How Canada's New Privacy Legislation will affect your business
Whitehorse Chamber of Commerce
October 1, 2002
Privacy Commissioner of Canada
(Check Against Delivery)
I'm glad to have this opportunity to talk with you about Canada's new privacy law, the Personal Information Protection and Electronic Documents Act, or PIPED Act as it's known, and how it will affect your businesses.
I've given speeches about the new legislation in every part of the country, but I particularly welcome the chance to talk to people here in the north. When it comes to privacy protection in commercial activities, people in the three territories are well ahead of the game in the rest of the country.
There's been some confusion about how the Act applies to businesses in northern Canada. In fact, the Whitehorse Star reported that someone gave a speech to you earlier this year and urged you all to get ready for the new Act. That was great, except he got one thing wrong: he said that the Act would come into force on January 1, 2004.
As I pointed out to the editor of the paper, it's later than you think: in the Yukon, Northwest Territories and Nunavut, the PIPED Act applies now to all businesses and organizations that collect, use or disclose personal information in the course of commercial activities. That's because under the constitution all businesses in the north are considered to be "federal works, undertakings and businesses."
I hope you see this as good news. I do. I've often heard people in the north complain, with some justification, that it takes a long time for positive developments in the rest of the country to make their way up here. Well, for once, people in the north are the first to get something beneficial: extended protection for the fundamental human right of privacy. In the rest of Canada, the Act only applies to a limited number of federally-regulated business sectors, and to personal information held by provincially-regulated organizations when it's sold, leased, or bartered across provincial borders or outside the country. That's what will change in 2004, when all commercial activities in Canada become subject to the Act. When that happens, businesses in the rest of Canada are going to have to live up to the standard you're setting here in the north.
While I'm here, let me assure you that people aren't rushing to file complaints about businesses in the north. In fact, we've only received two so far. You may have read about one of them; it involved a Yellowknife business that installed four video cameras on the roof of its office building.
Some of you will already be familiar with the Act. For those of you who aren't, let me start with its purpose, provisions, and application.
The Act's purpose is to balance the privacy rights of individuals with the needs of businesses to collect, use, and disclose personal information.
The heart of it is the Canadian Standards Association's Model Code for the Protection of Personal Information. That's an important point, because that code was put together jointly by business, government, and consumers. We all have an interest in protecting privacy, and the process that led to the CSA Model Code reflects that.
In a nutshell, what the Act says is this:
If you're an organization covered under the Act and you want to collect, use, or disclose personal information about people, you need their consent, except in a few specific and limited circumstances.
You can use or disclose people's personal information only for the purpose for which they gave consent when you collected it.
Even with consent, you've got to limit your collection, use, and disclosure of personal information to purposes that a reasonable person would consider appropriate in the circumstances.
Individuals have the right to see the personal information that you hold about them, and to correct any inaccuracies.
There's oversight, through me and my Office, to ensure that the law is respected, and redress if people's rights are violated.
Right now, the Act applies to all personal information, including personal health information, that's collected, used, or disclosed in the course of commercial activities by federal works, undertakings, and businesses. For the rest of Canada, that means primarily banks, airlines, telecommunications companies, broadcasters, and transportation companies. In the north, it means all organizations that collect, use or disclose personal information in the course of commercial activities. The Act also applies to the personal information of employees in federal works, undertakings, and businesses. And it applies to personal information that's held by provincially-regulated organizations when it's sold, leased, or bartered across interprovincial or international boundaries. So, for instance, credit rating agencies are covered.
Beginning in January 2004, the Act will apply everywhere in Canada right across the board, to all personal information collected, used, or disclosed in the course of commercial activities by all private sector organizations, except in one special circumstance.
The special circumstance is this. In provinces that have passed privacy legislation that's "substantially similar" to the PIPED Act, the federal government can exempt all or part of the provincially-regulated private sector from the application of the Act, for commercial activities within the province's boundaries. The Act will continue to apply to federal works, undertakings, and businesses, and to personal information when it's collected, used or disclosed across provincial or national boundaries.
So that's the Act, in broad strokes. Now let me describe what I do.
I'm an independent Officer of Parliament, with two major aspects to my mandate.
The first is oversight. That includes investigating and adjudicating complaints under the PIPED Act and the Privacy Act, which is similar legislation that has already applied to the federal public sector for almost twenty years.
In my oversight role, I'm an ombudsman. That means I'm here to find solutions, not to blame or punish people.
I have full investigative powers, of course. I can order the production of documents, enter premises, and compel testimony. But in almost twenty years of overseeing the Privacy Act in the federal public sector, we've never had to use these powers. We've always been able to get voluntary cooperation. So far, this has also been the case with the PIPED Act, and of course I'm hopeful that it will continue to be that way.
If I find that an organization is violating privacy, I'll recommend how the problem can be fixed.
I don't have order-making powers. But I do have instruments at my disposal to ensure that privacy rights are respected and that my recommendations are not ignored.
If an organization refuses to comply, I can make the problem known publicly-and then rely on public opinion to move things forward.
Or I can ask the Federal Court to order compliance, and even to award damages to people whose privacy rights have been violated.
The second major aspect of my mandate is education and promotion. Under the PIPED Act, I have a mandate to educate Canadians about their privacy rights and promote respect for privacy.
The principles of the PIPED Act are going to be part of the business environment throughout Canada very soon; as I mentioned a moment ago, as of 2004 either the PIPED Act or substantially similar provincial legislation will apply to commercial activities everywhere in the country. Most of you, I hope, have brought your practices into line with these principles already. That's probably about more than just a concern to be in compliance. My guess is that it's because you recognize that respecting and protecting privacy is a significant element of competitive advantage. You know that your customers want privacy, your employees need it, and, most importantly, your competitors are going to provide it.
Nothing this important is easy. It takes time and attention, and resources.
The effort and resources are worth it, though, because privacy is a fundamental human right. I think it's fair to call it "the right from which all freedoms flow." Things like freedom of conscience, of association, of speech, or of thought are all grounded in our right to privacy. Those things are at the heart of a free society, and it seems to me that they're worth a little effort.
Part of my job is to help you with that effort. There's a lot of consultation between my office and the business community, and I've met with a lot of business organizations. We've undertaken a number of initiatives to help businesses, things like factsheets, a business guide, and a backgrounder to the Act, for example. Summaries of all my findings under the Act are put up on our website to help you with interpretation.
Let me move on now to a few of my findings under the Act, because there's quite a bit about the Act that businesses can learn from them. They'll give you some idea of things you want to look for in examining your own practices for compliance with the Act.
One complaint came from a fellow in a small community who had a heated argument one morning with an employee at his bank about a cheque charge on his personal account. Afterward, he went to work, and his employer confronted him about the argument. The bank manager, it turned out, had called the employer and told him about the argument, including a description of what he called the complainant's rude and inappropriate behaviour.
I don't imagine it will come as a surprise to you that I concluded that this complaint was well-founded.
This wasn't a casual or inadvertent disclosure, and it wasn't small-town gossip. This was a deliberate and unjustified disclosure of personal information.
And what does it tell you about the Act? Well, there are a couple of fundamental privacy principles here.
The bank didn't have the complainant's consent to disclose the information. And the disclosure went beyond the reasonable expectations of the complainant.
A reasonable person wouldn't have considered it appropriate.
This is simple enough, isn't it? Sometimes people think that you need a lot of detailed, esoteric knowledge to comply with privacy law. That might be true occasionally, but most of the time it's just good common sense, simple decency, and responsible business practice.
Here's another example. An international trucking company required its drivers to fill out registration forms for the Canada Customs and Revenue Agency's new Customs Self-Assessment Program, and return them to the company.
One driver complained to me. He didn't want his employer to have access to the personal information he was required to provide on the application. He wanted to provide the CCRA form directly to CCRA. So he refused to return the form to the company. The employer told the driver: return the form to us or we terminate your employment. And that's how it ended up, with the company terminating his employment.
I concluded that the complaint was well-founded. The Act requires that collection of information be limited to what's necessary for the organization's purposes. Was that the case here? Sure, it was necessary for a driver to complete an application for the program. But it was Canada Customs that needed the form, not the employer. So there was no need for the information to be returned to the employer, as long as it was returned to the CCRA.
And the Act requires that information be collected by fair and lawful means. Well, the company threatened the employee with dismissal if he didn't hand the information over. That doesn't meet any kind of fairness test, when the employer has no right to the information in the first place. Fortunately, the employee was reinstated after I made my finding.
Another complaint involved that frequent privacy problem, the Social Insurance Number. I'm sure you know that the SIN was intended to be an account number for government benefits and services. It wasn't intended for any other use, certainly not by the private sector. Unfortunately, some organizations still use it to identify clients.
A woman complained to me that a telecommunications company had asked her for her SIN in signing her up for internet connection. She said she understood that it was being made a condition of her receiving the service.
She wasn't entirely wrong about that. It was the company's written policy to collect SINs from people requesting services, to avoid confusion over similar names among customers. The company didn't insist on obtaining the SIN if the customer refused, and in fact it told its employees that the collection was not obligatory. But it was evident to me from the investigation that the complainant had clearly got the impression that giving her SIN was a condition of service.
I concluded that the complaint was well-founded. Fortunately, it was resolved, since the company had removed the complainant's SIN from her file and changed its policy so that SINs wouldn't be requested any more.
If there's something for you to learn from this complaint, it's that you need to wean yourselves from the SIN, if you haven't already.
I want to wrap up with some thoughts on consent. Consent is simple enough: if you want to collect, use, or disclose someone's personal information, you need their permission. That's fundamental to privacy. Most of the important provisions of the PIPED Act relate to consent.
There are different ways someone can give consent. The PIPED Act recognizes that consent doesn't have to be explicit in absolutely every case. But like most people who think carefully about privacy, I believe that explicit consent should be used wherever possible.
And like most, I'm not a fan of opt-out consent. That's where someone who wants to collect, use, or disclose our personal information gives us the option to say we don't want them to, and if we don't take them up on the option, they proceed as though they have our consent.
That puts the onus on the wrong party. Someone who wants to use my personal information should seek my permission. Telling me that I've consented and leaving it to me to object: that's pretty poor privacy.
And I think it's bad for business. You show respect for your customers by inviting them to actively opt in to something, not by requiring them to opt out of it or suffer the consequences.
My suggestion to you would be, if you want to satisfy the expectations of your customers, use opt-in and be up-front about what you're doing.
If your customers are likely to approve of what you want to do with their personal information, they'll be gratified if you show them the respect of asking them anyway. There's a competitive advantage in being known as a company that respects privacy.
If they're unlikely to approve, you simply shouldn't be doing it. On occasion, I see what looks like companies using opt-out consent as a way of sneaking something by the customers. I presume that's driven by some short-term vision of the bottom line. But if you're genuinely concerned about the bottom line, resist that temptation, because there's a distinct competitive disadvantage in being known as a company that violates privacy.
I'm mandated to protect privacy, and I've been talking to you this morning from that perspective. But if I can put myself in your shoes, let me also present it from the perspective of a businessperson.
An organization is not going to get far sneaking something by its customers, relying on opt-out consent because it isn't confident that opt-in will give it what it thinks it needs. If customers won't accept something when it's made clear to them, you shouldn't do it. To put it bluntly, maximizing profits by violating a fundamental human right is a recipe for disaster.
And, anyway, why would any marketer want a list of potential customers made up of people who may not want to be marketed to? That's not going to be a very useful list of prospects.
The whole reason for collecting and analyzing personal information is to find out who is going to want your products and promotions. The key to that is getting people's solid, affirmative consent to the use of their personal information.
If people don't trust businesses, if they see businesses twisting consent or unjustifiably assuming it, they'll undermine the system. They'll refuse to give information, or give false information. They'll swamp companies with complaints. They'll reject things that might be of benefit to them, out of sheer anger and frustration and resentment. And they'll look for competitors who do respect their privacy.
Once again: the competitive advantage goes to the firm that respects privacy. Good privacy is, in the end, good business.
So these are some aspects of what the PIPED Act means for you as businesspeople. There's a lot more that I could say by way of general introduction to the Act, but it's probably just as useful if we move on to the question-and-answer session.
Let me just conclude by saying that we're available to help you in the months and years ahead. I look forward to working with you.