News Release

Privacy Commissioner's 2004 Annual Report on the Personal Information Protection and Electronic Documents Act tabled in Parliament — Commissioner reports on the first year of full implementation of Canada's private sector privacy law

Ottawa, October 6, 2005 – Much of the essential framework for protecting individuals' privacy rights in Canada's private sector is now in place, according to the Privacy Commissioner of Canada, Jennifer Stoddart, in her 2004 Annual Report on the Personal Information Protection and Electronic Documents Act (PIPEDA), which was tabled today in Parliament. The Privacy Commissioner's 2004-2005 Annual Report on the Privacy Act, Canada's public sector privacy law, was also tabled today.

In her 2004 Annual Report on PIPEDA, the Commissioner discusses some of the most significant issues her Office faced last year. These include advances in surveillance and data-handling technologies, global competition in business which drives companies to collect and use more personal information, and the transborder flow of personal information. She also gives prominence to her Office's experience with the first year of full implementation of PIPEDA.

"The maturing of PIPEDA is cause for some celebration," states Ms. Stoddart in her report. "Canadians now have comprehensive rights relating to personal information in the private sector in Canada through PIPEDA and substantially similar legislation in several provinces."

PIPEDA has been coming into effect in stages since 2001. The year 2004 saw PIPEDA extend across Canada to all commercial activities, except in provinces with legislation deemed to be substantially similar to the federal law, such as British Columbia, Alberta and Quebec. PIPEDA continues to apply to federal works, undertakings and businesses across the country, as well as to interprovincial and international transactions. Over the past year, the Commissioner's Office has worked closely with provincial counterparts to develop fair, consistent and clear rules of enforcement, which have helped to eliminate any confusion regarding jurisdiction.

In 2004, the number of complaints received under PIPEDA increased by more than 100 per cent over the previous year, showing a growing interest in consumers wishing to assert their privacy rights. As in previous years, financial institutions were the most frequent object of these complaints. Most complaints — 39.6 per cent — related to use and disclosure: when personal information is used or disclosed for purposes other than those for which it was collected or without the consent of the individual.

The year 2004 saw a new emphasis on settling complaints, and organizations and individuals welcomed the opportunity to resolve matters expeditiously and pragmatically. Although 17 per cent of complaints were well-founded, some 45 per cent were settled or resolved through mediation and early resolution, without the need to complete a formal investigation.

The report highlights a number of key investigations under PIPEDA which offer a sense of how the law works, for example:

• There have been several opportunities for the Office to work with its provincial counterparts. There was an incident in which a couple was receiving faxes containing other individuals' personal health information. Though Alberta privacy legislation applied to some of the information transmitted in the faxes, some fell under federal jurisdiction. This resulted in a joint investigation into the matter by the Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner for Alberta.
• An example of a "settled" case involves a woman whose laptop was replaced by a computer store when it was not repaired within a certain time limit. She then received a call from a stranger telling her that the laptop he had just purchased contained her personal information. The store retrieved the laptop and significantly improved its safeguarding policy and practices.
• Another case involves a complaint about video surveillance in the workplace. A complainant alleged that his employer had collected his personal information by way of video surveillance without his knowledge or consent, and had used that information to terminate his employment. Although the complaint into this particular situation was ultimately not well-founded, given the intrusive nature of video surveillance technology, the Commissioner's Office made a number of recommendations to the company, and it is pleased to report that these recommendations were fully implemented.

In 2004, the Office introduced a number of innovations to increase its ability to ensure compliance with PIPEDA. It initiated a follow-up procedure to monitor the progress of organizations in implementing the Commissioner's recommendations. The Office also worked to strengthen its future capacity to audit organizations subject to PIPEDA. One project will help the Office determine and test a process for establishing "reasonable grounds" to select subjects for audits. Another project to develop a self-assessment tool will help organizations ensure compliance with PIPEDA, and promote good personal information management practices.

A review of PIPEDA is planned for 2006 — the Commissioner is also calling for reform of the Privacy Act — and the Office of the Privacy Commissioner will seize this opportunity to make recommendations about how to improve and better enforce the law, and to ensure that it responds effectively to current threats.

This year, for the first time, the Commissioner published two separate Annual Reports, dividing PIPEDA from the Privacy Act. PIPEDA requires the Office to report on the calendar year (2004), while under the Privacy Act, it must report on the fiscal year (2004-2005). As well, each Act provides a separate framework for investigations and audits. There is much overlapping between the reports because many of the Office's activities are not particular to one law or another and, increasingly, the policy issues are common across the two regimes.

The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.

— 30 —

To view the annual reports:

• Annual Report to Parliament 2004 — Report on the Personal Information Protection and Electronic Documents Act (Adobe format)
• Annual Report to Parliament 2004-2005 — Report on the Privacy Act (Adobe format)

For more information, please contact:

Anne-Marie Hayden
Director, Public Education and Communications
Office of the Privacy Commissioner of Canada
Tel: (613) 995-0103
E-mail: ahayden@privcom.gc.ca
www.privcom.gc.ca