
Information Resource Management Association of Canada

This session provides an overview of privacy laws and corporate compliance strategies in Canada, focusing on the Personal Information Protection and Electronic Documents Act. Learn how to protect personal information and navigate privacy regulations.





Presentation Transcript


  1. Information Resource Management Association of Canada
     Privacy and Commerce
     March 2001

  2. Session Overview
     • A sense of Privacy
     • Privacy Law Framework
     • Canada's Personal Information Protection and Electronic Documents Act
     • Corporate Compliance Strategies

  3. A Sense of Privacy
     • What is it?
     • Personal information is any information about an identifiable individual, e.g.: information about physical or mental health, health services provided, donation of body parts or substances, social insurance number, name, address, telephone number, employment, criminal or educational history, travel or entertainment information, financial information, internet browsing stream data, location, family, fingerprints, blood type, opinions, DNA …
     • What is a record?
     • Any correspondence, memorandum, book, plan, map, drawing, diagram, pictorial or graphic work, photograph, film, microform, sound recording, videotape, machine-readable record and any other documentary material, regardless of physical form …

  4. A Sense of Privacy
     • “The right of individuals to determine for themselves when, how and to what extent information about them is communicated to others.” – Dr. Westin
     • “Privacy is an emotional reaction to an action.” – Scott Crosby
     • “It’s about self-possession, autonomy and integrity. As we move into the computerized world of the twenty-first century, privacy will be one of our most important civil rights.” – Simson Garfinkel

  5. A Sense of Privacy We have reached a point where we know less about ourselves than do the government, marketers, financial institutions, health care providers and entertainment and hospitality providers.

  6. A Sense of Privacy Taken to an extreme, which is where we seem to be going anyway, we will soon accept the word “surveillance” the way we do “pollution”, as if intrusions into our private lives are just a normal and acceptable part of modern living.

  7. A Sense of Privacy
     • “Privacy is perhaps the biggest social issue of the Internet age, and today’s practices don’t just suck, they’re downright unconstitutional.”
     • “There’s five billion dollars sitting on the table for the company that figures out how to give people control back over their information.”
     – Fred Davis, founder and CEO of Lumeria, Atlantic Monthly, March 2001

  8. A Sense of Privacy
     • Marissa Gluck, an analyst at Jupiter Research: “Privacy is the most over-hyped issue I’ve seen. It’s a way for politicians and gadflies to grandstand on an issue that the press love to hype. It gets everyone ink.” – Business 2.0, January 9, 2001

  9. A Sense of Privacy
     November 1999: Personalized Marketing and Privacy on the Net: What Consumers Want – Privacy & American Business
     Key Messages of the Survey
     • A majority of Internet users (61%) say they would be positive toward receiving banner ads tailored to their personal interests rather than receiving random ads. This represents about 56 million adult users interested in such personalization.
     • More than two-thirds of Internet users (68%) say they would provide personal information in order to receive tailored banner ads, if notice and opt out are provided. This represents about 63 million adult users.

  10. A Sense of Privacy Privacy is not a component of Security; Security is one means of achieving Privacy.

  11. Privacy Law Framework
      Based on Fair Information Practices. Govern the:
      • Collection
      • Use
      • Disclosure
      • Retention

  12. Privacy Law Framework

  13. Privacy Law Framework
      • Two national laws in Canada
      • Provincial laws
      • US laws; 14 at national level and more coming
      • OECD Guidelines: “Privacy protection laws have been introduced, or will be introduced shortly, in approximately one half of OECD Member countries (Austria, Canada, Denmark, France, Germany, Luxembourg, Norway, Sweden and the United States have passed legislation. Belgium, Iceland, the Netherlands, Spain and Switzerland have prepared draft bills) to prevent what are considered to be violations of fundamental human rights, such as the unlawful storage of personal data, the storage of inaccurate personal data, or the abuse or unauthorised disclosure of such data.” – OECD – www.oecd.fr

  14. Privacy Law Framework – OECD BASIC PRINCIPLES OF NATIONAL APPLICATION
      1) Collection Limitation Principle (limits, lawful, fair and with knowledge)
      2) Data Quality Principle (relevant to purpose, accurate and complete)
      3) Purpose Specification Principle (at time of collection)
      4) Use Limitation Principle (no disclosure or use other than original)
      5) Security Safeguards Principle (against loss, access, destruction, use and modification)
      6) Openness Principle (policies, practices and available)
      7) Individual Participation Principle (access)
      8) Accountability Principle (for measures to give effect)
      http://www.oecd.org//dsti/sti/it/secur/prod/PRIV-EN.HTM

  15. Privacy Law Framework
      • Approximately 60 countries with data protection directives or laws
      • All cover basics, but some are sectoral or procedural
      • Laws often re-form themselves into industry sector-wide codes
      • Cover personal information, usually regardless of electronic transfer or hardcopy

  16. Information Resource Management Association of Canada – Privacy and Commerce
      Canada’s Personal Information Protection and Electronic Documents Act
      • Result of consensus of industry-government working group of Canadian Standards Association
      • In response to increased public concern over technological advances intruding on privacy
      • The Act strikes a balance between an individual's right to the protection of personal information and the need of organizations to obtain and handle such information for legitimate business purposes.
      • The Act establishes rules for the management of personal information by organizations involved in commercial activities

  17. Canada’s Personal Information Protection and Electronic Documents Act
      Purpose – to establish rules to govern the collection, use and disclosure of personal information, to recognize the right of privacy, and to recognize the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate

  18. Canada’s Personal Information Protection and Electronic Documents Act
      • Applies to
        • organizations that collect, use and disclose personal information in the course of commercial activity
        • Customer information
        • Employee information
      • Does not apply to:
        • Organizations covered by the Privacy Act
        • Collection, use and disclosure for domestic purposes
        • Journalistic, artistic and literary purposes
      • Takes precedence over subsequent laws unless they excuse themselves

  19. Canada’s Personal Information Protection and Electronic Documents Act
      Phased Application
      • 2001 – federal works and undertakings
        • Banks, inter-provincial transportation, radio broadcasters, cross-border disclosures
      • 2002 – personal health information
      • 2004 – every entity conducting commercial activity

  20. Canada’s Personal Information Protection and Electronic Documents Act
      Ten Principles:
      • Accountability
      • Identifying Purpose
      • Consent
      • Limiting Collection
      • Limiting Use, Disclosure and Retention
      • Accuracy
      • Safeguards
      • Openness
      • Access
      • Challenging Compliance

  21. Facts by design
      • Government of Canada 1998-99:
        • 36,000 requests, $15 million, $550 each
      • Ontario 98-99:
        • 10,000 requests
      • US DOD FOIAP Requests 1999:
        • 97,000, $32 million, 776 staff
      • Office of the Privacy Commissioner of Canada
        • 99/00 complaints <1,600, 15 staff and $4.5 million
      • Ontario Privacy Commissioner
        • 1999: 806 complaints, $6.5 million

  22. Canada’s Personal Information Protection and Electronic Documents Act
      Complaints filed with the Privacy Commissioner
      • complaints can be filed with the Commissioner against an organization for contravening privacy obligations under the Act or the ten principles
      • Commissioner may initiate an investigation upon reasonable grounds
      • Refusal complaints must be filed within 6 months, or as Commissioner sees fit, after the refusal or deemed refusal
      • Commissioner shall give notice to the institution

  23. Canada’s Personal Information Protection and Electronic Documents Act
      Investigation of Complaints
      • Commissioner must investigate
      • Has powers of summons, taking oaths, entering premises, obtaining copies, etc.
      • May use dispute resolution mechanisms
      • Commissioner must report, within one year, his findings and recommendations, settlements, recourse
      • Only then can a complainant apply to Federal Court for a hearing

  24. Canada’s Personal Information Protection and Electronic Documents Act
      Remedies
      • Court can order organization to correct practices
      • Order an organization to publish a notice of any action taken or proposed
      • Award damages to complainant, including for humiliation

  25. Canada’s Personal Information Protection and Electronic Documents Act
      Audits
      • Commissioner may audit personal information management practices of an organization
      • Commissioner must provide a report to the organization
      • Commissioner may make audit results public
      • Commissioner may make public any information relating to the personal information management practices of an organization

  26. Canada’s Personal Information Protection and Electronic Documents Act
      Refusal of Access
      • Solicitor-client protected information
      • Confidential commercial information
      • Personal information about a third party
      • Personal information that could threaten the life or security of another individual
      • Information collected under 7 (1) (b) (collected without consent due to law enforcement)
      • Formal dispute resolution process information
      • Information can be severed

  27. Corporate Compliance Strategies
      • Recognize business value in privacy management
      • Privacy enhanced services and products
      • Corporate differentiator
        • Volvo – safety; ? – privacy
      • Can’t forget employees
      • Hire CPOs
      • Wonder who let the dogs out?

  28. Corporate Compliance Strategies
      The Public/Consumer… Develop common expectations
      • Lead the way for cultural change
      • Seek access
      • Fringe customer
      “Improved customer service will probably have to wait a decade for the realization that what the customer wants is fairness, efficiency and privacy.” – Miss Manners, Time Canada

  29. Corporate Compliance Strategies
      • “54% of those polled decided not to use a company or buy because they were unsure of how their personal information would be used.”
        Source: IBM-Harris 1999 Multi-National Consumer Privacy Survey
      • “31% of respondents will not make online purchases this holiday season, and two out of five Internet users (38%) will limit the amount they spend online because of concerns about security or privacy.”
        Source: Fiderus/Yankelovich Survey, 2000

  30. Corporate Compliance Strategies http://www.pandab.org/

  31. Corporate Compliance Strategies
      Privacy Code
      • Introduction – purpose
      • Reference to authority, internal/external
      • Roles: CPO, IM, Legal, Point of contact
      • Scope
      • Principles – CSA etc.
      • Definitions – personal information etc.
      • Regular review
      • Collection – with consent, without, what is collected
      • Use – with consent, without
      • Disclosure – with, without
      • Requesting access, timing, refusals

  32. Corporate Compliance Strategies
      What should a Code do?
      • reassure
      • strike balance
      • build trust/partnership
      • engage customers
      • engage employees
      • enhance customer – company relationships
      • enhance employee – company relationships
      • meet any growing demand and customer expectations
      • competitive edge

  33. Corporate Compliance Strategies
      Corporate Roles and Responsibilities
      • Led by a CPO
      • Product/services development
      • Human Resources
      • Information Management
      • Customer relations
      • Audit/internal review
      • Regional/International perspective
      • Legal Representative

  34. Corporate Compliance Strategies
      10 Easy Steps
      • Be the Front Goose
      • Strategic Planning
      • Information Management
      • Change management
      • Customer Relations
      • Employees
      • Systems/Processes
      • Implementation
      • Analysis/Measurement
      • Inertia

  35. Corporate Compliance Strategies
      Privacy Strategy
      • Change Management
      • Leadership
        • Appoint a CPO
        • Build a team
      • Procedural infusion
      • Campaign for cultural change and perspective
      • Training plan
        • Training, training, training
      • Regional/functional/international components
      • Legal representative/Business development
      • Corporate Strategic initiatives

  36. Corporate Compliance Strategies
      Privacy and Commerce Strategy
      • Goals
      • Privacy Infrastructure impact analysis
      • Privacy Infrastructure’s impact on other business activities
      • CRM
        • Solid privacy infrastructure brings them back
        • Personalized services possible
        • Individual control is key
      • Corporate-wide approach
      • External/Internal Marketing of Privacy Management
      • Cost
        • Forecast/predict
      • Gap analysis – what needs to be done?

  37. Corporate Compliance Strategies

  38. Points to Take Home
      • Privacy is important
      • Accountable person(s)
      • Limits collection, use, disclosure and retention of personal information
      • Consent is required for collection, use and disclosure
      • Security and safeguards
      • Openness regarding policies and practices
      • Individuals have access (accuracy)
      • Individuals can complain
      • Privacy Commissioner can initiate a complaint, investigation and/or audit
      • Federal Court has final say
