Privacy: It’s just good business Tom Mitchinson Assistant Commissioner IPC/Ontario Sault Ste Marie Chamber of Commerce Wednesday, September 11, 2002


Privacy: It’s just good business

Tom Mitchinson

Assistant Commissioner

IPC/Ontario

Sault Ste Marie Chamber of Commerce

Wednesday, September 11, 2002


Why Privacy?

“Complying with privacy regulations can be considered just a business cost, but many companies understand that a reputation for guarding privacy can also be a selling point. They need to be stewards, to the extent they can gain a competitive advantage from privacy.”

Ken DeJarnette, Deloitte & Touche


Ontario Privacy Legislation

Public Sector: Freedom of Information and Protection of Privacy Act (1988) and Municipal Freedom of Information and Protection of Privacy Act (1991)

Private Sector: Proposed Privacy of Personal Information Act, 2002 (“PPIA”)


The Information and Privacy Commissioner/Ontario (IPC)

Resolves appeals from access decisions by government organizations;

Investigates privacy complaints about government-held information;

Conducts research on access and privacy issues and advises on proposed government legislation and programs; and

Educates the public about access and privacy.


What is Privacy?

In 1890, U.S. Supreme Court Justices Brandeis and Warren defined privacy as “the right to be let alone”

Warren & Brandeis, “The Right to Privacy”


PIAC/Ekos Survey

2001 survey of Canadian opinion by Ekos for the Public Interest Advocacy Centre (PIAC):

– 85% of respondents received unsolicited advertising material in the previous month; of which 74% express moderate or high concern;

– 61% prefer no more telemarketing calls even if it means missing opportunities;

– 82% say they should be asked for permission before their information is used for marketing.


Court Comments on Privacy

“Privacy is at the heart of liberty in the modern state.” (Alan Westin)

Interest in being left alone includes the right to control the dissemination of confidential information.

Privacy is necessarily related to many fundamental human functions.


Voluntary Privacy Codes

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980)

Canadian Standards Association Model Code (1996)


EU Data Protection Directive

Adopted by European Union in 1995.

Restricts flow of personal information outside member states to countries that have adequate privacy protection in place.

Legislative action by Canada (PIPEDA) and proposed Ontario bill are designed in part to facilitate business with EU firms.


Personal Information Protection and Electronic Documents Act (PIPEDA)

Canada’s federal private sector privacy law:

– Incorporates CSA Code as a schedule;

– Since January 1, 2001 has applied to commercial activities;

– Until January 1, 2004 applies only to federally regulated undertakings (banks, airlines, etc.) and to sales of personal information across provincial borders; and

– As of January 1, 2004, will apply within any province that has not passed a “substantially similar” law.


CSA Model Code - 10 Privacy Principles

Accountability

Identifying Purposes

Consent

Limiting Collection

Limiting Use, Disclosure, Retention

Accuracy

Safeguards

Openness

Individual Access

Challenging Compliance


The Privacy Diagnostic Tool

Produced in partnership with Guardent and PricewaterhouseCoopers

Takes your company’s “privacy pulse”

Available on IPC Web site www.ipc.on.ca


Ontario’s Draft Privacy of Personal Information Act, 2002

Consultation Draft released by Ministry of Consumer and Business Services on February 4, 2002;

Available on Web sites of the IPC (www.ipc.on.ca) and the Ministry of Consumer and Business Services (www.cbs.gov.on.ca).


PPIA - Background

Joins provisions formerly planned for two separate Acts – one for health and one for rest of private sector.

Replaces former Bill 159, the Personal Health Information Privacy Act, which never became law.

Some other provinces have health privacy acts, but only Quebec has a private sector privacy law.


PPIA - Purposes

Recognizes the “… privacy right of individuals to control the collection, use and disclosure of their personal information by organizations and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.” (s. 1(c))


Does Proposed PPIA Apply to You?

Proposed bill applies to:

– Ontario businesses, partnerships, unions

– Ontario associations (incorporated or not)

– Ontario universities

– Ontario hospitals, doctors, pharmacies, clinics…

Does not apply to:

– Federally regulated businesses

– Institutions regulated under public sector legislation

– Individuals acting in a personal non-commercial capacity

– Artistic, journalistic or literary exemption


Consent

Organizations shall not collect, use or disclose personal information about an individual without consent, except in specific circumstances laid out in the Act.


EXPRESS OR IMPLIED CONSENT

IMPLIED CONSENT

– Purchase of a television might imply consent to share the customer’s address with delivery firm.

EXPRESS CONSENT

– Consent may require a positive action by an individual where sensitive information is concerned.


OPT-OUT CONSENT

Sufficient circumstances for opt-out:

– Customers consent to receive marketing materials or fundraising solicitations.

How is opt-out consent obtained?

– Provide customers with clearly understood, easily exercised opportunity to opt-out.

Proposed legislation balances individual privacy rights and legitimate business need to use personal information.


No Consent or Withdrawal of Consent

Circumstances for disclosure of personal information without consent:

– Where required by law; or

– As part of a law enforcement investigation.

Proposed legislation will provide that consent may be withdrawn.

NB: If withdrawal would frustrate a business agreement or agreement to provide goods or services, it will NOT be permitted.


When in Doubt

If an organization is in doubt as to whether or not it has consent to the collection, use or disclosure of personal information, it shall obtain express consent.


Accountability & Access

Duties and obligations for organizations addressed in the consultation draft include:

– Accuracy

– Security

– Destruction

Permitted collection, use and disclosure without consent.

Individuals, including employees, will have a right of access.


Complaints & Appeals

Right to complain to Commissioner

– Improper collection, use, or disclosure

Right of appeal

– If access request is denied


OFFENCES & FINES

The proposed legislation includes offence provisions as well as fines

– no prosecution launched except by someone acting on behalf of Attorney General;

– fines $50,000 for individuals; $250,000 for organizations;

– officer/employee personal liability for fines; and

– whistleblower protections.


Current Status of PPIA

Areas of focused attention:

– Simplification of wording / reduced overlap;

– Harmonizing wording/approaches with PIPEDA;

– Framework for use of opt-out notices in obtaining consent;

– Effective transition rules for personal information in existing databases; and

– Creating open / consultative regulation-making process.


IPC Approach

Co-operative, non-confrontational approach to businesses while ready to enforce the law

Published orders

Clear directions to organizations subject to the law


Culture of Privacy

Establish your privacy regime

Then move beyond issues of compliance to embrace a culture of privacy


Privacy in Business

“Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.”

Forrester Research, March 5, 2001


How to Contact the IPC

Information & Privacy Commissioner/Ontario

80 Bloor Street West, Suite 1700

Toronto, Ontario M5S 2V1

Phone: (416) 326-3333

Web: www.ipc.on.ca

E-mail: [email protected]