Privacy Legislation Update: Personal Information Protection and Electronic Documents Act (PIPEDA)
Lynette D’Souza, Associate Counsel & Policy Analyst
Background
• Key Principle: “You own your own information”
• Modern consumer:
  - Less trusting
  - Likely to challenge organizations if rights are, or appear to be, breached
Background
Key Points:
• Accountability: you are accountable for the personal information you collect
• Consent: you need consent to collect, use or disclose personal information
• Information Stewardship: you must protect the personal information in your care
Status of Law
Federal Law:
• Effective: January 1st, 2004
• Applies by default if no provincial act is in place
Provincial Law in Ontario:
• Future uncertain
• Not introduced in the House of Commons before the fall election
Overview
Federal Law:
• Purpose: govern collection, use and disclosure in a way that protects individual privacy and recognizes organizations’ need for personal information (s.3)
Overview
Application:
• Organizations collecting, using or disclosing personal information in the course of commercial activities (s.4.1)
• Organizations: persons, associations, partnerships and trade unions (s.2.1)
Overview
Application cont’d:
• Collecting, Using, Disclosing
  - Common forms of information collection:
    • Special events: participants, volunteers, pledgers
    • Online donors
    • Public information sources
    • In memoriam gifts
    • Customer lists
    • Door-to-door campaigns
    • Third-party lists
Overview
Application cont’d:
  - Common uses of personal information:
    • Sell it / barter it / lease it (one-time use)
    • Third-party access for affinity programs
    • Merge with third-party lists
    • Provide access to corporate sponsors
    • Subsequent fundraising requests
    • Transfer to Major Gift / Planned Giving prospect lists
Overview
Application cont’d:
• Personal Information: information about an identifiable individual (s.2.1)
  - Does not include business information
  - For the first year after implementation, the Act will not apply to personal health information (s.30(1.1) and s.2.1)
Overview
Application cont’d:
• Commercial Activities: defined broadly (s.2.1)
  - Includes the exchange of fundraising lists
  - Activities of charities and not-for-profits can be caught by the Act if those activities are characterized as commercial
Overview
Key Obligations:
• When collecting personal information, must identify the purposes of collection (s.4.2)
• Must give access to personal information upon request (s.5.1)
• Need knowledge and consent to:
  - Collect information from a third party (s.7.1)
  - Use information (s.7.2)
  - Disclose information (s.7.3)
Overview
Remedial Action:
• Individual may file a complaint (s.11(1))
  - Organization may have an initial opportunity to redress the complaint before it becomes public
  - Whistle-blowing provision (s.27.1): anyone with reasonable grounds to believe a contravention is occurring or has occurred may complain
• Commissioner may file a complaint (s.11(2))
• Investigative and audit powers of the Commissioner (s.12-19)
• Can go to Federal Court (s.14-17)
The 10 Principles
1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure & Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance
Principle 1: Accountability
• The organization must designate an individual or individuals to be accountable for the organization’s compliance with the Act (cl. 4.1, Sch. 1)
Your organization is accountable for personal information in its possession.
Principle 2: Identifying Purposes
• Upon collection of personal information, the purposes for collection must be identified (cl. 4.2, Sch. 1)
• Use the reasonable person test to determine whether a purpose has been adequately identified
You must inform individuals why you’re collecting information.
Principle 3: Consent
• Knowledge and consent are required (cl. 4.3, Sch. 1)
• Consent can be express or implied
• The nature of consent required will depend on the sensitivity of the information
• Reasonable efforts must be made to ensure that purposes are understood
• Consent can be withdrawn
• Exceptions: legal, medical or security reasons; law enforcement; a minor; seriously ill or mentally incapacitated (also solely for journalistic, artistic or literary purposes)
• Ensure sufficient consent
Principle 4: Limiting Collection
• Collection must be limited to what is necessary for the purposes identified by the organization (cl. 4.4, Sch. 1)
• Use fair and lawful means to collect personal information
Collect only what you need.
Principle 5: Limiting Use, Disclosure and Retention
• Personal information should not be used or disclosed for purposes other than those specified upon collection, except with the consent of the individual or as required by law
• Personal information should be retained only as long as necessary for the fulfillment of those purposes (cl. 4.5, Sch. 1)
If information is not going to be used, destroy it.
Principle 6: Accuracy
• Personal information should be as accurate, complete and up-to-date as is necessary for the purposes of use (cl. 4.6, Sch. 1)
Do what’s reasonable to keep data accurate.
Information Accuracy
• Indicate the date of collection on the file
• Must not routinely update information unless necessary for the purpose for which the information was collected (cl. 4.6.2, Sch. 1)
• Third-party transactions: make sure you are getting and giving accurate information
• Act reasonably for the organization’s size
Principle 7: Safeguards
• Security safeguards appropriate to the sensitivity of the information are required (cl. 4.7, Sch. 1)
• Need: adequate physical, organizational and technological measures
• Pay attention to third-party contracts
Safeguarding should be systematic.
Principle 8: Openness
• Specific information on the organization’s policies and practices relating to the management of personal information must be readily available (cl. 4.8, Sch. 1)
Explain your policies and access protocols to stakeholders.
Principle 9: Individual Access
• Upon request, an individual shall be informed of the existence, use and disclosure of personal information and must be given access to that information (cl. 4.9, Sch. 1)
• An individual can challenge the accuracy and completeness of the information and have it amended as appropriate
Individuals have access to their files.
Principle 10: Challenging Compliance
• Organizations must be able to respond to complaints or inquiries about compliance (cl. 4.10)
• Take all complaints seriously
• Obligation to advise of the right to pursue a complaint with the Federal Privacy Commissioner
Be prepared for compliance.
Non-Compliance
Results of Non-Compliance:
• Any court action, regardless of the outcome, will likely cause significant harm to reputation
• Negative publicity
• Legal costs, damages
• Loss of time and resources responding to the Privacy Commissioner
Implementation Strategies
Accountability:
• Identify a key staff person or team
• Involve the whole organization in the process
• Respect statutory time limits
• Be as thorough as possible with respect to policies and procedures
• Be reasonable: resources devoted to this issue should be appropriate for the size of your organization and for the type and amount of personal information you collect
Implementation Strategies
Safeguarding Information:
• Physical measures: restrictions on access; secure disposal of confidential information; safe and secure physical space
• Organizational measures: security policy; training; periodic review of information handling; periodic audit of information held; risk management
• Technological measures: firewalls, virus protection; sufficient technology to protect the integrity of information; disaster recovery capacity
• Third-party contracts: verify the consents or purposes of the third party; confidentiality agreements; ability to audit agreements; set out agency in contracts; address liability and indemnity in contracts
Implementation Strategies
General Strategies:
• Adopt best practice when not sure whether or not the law applies
• Consult with similar organizations to identify their practices and approaches and their suitability for the organization in question
• Best practices depend on the facts
• Seek legal advice
Resources
• Privacy Commissioner of Canada website: www.privcom.gc.ca (an electronic copy of the federal Act plus guidance on the legislation and an implementation schedule)
• CCP website: www.ccp.ca (“Privacy 101” document)