Privacy Legislation Update: Personal Information Protection and Electronic Documents Act (PIPEDA)


Presentation Transcript


  1. Privacy Legislation Update: Personal Information Protection and Electronic Documents Act (PIPEDA)
     Lynette D’Souza, Associate Counsel & Policy Analyst

  2. Background
     • Key Principle: “You own your own information”
     • Modern consumer:
       - Less trusting
       - Likely to challenge organizations if their rights are, or appear to be, breached

  3. Background
     Key Points:
     • Accountability: you are accountable for the personal information you collect
     • Consent: you need consent to collect, use or disclose personal information
     • Information Stewardship: you must protect the personal information in your care

  4. Status of Law
     Federal Law:
     • Effective: January 1st, 2004 for all organizations engaged in commercial activity
     • Applies by default where no substantially similar provincial act is in place
     Provincial Law in Ontario:
     • Future uncertain
     • Not introduced in the provincial legislature before the fall election

  5. Overview
     Federal Law:
     • Purpose: to govern the collection, use and disclosure of personal information in a manner that recognizes both the individual’s right of privacy and the organization’s need to collect, use or disclose personal information for purposes a reasonable person would consider appropriate (s. 3)

  6. Overview
     Application:
     • Organizations collecting, using or disclosing personal information in the course of commercial activities (s. 4(1))
     • Organizations: persons, associations, partnerships and trade unions (s. 2(1))

  7. Overview
     Application cont’d:
     • Collecting, Using, Disclosing
       - Common Forms of Information Collection:
         • Special events: participants, volunteers, pledgers
         • Online donors
         • Public information sources
         • In memoriam gifts
         • Customer lists
         • Door-to-door campaigns
         • Third-party lists

  8. Overview
     Application cont’d:
     • Common Uses of Personal Information:
       - Sell it / barter it / lease it (one-time use)
       - Third-party access for affinity programs
       - Merge with third-party lists
       - Provide access to corporate sponsors
       - Subsequent fundraising requests
       - Transfer to Major Gift / Planned Giving prospect lists

  9. Overview
     Application cont’d:
     • Personal Information: information about an identifiable individual (s. 2(1))
       - Does not include the name, title, business address or business telephone number of an employee of an organization
     • For the first year after implementation, the Act does not apply to personal health information (s. 30(1.1) and s. 2(1))

  10. Overview
     Application cont’d:
     • Commercial Activities: defined broadly (s. 2(1))
       - Expressly includes the selling, bartering or leasing of donor, membership or other fundraising lists
       - Activities of charities and not-for-profits can be caught by the Act if those activities are characterized as commercial

  11. Overview
     Key Obligations:
     • When collecting personal information, must identify the purposes of collection (Sch. 1, cl. 4.2)
     • Must give access to personal information upon request (s. 5(1) and Sch. 1, cl. 4.9)
     • Need knowledge and consent to collect, use or disclose personal information (Sch. 1, cl. 4.3); the limited exceptions are set out in:
       - s. 7(1) for collection (including collection from a third party)
       - s. 7(2) for use
       - s. 7(3) for disclosure

  12. Overview
     Remedial Action:
     • An individual may file a complaint (s. 11(1))
       - The organization may have an initial opportunity to redress the complaint before it becomes public
       - Whistle-blowing provisions (ss. 27 and 27.1): anyone with reasonable grounds to believe a contravention has occurred or is occurring may notify the Commissioner, and employers may not retaliate against them for doing so
     • The Commissioner may initiate a complaint (s. 11(2))
     • Investigative and audit powers of the Commissioner (ss. 12 to 19)
     • Complaints can go to the Federal Court (ss. 14 to 17)

  13. The 10 Principles
     1. Accountability
     2. Identifying Purposes
     3. Consent
     4. Limiting Collection
     5. Limiting Use, Disclosure & Retention
     6. Accuracy
     7. Safeguards
     8. Openness
     9. Individual Access
     10. Challenging Compliance

  14. Principle 1: Accountability
     • The organization must designate an individual or individuals to be accountable for the organization’s compliance with the Act (Sch. 1, cl. 4.1)
     Your organization is accountable for the personal information in its possession.

  15. Principle 2: Identifying Purposes
     • Upon collection of personal information, the purposes for collection must be identified (Sch. 1, cl. 4.2)
     • Use the reasonable person test to determine whether a purpose has been adequately identified
     You must inform individuals why you’re collecting information.

  16. Principle 3: Consent
     • Knowledge and consent are required (Sch. 1, cl. 4.3)
     • Consent can be express or implied
     • The form of consent required will depend on the sensitivity of the information
     • Reasonable efforts must be made to ensure that the purposes are understood
     • Consent can be withdrawn
     • Exceptions: legal, medical or security reasons; law enforcement; a minor; seriously ill or mentally incapacitated individuals (also information collected solely for journalistic, artistic or literary purposes)
     Ensure sufficient consent.

  17. Principle 4: Limiting Collection
     • Collection must be limited to what is necessary for the purposes identified by the organization (Sch. 1, cl. 4.4)
     • Use fair and lawful means to collect personal information
     Collect only what you need.

  18. Principle 5: Limiting Use, Disclosure and Retention
     • Personal information should not be used or disclosed for purposes other than those specified upon collection, except with the consent of the individual or as required by law
     • Personal information should be retained only as long as necessary for the fulfillment of those purposes (Sch. 1, cl. 4.5)
     If information is not going to be used, destroy it.

  19. Principle 6: Accuracy
     • Personal information should be as accurate, complete and up-to-date as is necessary for the purposes for which it is used (Sch. 1, cl. 4.6)
     Do what’s reasonable to keep data accurate.

  20. Information Accuracy
     • Indicate the date of collection on the file
     • Must not routinely update information unless necessary for the purpose for which it was collected (Sch. 1, cl. 4.6.2)
     • Third-party transactions: make sure you are getting and giving accurate information
     • Act reasonably for your organization’s size

  21. Principle 7: Safeguards
     • Security safeguards appropriate to the sensitivity of the information are required (Sch. 1, cl. 4.7)
     • Need adequate physical, organizational and technological measures (cl. 4.7.3 gives locked filing cabinets, security clearances and need-to-know access, and passwords and encryption as examples)
     • Pay attention to third-party contracts
     Safeguarding should be systematic.

  22. Principle 8: Openness
     • Specific information on the organization’s policies and practices relating to the management of personal information must be readily available (Sch. 1, cl. 4.8)
     Explain your policies & access protocols to stakeholders.

  23. Principle 9: Individual Access
     • Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and must be given access to that information (Sch. 1, cl. 4.9)
     • An individual can challenge the accuracy and completeness of the information and have it amended as appropriate
     Individuals have access to their files.

  24. Principle 10: Challenging Compliance
     • Organizations must be able to respond to complaints or inquiries about compliance (Sch. 1, cl. 4.10)
     • Take all complaints seriously
     • Obligation to advise complainants of their right to pursue the complaint with the federal Privacy Commissioner
     Be prepared for compliance challenges.

  25. Non-Compliance
     Results of Non-Compliance:
     • Any court action, regardless of the outcome, will likely cause significant harm to reputation
     • Negative publicity
     • Legal costs, damages
     • Loss of time and resources responding to the Privacy Commissioner

  26. Implementation Strategies
     Accountability:
     • Identify a key staff person or team
     • Involve the whole organization in the process
     • Respect statutory time limits (e.g. access requests must be answered within 30 days, s. 8(3))
     • Be as thorough as possible with respect to policies and procedures
     • Be reasonable: the resources devoted to this issue should be appropriate for the size of your organization and for the type and amount of personal information you collect

  27. Implementation Strategies
     Safeguarding Information:
     • Physical measures: restrictions on access; secure disposal of confidential information; a safe and secure physical space
     • Organizational measures: a security policy; training; periodic review of information handling; periodic audit of the information held; risk management
     • Technological measures: firewalls and virus protection; technology sufficient to protect the integrity of the information; disaster recovery capacity
     • Third-party contracts: verify the consents obtained or purposes of the third party; confidentiality agreements; the ability to audit compliance with the agreement; set out the agency relationship in the contract; address liability and indemnity in the contract

  28. Implementation Strategies
     General Strategies:
     • Adopt best practice when not sure whether or not the law applies
     • Consult with similar organizations to identify their practices and approaches and their suitability for the organization in question
     • Best practices depend on the facts
     • Seek legal advice

  29. Resources
     Privacy Commissioner of Canada website: www.privcom.gc.ca (an electronic copy of the federal Act plus guidance on the legislation and an implementation schedule)
     CCP website: www.ccp.ca (“Privacy 101” document)
