Opportunities For Improvement

Canada’s PIPEDA entered its statutory five-year review in 2006, and many in the information protection industry believe the law needs to be improved.

On Jan. 1, 2001, Canada’s new private-sector privacy legislation took effect. The legislation, called the Personal Information Protection and Electronic Documents Act, or "PIPEDA" for short, complemented Canada’s public-sector legislation, called the Privacy Act and the Access to Information Act.

ABOUT PIPEDA

PIPEDA protects personal information that is collected, used and disclosed in the course of commercial activities. PIPEDA defines "personal information" broadly to include any information about an identifiable individual. This includes information such as age, race, marital status, religion, employment history, credit history, assets, home address, home telephone number, opinions about other individuals and other information about an individual.

PIPEDA applies throughout Canada; however, the law does not apply to the collection, use and disclosure of personal information that takes place entirely within a province that has enacted private-sector privacy legislation "substantially similar" to PIPEDA. Currently, only British Columbia, Alberta and Quebec have "substantially similar" private-sector privacy legislation. Ontario has "substantially similar" legislation covering health records only.

FIVE-YEAR REVIEW

In 2006, the statutory five-year review of PIPEDA got under way, and the Office of the Privacy Commissioner of Canada sought input on how well the legislation was working. In particular, the commissioner asked for submissions on the following issues:

The effectiveness of PIPEDA’s ombudsman model;

The role of privacy consent in certain relationships, such as the employer/employee relationship;

The disclosure of personal information during business transactions;

The application of PIPEDA to a person’s work product;

The duty of an organization to notify authorities when personal information is lost or stolen;

Transborder flows of personal information; and

The commissioner sharing personal information with counterparts in other countries and provinces.

The privacy commissioner received many submissions in response to the above request, including a submission from the Canadian Legislative and Regulatory Affairs Committee (CLARA) of ARMA International, the nonprofit professional association for information management.

In its submission, CLARA addressed four of the above issues, namely: (1) the extent of the privacy commissioner’s powers; (2) the role of consent in the employer/employee relationship; (3) the duty to notify when personal information is lost or stolen; and (4) transborder flows of personal information.

I will discuss each of these briefly.

Privacy Commissioner’s Powers—PIPEDA is based on an ombudsman model. This means that the privacy commissioner has the authority to investigate complaints, make findings and issue non-binding recommendations, but cannot award damages or order an organization to change its practices.

In its submission, CLARA argued that the ombudsman model is "ineffective" and needs to be "significantly strengthened." CLARA targeted the enforcement provisions of PIPEDA, arguing that the privacy commissioner should be able to impose binding arbitration on the parties rather than forcing them to resolve matters in court, which can be a time-consuming and expensive process.

CLARA also argued that under a vigorous privacy regime, the privacy commissioner should have the power to order penalties that could result in loss of reputation or significant financial loss.

In short, CLARA argued that the privacy commissioner should be given a larger stick with which to enforce PIPEDA. This makes sense: There is little point in having strong legislative protection of privacy if that protection is difficult to enforce.

Privacy in the Employment Context—PIPEDA does not protect the personal information of all employees in Canada; it protects only the personal information of employees of "federal works and undertakings," such as banks, telecommunications companies and airlines. The reason is that the Canadian constitution gives provincial governments (rather than the federal government) the exclusive right to legislate over employment matters in all industries that are not federal works and undertakings. Some provinces, such as Alberta and British Columbia, have filled this void by enacting privacy legislation that protects employees’ personal information.

PIPEDA’s approach to protecting the privacy of employees differs from the Alberta and British Columbia approaches. PIPEDA requires employers to obtain their employees’ consent before collecting, using or disclosing their personal information. In contrast, Alberta and British Columbia allow employers to collect, use and disclose employee personal information without consent where the collection, use or disclosure is reasonably necessary to establish, manage or terminate the employment relationship.

The privacy commissioner questioned whether PIPEDA should follow the Alberta and British Columbia approaches to employee privacy. In response, CLARA argued that the scope of PIPEDA should be extended to protect employees’ personal information in all industries across Canada and not just those that fall under federal jurisdiction (though, as mentioned, constitutional law issues make this difficult to accomplish).

CLARA also argued that the employee consent requirements in PIPEDA should be abandoned and that employers should be able to collect, use and disclose employee personal information where reasonably required to establish, manage or terminate an employment or volunteer relationship. This reflects the business reality that it can be onerous, time-consuming and counter-productive to require businesses to gather consents from their employees for reasonable and necessary collections, uses and disclosures of employment-related information.

Duty to Notify—According to one statistic, identity theft has risen more than 600 percent since the year 2000, and several recent high-profile security breaches have brought the problem squarely into the public eye. As a result, by the end of 2005, approximately half of the states in the United States had passed laws requiring customers to be notified when the security of their personal information has been compromised.

Canada has been slow off the mark in this regard. In fact, the only Canadian legislation creating a duty to report information security breaches is Ontario’s Personal Health Information Protection Act, which is limited to health information.

The privacy commissioner wrestled with whether a mandatory duty to notify should be placed in PIPEDA, and if so, what that duty should entail. CLARA supported the idea of imposing a legally enforceable duty to notify. CLARA suggested that where personal information is lost or stolen, the individuals concerned and the privacy commissioner should be informed and that third parties such as credit agencies should also be notified where there is a risk of fraud.

Such a requirement, coupled with diligent document destruction and records management practices, can help minimize the damage and costs caused by identity theft and fraud.

Transborder Flows of Personal Information—The trend of outsourcing data processing has increased flows of personal information across borders. PIPEDA currently requires organizations that transfer information to third parties to use contractual or other measures to make sure that those third parties protect that information, regardless of whether those third parties are in Canada or elsewhere.

CLARA argued that the current accountability provisions of PIPEDA are sufficient, but also suggested that outsourcing contracts should include provisions that allow the Canadian organization to inspect and audit the third party’s information management practices and that prohibit the third party from using or disclosing personal information except as required by its local law.

The privacy commissioner appears to agree with this suggestion but thinks that, rather than amending PIPEDA, the best way to address the issue is to offer further guidance on the contracts that govern accountability when personal information flows across borders. Incidentally, the privacy commissioner is currently working with OECD and APEC countries on international privacy frameworks for transborder flows of personal information.

A GENERAL AGREEMENT

At the time of writing, the Standing Committee on Access to Information, Privacy and Ethics was nearing the end of its hearings on PIPEDA. It is not yet known exactly what changes to PIPEDA, if any, will be recommended to Parliament.

There appears to be a general agreement on what aspects of PIPEDA need to be addressed, but there is no clear consensus on how to address them. An ever-changing technological landscape ensures the next five-year review of PIPEDA will involve a host of new and interesting privacy issues. As Jennifer Stoddart, Canada’s privacy commissioner, said: "When we first started talking about this law in 1998, the Information Highway was a catchphrase, now it is a reality. Transborder flows of personal information were a trickle. Now they are a flood. New and emerging technologies such as location tracking devices and radio frequency identification threaten privacy in ways that were unimaginable a decade ago."

Clearly, information security and personal information management practices ought to be high priorities for all North American businesses, and those businesses will need to adapt their privacy practices to comply with PIPEDA as it evolves through the review process. This is particularly true for members of the information management industry, who are ideally positioned to help businesses adapt to the changing privacy landscape.

The author is VP of service and operations for Securit, based in Ontario, Canada. He is responsible for ensuring service and operations effectiveness at Securit and for driving integration of the records management and document destruction businesses, marketed under the Shred-it brand, in Canada and in select U.S. markets. More information is available at www.securit.com.

On the Record

To read the privacy commissioner’s report on the PIPEDA statutory review process, visit www.privcom.gc.ca/parl/2006/sub_061127_e.asp. To read the Statement for the Record written by the Canadian Legislative and Regulatory Affairs Committee of ARMA International, see www.armacanada.org/documents/clara_response_to_pipeda.pdf.

April 2007