This paper is written to assist Clark Wilson LLP’s clients with taking proper steps to protect the privacy of the personal information they collect, store, use and disclose. Those clients whose industries are regulated by the federal government, such as banks, telecommunication and transportation companies, will already be familiar with the Personal Information Protection and Electronic Documents Act, which came into force on January 1, 2001. The British Columbia government is now consulting the public regarding new legislation expected to be put in place in mid-2003. By January 2004, every Canadian jurisdiction will have some form of personal information legislation in place. More importantly, all organizations, whether they be businesses or non-profit entities, are discovering that privacy protection is what customers and clients want and expect.
Personal information is information, both fact and opinion, regarding identifiable individuals. The information may be as straightforward as the name, home address, date of birth and blood type of a particular person or as complex as the opinions, evaluations and comments in medical records, employee records and loan applications. Credit ratings, records of disciplinary actions, job applications and consumer complaints all constitute personal information. The federal legislation excludes from its definition of personal information the name, title, business address and telephone number of an employee of an organization, and the British Columbia legislation will likely do the same. However, apart from this limited exception, any recorded information regarding a known individual is personal information.
Personal information is key to the operation of most organizations. It is the raw data that allows organizations to process transactions and provide services. Personal information assists organizations in determining who the customers are and how their needs are to be met. It is also the basis on which risks are assessed – whether to hire someone, grant a loan, launch a new product, obtain insurance.
Many organizations may not fully appreciate the extent to which they collect personal information, but almost every consumer transaction involves the transmission of some form of personal information. Whether an organization sells airline tickets, accepts charitable donations, records product warranties, issues a loan or provides medical information, it will be collecting personal information. The level of detail may vary but all that personal information must be protected.
The protection of personal information requires the implementation of a system to ensure that the information is properly obtained, fully protected, used for the purposes consented to, and disclosed only when appropriate. Certain basic principles must be adhered to. These principles, which focus on consent, access and security, are reflected in the systems that individual organizations and industries have developed, as well as the privacy legislation now being implemented across Canada. The principles are reviewed more fully below.
Most organizations already take great care to protect the personal information provided to them. They ensure that doors and cabinets are locked and old records are shredded. With their electronic databases they keep the personal information in separate databases, limit employee access to the information, implement “firewalls” to prevent external access and adopt secure encryption technologies for online business transactions. However, as the public becomes better educated about privacy issues, in part because of the new legislation, but also as a result of a more sophisticated knowledge of computers and electronics, there will be greater scrutiny. The public will be more critical of what personal information is collected, what is disseminated and how the information is stored and protected.
In the past, consumers may have been somewhat naïve or unconcerned regarding what sort of personal information they provided and when. However, as long as organizations were restricted to a paper environment, the opportunities for collecting information and the ways in which it could be manipulated and disseminated were limited. The use of the internet and the increasing sophistication of “data mining” have changed all that.
Organizations can now collect information in the absence of any specific request. Information is readily available every time a consumer collects points with a loyalty card, uses a credit card, banks at an instant teller, makes a phone call, sends an e-mail or visits a website. The internet presents numerous opportunities to track consumers and collect information. Many websites, when visited, will transfer “cookies” to a user’s computer. These “cookies” then track the user’s transactions and assist in providing useful information to the particular user. However, they also provide the operator of the website with information regarding its users, much of which constitutes personal information.
Computers also allow organizations to manipulate and analyze personal information in ever faster and more sophisticated ways. Companies collecting information from more than one source can often build profiles of individuals simply by organizing and matching the data.
Consumers are only now learning of the ways in which organizations collect and manipulate data electronically. However, as they learn, the demand for protection will increase. Those organizations that fail to assess their information systems and ensure that they have proper procedures in place may very well find that their customers and clients are going elsewhere. A dentist’s or real estate broker’s office that loses files because they are not locked in a secure place, an insurance company that discovers a hacker has entered its database after figuring out an employee’s much too obvious password, the loan officer who seeks irrelevant information on an application form and the charity that sells its donor list without first obtaining permission will all lose clients.
It is also becoming increasingly clear that any business wishing to succeed in the global economy will have to ensure that it has a proper privacy regime in place. Some jurisdictions, including members of the European Union, prohibit the transfer of personal information to any other jurisdiction without adequate privacy legislation in place.
For a number of years, some industries have been developing their own privacy codes and encouraging or even requiring their members to implement them. For instance, the Insurance Bureau of Canada has developed the Model Personal Information Code, while the Canadian Marketing Association has a mandatory privacy code.
Privacy concerns are new. The legislation will require organizations to put systems into place, but even in the absence of a legislative regime, an organization cannot ignore the importance of protecting personal information.
The Legislative Framework
Legislation intended to protect personal information in the private sector must not be confused with the freedom of information and privacy legislation that applies to government. The latter was introduced by various jurisdictions in the 1980s and 1990s to enable public access to government information and protect personal information in the possession of government bodies. For example, the federal government introduced its Access to Information Act and its Privacy Act in 1983. The British Columbia Freedom of Information and Protection of Privacy Act came into force in 1993. Some of the principles underlying the protection of personal information by government bodies are similar to the principles applied to the private sector, but the legislative regimes are quite different.
Privacy legislation regarding personal information directed at the private sector parallels the development of the computer and the internet and only began to appear in the 1990s. The Organization for Economic Cooperation and Development adopted its Guidelines for the Protection of Privacy and Transborder Flows of Personal Data in 1980. These set out minimum standards for the use of personal information and with time they became widely accepted. In the early 1990s various industries began to develop their own privacy codes and in 1996 the Canadian Standards Association, after consulting extensively with business and consumers, adopted the CSA Model Code for the Protection of Personal Information. Quebec adopted personal information privacy legislation in 1994, but the real impetus for the federal government and the other provinces was the European Union’s 1998 Directive on the Protection of Personal Data with regard to the Processing of Personal Data and on the Free Movement of Such Data. This Directive requires that all transfers of personal information to and from the European Union countries meet certain basic requirements. Exchanges with states outside the European Union can only occur if those states have adequate data protection rules. Canada’s answer at the federal level is the Personal Information Protection and Electronic Documents Act.
The United States has resisted comprehensive legislation, but has reached an agreement with the European Union on a self-regulating regime for American companies, something which has become known as the “safe harbour principles”.
The Personal Information Protection and Electronic Documents Act is an odd piece of legislation in that it adopts the CSA Model Code, set out as a Schedule to the Act. The Act, by referencing the Schedule, sets out basic rules that must be complied with when personal information is collected, used and disclosed. Consent is key, although the Act specifies certain instances when collection, use or disclosure may occur without consent. The Act applies to all organizations under the legislative authority of the federal Parliament. It also governs the transfer of personal information across provincial and national boundaries. Thus, organizations which disclose information, such as mailing lists or credit ratings, across provincial boundaries must comply with the Act.
The Act also establishes an oversight mechanism and vests the Office of the Privacy Commissioner with the power to receive complaints, conduct investigations, audit organizations and make reports. The Privacy Commissioner has already published an extensive number of findings under the Act. Complainants may also proceed to the Federal Court of Canada, which can award damages to a complainant and order compliance with the Act.
The Personal Information Protection and Electronic Documents Act specifically provides that it will apply to commercial activities within the provinces as of January 1, 2004, unless the provincial legislatures adopt legislation that is substantially similar. A recent Regulation sets out what the federal government considers to be “substantially similar”. There are some interesting constitutional issues that could arise. However, it is clear that most provinces, including British Columbia, will have legislation in place prior to 2004.
British Columbia has expressed an intention to adopt legislation similar, although not identical, to the Personal Information Protection and Electronic Documents Act. British Columbia is concerned that there be considerable harmonization among the various privacy regimes in Canada.
Like other jurisdictions, British Columbia will seek to establish a balance between the right to privacy and the legitimate need of organizations to collect, use and disclose information for commercial purposes. The legislation will apply to all private organizations in British Columbia, including businesses, professional organizations, unions and non-profit groups. Employee information as well as medical information will be protected.
Most importantly, the British Columbia legislation will also encompass the same ten “fair information principles” set out in the CSA Model Code and incorporated in the Personal Information Protection and Electronic Documents Act. Thus, a basic understanding of these ten principles is essential, accompanied by the taking of certain steps to ensure compliance.
The Fair Information Principles
The CSA Model Code, adopted in part as Schedule 1 of the Personal Information Protection and Electronic Documents Act, encompasses ten “fair information principles”, namely: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure and retention; accuracy; safeguards; openness; individual access; and challenging compliance. These principles are fundamental to a system intended to protect the privacy of personal information. What follows is a brief overview of these principles. The paper then reviews how an organization can implement the principles.
1. Accountability
This principle requires an organization to take responsibility for the personal information it collects, uses, retains and discloses. This is accomplished by designating an individual to oversee the compliance process and by implementing policies and practices that give effect to the principles.
2. Identifying the Purposes
Before collecting personal information, an organization must identify the reason it requires the information and how the information will be used. Identification of the purposes gives an individual the opportunity to decide whether he or she wishes to provide the information. Both primary and secondary purposes must be identified. For example, a business distributing a loyalty card should explain that the address and telephone number will allow the business to mail information regarding rewards. However, if the information is also used to track customers and their preferences, the latter must also be communicated to the customer.
3. Consent
The most important fair information principle is consent. An individual must be given an opportunity to decide whether to provide personal information during the course of a transaction and his or her consent should be informed, voluntary and express. To give informed consent an individual must know what information is being collected, how it will be used and to whom it will be disclosed. Voluntary consent means that it is not, for instance, tied to the provision of a product or service. Express consent means that the customer agrees, at least orally, but preferably in writing, regarding the use, retention and disclosure of the information. Implied consent may be acceptable in some circumstances, but care should be taken when relying on it. For example, if an address is provided so that a newspaper subscription can be delivered to a particular home address, it is reasonable to imply that accounts may be sent to the same address. However, if an employee provides personal health information, under no circumstances can it be implied that a third party may receive the information.
The legislation sets out some exceptions to the consent requirement, but these are quite limited. The Personal Information Protection and Electronic Documents Act, for example, allows for collection without knowledge or consent if it is in the interests of the individual and consent cannot be obtained in a timely way, or if the collection is solely for journalistic, artistic or literary purposes. An organization may use information without consent if, for example, there is an emergency or the organization has reasonable grounds to believe the individual has acted illegally. Likewise, personal information may be disclosed without consent if, for example, the disclosure is made to a lawyer, it is for the purpose of collecting a debt or it is made to comply with a subpoena or warrant. The British Columbia legislation will likely provide similar exceptions.
4. Limiting Collection
Limiting collection means that only the data which is actually required for a specified purpose will be collected from an individual.
5. Limiting Use, Retention and Disclosure
This principle is closely tied to the consent principle. Personal information should only be used, retained and disclosed for the purposes for which consent was given. It is not appropriate for an organization to retain data and use it in future for a different purpose. The data must be destroyed or a new consent obtained. Thus, an organization cannot sell a client list or use the list to conduct research, unless consent for such purposes is obtained.
An issue arises regarding information collected without consent before any specific legislation takes effect. The federal Personal Information Protection and Electronic Documents Act, for example, governs all personal information that an organization has collected and will collect, including information obtained prior to the introduction of the Act. If no consent was obtained for a particular purpose, an organization must get a new consent. This may be onerous in some situations. However, it highlights the importance of introducing proper systems as soon as possible.
Note that this principle also requires organizations to develop policies regarding the destruction of data that is no longer being used.
6. Accuracy
Accuracy requires that personal information be as accurate and up-to-date as possible. This is particularly important with employment, health and financial records.
7. Safeguards
Proper measures must be taken to protect the security of personal information. Access must be limited, proper systems must be installed and staff must be properly trained.
8. Openness
The policies and practices that an organization has in place to protect personal information must be available to the persons from whom the information is collected. This allows employees and the public to monitor how their information is protected and, if necessary, lodge a complaint. Clearly the policies must be articulated and, in most organizations, written down.
9. Individual Access
This principle requires that an organization allow persons access to the personal information that has been collected from them. However, an organization must refuse access if it would reveal information about a third party that cannot be severed. The purpose of this principle is to allow persons to ensure that their personal information is accurate and complete. As a consequence, an organization must keep its records properly organized and in an accessible format.
10. Challenging Compliance
An organization must have a mechanism in place allowing an individual an opportunity to complain that his or her information is not being collected, used, disclosed or retained in accordance with the fair information principles. This compliance mechanism is, of course, distinct from any overseeing mechanism that the government may put into place. As noted above, the federal government has given its Privacy Commissioner and the Federal Court certain powers to ensure that the Personal Information Protection and Electronic Documents Act is implemented by private organizations.
Implementing the Principles
Understanding the fair information principles is important, but equally important is the implementation of a proper system to ensure the protection of personal information in accordance with the principles. There are a number of steps an organization should take to ensure that it has a proper privacy regime in place. Each industry and each organization within an industry will also have its own unique circumstances that must be addressed.
1. Appoint a Responsible Person
Each organization must have at least one person who will oversee its privacy regime and ensure that personal information is properly protected. This person may, of course, have other duties within the organization. However, if the organization is large and the collection of personal information is a key activity, a full time privacy officer may be necessary. Human resources personnel are likely candidates since they may already have training and experience handling sensitive information relating to employees. The individual appointed must, however, be senior enough and have the clear support of management so as to ensure that proper procedures are put in place and staff is properly trained.
2. Conduct an Audit
It is important to review what information is collected by an organization and how that information is retained, used and disclosed. Many organizations may discover during the course of an audit that they collect considerably more personal information than was originally suspected.
It is important to consider all the contact points an organization may have with the public and whether personal information is requested. If there is a request, what sort of consent is being sought? How is the information recorded and where is it stored? Is the information regarding any single individual in one place or is it scattered in documents and databases throughout the organization?
Is all personal information secure? Who has access and is it being disclosed to any third party outside the organization? Is there a specific policy regarding the destruction of personal information once it is no longer useful to the organization?
A proper audit takes time and careful consideration, but it is important if an organization is to understand exactly what guidelines and procedures are required to satisfy clients and customers, as well as the legislative regimes.
3. Develop Guidelines and Procedures
Each organization should develop a comprehensive written policy setting out its privacy regime. This policy may adopt, for example, the guidelines in the CSA Manual, but those guidelines should be carefully tuned so they correspond to the unique inner workings of the particular organization. The size of the organization, as well as the extent and sensitivity of the personal information collected, will dictate the complexity of the guidelines and procedures. An organization that only collects names and home addresses for purposes of a mailing list will have a much simpler policy than an organization collecting sensitive health information.
The guidelines should specify what personal information is being collected and what consent is required. There should be specific statements as to where the information is stored and how security is maintained. A retention policy should be included, as well as specific statements regarding how information is to be shared with third parties.
It is also important to address how customers and clients may access their information, what they will be provided with when they do request access, and how complaints will be handled. Staff training and responsibility should also be outlined.
4. Obtain Consents
Specific attention must be paid to the type of consent obtained when personal information is requested. Consent statements, whether expressed orally or in a written contract, should be easy to understand, but fully inform the individual from whom information is being sought of the specific purposes for the collection, use and disclosure of the information. Consents are meaningful only if the individuals giving them fully understand what is being asked.
Consent must not involve any form of deception. Consent must also not constitute a condition for obtaining a service or product, unless the information requested is required for a legitimate purpose. For example, an insurer has a legitimate purpose for requesting health information before providing disability insurance. However, while a retailer may require an address to deliver merchandise, the retailer cannot refuse to sell or deliver the merchandise if the customer will not give his or her consent to use the address for future mailings of advertising material.
It is important that a consent not be overly broad. Otherwise, it may not amount to consent at all and will offend the principles governing limited collection, use, disclosure and retention.
A consent should be obtained at the time the personal information is collected and it should be recorded in some manner, whether by way of a signature, a box checked off by a customer or employee or some other reasonable means. It should be kept in mind that if an individual is a minor, seriously ill or mentally incapacitated, consent will have to be obtained from a legal guardian or a person with a power of attorney.
Employees collecting personal information and requesting consents should be trained regarding privacy issues and able to answer questions regarding why particular information is required.
5. Develop Retention Policies
An organization should carefully consider its policies regarding retention of personal information. Personal information should be kept only as long as necessary to satisfy the purpose for which it was obtained. If the information was obtained only for the purpose of providing a specific product or service, there is no reason to keep it once the product or service is delivered. If there is something in the nature of a return policy or warranty in place, the information must be kept longer, but only for the relevant period. However, if the customer also gave his or her consent to be added to a mailing list, information, at least in respect of the name and home address, could be kept longer. There is then an issue as to how long a name should remain on a mailing list before a further consent is sought.
For many organizations it may be appropriate to institute maximum and minimum retention periods for specific information.
Limits on retention imply destruction and an organization should ensure that destruction actually takes place and the records are physically destroyed, erased or rendered anonymous. In this regard, however, it is important that records not be destroyed if there is an outstanding request or challenge from an individual or an ongoing inquiry by a privacy commissioner. Databases of personal information will need to be set up with an eye to compliance with retention policies.
6. Impose Third Party Obligations
If personal information is being provided to third parties, steps should be taken to ensure that those third parties properly protect it. For example, one organization may need to provide personal information to another organization to have a mailout done or to obtain an extensive analysis of sensitive health information. Whatever the reason, the organization that is providing the information should ensure that the third party has a privacy regime in place, that the third party’s use of the personal information is limited and that the information will be returned or disposed of once the task is complete. Most organizations can ensure that these steps are taken by entering into a contract with the third party. Such a contract may need to include a clause permitting the disclosing organization to audit the steps being taken by the third party to protect the information.
7. Establish Security Safeguards
Most organizations are well aware of the security measures that must be taken to protect personal information. However, an ongoing review of such measures should form part of any privacy regime so as to preclude loss or theft. Physical measures such as locked filing cabinets and restricted access to premises are important. Likewise, for personal information stored electronically, passwords and encryption devices must be implemented. Staff must be properly trained regarding security issues and the need to ensure that policies are strictly adhered to.
8. Develop Guidelines for Individual Access
Openness and access are two of the fair information principles and organizations must consider how they will deal with requests from their customers and clients regarding personal information.
Individuals should be informed as to how they can make a request for their personal information, how soon they may expect a response and whether any costs are involved. Information being provided should be understandable, which means that such things as abbreviations should be explained. If information is being withheld or refused, the individual should be informed in writing of the specific reasons and the basis for doing so. Organizations with complex personal information databases will have to ensure that they have a comprehensive system in place to review and assemble the information requested. For example, information regarding third parties must be removed. An organization may also remove information that is protected by solicitor-client privilege or that constitutes confidential commercial information. The information must therefore be edited and the reasons for withholding any information set out in a cover letter.
As part of ensuring access, an organization should also inform its customers and clients how a complaint may be instituted and any right of appeal they may have to a privacy commissioner or other regulatory body. A process must also be put in place so as to respond to complaints in a timely and informative manner.
9. Train Staff
Properly trained staff will ensure that a privacy regime functions and that personal information is protected properly. Employees who collect information must be able to explain why information is requested and why a consent is being requested. As pointed out above, employees must also be trained regarding security issues.
Conclusion
Every organization that collects, stores, uses, and discloses personal information must ensure that it has proper policies and procedures in place to protect the privacy of that information. Not only is such a system necessary to comply with the legislation being introduced across Canada, but it is also expected by customers, clients, other organizations and the public in general. This paper sets out the basic concepts as well as certain practical steps that can be taken. Each organization will, however, have its own unique challenges. Privacy legislation and the protection of personal information is an integral part of Clark Wilson LLP’s practice and we would be pleased to assist you with auditing your organization’s practices, resolving privacy issues and ensuring that appropriate policies and procedures are in place.