Internet and Information Technology Law
September 18th – Privacy Law
Allyson Whyte Nowak
UVIC

I. Privacy Legislation in Canada
A. Federal
- Privacy Act, R.S. 1985, c. P-21
- Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5
B. Provincial
- Personal Information Protection Act, S.B.C. 2003, c. 63 (PIPA)
- Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165 (FIPPA)

The Privacy Act
- enacted July 1, 1983
- public sector legislation affecting federal government departments and agencies
- October 6, 2005 Privacy Commissioner’s 2004-2005 Annual Report criticized the Act

PIPEDA
Section 3: Purpose
The balance between recognition of the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information.

PIPEDA: Statistics
- In the Annual Report to Parliament (2005), the Privacy Commissioner acknowledged:
  – there is a “significant backlog of complaints”
  – there was a “large drop” in 2005 in the number of complaints filed under PIPEDA

PIPEDA: Statistics
- In 2005 the largest number of complaints were against financial institutions BUT
- The number of complaints was just over half of what they were in 2004
- In 2005 the most common complaints were with respect to the inappropriate use or disclosure of personal information (followed by refusals of access and inappropriate collection)

PIPEDA
Section 4(1): PIPEDA applies to every organization in respect of personal information that,
4(1)(a) the organization “collects, uses or discloses” in the course of commercial activities
4(1)(b) is about an employee that an organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business

PIPEDA
PIPEDA does not apply to:
- any government institution to which the Privacy Act applies
- any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose
- any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic, or literary purposes (s.4(2))

How are employees’ privacy rights protected in the private sector?
- Substantially similar legislation (B.C., Alta, Quebec)
- Sector-specific legislation (Alta, Sask, Mtba, Ontario)
- Provincial Human Rights legislation
- Common law right to privacy

Statutory right to Privacy
- A statutory tort of invasion of privacy has been created in:
  – B.C.
  – Saskatchewan
  – Manitoba
  – Newfoundland
  – Quebec

Common Law
- Ontario residents do not have a statutory remedy for unreasonable intrusion into an individual’s private affairs, BUT
- a recent decision recognized that the tort of invasion of privacy may exist:
  – Somwar v. McDonald’s (2006), 79 O.R. (3d) 172

A. Sources of PIPEDA
i) EU Directive
ii) Model Code
iii) E-com Strategy
iv) Bill C-54
v) OECD Guidelines

B. Definitions
- CUD
- FWUB
- Personal Information
- Organization
- Commercial activity

“Personal Information” (s.2(1))
- defined to mean information about an identifiable individual
- exclusions: name, title, or business address or telephone number of an employee of an organization

“organizations” (s.2(1))
- defined to include an association, a partnership, a person and a trade union
- corporations are “persons” pursuant to s. 35(1) of the Interpretation Act

“commercial activity” (s.2(1))
- definition: “means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”.

C. PIPEDA Part 1, Division 1
Protection of Personal Information
- Subsection 5(1): “Subject to sections 6 to 9, every organization shall comply with the obligations set out in Schedule 1.”
- Schedule 1 enacts the 10 general principles and commentaries contained in the Model Code
- Subsection 5(2): mandatory obligations versus recommendations in Schedule 1

The 10 Principles
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting Collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance

PIPEDA
s.7(1): Collection without Knowledge or consent
An organization may collect personal information without the knowledge or consent of the individual where,
- collection is clearly in the individual’s interest and consent cannot be obtained in a timely way (s.7(1)(a))

PIPEDA
- in the context of an investigation of a breach of an agreement or a contravention of the law, it is reasonable to expect that if knowledge or consent were obtained it would compromise the availability or the accuracy of the information (s.7(1)(b))
- the collection is solely for journalistic, artistic or literary purposes (s.7(1)(c))

PIPEDA
s.7(2): Use without Knowledge or Consent
An organization may use personal information without the knowledge or consent of the individual only if,
- the organization reasonably believes the information could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction (s.7(2)(a))

PIPEDA
- It is used for the purpose of acting in respect of an emergency that threatens the life, health, or security of an individual (s.7(2)(b))
- It is used for statistical, or scholarly study or research purposes where it is impracticable to obtain consent and where: confidentiality is maintained and the Commissioner is informed prior to its use (s.7(2)(c))

PIPEDA
Subsection 7(3): Disclosure without Knowledge
An organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is,
- made to a notary (Quebec) or lawyer representing the organization (s.7(3)(a))
- for the purpose of collecting a debt owed (s.7(3)(b))
- compelled by law (s.7(3)(c))

D. PIPEDA Part 1, Division 2
Remedies
- filing of complaints (s.11)
- the Commissioner’s powers (s.12)
- the Commissioner’s Report (s.13)
- application to the Federal Court (s.14)

Complaints (s. 11)
- Individuals may complain to
  (a) the organization
  (b) the Office of the Privacy Commissioner
- the Commissioner may also initiate a complaint (“reasonable grounds”)

Types of Complaints
- an individual may complain to the Commissioner about any matter:
  (a) specified in sections 5 to 10 of the Act OR
  (b) in the recommendations OR obligations set out in Schedule 1.

Powers of the Privacy Commissioner (s. 12)
- PC obliged to investigate complaint (s.12(1))
- PC must give notice to the organization complained of (s.11(4))
- Powers include:
  (a) Summons to compel the giving of evidence under oath
  (b) Production of documents
  (c) Power of entry
  (d) Mediation/conciliation
  (e) Audits

The Commissioner’s Report (s.13)
- 1 year to prepare a written report
- Confidentiality of the report
- Where no report required
- Disposition of complaints
  i) Not well founded
  ii) Well founded
  iii) Resolved
  iv) Discontinued

Broad investigatory powers vs. ….
- No power to compel compliance with PIPEDA (compare to B.C. PIPA, s. 58)
- No sanctions for failing to follow recommendations
- Only real power is the “power of embarrassment”
- Fines for obstructing an investigation
- No power to order costs of the investigation

Application to the Federal Court (s.14)
- Complainant or PC may apply
- Subject matter restricted but always open for parties (including the organization) to seek judicial review
- Application must be made within 45 days after Report is sent
- Remedies more expansive

II. Key Issues in Privacy Law
1. Outsourcing
2. M&A issues
3. Privacy in the workplace
4. Whistleblowing

Outsourcing
- no exemption for disclosure between subsidiary, affiliated, or related companies
- Implications of the U.S. Patriot Act
- The B.C. response (FIPPA)
- PIPEDA case summary #313

M&A Issues
- Asset sale = commercial activity
- Solutions
  i) privacy policies need to address the possibility of a sale of the business
  ii) “anonymize” the information
  iii) contractual safeguards
  iv) review all personal information and disclose only what is “necessary” to close

Privacy in the Workplace
- Monitoring employees in the workplace
  – Biometric authentication devices
  – Video surveillance
- Employee complaints represent 20% of complaints filed in 2004

PCC’s 4-step analysis of a privacy-invasive measure
(1) Is it demonstrably necessary to meet a specific need?
(2) Is it effective in meeting that need?
(3) Is the loss of privacy proportional to the benefit gained?
(4) Are there less invasive alternatives?