
New Privacy Rules for Alberta



Presentation Transcript


  1. New Privacy Rules for Alberta
  Liz Denham, Private Sector Lead, Office of the Information and Privacy Commissioner of Alberta
  January 2004

  2. What is privacy?
  “…the right to be let alone -- the most comprehensive of rights and the right most valued by civilized men.”
  U.S. Supreme Court Justice Louis Brandeis, 1928

  3. Why Privacy?
  • The Information Age. We have the technology: what are the rules?
  • World-wide action on privacy
  • OECD Guidelines
  • CSA Code
  • EU Directive
  • US legislative “patchwork” – safe harbours
  • Federal Personal Information Protection and Electronic Documents Act
  • Quebec, Alberta and B.C. legislation

  4. Why Privacy?
  • It’s the law.
  • International transactions.
  • Accountability.
  • Reputation/brand.
  • Profitability: RBC Financial estimates privacy drives 6.9% of customer demand.
  • Risk management.
  • Employee trust and morale.

  5. Fair Information Practices
  • Be accountable
  • Identify purposes for collecting PI
  • Obtain consent
  • Limit collection
  • Limit use, disclosure and retention
  • Be accurate
  • Use reasonable safeguards
  • Be open about info management practices
  • Individual access
  • Means to challenge compliance

  6. Personal Information Protection Act (PIPA)
  • Personal Information Protection Act given Royal Assent, Dec. 4, 2003
  • Proclamation date was January 1, 2004

  7. PIPA – application
  • Sections 3, 6, and 9.
  • The Act applies to the collection, use and disclosure of personal information by organizations.

  8. PIPA – application
  • “Organizations” are corporations, unincorporated associations, trade unions (Labour Relations Code), partnerships (Partnerships Act), individuals acting in a commercial capacity, and persons acting on behalf of an organization.
  • BUT NOT an individual acting in a non-commercial activity.
  • “Personal information” means information about an identifiable individual.

  9. Non-profit organizations
  • “Non-profit” includes societies incorporated under the Societies Act, Agricultural Societies Act, Part 9 of the Companies Act, or otherwise defined in regulation
  • The Act applies to personal information collected, used or disclosed in connection with a commercial activity carried out by the non-profit organization

  10. PIPA – application – section 4
  Some personal information is excluded:
  • Personal or domestic purposes of an individual
  • Artistic, literary or journalistic purposes
  • In a record that is at least 100 years old, or of an individual dead for at least 20 years
  • Personal information protected under the FOIP Act
  • Personal information that is health information (as defined in the HIA) collected, used or disclosed for health care purposes

  11. PIPA – pre-PIPA information: section 4
  • Grandfathering allowed
  • Personal information collected before January 1, 2004, is deemed to have been collected with consent
  • It may be used and disclosed by an organization for the purpose for which it was collected
  • General rules in the Act regarding safeguards, access, correction, etc. still apply to this information

  12. PIPA – a note on what is reasonable
  • PIPA requires a lot of “reasonableness”.
  • Section 2 refers to reasonableness.
  • Organizations must act reasonably: section 5(4).
  • “Due diligence”: you have turned your mind to it, considered it and have a logical reason for doing it
  • Industry standards are evidence of reasonableness

  13. PIPA – general rules
  • Generally an organization needs to get consent for collection, use and disclosure of personal information: section 7. There are exceptions.
  • If an organization collects personal information directly from a person, the person has to be told the purpose of the collection and the name of someone who can answer questions: section 13.

  14. PIPA – consent
  • A person is deemed to have consented to collection, use and disclosure for a purpose when they voluntarily give their information for that purpose: section 8.
  • Implied and express (opt-in and opt-out) forms of consent are allowed under the Act
  • The level of sensitivity of the personal information may determine the form of consent.

  15. PIPA – consent is not needed (section 14):
  • If the collection is clearly in the interests of the person and consent can’t be obtained in a timely way.
  • Pursuant to statute.
  • Investigations, legal proceedings.
  • Publicly available.
  • Debt collection.

  16. PIPA – general rules continued
  • Collect, use and disclose for reasonable purposes: sections 11, 16, 19.
  • Collect, use and disclose the least amount of information necessary for the business purpose
  • Give people notice of the purposes of collection: this is important because it establishes the “baseline” – the notice must be somewhat specific.

  17. Collect, use or disclose information without consent in some cases:
  • When clearly in the interests of the individual, timely consent cannot be obtained, and someone would not reasonably be expected to withhold consent: sections 14, 17, 20.
  • When another act or regulation authorizes it
  • To or from a public body, if authorized
  • For an investigation or legal proceeding
  • If the p.i. is publicly available
  • To determine an individual’s suitability for an honour, award or benefit
  • To create a credit report
  • To collect a debt or repay monies owed
  • For archival or research purposes

  18. Disclose personal information without consent: section 20.
  • To comply with a subpoena or court order
  • If necessary to respond to an emergency
  • To contact next of kin
  • To a surviving spouse or relative of a deceased individual, if reasonable
  • To protect against fraud or unfair trading practices
  • P.I. is needed in the acquisition/sale of a business
  • If the disclosure meets the requirements for archival purposes or research and it is not possible to obtain consent

  19. Access to personal info: section 24
  • Give people access to their personal information, with specific exceptions:
  • If the information would reveal the p.i. of another individual
  • If the information reveals the identity of an individual who has provided an opinion in confidence
  • If giving access could threaten the life or security of someone
  • Legal privilege
  • Proprietary information
  • Investigation or legal proceeding
  • If giving access may result in that type of information no longer being provided
  • If collected by a mediator or arbitrator

  20. Employee info: sections 15, 18, 21
  • Treated differently from “customer” info
  • Organizations will have to determine what info is reasonably required for establishing, managing or terminating employment relationships
  • Don’t assume anything just because it has been done in the past
  • The burden of proof will likely be on the organization

  21. Employee info
  • Employee information: s.1(d)
  • “Employee” includes an individual employed by the organization who performs a service for an organization, including:
  • Apprentice
  • Volunteer
  • Participant
  • Student
  • Under contract or agency relationship

  22. Collection, use or disclosure of employee information without consent: sections 15, 18, 21.
  • If the individual is an employee of the organization, OR
  • If the collection, use or disclosure is for the purpose of recruiting a potential employee.
  • However:
  • The collection, use or disclosure must be reasonable, and
  • The information must relate to the employment relationship.

  23. Looking after personal information.
  • Organizations are responsible for the personal information in their custody or under their control: section 5.
  • Organizations have to designate someone to be responsible for compliance: section 5. PICK THE RIGHT PERSON.
  • Organizations have to use reasonable efforts to ensure personal information collected, used or disclosed is accurate and complete: section 33.
  • Organizations have to make reasonable security arrangements: section 34.

  24. Information and Privacy Commissioner
  • Same Commissioner for the FOIP Act and the Health Information Act
  • The Commissioner can:
  • refer an individual to another grievance, complaint or review process before dealing with the complaint
  • authorize mediation to settle a complaint
  • conduct an inquiry
  • issue binding orders
  • authorize an organization to disregard requests

  25. Penalties and damages: sections 59, 60
  • It is an offence to destroy or conceal a record to avoid a request for access to it.
  • If convicted of an offence, fines are (section 59):
  • Up to $10,000 for individuals
  • Up to $100,000 for businesses
  • An individual can pursue damages for loss or injury suffered as a result of a breach of privacy: section 60.

  26. Ten Steps to Compliance
  • Obtain executive support within your organization and appoint a privacy lead – a privacy committee can help
  • Conduct a corporate-wide assessment of compliance
  • Develop a plan to address compliance gaps
  • Evaluate information management and security policies and practices
  • Develop privacy policies and procedures, including a records retention policy

  27. Ten Steps continued…
  • Review and revise third-party agreements
  • Develop and deliver privacy and security training for employees
  • Establish procedures to allow individuals access to their own information
  • Implement a process for handling privacy complaints
  • Ensure all information and privacy policies meet the ongoing objective of privacy compliance (e.g. annual audits)

  28. Dealing with the Commissioner’s office
  • We want this to work
  • Organizations get first chance to resolve complaints
  • We mediate (assist us)
  • Sometimes an inquiry will be necessary
  • Advance rulings

  29. PIPA/PIPEDA
  • Both based on fair info practices
  • “Substantially similar”, but not necessarily the same
  • There will be issues and conflicts and we will have to work them out
  • Federal and Provincial Commissioners are working to harmonize practices and protocols
  • If an organization is compliant with PIPEDA, prima facie, it is compliant with PIPA

  30. Privacy Help
  Resources and Guides available:
  Office of the Information and Privacy Commissioner: 780 422-6860 (Edmonton), 403 297-7247 (Calgary), www.oipc.ab.ca
  Information Management, Access & Privacy Branch: 780-644-7472, www.psp.gov.ab.ca
  Privacy Commissioner of Canada: www.privcom.gc.ca