Understanding the New Private Sector Privacy Law
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Keynote Address to the B.C. Freedom of Information and Privacy Association Conference
March 11, 2002
Vancouver, British Columbia
Privacy Commissioner of Canada
(Check Against Delivery)
Good morning. You're here to talk about the Personal Information Protection and Electronic Documents Act. That's an important task. It's a relatively new act, and anything that increases awareness of it is going to make it a more effective means of protecting privacy.
You'll be hearing a lot of opinions this weekend about what the Act means and how it works. As interesting as those may be, it's important to always keep in mind that, because of the role given to me under the Act, I and my Office are really the only authority who can give you definitive readings on the Act.
What I want to do today is, first, lay out in broad terms what the Act is, and what organizations and activities it applies to. Then I'll describe my role under it, and my approach to interpreting it.
And I'll talk a bit about how this Act and other privacy laws are an important element in establishing a healthy business climate and a strong economy. As more and more jurisdictions pass privacy legislation, you're going to be hearing some people and organizations complaining that such laws are too restrictive, that they're a hindrance on business and so forth. I'm here to set that record straight: The PIPED Act strikes, in my view, a very good balance between the legitimate information needs of the private sector and the fundamental privacy rights of individuals.
The Act, as you probably know, is based on the Canadian Standards Association's Model Code for the Protection of Personal Information. What the Act says is best summed up as follows:
Apart from limited exceptions, no private sector organization can collect, use, or disclose personal information about an individual without the individual's consent.
An organization can collect, use or disclose that information only for the purpose for which the individual gave consent.
Even with consent, an organization can only collect information that a reasonable person would consider appropriate under the circumstances.
Individuals have the right to see the personal information that is held about them, and to correct any inaccuracies.
There is oversight, through me and my office, to ensure that the law is respected. And there is redress if people's rights are violated.
The Act applies to personal information collected, used or disclosed in the course of commercial activities. In federal works, undertakings and businesses-primarily the banks, airlines, telecommunications companies, broadcasters, and transportation companies-it also applies to the personal information of employees.
The Act is being implemented in stages, over a period of three years.
For the first year after it came into force in January, 2001, the PIPED Act applied, with one big exception, to federal works, undertakings, or businesses, and to provincially-regulated organizations when they sold, traded, or bartered personal information across provincial or national boundaries.
The big exception was personal health information. It was excluded for the first year of the operation of the Act.
That came to an end when we entered the Act's second stage on January 1 of this year. So now the Act applies to all personal information, including personal health information, in federal works and in cross-boundary disclosures for consideration.
The third and final stage of the Act begins as of January 2004, when, except in a circumstance that I'll come to in a minute, it will apply across the board-to all personal information collected, used, or disclosed in the course of commercial activities by all private sector organizations.
The exception is this: In provinces where privacy legislation that is deemed "substantially similar" to the PIPED Act is in force, the federal government can exempt all or part of the private sector in those provinces from the application of the Act for intraprovincial activities. The PIPED Act will continue to capture interprovincial transfers, but the provincial law will capture transactions within provincial boundaries (except those conducted by federal works, undertakings, and businesses, which will remain subject to the PIPED Act).
It's important to note that any extension of the PIPED Act to provincially regulated businesses and organizations will not apply to personal information about employees. The only employee information covered by the PIPED Act, now or in the future, is information about employees in federal works, undertakings, or businesses.
I mentioned earlier that the Act is based on the CSA Model Code. But there are a number of ways in which it's stronger than the Code. One of them is that organizations need to restrict their collection, use, and disclosure of personal information to "purposes that a reasonable person would consider appropriate in the circumstances."
This provision of the Act, as loosely worded as it may seem, is very important. Under the CSA Model Code, an organization only has to identify, and stick to, its stated purpose for collecting, using, and disclosing personal information. Under the Act, an organization needs to justify that purpose. It needs to ensure that it collects, uses, and discloses personal information for reasonable purposes only.
Let me give you a couple of examples.
Suppose I'm buying a computer for several thousand dollars, and I'm taking advantage of an offer of no payments for one year. The seller has a good reason to collect personal information from me-where I live, my credit card number, where I work-to ensure that I am a good credit risk.
But if I'm buying a twenty-dollar hand calculator from that store and paying cash, the seller doesn't need to know anything about me, and a reasonable person is not going to consider any demand for personal information to be appropriate, in these circumstances.
Or take an example from employment. An employer obviously needs to know things like an employee's address, social insurance number, education, work experience, and so on. There's a legitimate need for information about the employee's performance, attendance, and potential for advancement.
But a reasonable person would not consider it appropriate for an employer to collect personal information such as an employee's sexual orientation, for instance, or personal financial circumstances.
The point about the reasonable person test is that it's not enough to tell someone why you're collecting, using, or disclosing personal information about them. You have to justify it. That's an important check on what might be called "coercive consent," where your right to consent is reduced to a formality-consent or you don't get the loan, consent or go and work someplace else, consent or we won't sell you the calculator.
Let me turn now to my role under the Act.
I'm an independent Officer of Parliament, appointed to champion the privacy rights of all Canadians. My mandate has two major facets.
First, oversight: It's my duty to ensure respect for the rights of all Canadians under the PIPED Act, and under the Privacy Act, which governs the federal public sector. That means investigating and adjudicating complaints when people believe that their privacy rights are being violated.
Second, education and promotion: The PIPED Act gives me an express mandate to educate Canadians about their privacy rights, and to promote respect for privacy and an understanding of responsibilities for its protection.
In my oversight role, I'm an ombudsman.
I do have full investigative powers under both Acts. I can order the production of documents, enter premises, and compel testimony. But neither I nor my predecessors have ever had to use these powers. We've always been able to get voluntary cooperation. I'm hopeful that such voluntary cooperation will continue, with both the public and the private sector.
When an organization and its customers or employees get into a dispute about privacy rights and responsibilities, my objective is to find a solution that works for everyone.
If I find that an organization is violating privacy, I'll suggest how the problem can be fixed.
I don't have order-making powers. But I do have instruments at my disposal in the event that an organization is violating privacy rights and refuses to mend its ways.
I can make the problem known publicly-and then rely on publicity and public opinion to move things forward.
That's one of the most effective enforcement mechanisms I know of. It helps to educate everyone-the organization that's directly involved, other organizations, consumers, employees and the public at large-about what privacy means and what their rights and responsibilities are.
Or I can ask the Federal Court to order compliance, and even to award damages to people whose privacy rights have been violated.
The educational and promotional part of my mandate under the Act is very important. It's crucial that I inform Canadians about their legislated privacy protections, and remind private sector organizations of their responsibilities under the Act. That's part of the reason I'm here today.
One further aspect of my mandate that I want to talk about today concerns "substantially similar" provincial legislation. As I said earlier, the Act will apply to all commercial activities as of 2004, unless a province passes substantially similar legislation that would allow provincially regulated businesses and organizations in that province to be exempted from the provisions of the PIPED Act for intraprovincial activities.
Under the Act, the Governor in Council makes the final determination as to what is substantially similar. But I have a mandate under the Act to report to Parliament each year on the extent to which I consider provinces to have passed substantially similar legislation. My report won't be just one of many submissions under review by the Federal cabinet. It will play a key role.
Industry Canada and I have agreed on the approach that will be taken in assessing provincial legislation. I will interpret substantially similar to mean equal or superior to the PIPED Act in the degree and quality of privacy protection provided. The federal law is the threshold or floor. A provincial privacy law must be at least as good as the PIPED Act, or I will not report that I consider it to be substantially similar.
Any provincial legislation will have to contain, at a minimum, the ten principles set forth in the CSA Model Code. While I consider all ten principles of this code to be interrelated and equally important, there are five key components in making an assessment of whether a provincial law is substantially similar.
First, consent. The provincial legislation must stipulate that an organization may only collect, use, or disclose personal information about an individual with the individual's informed consent, except in specified and limited circumstances. After collection, personal information can only be used or disclosed for the purpose for which consent was given, again except in specified and limited circumstances.
Second, the reasonable person test. The collection, use, and disclosure of personal information must be limited to purposes that a reasonable person would consider appropriate in the circumstances.
Third, access and correction rights. Individuals must have the right to access personal information that organizations have about them and to correct any information that is incorrect (or to have any disagreement noted and provided to any party who received the information).
Where an individual is of the opinion that his or her privacy rights have been violated or that the law has not been respected, the individual must have the ability to complain to a fully independent oversight body. The oversight body must have the specific mandate to resolve complaints, thoroughly investigate, mediate, conciliate, and make recommendations or issue orders. It must also have the full range of investigative powers to seize documents, enter premises and compel testimony, and the power to initiate audits of an organization's practices.
Finally, redress. Under the PIPED Act, following my finding on a complaint, the complainant or I may, if necessary, apply for a hearing in the Federal Court of Canada. The complainant or I can ask the court to order the organization in question to correct its information-handling practices and make public the steps it has taken to do so. The court can be asked to award damages to the complainant.
Decisions of the Federal Court can be appealed to the Federal Court of Appeal, and, with leave, to the Supreme Court of Canada.
There must be corresponding redress provisions in any provincial legislation.
So those are the five principal criteria I will apply when determining whether provincial privacy legislation is substantially similar to the PIPED Act: consent, the reasonable person test, access and correction rights, oversight, and redress.
I want to turn now to a discussion of the need for flexibility in the interpretation of the Act. As I mentioned at the outset, there are always going to be parties complaining that privacy legislation is too restrictive, that it's unrealistic, or that it hampers business or research. You can hear them in Ontario now, in the debate over its proposed privacy legislation, and you'll hear them as other jurisdictions begin to legislate. I want to show you how an ombudsman, with the flexibility to differentiate between real privacy harms and abstract violations of the letter of the law, can alleviate those concerns.
When the PIPED Act was before Parliament, some of the most vigorous opposition to it came from members of the health research sector. Their concern was that the Act would restrict legitimate health research. It was partly their intervention that resulted in the exclusion of personal health information from the coverage of the Act for the first year that it was in force.
I understand why they were concerned. Personal health information is perhaps the most sensitive of all personal information. As a general rule, individuals must have the right to control who can collect, use, or disclose it, and for what purpose.
At the same time, however, our society has a vital interest in the continuation and development of health research.
So, the challenge is to ensure that bona fide health research, carried out with appropriate sensitivity to the fundamental privacy rights of Canadians, is not hindered by the PIPED Act. I've taken a position that I'm confident will do that.
The Act permits an organization to use and disclose personal information without the knowledge or consent of the individual, if it's for statistical or scholarly study or research. But there are stringent limitations on this. First, the information must be vital to the research-in other words, the research could not be conducted without it. Second, its confidentiality must be assured. Third, obtaining consent must be impracticable. And fourth, the organization must inform me before the information is used or disclosed.
As I stated in my first Annual Report to Parliament last December, my interpretation of the Act is that bona fide health research carried out by duly accredited organizations under appropriate safeguards does in fact constitute statistical or scholarly study or research.
And I accept the view of the health research community that exclusive reliance on consent is, for many health research studies, impracticable.
My interpretation of the Act is that personal health information can be disclosed and used without consent for health research, provided that it remains strictly within the confines of the research project-and, most importantly, that it can in no way harm the individual to whom it pertains.
The information must under no circumstances whatsoever find its way to third parties, such as the individual's employers, insurers, relatives or acquaintances, governmental or law enforcement authorities, or marketers. Nor may the individual be contacted as a result of this information by anyone other than his or her primary health care provider.
I will be paying close attention to this requirement, and I will consider any breach of it an extremely grave violation of the Act.
I'm convinced that this approach will fully meet the intent of the Act, effectively protect the genuine privacy rights of Canadians, and permit all legitimate health research to proceed without impediment.
Now let me give you a few examples of my findings with regard to formal complaints I have received. They're a further illustration of how an oversight model based upon an ombudsman, using a combination of principles and flexibility, works better than black-letter law as a means of advancing privacy rights.
Consent is probably the most important principle underlying our privacy-our right to control access to our person and information about ourselves.
But consent can mean many different things. There are a lot of different ways that people claim that they have our consent.
With "opt-out" consent, individuals are told that their information will be collected, used, or disclosed unless they object. Instead of being asked to consent, they're required to show that they do not. Their consent is assumed unless they demonstrate otherwise.
Opt-out consent is pretty poor privacy. Telling people that they can object to a violation of privacy hardly justifies it.
But if an organization is going to use opt-out, it should at the very least use it clearly. We don't always read the fine print. Few of us read those very detailed agreements when we're adding software to our computers or filling in warranty cards or entering contests.
Because the PIPED Act is so new, there aren't a lot of examples yet of findings on opt-out consent. So let me draw on one from the Privacy Act, since the same principles apply.
I don't normally speak about matters that are before the courts. But as Canada Post-which is trying to challenge one of my findings in the courts-has already spoken to the media about this, let me use that example.
Canada Post offers the National Change of Address service, for a fee, to people who want their mail redirected from their old address to their new one.
The fine print on the back of the form that they fill out to order the service tells them that Canada Post will "help" them advise businesses and other organizations of their new address, if the organizations request it and already have their name and old address.
If customers don't want this added service, they have to notify Canada Post in writing within seven days.
Other than what's written on the back of the form, nothing in Canada Post's literature or its Web site informs its customers that they may opt-out from having their information shared this way.
The beneficiaries of this information could be any organization-including list brokers, mass mailers, or direct marketers. Canada Post sells the individual's personal information to these organizations. None of Canada Post's literature tells customers that, either.
Is this consent? Frankly, no. A reasonable person, on reading the application form for this service, would not read it as consent for the sale of personal information to mass mailers and direct marketers.
Our address is our personal information. Users of this service are giving Canada Post their personal information, and on top of that paying a fee for the service-in exchange for which Canada Post sells their personal information to third parties without their consent.
What's needed is for Canada Post to ensure that users of this service are able to exercise their right of informed consent. That's why I recommended that Canada Post add a check-off box on the face of the form that would allow individuals to consent. And I further recommended that Canada Post make that consent properly informed, by spelling out clearly that the individual's personal information could be sold to list brokers, mass mailers, or direct marketers.
Canada Post agreed to make the process more transparent. But it is still refusing to implement the fundamental recommendation-to obtain consent.
I am continuing to deal with this matter, and you can be assured that I will not let it rest until I am satisfied that Canada Post has ceased breaking the law.
As I said, this finding involved the Privacy Act, but the same principles apply as in the PIPED Act: the requirement for plain and full identification of purpose, and the need to obtain proper consent.
Another complaint, this time under the PIPED Act, raised the question of what constitutes personal information. The Act is open-ended on this point, defining it as "information about an identifiable individual." Here's how my finding put some reasonable limits on the definition.
A physician complained to me that an information broker-a company that gathers, buys, and sells information-was improperly disclosing his personal information by gathering and selling data on his prescribing patterns without his consent.
The information broker gathers information about prescriptions from pharmacies and other sources. It uses the information to produce customized information products, which identify physicians and rank them by prescribing activity for various drugs. That information is then sold to pharmaceutical sales representatives.
Clearly, there was no consent. But is this personal information within the meaning, scope, and purpose of the Act?
My finding was that, no, it's not. Personal information must be about an individual. It's not enough for it to be merely associated with the individual by name. A prescription is not in any meaningful sense information "about" the physician.
A prescription might best be called a "work product"-the outcome of the professional interaction between the physician and the patient. It's not about the physician as a person but about the professional process that led to its issuance.
If the prescribing patterns of a physician were considered to be information about the physician, then we would logically have to say the same thing about identifiable patterns regarding the work products in a whole lot of other activities. Does the chef in a restaurant mainly focus on cooking fish, or have a heavy hand with the tarragon, or use very little salt? Does a contractor use the newest roofingmaterials, or stick with what was popular 10 years ago? Does a garage mechanic tend to fix only the problem that was reported, or is there a pattern of discovering other purported problems that run up the bill? To regard such things as "personal information" could have been the end of all sorts of legitimate commercial consumer reporting.
In short, a strict and literal reading of "personal information" could have had the effect of blocking legitimate public interests. The overall objectives of the PIPED Act demanded a flexible and sensible interpretation.
Another complaint I received raised an interesting issue about our right of access to information that financial agencies hold about us. My finding in this case clarifies a particular aspect of the Act. Perhaps more importantly, it illustrates again the distinction between real harm and abstract violations.
A person complained to me that a bank refused to grant her access to her credit score.
Credit scoring is a method of assessing an individual's likelihood of repaying debt on time. It's a significant factor in a bank's decision whether or not to extend credit. A credit score is determined by means of an algorithm-a mathematical formula that "runs" an individual's personal information against a credit scoring model.
Each financial institution develops and uses its own unique credit scoring model. A particular bank's model is shaped by factors such as its corporate policies, business strategies, and corporate and product objectives.
The bank in this complaint would not release the individual's credit score because it argued that such a disclosure could allow a competitor to deduce the model it used to generate that score. That wouldn't happen if just the one score were released. But the bank provided a study showing that it could happen if as few as 24 individual credit scores were obtained.
The Act specifically allows organizations to refuse to disclose personal information that would reveal confidential commercial information. This exception to the right of access makes good sense, of course. It was never the intent of the Act that individuals would be able to exercise their privacy rights to gain access to the trade secrets of their competitors.
It seemed highly unlikely to me that a competitor could or would crack the scoring model if the complainant's credit score were released, even if somehow it assembled another 23 individual credit scores. But I had an expert in algorithms look at it, and he confirmed that technically it would be possible. And I had assurances from all of the bank's competitors that this was indeed how they would do business.
In the end, I couldn't dismiss the argument. I found that these scoring models qualified as confidential commercial information and, accordingly, the Act permitted the institution to refuse the complainant access to her score.
It's important to note that one of the considerations that influenced my thinking on this case was the purpose of the Act.
The Act is intended to recognize both the privacy rights of individuals and the need of organizations to collect, use, or disclose personal information. How privacy rights and information needs coexist requires weighing tangible benefits against reasonable apprehensions of harm.
Inability to obtain access to internal credit scores is not a significant harm to the complainant's privacy rights or those of Canadians at large. Financial institutions need to give individuals an explanation of how their credit standing is perceived, or why credit has been denied or limited. But a credit score is not necessary to do that.
In short, there would not be any real, bona fide benefit to the individual in releasing the credit score. On the other hand, the bank could suffer significant harm by its disclosure.
Let me conclude by reiterating what I think these findings show about the Act and the approach I'm taking to it.
As an ombudsman, I'm able to bring an approach that combines principles and flexibility in a way that black-letter law cannot. I can look at the information needs of businesses and researchers and the privacy rights of individuals with a flexibility that's not available to black-letter law. I can make the distinction between abstract violations of rights and real harms, and between genuine information needs and casual information wish-lists.
The scaremongers who oppose privacy legislation as an unreasonable restraint on business or research will find no support for their arguments in my findings or my interpretation of the Act. But, at the same time, no one should misread me on this.
My role is to protect the genuine, legitimate privacy rights of Canadians. I will be vigilant in protecting those rights. And where there are real privacy violations with real harms, I will pursue them with the utmost vigour, and with all the tools at my disposal.
That is the most effective way I know to protect this most fundamental of rights, privacy, and that is how I will continue to exercise the mandate that I have been given by the Parliament of Canada on behalf of all Canadians.
- Date modified: