A NEW GOVERNANCE PARADIGM: Canadian Privacy Law Developments
March 11, 2004
Haliburton, Ontario
Canada Volunteerism Initiative
Arts Council for Haliburton County

Presented by Jeffrey H. McCully, B.A., LL.B.
PrivacyConsult
613-230-1070 - phone
613-230-2422 - fax
jmccully@privacy-consulting.com
www.privacy-consulting.com
Agenda
• Overview of private sector privacy legislation in Canada
• PIPEDA - application of the law
• Definitions - what is "personal information"? "governance"?
• Why privacy protections?
• Privacy Principles - the heart of PIPEDA
• Role of the Privacy Commissioner & remedies
• Privacy management / governance
• Privacy compliance - third party relations, employees, professionals
• Conclusion: Good Governance = Mitigation of Risk = Added Value
• Question & answer session
Overview of Legislation
• Two federal privacy laws: the Privacy Act (1983) and PIPEDA (2001)
• Privacy Act
- imposes obligations on federal departments and agencies
- gives Canadians protections regarding collection, use, disclosure and access
- covers tax records, military records, security clearances, etc.
• PIPEDA
- in force in stages from January 1, 2001
- fully in force on January 1, 2004
• Provincial private-sector laws - only Quebec (1994), British Columbia and Alberta
PIPEDA: Application
• January 1, 2001
- Federal works, undertakings or businesses collecting, using or disclosing personal information in the course of commercial activities.
- Organizations that disclose personal information for consideration across a national or provincial border.
• January 1, 2004
- All organizations collecting, using or disclosing personal information in the course of commercial activities (excluding those subject to "substantially similar" provincial privacy laws).
Definitions
• Commercial Activity - any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
• Governance - authoritative care/control over an organization; relates to accountability for the activities of an organization.
• Organization - includes an association, a partnership, a person (including a corporation) and a trade union.
• Grandfathering (retroactivity) - refers to the treatment of information already in the organization's possession before PIPEDA came into force. Data already held is subject to the same rules.
• Personal Information - information about an identifiable individual, but does NOT include the name, title or business address or telephone number of an employee of an organization.
• Privacy - the right of individuals to control the collection, use and disclosure of their own information.
• Whistleblowing - section 27 of PIPEDA protects persons who inform the Commissioner that a person or organization has contravened or intends to contravene the Act. Such persons cannot be retaliated against.
Why Privacy Protection?
• To avoid the cost of non-compliance:
- legal violations and the damages/costs flowing from them (unlimited damages; costs of litigation; court fines of up to $10,000 on summary conviction or $100,000 on indictment)
- reputation, goodwill and brand image damage
- psychological and economic harm to clients
- consumer flight - loss of revenue
- public companies - will a violation or a delay in compliance result in a loss of share value?
PIPEDA's 10 Principles
• The heart of the law. Based on the Canadian Standards Association Model Code. Each principle may require organizational changes.
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance
Role of the Privacy Commissioner (PC)
• The PC has substantial powers - those of a superior court of record when investigating a complaint:
- investigate complaints
- summon witnesses and question them under oath
- receive and consider evidence
- enter and search business premises
- examine records found there
• The PC may try to resolve complaints through mediation or conciliation.
• The PC will issue a report, normally within one year of the complaint.

Federal Court
• A complainant may apply for a hearing in the Federal Court if dissatisfied with the PC's report.
• The Court may:
- order correction of practices
- order publication of actions taken
- award substantial damages
• Obstructing an investigation or punishing a whistleblower - fine of up to $100,000.
Privacy Management / Governance
• Organizations must ask themselves:
- Does PIPEDA apply? (Do we collect personal information for commercial purposes?)
- Do we have an individual responsible for compliance (a Chief Privacy Officer)?
- Have we conducted a privacy assessment? A periodic audit?
- Have we obtained appropriate consent?
- Have we identified the purposes of use?
- Do we have a procedure for handling access requests?
- Have our front-line staff and junior managers been educated?
- Have we reviewed our documentation for the necessary consents, confidentiality agreements, indemnities and audit rights?
- Have we reviewed the information practices of our third-party data processors?
Privacy Compliance - Third Parties
• Liability can result if a business partner, or even a simple third-party outsourcing arrangement, violates PIPEDA.
• Commercial printers, payroll outsourcers and information technology companies (e.g. website designers) are a source of liability for you.
• An organization cannot avoid its privacy obligations by outsourcing.
• Set out adequate security measures with each third party:
- confidentiality agreements
- encryption technology
- "Chinese walls" and other good practices
- proper consents
- indemnities
- privacy audit rights for you
Privacy Compliance - Employees
• PIPEDA applies to employee information in federal works, undertakings and businesses only - NOT in provincially regulated businesses.
• Balance is required - what does an employer really need to know? (pay, benefits, records, health records, resumes)
• Question: what about psychological tests, keystroke monitoring and e-mail?
• Collect, use and disclose only with consent (principle 3).
• Disclose what information is collected, why, and what is done with it (principles 2, 4, 5).
• Collect only what is necessary for the stated purpose (principle 4).
• Collect by fair and lawful means.
• Ensure that any consents given by employees are genuine, not forced as a condition of employment.
• Keep information accurate and up to date (principle 6).
• Give employees access to their information and allow them to challenge or correct it (principles 6, 9, 10).
Privacy Compliance - Professionals
• Lawyers, accountants and financial advisors receive a great deal of information about third parties, collected by their clients:
- payroll information
- rent rolls
- life insurance information relating to claims
• In an assurance engagement, the professional has no direct relationship with those third parties; the client does. The client should therefore obtain the appropriate consents.
• Mere transfers of information for processing (e.g. preparation of tax returns) are non-assurance engagements. No further consent is necessary: consent is implied when, for example, a CA is hired to prepare a tax return, and no third parties are involved.
Wording in an Assurance Contract
• "It is acknowledged that we will have access to all personal information in your custody that we require to complete our engagement. Our services are provided on the basis that:
- you represent to us that you have obtained the required consents for the collection and use of personal information under PIPEDA; and
- we will hold all personal information in compliance with our Privacy Policy."
Conclusion
• Good privacy practice is good information management.
• Good information management gives a competitive advantage.
• Governance is enhanced when an organization's "directing mind" identifies potential business risks and implements systems to mitigate those risks.
• Privacy is now key to good governance.
Good Governance = Mitigation of Risk = Added Value