An overview of Canada's new private sector privacy law
The Personal Information Protection and Electronic Documents Act
Jennifer Stoddart
Privacy Commissioner of Canada
Introduction
My name is Jennifer Stoddart. I became Privacy Commissioner of Canada in December 2003. An important part of my work is to oversee the operation of Canada's new private sector privacy law, the Personal Information Protection and Electronic Documents Act, or PIPEDA, for short. It's our job to ensure that the law is respected and that people have redress if their rights under the Act are violated.
The Act — PIPEDA — establishes rules for organizations involved in commercial activities to manage personal information. It attempts to strike a balance between the right of individuals to protect their personal information and the need of organizations to obtain such information for legitimate purposes.
In this session, I would like to help organizations understand their responsibilities under PIPEDA. I will explain where the Act came from and why, and what organizations need to do to comply with the Act. I'll also discuss the role of my office in overseeing compliance, and ultimately why the Act is good for both organizations and consumers.
What is privacy?
Before I explain the Act in detail, I would like to discuss what privacy is, and why it is important for us. Privacy is a fundamental and necessary right in a democracy. Privacy is often described as the right to be let alone — or the right to control access to one's person and information about oneself.
In essence, people who are asking for privacy are asking to be let alone, but it's much more than that. In modern society, it's impossible to have complete privacy, but it is important for us to limit intrusions into our privacy. There are many kinds of privacy intrusions from which people may want to be protected. In a world where technology can monitor our activities day in and day out, rules to limit interference with our privacy are essential.
Another kind of activity can also seriously violate your privacy. That is the collection, use and disclosure of information about you — or "personal information," as we call it — without your consent. How many of us, for example, would want medical information about us freely available to others? How many of us would want our financial affairs, or intimate details about our personal lives, made public?
The purpose of many of the privacy laws we have in Canada, including PIPEDA, is to help Canadians prevent improper interference with their privacy. The role of PIPEDA in particular is to help Canadians exercise their right to privacy of information — that is, to help them control access by organizations engaged in commercial activities to personal information about them.
In the past, your personal information was protected almost by default. Information was often stored in paper files, and could not easily be shared with others. Today, however, technology has eliminated that protection. Information that even a few years ago might have taken weeks or months to dig out can be compiled literally in minutes at a computer keyboard. That information can now easily be shared with others, and combined with other information to make a comprehensive profile of you. That is why rules protecting the collection, use and disclosure of your personal information are so important.
How PIPEDA came to be
The enactment of PIPEDA is part of a broader international movement to give individuals better control over their personal information in the hands of business. Since the 1970s, several countries of the European Union have passed legislation regulating the collection, use and disclosure of their personal information. International bodies such as the United Nations, the Organisation for Economic Cooperation and Development and the Council of Europe have also produced international agreements on the protection of personal information in the hands of the private sector.
In Europe, the European Union Data Protection Directive requires countries that are members of the European Union to limit the sharing of information about citizens of EU countries with businesses in other countries. In general, the Directive requires EU countries to refuse to allow transfers personal information to countries outside the EU unless those countries adequately protect the information.
That, in part, is why PIPEDA was enacted — to assure the European Union that Canada was serious about protecting personal information from Europe that comes into the hands of Canadian businesses. Unless Canada was able to give this assurance, businesses in the European Union would have great difficulty sharing personal information with Canadian organizations. This could have seriously hurt these Canadian organizations. Fortunately, the European Commission decided in 2001 that PIPEDA provided an adequate level of protection to personal information. As a result, EU countries and businesses are free to transfer personal information to organizations in Canada that are subject to PIPEDA or other Canadian laws such as the Privacy Act federally, various public sector laws provincially, and some provincial private sector laws.
PIPEDA helps both organizations and consumers in another way. Clear rules to protect the handling of personal information will build consumer trust and confidence in participating in the growing amount of e-business in Canada. For example, banking customers want to know that their privacy is protected when they're banking on-line — not just when they're making a transaction at their local branch. PIPEDA will help the new marketplace by increasing the confidence of consumers that their privacy is being protected online.
PIPEDA serves a third purpose - to complete the circle of protection of personal information in Canada. Before PIPEDA, individuals had some protection for their personal information that was in the hands of governments, and there was also very limited protection for information that was in the hands of the private sector. However, except in Quebec, there was no general protection of personal information held by organizations carrying out commercial activities. PIPEDA fills that gap.
The privacy protections in PIPEDA are largely based on a code for the protection of personal information that was developed by Canadian businesses, academics, consumers and government through the Canadian Standards Association. That code was called the Model Code for the Protection of Personal Information. We call this the CSA Model Code for short. PIPEDA therefore reflects the consensus of several groups within Canadian society. In fact, the CSA Model Code forms the most critical part of PIPEDA and is found in the Schedule to the Act.
Implementation of PIPEDA
PIPEDA has come into effect in stages. Beginning January 1, 2001 it applied to personal information about customers and employees in the federally-regulated sector — for example, banks, telecommunications, and transportation — in the course of commercial activities. It applied to personal information sold across provincial or territorial boundaries by any organization. It applied to all private sector organizations in Canada's three territories.
Since January 1, 2004, PIPEDA has applied across the board — to all personal information collected, used or disclosed by organizations in the course of commercial activities, except in two situations. The first exception relates to provinces which have enacted legislation deemed to be substantially similar to PIPEDA. Where this has occurred, the provincial legislation will apply to organizations that are normally regulated by provincial law. As of March 2004, only Quebec has legislation deemed to be substantially similar to PIPEDA. However, by the beginning of 2004, Alberta and British Columbia had also enacted legislation that will likely be deemed substantially similar, and other provinces may follow suit. Even where provincial legislation has been enacted, organizations' sharing of personal information across provincial or international borders will be governed by PIPEDA.
There is a second commercial situation where PIPEDA does not apply. PIPEDA does not extend to personal information about employees unless the organization involved is a federal work, undertaking or business. Employers in federal works, undertakings or businesses must ensure that they collect, use, and disclose employees' personal information only for purposes that a reasonable person would consider appropriate in the circumstances. However, personal information about employees of provincially-regulated organizations is not covered by PIPEDA, although it may be covered by provincial legislation such as that of Quebec.
Basic Outline of PIPEDA
It is important to understand some of the main concepts behind PIPEDA. PIPEDA applies to organizations engaged in commercial activities that collect, use or disclose personal information. PIPEDA describes personal information as "information about an identifiable individual," but this does not include the name, title or business address or telephone number of an employee of an organization. The Act describes "commercial activity" as "any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists."
PIPEDA ensures that organizations respect the fair information principles of the CSA Model Code that I described earlier. There are ten principles. I will outline them briefly here.
The first fair information principle is accountability. If your organization is covered by the Act, someone in your organization must be responsible for ensuring compliance with the Act. If you are a larger organization, you may want to appoint a Chief Privacy Officer to be responsible for compliance. Your organization must develop policies and procedures to ensure compliance — for example, policies about protecting the security of personal information.
The second fair information principle requires you to identify the purposes for which you want to collect personal information, and how it will be used. You must identify these purposes and uses at or before the time the information is collected, and it must be done for purposes that a reasonable person would consider appropriate in the circumstances.
The third principle is consent. If you want to collect, use, or disclose personal information about individuals, you must obtain their consent. Consent is the fundamental principle on which PIPEDA is based. The consent may be implied or express, depending on the reasonable expectations of the individual and the type of information involved. You should generally get express consent for sensitive information — for example, a person's financial or medical records.
The fourth principle is limiting collection: Your collection of personal information must be limited to what is necessary for the purposes that you have identified, and the information must be collected by fair and lawful means.
The fifth principle is limiting use, disclosure and retention of personal information. You can collect personal information only for the purpose for which an individual gave consent when it was collected. However, the individual can later consent to the use of the information another purpose, and other laws may also require that the information be used for another purpose — mandatory reporting of some financial transactions by banks, for example. Even if you have obtained consent, you must limit your collection, use, and disclosure of personal information to purposes that a reasonable person would consider appropriate in the circumstances. And personal information must be retained only as long as is necessary to meet those purposes.
The sixth principle is accuracy. The personal information your organization holds must be as accurate, complete and as up-to-date as is necessary for the purposes for which it is being used. This does not mean information must be routinely updated unless it is necessary to fulfil the purposes for which it was collected.
The seventh principle is safeguarding personal information. Organizations must ensure that personal information is protected by the appropriate security safeguards, no matter what its format — video tapes, paper records or computer files. You must protect this information from unauthorized access, disclosure, copying, use or modification.
The eighth principle is openness. Organizations must ensure that information is available to customers and employees clearly explaining personal information practices and procedures.
The ninth principal is individual access. Individuals have the right to see the personal information that organizations hold about them. They also have a right to correct any inaccuracies.
The tenth, and final, fair information principle is challenging compliance. Organizations must develop simple and easily accessible complaint procedures. They must tell people who complain about the handling of their personal information what recourse is available. Organizations must investigate all complaints they receive and take appropriate measures to correct improper information handling practices and procedures.
Role, mandate and approach of the OPC
Individuals may sometimes challenge how an organization handles their personal information. Normally, the individual should first raise this with the organization.
The individual can also complain to our Office about several matters relating to the handling of personal information. These include allegations that an organization has denied them access to their personal information, that it improperly collects, uses or discloses personal information, or that it refuses to correct inaccurate or incomplete information or does not use appropriate safeguards to protect personal information. As Commissioner, I may also initiate a complaint in some circumstances.
As an Officer of Parliament, I report directly to the House of Commons and to the Senate. This independence ensures my impartiality and open-mindedness in exercising my role as an ombudsman for privacy matters.
We seek whenever possible to resolve disputes through investigation, persuasion, mediation and conciliation. Ideally, this approach to resolving disputes can be less intimidating to complainants and less costly to business than recourse through the courts.
When an investigation of a complaint begins, our office will notify the organization of the substance of the complaint and identify the investigator responsible for the case. The organization can make representations to the Privacy Commissioner at any time during the process. We intend to encourage complaints to be resolved through negotiation and persuasion, and we may suggest using alternate dispute resolution processes such as mediation or conciliation. We are also looking at early resolution and other ways of settling complaints, and minimizing the number of complaints we receive.
If the complaint is not resolved informally, the investigator assigned to the case will contact the person designated by the organization to indicate how the investigation will proceed and, if possible, which records need to be reviewed and which staff members may be interviewed.
In conducting investigations, we can summon witnesses, compel evidence under oath, compel the production of records, administer oaths, receive and accept any evidence or information, and enter premises.
Before the investigation is concluded, the results are disclosed to the organization and the complainant. Both can make additional representations at that time if they wish. This also gives them another opportunity to resolve the matter before the report on the complaint is completed.
We will then consider the case and issue a report to the parties. The report includes the results of the investigation, any settlement reached by the parties, recommendations such as suggested changes in information management practices, and what steps the organization has taken or will take to address these recommendations.
As Privacy Commissioner, I have no power to make binding orders, but we do have two other important powers under the Act. We have the power of disclosure, which is the right to make public information about the practices of an organization. We can also take matters to the Federal Court of Canada.
We can request that an organization notify us of any action taken or proposed to be taken to implement the recommendations made in the report, or explain why no action has or will be taken.
Besides overseeing the operation of PIPEDA and dealing with complaints, I can conduct audits into organizations' personal information-handling practices, if we have reasonable grounds. I also have a more general responsibility to conduct research and foster understanding of privacy issues. As an Officer of Parliament, reporting directly to the House of Commons and the Senate, I also have a responsibility to report to Parliament on the operation of legislation and other important privacy issues.
Why is good privacy good news for both individuals and organizations?
While many people may fear having the government limit their freedom by collecting too much information about them, they should also worry about the impact that business can have on them by collecting excessive amounts of personal information. Through PIPEDA, individuals have better control over their personal information in the hands of organizations that carry out commercial activities. Being able to control the sharing of personal information is an important part of protecting one's rights.
Organizations subject to PIPEDA should not see it as just one more regulatory burden. PIPEDA reflects the new realities of the business world. It ensures that Canadian organizations will not suffer because businesses in other countries are unwilling to transfer personal information to them. And Canadian organizations that respect the provisions of PIPEDA, and that more generally seek to respect the privacy of their customers, will find that it pays dividends through improved customer relations. This in turn can increase their competitive advantage. For e-businesses in particular, good policies and practices on the handling of personal information can build strong trust among customers.
A review of your information handling practices may also expose inefficiencies, such as the money wasted in collecting and maintaining large amounts of personal information that are not really needed for the operation of the organization.
Conclusion
I have given you a brief overview of PIPEDA, the reasons behind its enactment, and your responsibilities under it. The Act is more detailed than I can describe in this short time, but I have tried to explain its main features.
It is not my intention as Privacy Commissioner to use a heavy hand in promoting compliance with this law. This is a relatively new law, and it will take time for organizations and citizens alike to fully understand and comply with it. Our goal is to encourage Canadian organizations to act in good faith and incorporate sound privacy practices into their operations by complying with PIPEDA. We will work with these organizations to improve their personal information-handling practices.
In preparing to comply with PIPEDA, it is important for you to review your current practices for handling personal information. What personal information do you now collect? Do you really need that information to operate your organization? What use will you make of it? To whom do you disclose information? How long do you keep it? How effectively do you safeguard it?
My office has published a range of materials, which I encourage you to review. They are designed to explain the Act more fully and help organizations comply with it.
For more information, you can contact our office at 1-800-282-1376. You can also visit our web site at www.privcom.gc.ca.
Thank you for watching. |
