Anthony Morris
For Business Edge

In my last column, I outlined features of the federal government’s newly enacted Personal Information Protection and Electronic Documents Act (PIPEDA) — the first federal privacy legislation to affect the private sector.

This act sets out rules governing the collection, use and disclosure of personal information in a manner that attempts to balance an individual’s right to privacy in his or her personal information against the need of organizations to collect, use or disclose that information for purposes “that a reasonable person would consider appropriate in the circumstances” (Section 3 of PIPEDA).

The 10 principles for privacy protection enshrined in PIPEDA are:

* accountability of the party dealing with personal information;

* identifying purposes for collection, use or disclosure;

* consent to collection, use or disclosure of information;

* limiting collection;

* limiting use, retention and disclosure;

* ensuring accuracy;

* implementing safeguards;

* openness;

* individual access to their personal information; and

* implementing procedures for challenging compliance.

PIPEDA currently applies to the federally regulated private sector (e.g. airlines, banking, broadcasting) but will, by 2004, extend to every organization that collects, uses or discloses personal information in the course of a “commercial activity” (with some exceptions).

The act also applies to all organizations that collect, use or disclose personal information for profit or gain across a provincial border.

The threshold questions that any organization must ask in addressing PIPEDA include:

* are we covered by this law?

* what personal information do we collect?

* why do we collect it?

* how do we collect it?

* what do we do with it?

* where do we keep it?

* when is it used or disposed of?

* to whom is it given?

Businesses will have to consider PIPEDA’s exemptions, which place certain information outside its scope.

For example, the law applies only to personally identifiable information, so that if the data cannot be traced to a particular individual, it is probably exempt. Further, if the personal information lies in the public domain (e.g. telephone, professional or business directories, court records), it may well be exempt from the act.

PIPEDA also contains a series of exemptions directed at specific professions or classifications of data, including journalistic, artistic or literary purposes and scholarly study and research.

Every business should develop a privacy policy. A central obligation under PIPEDA is the need for data collectors to provide transparent privacy policies so that individuals are accurately informed about who is collecting their personal information, why it is being collected and how it will be used.

These policies should be posted on an organization’s Web site. In a recent study conducted by professor Michael Geist of the University of Ottawa, a surprising 51 per cent of nearly 300 of Canada’s leading Web sites did not post a privacy policy.

One of the most difficult issues for all organizations will be identifying the uses to which personal information is being put.

Organizations will often be unaware of the many ways in which personal information that they collect ultimately gets used or disclosed. If an organization subsequently changes the purpose, or adds a new purpose, for the use of personal information, it will have to go to the individual and get a new consent.

That leads to the thorny issue of obtaining user consent for collecting, using or disclosing personal information (subject to the exceptions in PIPEDA).

Interesting questions will arise as to whether the degree of informed consent required will vary with the nature of information being requested. For example, collecting personal information for the purpose of a magazine subscription may not require any specific consent beyond that person forwarding the subscription form, as that very act may imply consent for the purpose of the legislation.

However, if that personal information is then sold or otherwise used by the magazine company for any other purpose, detailed consent for that use and purpose would be required. All businesses must closely scrutinize how they should obtain consent to ensure the method is commensurate with both the type of data being collected and PIPEDA’s standards.

PIPEDA also requires each organization to appoint a person to address all privacy-related inquiries. These inquiries may come from the organization’s own employees or from members of the public. One of the principles of PIPEDA is to provide individual access to the information, and so an organization will have to build in responsibility for dealing with requests for access, and for dealing with the Privacy Commissioner of Canada if an investigation by the commissioner is undertaken.

PIPEDA puts into place a fairly elaborate system of appeals for an individual who is not satisfied that an organization has complied with its requirements.

The organization must have a procedure to receive and respond to complaints or inquiries, and if an individual is not satisfied with an organization’s response, he or she may complain to the Privacy Commissioner.

The commissioner has wide-ranging investigative powers and may even enter premises (in some instances) without a court order. The commissioner has no order-making power, but can engage in mediation and dispute-resolution processes and may issue a report setting out the findings of any investigation undertaken.

If an individual is still not satisfied at that point, he or she may apply to the federal court for further hearing. The court can make orders to an organization to correct its handling of any personal information that is offside PIPEDA and can also award damages in certain circumstances.

With the introduction of PIPEDA, the government hopes to sensitize all organizations to the thoughtful collection, use and disclosure of personal information in this age of such easy access to information of all types.

(Anthony Morris is the practice group leader of McCarthy Tetrault’s Technology Law Practice Group in Calgary, and can be reached at 260-3527 or amorris@mccarthy.ca. The comments herein should not be construed as legal advice, and the reader is encouraged to seek the advice of counsel for any specific question.)