Operational Strategies for compliance with the new privacy legislation

Excerpted from a Powerpoint presentation by Murray Long, Murray Long & Associates Inc. and Richard Shields, McCarthy Tétrault, Ottawa


Federal Legislation

PIPEDA –

• Personal Information Protection and Electronic Documents Act.

• Ground rules for how organizations may collect personal information in the course of conducting commercial activities.

• Compliance – January 1, 2004

Overview of Provincial Legislation

• B.C. – May 1, 2003 2nd Reading of the Personal Information Act – Jan. 2004, the Federal Government must decide if the provincial legislation is substantially similar so as to preclude PIPEDA. Applies to the private and not-for-profit sector.

• Alberta – Enacted health information and protection law. Personal Information Protection Act – May 2003. Will apply to the private sector in Alberta, with limited application to the not-for-profit sector.

• Both provinces have acts that cover information on the consumer and the employee.

Provincial Legislation

• Saskatchewan – Province has enacted, but not enforced, a health protection law that applies to the private and public sector, amended in 2003 to include privacy legislation.

• Province has also enacted provincial privacy legislation separate from the above.

• Manitoba – Province has enacted a health protection law covering the public and private sector, now enforced. No move made to introduce privacy legislation for the private or not-for-profit sector.

What is Considered Personal Information

An individual’s…

• Race
• Nationality
• Age
• Gender
• Marital Status
• Biometrics – fingerprints, blood type, genetic characteristics

What is Considered Personal Information (continued)

• Personal health care history
• Financial history
• Educational history
• Criminal history
• Anyone’s opinion about the individual, i.e. reference checks
• The individual’s personal views

Considered Private but – in the Public Domain

• Name
• Address
• Telephone Number
• Business Address
• Business Telephone Number

(The public domain pertains to information available to the general public)

Publicly Available Information

Five Categories:

1. Phone books (White Pages, CD Roms)
2. Professional Directories (members of the Bar)
3. Public databases (property tax rolls, licenses)
4. Court records (divorce, bankruptcy, law suits)
5. Information provided by an individual to a publication (want ads, interviews)

Limits of Reasonableness

Consent is always required!

Immediate sale obligations

Related marketing

Building marketing database

Building customer profiles

Disclosing data to third parties

Completely unrelated uses

Future sales calls

Mergers & Acquisitions

Sharing of data with affiliates

The Privacy Rules

The law incorporates the CSA Model Code for the Protection of Personal Information.

The 10 Principles reflect international fair information practices.

They balance individual privacy rights with legitimate business interests.

Principle 1 – Accountability

The person(s) responsible must be designated and identified.

These persons must ensure training, communications and procedures documentation.

Contracts and oversight of third party data processing are required.

Principle 2 – Identifying Purposes

Purposes must be identified before any personal information can be collected or used.

Purposes must be what a reasonable person would expect in the circumstances.

Principle 3 – Consent

The knowledge and consent of the individual are required for the collection, use or disclosure of personal information.

There are exceptions – such as bill collection, crime investigation, etc.

Consent must be obtained fairly – it can be withdrawn at any time.

Principle 4 – Limiting Collection

Companies can only collect information specifically required for identified purposes.

Purposes should not be identified too broadly.

However, overly narrow purposes could require continuous new consents.

Principle 5 – Limiting Use, Disclosure and Retention

New purposes require new consent.

Data cannot be kept beyond the end date of the last specified purpose.

A retention/disposal policy is required.

Principle 6 – Accuracy

Information must be as accurate as necessary for the purposes.

Decisions must not be made based on inaccurate information.

Routine data updating without a purpose is not permitted.

Principle 7 – Safeguards

Personal information must be protected appropriately.

Employees must be made aware of the importance of maintaining confidentiality of this information.

Care must be used in disposing of records to prevent unauthorized access.

Principle 8 – Openness

Companies must communicate their privacy policies, including:

• what data is collected,
• how it is used,
• who it is disclosed to,
• how to access it, and
• who to make inquiries or complaints to

Principle 9 – Individual Access

People have a right to find out what information you have about them, to know how it is used or disclosed, to access it, and to have it amended as appropriate.

There are some allowable or required restrictions on access.

Principle 10 – Challenging Compliance

People can challenge your compliance with any aspect of the CSA Code or the law.

Companies must respond to all inquiries and complaints.

Individuals can also go directly to the Privacy Commissioner.

The law has whistleblower protection.

Commissioner Powers

Investigatory powers include the right to enter premises and obtain records.

Powers of mediation and conciliation.

Power to conduct audits of business practices.

Power to publicize with impunity.

No order-making powers.

Reference Checks

Only with knowledge and consent.

Applies to both collecting and providing references.

Employee Monitoring

Employees must be informed.

The use must be reasonable under the circumstances.

Employees may have a right of access.

This applies to phone, e-mail, video, etc.

New Privacy Rights (Fed. & Prov. Laws)

Knowledge and consent to collect, use or disclose employee personal information.

Right to access and amend files, with some limited exceptions.

Right to file a complaint with the Privacy Commissioner.

Investigations

Companies can collect personal information without knowledge or consent to investigate the breach of an agreement or the contravention of a law.

Biometrics

Information collection must be reasonable for the purposes.

Privacy Commissioners are concerned about drug testing, fingerprinting, and biometrics-based technologies such as retinal scans, DNA, etc.

Employee data not subject to the Act

Business card-type data – except for e-mail addresses. For example:

Joe Blow
Sales Manager
Sagamow Products
333 Main Street
Sagamow Falls, ON
(519) 555-8983

Compliance

The key steps to developing and implementing a Privacy Policy

Choosing a Chief Privacy Officer (CPO)

It is a senior position with public visibility. The CPO needs authority to ensure the company is compliant.

The CPO oversees training, developing and documenting procedures, communications, and privacy policy on third-party contracts.

The CPO responds to inquiries and complaints and Privacy Commissioner investigations.

Forming a Privacy Team

Implementing a privacy policy requires cooperative team effort.

Your privacy team should include customer service, marketing, information management, legal, human resource and security personnel.

It could take several months to develop and implement policies.

Start with an Audit

Review your current data collection and handling practices. Look at the following:

Purposes for collecting, using or disclosing personal information.

What data is currently collected and used and who it is disclosed to.

How consent is obtained.

How data is stored and safeguarded.

Develop a Privacy Code

Review the 10 principles and how they apply to your circumstances.

You may need some legal advice on additional points in the new privacy law.

Avoid legal language. Keep it simple.

Have it reviewed by a third party.

The CSA Model Code is a good starting point – it’s also built into the law.

Develop Procedures

You will need documented procedures for the following:

New purposes, obtaining consent, limiting uses, third-party processing, records retention and disposal, individual access, inquiries and complaints, and more.

These are legal obligations.

Develop and document procedures to help ensure employees follow your code – the Privacy Commissioner can ask for your documentation.

What’s left?

Employee communications and training

Providing information about your privacy policy

Dealing with inquiries and complaints

Regular review of how you’re doing

Communications and Training

Front-line Employees and HR Managers need to know how to recognize and expedite an access request or inquiry/complaint under the law.

Training is required on safeguards, retention periods, disposal, purpose limitations, etc. Use your operations procedures manual as a basis.

Public Information about your Privacy

Use the KISS principle. Avoid legalese and 20-page privacy agreements.

Key information includes purposes, disclosures, who to contact, and a summary statement of your Code.

On the Internet, include special issues such as cookies use, IP address tracking, etc. Provide privacy tools and guidance.

Dealing with inquiries and complaints

You have 30 days to respond to written access requests.

You must respond to all inquiries and complaints (within 30 days).

You must not destroy any information or hinder a Privacy Commissioner investigation.

Wrap-Up Points

Views of the Privacy Commissioner

Examples of Personal Information:

Age, name, ID numbers, income, ethnic origin or blood type.

Opinions, evaluations, comments, social status, or disciplinary actions.

Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (to acquire goods or services, or change jobs).

Wrap-Up Points (continued)

More views of the Privacy Commissioner

Examples of Information Purposes:

Opening an account, verifying credit-worthiness, providing benefits to employees, processing a magazine subscription, sending out association membership information, guaranteeing a travel reservation, identifying customer preferences, establishing customer eligibility for special offers or discounts.

Contact Info

Janet Emmett
VP, Association Services & Leadership Development
YMCA Canada
(416) 967-9622 ext. [email protected]