How Canada's New Privacy Legislation will affect your business
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Toronto Board of Trade
April 18, 2002
Privacy Commissioner of Canada
(Check Against Delivery)
If the title of my talk sounds forbidding, let me put you at ease. What I'll be talking about is how we can work together.
I appreciate this opportunity to talk about Canada's new privacy law, the Personal Information Protection and Electronic Documents Act, or PIPED Act as it's known, and how it will affect your businesses.
Some of you are probably pretty familiar with the Act. Those of you who aren't will be soon enough, because within the next couple of years, if you conduct commercial activities in Canada, either this Act or a substantially similar provincial one will apply to you.
So let me start with the Act's purpose, provisions, and application.
The Act is intended to balance individual privacy rights with the needs of businesses to collect, use, and disclose personal information.
The heart of it is the Canadian Standards Association's Model Code for the Protection of Personal Information. That's an important point, because the code was put together jointly by business, government, and consumers. We all have an interest in protecting privacy, and the process that led to the CSA Model Code reflects that.
The basic outlines of the Act look like this:
If you're an organization covered under the Act and you want to collect, use, or disclose personal information about people, you need their consent, except in a few specific and limited circumstances.
You can use or disclose people's personal information only for the purpose for which they gave consent when you collected it.
Even with consent, you've got to limit your collection, use, and disclosure of personal information to purposes that a reasonable person would consider appropriate in the circumstances.
Individuals have the right to see the personal information that you hold about them, and to correct any inaccuracies.
There's oversight, through me and my Office, to ensure that the law is respected, and redress if people's rights are violated.
Right now, the Act applies to all personal information, including personal health information, that's collected, used, or disclosed in the course of commercial activities by federal works, undertakings, and businesses. That's primarily banks, airlines, telecommunications companies, broadcasters, and transportation companies. It also applies to the personal information of employees in those organizations. And it applies to personal information that's held by provincially-regulated organizations when it's sold, leased, or bartered across interprovincial or international boundaries.
Beginning in January 2004, the Act will apply right across the board-to all personal information collected, used, or disclosed in the course of commercial activities by all private sector organizations, except in one special circumstance.
The special circumstance is this. In provinces that have passed privacy legislation that's "substantially similar" to the PIPED Act, the federal government can exempt all or part of the provincially-regulated private sector from the application of the Act, for commercial activities that take place within the province's boundaries. The Act will continue to apply to federal works, undertakings, and businesses in all provinces. And it will also continue to apply to personal information when it's sold, leased, or bartered across interprovincial or international boundaries.
So those are the broad outlines of the Act. I'll come back to this question of substantially similar provincial legislation in a moment, but first let me briefly describe what I do.
I'm an independent Officer of Parliament, with two major aspects to my mandate.
The first is oversight. That includes investigating and adjudicating complaints under the PIPED Act and the Privacy Act, which is similar legislation that has already applied to the federal public sector for almost twenty years.
In my oversight role, I'm an ombudsman. That means I'm there to find solutions, not to blame or punish people.
I have full investigative powers, of course. I can order the production of documents, enter premises, and compel testimony. But in almost twenty years of overseeing the Privacy Act, which covers the federal public sector, we've never had to use these powers. We've always been able to get voluntary cooperation. I very much hope that the same will be the case with the new private sector legislation.
If I find that an organization is violating privacy, I'll recommend how the problem can be fixed.
I don't have order-making powers. But I do have instruments at my disposal to ensure that privacy rights are respected and my recommendations are not ignored.
If an organization refuses to comply, I can make the problem known publicly-and then rely on public opinion to move things forward.
Or I can ask the Federal Court to order compliance, and even to award damages to people whose privacy rights have been violated.
The second major aspect of my mandate is education and promotion. Under the PIPED Act, I have a mandate to educate Canadians about their privacy rights and promote respect for privacy.
I mentioned a moment ago that the PIPED Act will apply to all commercial activities as of 2004, except where a province passes substantially similar legislation. You may be wondering what "substantially similar" means, exactly. That brings me to what's actually a third aspect of my mandate, to review and comment on provincial privacy legislation and the degree to which it's substantially similar.
I'll interpret "substantially similar" as meaning equal or superior to the PIPED Act. I'll be looking for, at a minimum, the ten principles of the CSA's Model Code. I'll look particularly closely at consent, the reasonable person test, access and correction rights, oversight, and redress. Provincial privacy legislation will have to be as strong or stronger than the PIPED Act in those areas to be considered substantially similar.
The upshot of this will be that the principles of the PIPED Act will be part of the business environment throughout Canada. Many of you may have brought your practices into line with them already. That's probably about more than just a concern to be in compliance. My guess is that it's because you recognize that respecting and protecting privacy is a significant element of competitive advantage. You know that your customers want privacy, your employees need it-and, most importantly, your competitors are going to provide it.
Nothing this important is easy. It takes time and attention-and resources.
The effort and resources are worth it, though, because privacy is a fundamental human right. I think it's fair to call it "the right from which all freedoms flow." Things like freedom of conscience, of association, of speech, or of thought are all grounded in our right to private spheres of thought and action. That, it seems to me, is at the heart of a free society-and worth a little effort.
Part of my job is to help you with that effort. I encourage consultation between my office and the business community, and I've met with many business organizations. We've undertaken a lot of initiatives to help businesses. We've produced a business guide and a backgrounder to the act, for example, and a number of factsheets. Summaries of all my findings under the Act are put up on our website to help you with interpretation.
I want to talk briefly about a few of my findings, and point out what businesses can learn about the Act from them. These should give you an idea of some of the things you want to look for in examining your own practices for compliance with the Act.
One complaint came from a resident of a small community who had a heated argument with an employee at his bank about a cheque charge on his personal account. Later the same morning, his employer confronted him about the argument. The bank manager, it turned out, had called the employer and told him about the argument, including what he described as the complainant's rude and inappropriate behaviour.
I don't imagine it will come as a surprise to you that I concluded that this complaint was well-founded.
This wasn't a casual or inadvertent disclosure, and it wasn't small-town gossip. This was a deliberate and unjustified disclosure of personal information.
And what does it tell you about the Act? Well, there's a couple of fundamental privacy principles here.
The bank didn't have the complainant's consent to disclose the information. And the disclosure went beyond the reasonable expectations of the complainant.
A reasonable person wouldn't have considered it appropriate.
You can see that this is simple enough.
People sometimes think that complying with privacy law requires detailed and arcane knowledge. Sometimes it does, but most of the time it's just good common sense, simple decency, and responsible business practice.
Here's another example. A truck driver was required by his employer, an international trucking company, to fill out a registration form for the Canada Customs and Revenue Agency's new Customs Self-Assessment Program, and return it to the company.
The driver didn't want his employer to have access to the personal information he was required to provide on the application. He wanted to provide the CCRA form directly to CCRA. So he refused to return the form to the company. The employer told the driver, return the form to us or we terminate your employment. And that's how it ended up, with the company terminating his employment.
I concluded that the complaint was well-founded. The Act requires that collection of information be limited to what's necessary for the organization's purposes. Was that the case here? Sure, it was necessary for a driver to complete an application for the program. But it was Canada Customs that needed the form, not the employer. So there was no need for the information to be returned to the employer, as long as it was returned to the CCRA.
And the Act requires that information be collected by fair and lawful means. Well, the company threatened the employee with dismissal if he didn't hand the information over. That doesn't meet any kind of fairness test, when the employer has no right to the information in the first place.
Now a complaint that involves a perennial privacy headache, the Social Insurance Number. The SIN, as I'm sure you know, was introduced as an account number for specific government benefits and services. It was never intended for any other use, certainly not by the private sector. Of course, as we all know, some organizations still rely on it as a personal identifier.
A woman complained to me that a telecommunications company had asked her for her SIN in signing her up for internet connection. She said she understood that it was being made a condition of her receiving the service.
She wasn't entirely wrong about that. It was the company's written policy to collect SINs from people requesting services, to avoid confusion over similar names among customers. The company didn't insist on obtaining the SIN if the customer refused, and in fact it advised its employees that the collection was not obligatory. But the investigation satisfied me that the complainant had clearly received the impression that giving her SIN was a condition of service.
I concluded that the complaint was well-founded. But I also was happy to conclude that it was resolved, since the company had removed the complainant's SIN from her file and changed its policy so that they would no longer be requested.
And, of course, if there's something for you to learn from this complaint, that's it: wean yourselves from the SIN.
I want to wrap up with some thoughts on consent. Consent is simple enough: if you want to collect, use, or disclose someone's personal information, you need their permission. That simple concept is fundamental to privacy. Most of the important provisions of the PIPED Act relate to consent.
There are different ways consent can be given. The PIPED Act recognizes that consent doesn't have to be explicit in absolutely every case. But like most privacy advocates I believe that explicit consent should be used wherever possible.
And like most privacy advocates, I'm not a fan of opt-out consent, where someone who wants to collect, use, or disclose our personal information gives us the option to say we don't want them to. If we don't taken them up on this offer to opt out, they proceed as though they have our consent.
This puts the onus on the wrong party. Someone who wants to use my personal information should seek my permission. Telling me that I've consented and leaving it to me to object-that's pretty poor privacy.
And I think it's also bad for business. You show respect for your customers by inviting them to actively opt in to something, not by requiring them to opt out of it or suffer the consequences.
My suggestion to you would be, if you want to satisfy the expectations of your customers, use opt-in-be up-front about what you're doing.
If your customers are likely to approve of what you want to do with their personal information, they'll be gratified if you show them the respect of asking them anyway. There's a competitive advantage in being known as a company that respects privacy.
If they're unlikely to approve, you simply shouldn't be doing it. On occasion, I see what looks like companies using opt-out consent as a way of sneaking something by the customers. I presume that's driven by some short-term vision of the bottom line. But if you're genuinely concerned about the bottom line, resist that temptation, because there's a distinct competitive disadvantage in being known as a company that violates privacy.
You may have heard about the complaint I received involving Canada Post. Canada Post is covered by the Privacy Act, rather than the PIPED Act, but the principles are the same. Let me say even before I describe the complaint to you that the good sense of the CEO of Canada Post prevailed in this case, and we've now been able to get a resolution of the issue. But the story is instructive.
Canada Post offers a change of address service, for a fee, if you want your mail redirected from your old address to your new one. That's a useful service, but until we got this sorted out, it came with a significant privacy price-tag.
The problem was that, unless you read the fine print on the form you filled out to get this change of address service, you wouldn't know that Canada Post does more with your name and address than just redirect your mail. It also has a service that sells businesses and other organizations your new address, if they request it and already have your name and old address.
Even that sounds innocuous enough, if you don't know that what it means is that Canada Post sells your personal information to a host of organizations, including list brokers, mass mailers, or direct marketers.
So the marketing brochures, and the junk mail, and the telephone solicitations, follow you to your new address.
If you didn't want this little extra, you had to notify Canada Post in writing within seven days.
That's not consent. A reasonable person would not have read the application form for this service as consent for the sale of personal information to mass mailers and direct marketers.
As I said, we have a happy ending to this one. Canada Post has agreed to make the process more transparent, and to switch to a system of opt-in consent.
I've been talking about this today from the perspective of someone who is mandated to protect privacy.
But if I can put myself in your shoes, let me also present it from the perspective of a businessperson.
An organization is not going to get far sneaking something by its customers, relying on opt-out consent because it isn't confident that opt-in will give it what it thinks it needs. If customers won't accept it when it's made clear to them, you shouldn't do it. To put it bluntly, maximizing profits by violating a fundamental human right is a recipe for disaster.
And, anyway, why would any marketer want a list of potential customers made up of people who may not want to be marketed to? That's not going to be a very useful list of prospects.
The whole reason organizations collect and analyze personal information is to find out who is going to want their products and promotions. The key to that is getting people's solid, affirmative consent to the use of their personal information.
If people don't trust businesses, if they see businesses twisting consent or unjustifiably inferring it, they'll undermine the system. They'll refuse to give information, or give false information. They'll swamp companies with complaints. They'll reject things that might be of benefit to them, out of sheer anger and frustration and resentment. And they'll look for competitors who do respect their privacy.
So, once again: the competitive advantage goes to the firm that respects privacy. Good privacy is, in the end, good business.
These are some of the important implications of Canada's privacy law for you as businesspeople. There is a lot more that i could say by way of general introduction to the PIPED Act, but I think we might be better served by passing now to the question-and-answer session.
So let me just conclude by saying that I look forward to working with you in the months and years ahead, and I and my office are always here to help.
- Date modified: