
Operational Strategies for compliance with the new privacy legislation

Operational Strategies for compliance with the new privacy legislation. Excerpted from a Powerpoint presentation by Murray Long, Murray Long & Associates Inc. and Richard Shields, McCarthy Tétrault, Ottawa. PIPEDA – Personal Information Protection and Electronic Documents Act.


Presentation Transcript


  1. Operational Strategies for compliance with the new privacy legislation. Excerpted from a Powerpoint presentation by Murray Long, Murray Long & Associates Inc. and Richard Shields, McCarthy Tétrault, Ottawa.

  2. Federal Legislation. PIPEDA – Personal Information Protection and Electronic Documents Act. Ground rules for how organizations may collect personal information in the course of conducting commercial activities. Compliance – January 1, 2004.

  3. Overview of Provincial Legislation. B.C. – Personal Information Act (2nd reading May 1, 2003). By Jan. 2004 the Federal Government must decide whether the provincial legislation is substantially similar, so as to preclude PIPEDA. Applies to the private and not-for-profit sectors. Alberta – has enacted a health information protection law. Personal Information Protection Act (May 2003) will apply to the private sector in Alberta, with limited application to the not-for-profit sector. Both provinces have acts that cover information on the consumer and the employee.

  4. Provincial Legislation. Saskatchewan – has enacted, but not yet brought into force, a health information protection law that applies to the private and public sectors, amended in 2003 to include privacy provisions; the province has also enacted separate provincial privacy legislation. Manitoba – has enacted a health information protection law covering the public and private sectors, now in force. No move has been made to introduce privacy legislation for the private or not-for-profit sector.

  5. What is Considered Personal Information. An individual's race, nationality, age, gender, marital status, and biometrics – fingerprints, blood type, genetic characteristics.

  6. What is Considered Personal Information (continued). Personal health care history, financial history, educational history, criminal history, anyone's opinion about the individual (i.e. reference checks), and the individual's personal views.

  7. Considered Private but in the Public Domain. Name, address, telephone number, business address, business telephone number. (The public domain pertains to information available to the general public.)

  8. Publicly Available Information. Five categories: phone books (White Pages, CD-ROMs); professional directories (members of the Bar); public databases (property tax rolls, licences); court records (divorce, bankruptcy, lawsuits); information provided by an individual to a publication (want ads, interviews).

  9. Consent is always required! Limits of Reasonableness – uses, from those closest to the original transaction to those furthest from it: immediate sale obligations; related marketing; building a marketing database; future sales calls; mergers & acquisitions; sharing of data with affiliates; building customer profiles; disclosing data to third parties; completely unrelated uses.

  10. The Privacy Rules. The law incorporates the CSA Model Code for the Protection of Personal Information. Its 10 Principles reflect international fair information practices. They balance individual privacy rights with legitimate business interests.

  11. Principle 1 Accountability. The person(s) responsible must be designated and identified. These persons must ensure training, communications and documentation of procedures. Contracts with, and oversight of, third-party data processors are required.

  12. Principle 2 Identifying Purposes Purposes must be identified before any personal information can be collected or used. Purposes must be what a reasonable person would expect in the circumstances.

  13. Principle 3 Consent. The knowledge and consent of the individual are required for the collection, use or disclosure of personal information. There are exceptions – such as bill collection, crime investigation, etc. Consent must be obtained fairly, and it can be withdrawn at any time.

  14. Principle 4 Limiting Collection Companies can only collect information specifically required for identified purposes. Purposes should not be identified too broadly. However, overly narrow purposes could require continuous new consents.

  15. Principle 5 Limiting Use, Disclosure and Retention New purposes require new consent. Data cannot be kept beyond the end date of the last specified purpose. A retention/disposal policy is required.

  16. Principle 6 Accuracy Information must be as accurate as necessary for the purposes. Decisions must not be made based on inaccurate information. Routine data updating without a purpose is not permitted.

  17. Principle 7 Safeguards Personal information must be protected appropriately. Employees must be made aware of the importance of maintaining confidentiality of this information. Care must be used in disposing of records to prevent unauthorized access.

  18. Principle 8 Openness Companies must communicate their privacy policies including: • what data is collected, • how it is used, • who it is disclosed to, • how to access it, and • who to make inquiries or complaints to

  19. Principle 9 Individual Access People have a right to find out what information you have about them, to know how it is used or disclosed, to access it, and to have it amended as appropriate. There are some allowable or required restrictions on access.

  20. Principle 10 Challenging Compliance People can challenge your compliance with any aspect of the CSA Code or the law. Companies must respond to all inquiries and complaints. Individuals can also go directly to the Privacy Commissioner. The law has whistleblower protection.

  21. Commissioner Powers Investigatory powers include the right to enter premises and obtain records. Powers of mediation and conciliation. Power to conduct audits of business practices. Power to publicize with impunity. No order-making powers.

  22. Reference Checks Only with knowledge and consent. Applies to both collecting and providing references.

  23. Employee Monitoring Employees must be informed. The use must be reasonable under the circumstances. Employees may have a right of access. This applies to phone, e-mail, video, etc.

  24. New Privacy Rights (Fed. & Prov. Laws) Knowledge and consent to collect, use or disclose employee personal information. Right to access and amend files, with some limited exceptions. Right to file a complaint with the Privacy Commissioner.

  25. Investigations Companies can collect personal information without knowledge or consent to investigate the breach of an agreement or the contravention of a law.

  26. Biometrics Information collection must be reasonable for the purposes. Privacy Commissioners are concerned about drug testing, fingerprinting, and biometrics-based technologies such as retinal scans, DNA, etc.

  27. Employee data not subject to the Act. Business card-type data – except for e-mail addresses. Example: Joe Blow, Sales Manager, Sagamow Products, 333 Main Street, Sagamow Falls, ON, (519) 555-8983.

  28. Compliance. The key steps to developing and implementing a Privacy Policy.

  29. Choosing a Chief Privacy Officer (CPO) It is a senior position with public visibility. The CPO needs authority to ensure the company is compliant. The CPO oversees training, developing and documenting procedures, communications, and privacy policy on third-party contracts. The CPO responds to inquiries and complaints and Privacy Commissioner investigations.

  30. Forming a Privacy Team Implementing a privacy policy requires cooperative team effort. Your privacy team should include customer service, marketing, information management, legal, human resource and security personnel. It could take several months to develop and implement policies.

  31. Start with an Audit Review your current data collection and handling practices. Look at the following: Purposes for collecting, using or disclosing personal information. What data is currently collected and used and who it is disclosed to. How consent is obtained. How data is stored and safeguarded.

  32. Develop a Privacy Code The CSA Model Code is a good starting point – it’s also built into the law. Review the 10 principles and how they apply to your circumstances. You may need some legal advice on additional points in the new privacy law. Avoid legal language. Keep it simple. Have it reviewed by a third party.

  33. Develop Procedures Develop and document procedures to help ensure employees follow your code – the Privacy Commissioner can ask for your documentation. You will need documented procedures for the following: New purposes, obtaining consent, limiting uses, third-party processing, records retention and disposal, individual access, inquiries and complaints, and more. These are legal obligations.

  34. What’s left? Employee communications and training Providing information about your privacy policy Dealing with inquiries and complaints Regular review of how you’re doing

  35. Communications and Training Front-line Employees and HR Managers need to know how to recognize and expedite an access request or inquiry/complaint under the law. Training is required on safeguards, retention periods, disposal, purpose limitations, etc. Use your operations procedures manual as a basis.

  36. Public Information about your Privacy Use the KISS principle. Avoid legalese and 20-page privacy agreements. Key information includes purposes, disclosures, who to contact, and a summary statement of your Code. On the Internet, include special issues such as cookies use, IP address tracking, etc. Provide privacy tools and guidance.

  37. Dealing with inquiries and complaints You have 30 days to respond to written access requests. You must respond to all inquiries and complaints (within 30 days). You must not destroy any information or hinder a Privacy Commissioner investigation.

  38. Wrap-Up Points – Views of the Privacy Commissioner. Examples of personal information: age, name, ID numbers, income, ethnic origin or blood type; opinions, evaluations, comments, social status, or disciplinary actions; employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, intentions (to acquire goods or services, or to change jobs).

  39. Wrap-Up Points – More views of the Privacy Commissioner. Examples of information purposes: opening an account, verifying credit-worthiness, providing benefits to employees, processing a magazine subscription, sending out association membership information, guaranteeing a travel reservation, identifying customer preferences, establishing customer eligibility for special offers or discounts.

  40. Contact Info. Janet Emmett, VP, Association Services & Leadership Development, YMCA Canada, (416) 967-9622 ext. 209, janet_emmett@ymca.ca
