Personal Information
- Personal health care history
- Financial history
- Educational history
- Criminal history
- Anyone’s opinion about the individual, i.e. reference checks
- The individual’s personal views

7 Considered Private but – in the Public Domain
- Name
- Address
- Telephone Number
- Business Address
- Business Telephone Number
(The public domain pertains to information available to the general public)

8 Publicly Available Information
Five Categories:
1. Phone books (White Pages, CD-ROMs)
2. Professional Directories (members of the Bar)
3. Public databases (property tax rolls, licenses)
4. Court records (divorce, bankruptcy, law suits)
5. Information provided by an individual to a publication (want ads, interviews)

9 Limits of Reasonableness
Consent is always required!
- Immediate sale obligations
- Related marketing
- Building marketing database
- Building customer profiles
- Disclosing data to third parties
- Completely unrelated uses
- Future sales calls
- Mergers & Acquisitions
- Sharing of data with affiliates

10 The Privacy Rules The law incorporates the CSA Model Code for the Protection of Personal Information. The 10 Principles reflect international fair information practices. They balance individual privacy rights with legitimate business interests.

11 Principle 1 – Accountability
The person(s) responsible must be designated and identified. These persons must ensure training, communications and procedures documentation. Contracts and oversight of third party data processing required.

12 Principle 2 – Identifying Purposes
Purposes must be identified before any personal information can be collected or used. Purposes must be what a reasonable person would expect in the circumstances.

13 Principle 3 – Consent
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information. There are exceptions – such as bill collection, crime investigation, etc. Consent must be obtained fairly – it can be withdrawn at any time.

14 Principle 4 – Limiting Collection
Companies can only collect information specifically required for identified purposes. Purposes should not be identified too broadly. However, overly narrow purposes could require continuous new consents.

15 Principle 5 – Limiting Use, Disclosure and Retention
New purposes require new consent. Data cannot be kept beyond the end date of the last specified purpose. A retention/disposal policy is required.

16 Principle 6 – Accuracy
Information must be as accurate as necessary for the purposes. Decisions must not be made based on inaccurate information. Routine data updating without a purpose is not permitted.

17 Principle 7 – Safeguards
Personal information must be protected appropriately. Employees must be made aware of the importance of maintaining confidentiality of this information. Care must be used in disposing of records to prevent unauthorized access.

18 Principle 8 – Openness
Companies must communicate their privacy policies, including: what data is collected, how it is used, who it is disclosed to, how to access it, and who to make inquiries or complaints to.

19 Principle 9 – Individual Access
People have a right to find out what information you have about them, to know how it is used or disclosed, to access it, and to have it amended as appropriate. There are some allowable or required restrictions on access.

20 Principle 10 – Challenging Compliance
People can challenge your compliance with any aspect of the CSA Code or the law. Companies must respond to all inquiries and complaints. Individuals can also go directly to the Privacy Commissioner. The law has whistleblower protection.

21 Commissioner Powers
- Investigatory powers include the right to enter premises and obtain records.
- Powers of mediation and conciliation.
- Power to conduct audits of business practices.
- Power to publicize with impunity.
- No order-making powers.

22 Reference Checks Only with knowledge and consent. Applies to both collecting and providing references.

23 Employee Monitoring Employees must be informed. The use must be reasonable under the circumstances. Employees may have a right of access. This applies to phone, e-mail, video, etc.

24 New Privacy Rights (Fed. & Prov. Laws)
- Knowledge and consent to collect, use or disclose employee personal information.
- Right to access and amend files, with some limited exceptions.
- Right to file a complaint with the Privacy Commissioner.

25 Investigations Companies can collect personal information without knowledge or consent to investigate the breach of an agreement or the contravention of a law.

26 Biometrics Information collection must be reasonable for the purposes. Privacy Commissioners are concerned about drug testing, fingerprinting, and biometrics-based technologies such as retinal scans, DNA, etc.

27 Employee data not subject to the Act
Business card-type data – except for e-mail addresses
Joe Blow
Sales Manager
Sagamow Products
333 Main Street
Sagamow Falls, ON
(519) 555-8983

28 Compliance The key steps to developing and implementing a Privacy Policy

29 Choosing a Chief Privacy Officer (CPO) It is a senior position with public visibility. The CPO needs authority to ensure the company is compliant. The CPO oversees training, developing and documenting procedures, communications, and privacy policy on third-party contracts. The CPO responds to inquiries and complaints and Privacy Commissioner investigations.

30 Forming a Privacy Team Implementing a privacy policy requires a cooperative team effort. Your privacy team should include customer service, marketing, information management, legal, human resources and security personnel. It could take several months to develop and implement policies.

31 Start with an Audit
Review your current data collection and handling practices. Look at the following:
- Purposes for collecting, using or disclosing personal information.
- What data is currently collected and used, and who it is disclosed to.
- How consent is obtained.
- How data is stored and safeguarded.

32 Develop a Privacy Code Review the 10 principles and how they apply to your circumstances. You may need some legal advice on additional points in the new privacy law. Avoid legal language. Keep it simple. Have it reviewed by a third party. The CSA Model Code is a good starting point – it’s also built into the law.

33 Develop Procedures You will need documented procedures for the following: New purposes, obtaining consent, limiting uses, third-party processing, records retention and disposal, individual access, inquiries and complaints, and more. These are legal obligations. Develop and document procedures to help ensure employees follow your code – the Privacy Commissioner can ask for your documentation.

34 What’s left?
- Employee communications and training
- Providing information about your privacy policy
- Dealing with inquiries and complaints
- Regular review of how you’re doing

35 Communications and Training Front-line Employees and HR Managers need to know how to recognize and expedite an access request or inquiry/complaint under the law. Training is required on safeguards, retention periods, disposal, purpose limitations, etc. Use your operations procedures manual as a basis.

36 Public Information about your Privacy Use the KISS principle. Avoid legalese and 20-page privacy agreements. Key information includes purposes, disclosures, who to contact, and a summary statement of your Code. On the Internet, include special issues such as cookies use, IP address tracking, etc. Provide privacy tools and guidance.

37 Dealing with inquiries and complaints You have 30 days to respond to written access requests. You must respond to all inquiries and complaints (within 30 days). You must not destroy any information or hinder a Privacy Commissioner investigation.

38 Wrap-Up Points – Views of the Privacy Commissioner
Examples of Personal Information:
- Age, name, ID numbers, income, ethnic origin or blood type.
- Opinions, evaluations, comments, social status, or disciplinary actions.
- Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (to acquire goods or services, or change jobs)

39 Wrap-Up Points – More views of the PC
Examples of Information Purposes:
Opening an account, verifying credit-worthiness, providing benefits to employees, processing a magazine subscription, sending out association membership information, guaranteeing a travel reservation, identifying customer preferences, establishing customer eligibility for special offers or discounts

40 Contact Info Janet Emmett VP, Association Services & Leadership Development YMCA Canada (416) 967-9622 ext. 209 janet_emmett@ymca.ca

