© 2003, Deeth Williams Wall LLP. All Rights Reserved. By: Amy-Lynne Williams (September 25, 2003)

Introduction

Beginning January 1, 2004, the Federal government's personal privacy protection legislation will come into full force. By that date, most organizations in Canada will either be subject to the Personal Information Protection and Electronic Documents Act ("PIPEDA") or subject to substantially similar provincial privacy legislation.

This cannot be ignored any longer. Companies must get their "privacy houses" in order by the deadline or face potentially damaging consequences.

  1. PIPEDA
    PIPEDA was enacted by the Federal government and is administered by the Office of the Privacy Commissioner of Canada. It regulates the way in which commercial organizations collect, use, and disclose personal information. Businesses, which for the most part have had little or no restriction on the manner in which they dealt with personal information, will now have a legal obligation to ensure that personal information about an individual is not collected, used or disclosed without the individual's knowledge and consent, and is otherwise handled lawfully.
  2. Timing & Application of PIPEDA
    Despite coming into force on January 1, 2001, PIPEDA was not universally applied at first.

    Instead, a three-year phase-in approach was adopted in order to give the provincial governments sufficient time to devise their own personal privacy protection legislation. As a result, from January 1, 2001, PIPEDA applied only to businesses that: i) collect, use or disclose personal information on an interprovincial basis or are federally regulated; or ii) disclose personal information outside of a province or outside of Canada for consideration.

    Effective January 1, 2004, PIPEDA will apply to the collection, use or disclosure of personal information in the course of any commercial activity within a province, except where a province has passed privacy legislation that is "substantially similar" to the federal Act. In interpreting "substantially similar", the federal Privacy Commissioner has indicated that the term means "equal or superior" to PIPEDA in the degree and quality of privacy protection provided. Thus, PIPEDA sets out minimum privacy standards and a provincial law must provide equal or better protection to be substantially similar.

    At present, only Quebec's Act Respecting the Protection of Personal Information in the Private Sector (which has been in force for several years) meets the minimum standard. British Columbia and Alberta could also be exempt from PIPEDA's application, provided that each province's proposed privacy legislation can be sufficiently modified in the eyes of the federal Privacy Commissioner by the January 1, 2004 deadline. 1

    If a province enacts privacy legislation that is not found to be substantially similar to PIPEDA, the provincial law will remain in effect, but will operate concurrently with PIPEDA. In the event of a conflict, where PIPEDA sets higher standards for privacy protection than the provincial legislation, the federal provisions will take precedence and all organizations carrying out commercial activities within the province and elsewhere will have to comply.

    PIPEDA's application is limited by a number of key exceptions. First, PIPEDA does not apply to uses of personal information that are not "commercial" in nature. Second, PIPEDA does not apply to the collection, use and disclosure of personal information by an individual for "personal or domestic purposes" or for "journalistic, artistic, or literary purposes". Third, where PIPEDA applies to provincially-regulated organizations after January 1, 2004, there will be no PIPEDA restrictions on the collection, use and disclosure of employee personal information. Companies should not, however, think "Great - my employee information is not covered." Eventually, there will be provincial legislation that will cover employee information and companies might as well start now and do it right from the beginning.

  3. "Personal Information" Under PIPEDA
    PIPEDA defines "personal information" as "information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization". From a practical perspective, this definition would include most of the information which an organization collects, uses, or discloses about an identifiable individual, regardless of whether it is obtained in the ordinary course of business through customers, employees, or third parties, or made available to employees, suppliers, contractors or any other service provider. Examples of personal information include medical records, credit reports, customer contracts, membership in customer reward programs, credit card and account numbers, etc.

    There are two important limits on the definition of personal information. First, the information collected, used or disclosed must be about an identifiable individual; information that cannot be linked to a particular person is not caught. Second, under what is commonly known as the "business card exemption", the name, position, business address, and business telephone number of an employee do not qualify as "personal information".

    PIPEDA does not provide for the "grandfathering" of pre-existing information. As a result, owners of pre-PIPEDA databases either have to obtain consent from each of the individuals listed in the databases or "anonymize" the information so that it no longer constitutes "personal information".

  4. Your Obligations for the Collection, Use or Disclosure of Personal Information
    Every organization must meet the obligations set out in Schedule 1 to the Act. Schedule 1 is composed of 10 principles:
    1. Accountability (Clause 4.1 of Schedule 1)
    2. Identifying Purposes (Clause 4.2 of Schedule 1)
    3. Consent (Clause 4.3 of Schedule 1)
    4. Limiting Collection (Clause 4.4 of Schedule 1)
    5. Limiting Use, Disclosure, and Retention (Clause 4.5 of Schedule 1)
    6. Accuracy (Clause 4.6 of Schedule 1)
    7. Safeguards (Clause 4.7 of Schedule 1)
    8. Openness (Clause 4.8 of Schedule 1)
    9. Individual Access (Clause 4.9 of Schedule 1)
    10. Challenging Compliance (Clause 4.10 of Schedule 1)
    1. Principle 1: Accountability
      An organization is responsible for personal information under its control and must designate an individual or group who will be accountable for compliance with the principles.
      • The identity of the designated individual or group must be made known on request.
      • An organization is responsible for personal information in its possession or custody, including information transferred to a third party for processing, and must use contractual or other means to provide a comparable level of protection while the information is being processed by the third party.
      • Organizations must implement policies and practices to give effect to the principles, including:
        • implementing procedures to protect personal information;
        • establishing procedures to receive and respond to complaints and inquiries;
        • training staff and communicating to them the organization's policies and practices; and
        • developing information to explain the organization's policies and procedures.
    2. Principle 2: Identifying Purposes
      The purpose for which the personal information is collected must be identified to the individual before or at the time the information is collected.
      • The organization must document the purposes for which personal information is collected.
      • Identifying the purposes at or before the time of collection lets the organization determine what information it actually needs to fulfil those purposes; it must then collect only the information necessary for the purposes that have been identified.
      • The identified purposes should be specified, orally or in writing, at or before the time of collection.
      • If personal information is collected for a purpose not previously identified, the new purpose must be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before the information can be used for that purpose.
    3. Principle 3: Consent
      With certain narrow, specific exceptions, a person's knowledge and consent are required for the collection, use, or subsequent disclosure of personal information. 2
      • Generally, consent will be obtained at the time of collection. However, consent for use and disclosure can also be obtained after collection but before use, for example where the organization wants to use the information for a purpose that was not previously identified.
      • Organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To ensure meaningful consent, the purpose must be stated clearly and simply.
      • An organization cannot, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of information beyond what is required to fulfil the explicitly specified and legitimate purposes.
      • The form of the consent may vary depending on the circumstances and the type of information collected.
      • In obtaining consent, the reasonable expectations of the individual are relevant. For instance, an individual would not reasonably expect information given to a health care professional would be given to a company selling health care products unless consents were obtained.
      • Individuals can give consent in many ways. For example:
        • an application form that informs the individual of the collection and the specified uses;
        • a check-off box allowing individuals to request that their names and addresses not be given to other organizations; individuals who do not check the box are presumed to have consented to the transfer of the information to third parties;
        • orally, when information is collected over the telephone; or
        • by using a product or service.
      An individual may withdraw consent at any time subject to reasonable notice and any other legal or contractual obligations. The implications of withdrawing consent must be explained.
    4. Principle 4: Limiting Collection
      The collection of personal information must be limited to that which is necessary for the purposes identified by the organization, and information must be collected by fair and lawful means.
      • Information must not be collected indiscriminately.
      • The information and consent cannot be obtained through deception.
    5. Principle 5: Limiting Use, Disclosure, and Retention
      Personal information must not be used or disclosed for purposes other than those for which it was collected, except with the individual's consent or as required by law. Personal information should be retained only as long as necessary to fulfill those purposes.
      • Organizations using personal information for a new purpose must document the purpose.
      • Organizations should develop guidelines and implement procedures for the retention of personal information and include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual must be retained long enough to allow the individual access to the information after the decision has been made.
      • Personal information should be destroyed or made anonymous, once it is no longer required to fulfill the identified purposes.
    6. Principle 6: Accuracy
      Personal information must be as accurate, complete, and up-to-date as is necessary for the purpose for which it is used.
      • The extent of the accuracy and completeness of the personal information will depend upon the use of the information.
      • An organization must not routinely update personal information, unless such a process is necessary to fulfill the purposes for which the information was collected.
      • Personal information that is used on an ongoing basis, including information disclosed to third parties, should generally be accurate and current.
    7. Principle 7: Safeguards
      Personal information must be guarded by security safeguards appropriate to the sensitivity of the information.
      • The security safeguards must protect against loss, theft, unauthorized access, disclosure, copying, use, or modification.
      • The nature of safeguards will vary depending on the sensitivity of the information collected, the amount, distribution, format, and method of storage.
      • Methods of protection should include:
        • physical measures (locked filing cabinets, limiting access to offices and alarm systems);
        • organizational measures (security clearances, limiting access on a "need-to-know" basis, staff training, and confidentiality agreements); and
        • technological measures (passwords, firewalls, anonymizing software and encryption).
      • Organizations must make their employees aware of the importance of maintaining the confidentiality of personal information.
      • When disposing of or destroying personal information, care must be taken to ensure that unauthorized parties do not get access to the information.
    8. Principle 8: Openness
      An organization must make information about its policies and practices readily available.
      • The information is to include:
        • the name or title, and address, of the person accountable for the policies and practices and to whom complaints or inquiries should be sent;
        • the means of gaining access to personal information held by the organization;
        • a description of the type of personal information held and a general account of its use;
        • a copy of brochures or other information that explain the organization's policies, standards or codes; and
        • what personal information is made available to related organizations (e.g. subsidiaries).
      • An organization may make this information available in a variety of ways such as brochures, mailings, online access, or a toll-free telephone number.
    9. Principle 9: Individual Access
      Upon request, an individual must be informed of the existence, use, and disclosure of his or her personal information and given access to that information. An individual must be entitled to challenge the accuracy and completeness of the information and have it amended. If an organization is not able to provide access to the information requested, the reasons for denying access must be provided.
      • Upon request, an organization must inform an individual whether or not it holds personal information about him or her. The organization must allow the individual access to this information and provide an account of the third parties to whom it has been disclosed.
      • An organization must respond to requests within a reasonable time in understandable language and at minimal or no cost.
      • When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization must amend the information as required.
    10. Principle 10: Challenging Compliance
      An individual must be able to challenge an organization's compliance with the above principles.
      • Organizations must put easy-to-use procedures in place to receive and respond to complaints or inquiries.
      • An organization must investigate all complaints. If a complaint is found to be justified, the organization must take all appropriate measures to correct the problem.
  5. Consequences Of Non-Compliance
    Failing to comply with PIPEDA could have serious implications. Non-compliance could expose a business or organization to:
    • an investigation or audit by the Privacy Commissioner into the organization's privacy practices;
    • a public report detailing Privacy Commissioner's investigation and findings;
    • litigation in the Federal Court of Canada, which can order an organization to change its practices and award damages, and, in the limited circumstances described under "Offences" below, prosecution and fines;
    • substantial legal and privacy compliance costs.
    1. The Powers of the Commissioner
      If privacy issues do arise, organizations must be aware of the Privacy Commissioner's broad powers. The Commissioner has the power to summon witnesses, require the production of any documents, administer oaths and receive evidence, and enter premises. In addition, although the Commissioner has no power to make binding orders against the organization being investigated, the Commissioner can audit a corporation's privacy practices and make information about those practices public. For many companies, this may be the most powerful weapon available.
    2. Remedies - Audits, Investigations, & The Federal Court
      While PIPEDA requires organizations to comply with Schedule 1, there is no specified penalty for non-compliance. Instead, there are three branches of enforcement: i) audits by the Privacy Commissioner; ii) complaints by individuals and investigations by the Privacy Commissioner; and iii) applications to the Federal Court - Trial Division, either by an individual or by the Privacy Commissioner on behalf of the individual.
    3. Offences
      Failure to comply with PIPEDA is a criminal offence in three specific circumstances:
      • where an individual has requested access to personal information held by an organization and the organization fails to retain the requested information for as long as necessary to allow the individual to exhaust his or her recourse;
      • where an organization contravenes the "whistleblower" provisions. Typically, this would involve "disadvantaging" any employee within an organization who reports a contravention of PIPEDA; or
      • where a person obstructs the investigation of a complaint or the conduct of an audit under PIPEDA.
    All three offences are considered "hybrid" offences, thereby allowing the Crown to proceed summarily or by way of indictment. If an organization is convicted of an offence on summary conviction, it may be fined up to $10,000. If the proceedings are by way of indictment, the organization may be fined up to $100,000.
  6. Key Steps For PIPEDA Compliance
    In order to comply with PIPEDA, the Privacy Commissioner has recommended that an organization complete the following steps before the January 1, 2004, deadline:
    • appoint at least one individual who will be responsible for the organization's privacy compliance;
    • determine the types of personal information collected, used and/or disclosed by the organization through a privacy audit (known generally as a "PIA" or "privacy impact assessment");
    • create and implement a Privacy Policy to govern the organization's collection, use, and disclosure of personal information;
    • if personal information about identifiable individuals is in the custody of the organization, disclose the purposes that the personal information will be used for and obtain consent for its continued use; and
    • develop training programs to familiarize employees with the organization's privacy compliance obligations.
  7. Conclusion
    Organizations must be aware of their obligations under PIPEDA regarding the collection, use and disclosure of personal information. If your business or organization is not privacy compliant, steps should be taken to rectify the situation as soon as possible.
 

Endnotes

  1. The Privacy Commissioner's evaluation of British Columbia's and Alberta's proposed substantially similar privacy legislation can be found at http://www.privcom.gc.ca/media/nr-c/2003/02_05_b_030508_e.asp and http://www.privcom.gc.ca/media/nr-c/2003/02_05_b_030527_e.asp, respectively.
  2. However, PIPEDA acknowledges that in certain circumstances consent may be inappropriate, or it may be impossible or impractical to seek it: for instance, for legal reasons (e.g. the detection or prevention of fraud), medical reasons (e.g. the individual is seriously ill or mentally incapacitated), security reasons, where the individual is a minor, or where the organization has no direct relationship with the individual.
 

Contact Amy-Lynne Williams or Michael Erdle for additional information on PIPEDA.

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.