Privacy Laws Flashcards
Charter of Rights and Freedoms
Section 7 - Everyone has the right to life, liberty and security of the person
Doesn’t mention privacy, but case law supports view that s. 7 serves as a source of constitutional protection of the right to privacy
Sources of Law
- Legislation (PIPEDA, PIPAs, etc.)
- Common law
- Contracts
- Charter
3 Canadian Perspectives on Privacy
- Privacy of the individual viz the state
- Privacy of the individual viz other individuals
- Privacy of the individual viz organizations
3 Canadian Classes of Privacy (as defined by Jurists)
- Information Privacy - claim to determine for yourself when/how/to what extent info is communicated to others
- Personal Privacy (bodily integrity)
- Territorial Privacy - limitations on ability of individual to intrude on physical environment
Models of Data Protection
Comprehensive (Canada, EU)
Sectoral (US)
Self-Regulatory (US, Japan, Singapore)
Seal Programs (TrustArc, BBBOnline, WebTrust, Digital Advertising Alliance)
Technology-Based Model
Seal Programs
TrustArc - founded in 1997, license agreement
BBBOnline - subsidiary of Better Business Bureaus, from 1999
WebTrust - AICPA and Canadian Institute of Chartered Accountants
Digital Advertising Alliance (DAA) - 2010 self-regulatory org
5 Key Concepts of Canadian Privacy
Personal Information
Employee and Work-Product Information
Public Records and Publicly Available Information
Private and Sensitive Information
General concepts of Fair Information Practices and General
Privacy Principles
Federal Privacy Act - Types of Personal Information
a) Info relating to race, ethnic origin, religion, age or marital status;
b) information relating to education or medical/criminal/employment history, or info relating to financial transactions
c) identifying number, symbol or particular;
d) address, fingerprints, blood type;
e) personal opinions of individual except when about another individual proposal for a grant, award or prize
f) correspondence sent by gov’t to individual that is of private or confidential nature;
g) Views of another individual about the individual;
h) The views or opinions of another individual about a proposal for a grant/award/prize made to the individual by an institution, but excluding the name of the other individual where it appears with the views or opinions of the other individual
i) The name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual
Federal Privacy Act - Job-Related Information (not personal information)
i. The fact the individual is or was an officer or employee of the institution
ii. Title, business address and telephone number
iii. Classification, salary range and responsibilities of the position
iv. The name of the individual on a document prepared by the individual in the course of employment
v. The personal opinions or views of the individual given the course of employment
Employee Information
Personal information that is collected/used for the purposes of establishing, managing, or terminating an employment or volunteer relationship.
Does not include personal information about the individual that is unrelated to that relationship.
(from Alberta PIPA)
Work-product Information
Information about an individual that is related to that individual’s position, functions, and/or performance of their job
Privacy Act - Publicly Available Informaiton
Restrictions on gov’t ability to use and disclose personal information does not apply if info is publicly available.
Obligation to collect info in accordance with the act still apply to publicly available info.
Total exception to any information found in a library or museum material, or placed in the Library and Archives of Canada, National Gallery, etc.”
PIPEDA - Publicly Available Information - Regs
Org can collect/use/disclose PI without knowledge and consent if it is publicly available and specified by regs:
a) Name, address, number appearing in telephone directory (where the subscriber can opt out)
b) Name, address, number appearing in professional or business directory (where use relates directly to the purpose for which info appears in the directory)
c) PI that appears in a registry collected under a statutory authority and to which a right of public access is authorized by law (where use relates to purpose for which info appears)
d) PI in record or document of judicial or quasi-judicial body (where use relates to purpose…)
e) PI that appears in a publication, including a magazine, book or newspaper, in printed or electronic form (where individual has provided the information)
PIPEDA - General Principles re: Publicly Available
- merely because an individual appears in public doesn’t automatically forfeit their interest in retaining control over the PI exposed
- For an org to be exempted from consent requirement, PI must be both publicly available and specified by the regs
- The exception to the consent requirement doesn’t apply to org that initially collects info for the purposes of making it publicly available
OPC Findings - Telephone Directories
- Individual phone number considered PI, even if published in a telephone directory, and subject to the “reasonable person” test.
- Republishing personal white-pages telephone directory info in online format constitutes publicly available info
- Telecom can collect info from parent company’s white-pages directory, for its own purposes, without obtaining consent
OPC Findings - Professional and Business Directories
Information about a business collected from Yellow Pages (or other publicly available sources) does not constitute personal information
OPC Findings - Public Registries
- the purpose for which information is used is a key element in eval of whether exception to consent requirement applies
- purpose of use in a public registry must relate directly to the information’s purpose for being in that registry
- not enough that info is publicly available, must have been collected from source for specific purpose behind subsequent disclosure
OPC Findings - Court and Tribunal Records
- Court not required to disclose personal information that appears in publicly available court records where disclosure relates directly to advancing a claim in court
- PI found in court records of ongoing legal proceeding cannot be collected and used without individual consent for purposes unrelated to the legal proceedings
OPC Findings - Books, Magazines, and Newspapers
Publicly available PI can be collected from published books, magazines, and newspapers regardless of the purpose for which the info appears
- consent not required to use a business email for marketing purposes where email was posted on a publicly available website by the individual (decided before CASL that supersedes)
Private/Sensitive Info
PIPEDA doesn’t distinguish in definitions (although might in RROSH)
Some provincial statutes address the difference between all PI and info that deserves more protection because of its sensitive nature - typically applies when gov’t institutions are working through questions about whether info held by gov’t should be released.
Law (such as that in Nova Scotia) may enumerate types of information which would merit more or less protection
Nova Scotia Privacy Law - Unreasonable Invasion of Privacy Examples
a) medical information
b) PI related to possible violation of law
c) eligibility for income assistance or social service benefits
d) employment or educational history
e) tax returns or tax info
f) financial information
g) personal recommendations or evaluations
h) race/ethnicity, sexual orientation, religious or political beliefs
i) PI consists of name along with address and phone number and is to be used for mailing lists or solicitations by phone or other means
OECD Principles (1981) compared to CSA
Accountability
Purpose Specification -> Identifying Purposes
Collection Limitation -> Consent & Limiting Collection
Use Limitation -> Limiting Use, Disclosure and Retention
Data Quality -> Accuracy
Security Safeguards
Openness
Individual Participation -> Individual Access & Challenging Compliance
Canadian Standards Association (CSA) Principles - 1996
Model Code for the Protection of Personal Information
Accountability
Identifying Purposes
Consent
Limiting Collection
Limiting Use, Disclosure and Retention
Accuracy
Safeguards
Openness
Individual Access
Challenging Compliance
CSA Model Code Participants
Federal and Provincial Gov’ts
Consumer Advocates
Organized Labour
Security and IT Experts
Industries including:
Financial services
Telecommunications
Cable television
Direct Marketing
CSA Model Code Purpose
Balance between legitimate business interests and the individual right to privacy
CSA Principle - Accountability
- Org responsible for PI under its control
- Org shall designate individual accountable for org’s compliance
CSA Principle - Identifying Purposes
- Purpose for collection of PI identified before or at the time of collection
CSA Principle - Consent
Consent required for collection, use or disclosure of personal information (except where inappropriate)
CSA Principle - Limiting Collection
Collection shall be limited to that which is necessary for the purposes identified by the org.
Info shall be collected by fair and lawful means
CSA Principle - Limiting Use, Disclosure and Retention
PI shall not be used for purposes other than those for which it was collected (except with consent or required by law)
PI should be retained only as long as necessary
CSA Principle - Accuracy
PI shall be accurate, complete, up-to-date as necessary
CSA Principle - Safeguards
Security safeguards should be appropriate to sensitivity of the information
CSA Principle - Openness
Org shall make available specific info about its policies and practices
CSA Principle - Individual Access
Upon request, individual shall be informed of existence, use and disclosure of his/her personal information and shall be given access to that information.
Individual should be able to challenge accuracy and completeness of info and have it amended as appropriate.
CSA Principle - Challenging Compliance
Able to challenge org concerning compliance
Generally Accepted Privacy Principles (CICA)
Management
Notice
Choice and Consent
Collection
Use, Retention, Disposal
Access
Disclosure to Third Parties
Security for Privacy
Quality
Monitoring and Enforcement
Sensitive Personal Information
Information more significantly related to the notion of a reasonable expectation of privacy.
Medical or financial!
Information that could result in identity theft.
2016-2017 Parliamentary Report of OPC - Challenges to Consent
- Opaque nature of privacy policies that are the basis of consent
- Complex information flows
- Business processes that involve a multitude of third-party intermediaries
OPC stated that consent model needs to be updated and altered rather than replaced
Retention Period - 2 Points to Remember
- Personal information that has been used to make a decision about an individual should be retained long enough to allow the individual access.
- An org may be subject to legislative requirements w/r/t retention periods for certain types of information
PIPEDA - Accuracy Principle - Updating Personal Information
An org shall not routinely update personal info, unless necessary to fulfill the purposes for which the information was collected
PIPEDA - Openness Principle - Information Made Available
- Name of accountable person
- Means of gaining access to personal information
- Description of PI held and its use
- Brochure that explains policies/standards/codes
- The PI that is made available to related orgs
Time Limits for Access to Own Information Requests
PIPEDA, BC, QC - 30 Days
Alberta PIPA - 45 days with liimited right to extend
PIPEDA - Purpose of Legislation
Reconcile:
* Individual right to privacy
* Commercial need for access to personal information
Express recognition that right to privacy is not absolute
Last goal: ensure that Canadian org’s could receive data from the EU (which had passed the Directive on Data Protection in 1995)
PIPEDA - Application
Applies to the entire private sector - every org that collects/uses personal info in the course of commercial activity OR
- is about an employee of a federal work
Does not apply to:
* gov’t institutions covered by Privacy Act
* Individual that collects info for personal or domestic purposes
* Org that collects info for journalistic, artistic or literary purposes and no other
OPC - Federal Work, Business or Undertaking
“Any work that is under the legislative authority of Parliament”
Specific examples:
- interprovincial/international transport by air or water
- airports, aircraft, airlines
- telecomms
- radio and TV broadcasting
- banks
- grain elevators
- nuclear facilities
- offshore drilling
- any company subject to any part of the Canada Labour Code
NOT Federal:
- insurance companies
- credit unions
Substantially Similar to PIPEDA - 3 Requirements
- Consistent with the Schedule for PIPEDA
- Independent oversight body like the OPC
- Contain a redress mechanism for the aggrieved
PIPEDA - Substantially Similar Laws
- Alberta PIPA
- BC PIPA
- the Quebec Act
w/r/t Health Only
- Ontario Personal Health Information Protection Act
- NB Personal Health Information Privacy and Access Act (wrt health information custodians only)
- NL Personal Health Information Act (wrt health information custodians only)
- NS Personal Health Information Act (wrt health information custodians only)
PIPEDA - Commercial Activity
Transaction, Act or Conduct that is of a commercial character, including selling/buying donor lists
PIPEDA - Commercial Activity - Court Interpretatoin
- Taxable status is not relevant
- Mere contractual relationship is not enough
- information-gathering in preparation for civil tort action not commercial activity contemplated by PIPEDA
- information-gathering by insurance company to defend a lawsuit in part of obligations to insured not covered by PIPEDA
- Physician conducting independent medical exam on behalf of insurance company - this is commercial activity
Commercial Activity - OPC Interpretation
Broad! 2 Part test:
- What is the core activity of the institution (e.g. if educational, presumed not to have ‘commercial character’)
- Presumption against commercial character rebutted if one of the objectives is to earn profit for its owners
- emphasis is on transaction rather than enterprise
- for the most part, nonprofit associations (incl unions) and private schools operate outside of any commercial activity
In:
- relaying financial information into and out of Canada for international transactions with Canadian Bakns
- bankruptcy trustee collecting PI to be used in administering bankruptcy
- day care (even though a nonprofit)
- in certain cases, tort litigation, landlord-tenant relationships, online advertising and social networking
PIPEDA - Obligations
- Org can only collect/use info for purposes that a reasonable person would consider appropriate in the circumstances
- Burden on org to be prepared to demonstrate it is acting reasonably (even if they obtained consent!)
- In Sections 6 to 9 of PIPEDA, some CSA standards modified to be mandatory:
- Only collect with consent
- consent only valid if person would understand nature, purpose and consequence of PI collection and use
- obliged to provide access to personal information
PIPEDA - NOT Obligations
Where Schedule 1 says an org “should” do something, org is not obliged to follow that standard
PIPEDA - Consent Not Required
a) Collection clearly in the interests of the individual and consent cannot be obtained quickly
b) collection related to investigating a breach of agreement or law, and collection with consent of individual would compromise information
c) contained in a witness statement and collection necessary for adjudicating insurance claim
d) produced by the individual in the course of their employment and consistent with that purpose
e) journalistic/artistic/literary purposes
f) info publicly available and specified by regs
g) collection made for purpose of making a disclosure required by law
PIPEDA - Exceptions to Right to Access to PI
- if access would reveal info about a third party
- specified national security or law enforcement reasons
- solicitor-client information
- commercially sensitive information
- threaten the life or security of another
- info gathered as part of formal dispute resolution mechanism
- info collected without consent during investigation of a breach of agreement or law and obtaining consent would have compromised the availability or integrity of that information
PIPEDA - Right of Access - Cost Recovery
Orgs may provide access on a cost recovery basis, but cost must be “at minimal or no cost to the individual”
Any type of flat fee likely not acceptable; org ought to assess minimal fee and apply it only in exceptional cases