The Personal Information Protection and Electronic Documents Act: Corporate Obligations and Opportunities
Institute of Corporate Directors breakfast seminar
Privacy & Security: Emerging Corporate Risk Management Challenges
April 24, 2003
Privacy Commissioner of Canada
(Check against delivery)
I'm very pleased to have this opportunity to meet with you today to talk about the Personal Information Protection and Electronic Documents Act, or PIPED Act as we call it, and its implications for corporate governance.
As corporate directors, you do more than just ensure that your companies are well-managed. You also have a role to play in setting the tone, influencing corporate culture, and ensuring that your organizations operate ethically.
One of an organization's most important ethical responsibilities is the duty to protect the privacy of its customers, clients and employees. As it happens, that's also a key element of good management.
Many of you will be familiar with the PIPED Act already, especially if you're working in one of the areas of commercial activity that has been covered since the Act started coming into force in 2001. If you're not, you're showing good leadership by looking into it now. As of next January, either this Act or substantially similar provincial laws will apply to all commercial activities in Canada. In other words, in a few months this will be the business environment in which you'll all be operating.
Before I talk about the Act, let me say a word or two about the meaning and importance of privacy.
First, what exactly is this "privacy" that I'm talking about? It's often called "the right to be let alone." That's a good enough definition, as far as it goes. It reflects people's visceral reaction to being monitored or scrutinized or bothered. That's what "invasion of privacy" means to many people.
But there's another kind of privacy invasion that's less obvious, and that's the collection, use and disclosure of information about us without our knowledge or consent.
In fact, I define privacy as the right to control access to one's person and information about oneself. This broader, informational concept of privacy is useful for understanding how privacy is threatened.
Our privacy used to be protected pretty much by default - because as long as our information was in paper records scattered over a lot of locations, someone would have had to go to a great deal of trouble to systematically invade the privacy of any one of us. Unless you were famous or important, or notorious, your privacy was pretty safe.
But the barriers of time, distance and cost that once guarded our privacy are gone. Technological advances - in information technologies, surveillance technologies, biometrics, genetics - are increasingly capable of eradicating our privacy. Now a stranger at a computer can compile a detailed dossier on our whole life in minutes.
Now it is we - as individuals and as a society - who must go to considerable trouble to ensure that our privacy remains respected. The choices we make in facing this challenge will determine not only what kind of society we live in, but what kind of society we leave to our children and grandchildren.
Why, you might ask, do I say that? What's so important about privacy?
To begin with, privacy is a fundamental human right, recognized as such by the United Nations. Indeed, many people argue that it is the right from which all our freedoms flow - freedom of speech, freedom of association, freedom of thought, virtually any freedom you can name.
To me, that's almost self-evident: How can we be truly free if our every move is watched, our every activity known, our every preference monitored? As former Justice La Forest of the Supreme Court of Canada once wrote, privacy is "at the heart of liberty in a modern state."
Privacy is also an innate human need. When you go home at night, you probably close the blinds. It's not that you're trying to hide something. You just instinctively need your privacy, your freedom from being observed.
If you're on a bus or a plane, and someone starts reading over your shoulder, you probably feel uncomfortable. What you're reading isn't secret - it's just that your privacy is being invaded.
If you've ever had your home or even your car broken into, you'll know that the sense of intrusion, of having your privacy violated, can be even more painful than the loss of whatever was stolen.
And yet, almost every day, in some new and creative way, this innate human need, this fundamental human right - the right to privacy - is being chipped away. Sometimes the diminution is subtle, sometimes it's a full frontal attack. In either case, it is a challenge we must answer.
Which brings me to the PIPED Act, because one of the ways that Canadians have responded to the challenge is to legislate to protect privacy.
I said at the outset that if you conduct commercial activities in Canada, either this Act or a substantially similar provincial one will apply to you.
I wouldn't be surprised if some of you are groaning at the thought of one more regulatory burden.
I can understand that concern, that you're going to be overwhelmed by privacy regulators, privacy problems, and privacy complaints.
Let me set you at ease, by pointing out two things.
First, the PIPED Act reflects the realities of the business world, rather than some abstract Ottawa thinking. It has its roots in the OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. And it's even more directly based on the Canadian Standards Association's Model Code for the Protection of Personal Information. That Code, which is actually incorporated into the legislation, was developed in a collaborative effort by representatives of government, consumers, and business groups. It's very much based on the recognition that good privacy practice is good business.
Second, if you're subject to the PIPED Act, then yes, you will be subject to oversight by me and my Office - but we're here to help business, not to hinder it. The Act ensures that your legitimate needs for personal information can be balanced with the privacy rights of individuals. My role in that is to be an ombudsman, not an enforcer. I'm interested in finding solutions to privacy problems, not in finding someone to blame for them.
So let's move on to the Act's purpose, provisions, and application. The basic outlines of the Act look like this:
An organization that wants to collect, use, or disclose personal information about people needs their consent, except in a few specific and limited circumstances.
It can use or disclose people's personal information only for the purpose for which they gave consent.
Even with consent, the organization has to limit its collection, use, and disclosure of personal information to purposes that a reasonable person would consider appropriate in the circumstances.
Individuals have the right to see the personal information that an organization holds about them, and to correct any inaccuracies.
There's oversight, through me and my Office, to ensure that the law is respected, and redress if people's rights are violated.
Right now, the Act applies to all personal information that's collected, used, or disclosed in the course of commercial activities by federal works, undertakings, and businesses. Those are primarily banks, airlines, telecommunications companies, broadcasters, and transportation companies. It also applies to the personal information of employees in those organizations. And it applies to personal information that's held by provincially-regulated organizations when it's sold, leased, or bartered across interprovincial or international boundaries.
Beginning in January 2004, the Act will apply right across the board - to all personal information collected, used, or disclosed in the course of commercial activities by all private sector organizations, except in one special circumstance.
The special circumstance is where provinces have passed privacy legislation that's "substantially similar" to the PIPED Act. Where that's happened, the federal government can exempt all or part of the provincially-regulated private sector from the application of the Act, for commercial activities that take place within the province's boundaries. The Act will continue to apply to federal works, undertakings, and businesses, and to personal information that's collected, used, or disclosed across provincial or national boundaries.
I should caution you at this point about a frequent misunderstanding. While the application of the Act will expand in 2004 to commercial activities that normally fall under provincial jurisdiction, it won't extend to employment in those activities. The only place the Act will apply to employment will be in federal works, undertakings, or businesses. It's very likely, however, that provincial privacy laws will apply to employment. My view is that they will have to, or they won't be considered substantially similar to the PIPED Act.
So those are the broad outlines of the Act. I'll come back to this question of substantially similar provincial legislation in a moment, but first let me briefly describe what I do.
I'm an independent Officer of Parliament, with two major aspects to my mandate.
The first is oversight. That includes investigating and adjudicating complaints under the PIPED Act and the Privacy Act, which is similar legislation that has applied to the federal public sector for almost twenty years.
In my oversight role, I'm an ombudsman. That means I'm here to find solutions, not to blame or punish people.
I have full investigative powers, of course. I can order the production of documents, enter premises, and compel testimony. But in two years of overseeing the PIPED Act, and in almost twenty years of the Privacy Act, we've never had to use these powers. We've always been able to get voluntary cooperation. I very much hope that this will continue to be the case.
If I find that an organization is violating privacy, I'll recommend how the problem can be fixed.
I don't have order-making powers. But I do have instruments at my disposal to ensure that privacy rights are respected and that my recommendations are not ignored.
If an organization refuses to comply, I can make the problem known publicly-and then rely on public opinion to move things forward.
Or I can ask the Federal Court to order compliance, and even to award damages to people whose privacy rights have been violated.
The second major aspect of my mandate is education and promotion. Under the PIPED Act, I have a mandate to educate Canadians about their privacy rights and promote respect for privacy.
So, for example, we put summaries of all my findings on our website. We develop business guides and fact sheets. And I criss-cross the country meeting and addressing groups like yours.
I mentioned that the Act will apply to all commercial activities as of 2004, unless a province passes substantially similar legislation. Since several provinces have begun legislative initiatives in this area, you probably want to know what substantially similar means.
The Governor in Council, on the recommendation of the Minister of Industry, will ultimately make the determination and the appropriate Order as to what's substantially similar. But it's actually a third aspect of my mandate to review and comment on provincial privacy legislation and the degree to which it's substantially similar. The Minister of Industry will consider my opinion and include my views in any assessment of a provincial act.
In assessing provincial legislation, I will interpret "substantially similar" as meaning equal or superior to the PIPED Act. I'll be looking for, at a minimum, the ten principles of the CSA's Model Code. I'll look particularly closely at consent, the reasonable person test, access and correction rights, oversight, and redress. Provincial privacy legislation will have to be as strong as or stronger than the PIPED Act in protecting privacy to be considered substantially similar.
The outcome of this will be that the principles of the PIPED Act will be part of the business environment throughout Canada. Many of you will have brought your practices into line with them already. That's probably about more than just a concern to be in compliance. My guess is that it's because you recognize that respecting and protecting privacy is a significant element of competitive advantage. You know that your customers want privacy, your employees need it - and, most importantly, your competitors are going to provide it.
Nothing this important is easy. It takes time, attention, and resources. So let me emphasize that part of my job is to help you with your efforts to respect privacy. I encourage consultation between my Office and the business community, and I've met with many business organizations.
The PIPED Act came about because the government recognized that the lifeblood of modern business is personal information. In an increasingly competitive globalized marketplace, businesses rely on personal information to identify and stay in touch with their customers. They use it to seek out new customers who might be interested in their products. They want to find out what the market is looking for and what it will bear. And they want information about their employees, so that they can administer benefits and ensure a safe and productive workplace.
Getting and using that personal information in ways that don't offend the fundamental human right of privacy - that's the challenge for modern businesses. And they have to rise to that challenge, or they will alienate their workforces and drive away their customers.
This challenge is complicated by the fact that people more than ever insist on control over their personal information.
In a world where so much is taken out of our control, one of the few things that people still feel that they can control is their personal information. So they're sensitive on the subject of businesses collecting it. They want to know what happens to it and how it's used when they deal with businesses.
When businesses don't respect people's rights, it strikes at their sense of control over their lives. And people respond very, very negatively to that. Let me give you a couple of examples.
Take the Aeroplan program, where people earn and redeem points every time they fly on Air Canada planes or do business with partners in the program. Some six million people participate. In June 2001, Aeroplan sent 60,000 of them - about one per cent - a brochure called "All about your privacy."
That brochure caused Aeroplan a lot of problems.
It didn't communicate clearly, simply, in plain language what Aeroplan would do with members' personal information. It was vague about what information was to be shared, with whom, and for what purpose. It appeared to say that potentially highly sensitive information about personal and professional interests, use of products and services, and financial status would be shared.
Members could opt out, by indicating each situation where they did not want their information shared, and then mailing the brochure back to Aeroplan. If they didn't opt out, Aeroplan would consider them to have consented.
Not surprisingly, members objected when they received Aeroplan's brochure.
In fact, my Office was flooded with e-mails and letters from people objecting. As a result of the overwhelming public interest, I had to publicly state my own concerns about the program. That didn't make things pleasant for the people at Aeroplan.
The good news is that Aeroplan was able to work with my Office to remedy the situation. But it was a painful lesson for them. In spite of all their efforts to ensure that they were respecting privacy, they fell down on this very basic requirement - the requirement to communicate their practices clearly to their members and get their informed consent.
A similar situation happened with Canada Post's change of address service. Canada Post, for a fee, will redirect people's mail from their old address to their new one. That's a useful service, but until recently, it came with a significant privacy price-tag.
The problem was that, unless people had read the fine print, they wouldn't know that Canada Post did more with their names and addresses than just redirect their mail. It sold their new addresses, and the buyers included list brokers, mass mailers, and direct marketers.
So when they moved to their new addresses and asked Canada Post to redirect their mail, they would get their mail, alright - along with marketing brochures, junk mail, and telephone solicitations. To avoid this, they had to opt out in writing.
When this came to light, the public was utterly indignant. As had been the case with Air Canada, corporate good sense eventually prevailed. Canada Post moved to make the process more transparent and switch to a system of opt-in consent.
Incidents like these can plague a company that trips up on privacy. People are getting angrier and angrier. They want control over their personal information.
Think about what that means for a company that's seeking a competitive edge.
If people don't trust businesses, if they see businesses twisting consent or unjustifiably inferring it, they'll undermine the system. They'll refuse to give information, or give false information. They'll swamp companies with complaints. They'll reject things that might be of benefit to them, out of sheer anger and frustration and resentment. And they'll look for competitors who do respect their privacy.
That, to my mind, is the largest single reason why respecting privacy is good business. It's a key element of good customer relations - and that makes it a key element of competitive advantage. Conversely, there's a distinct competitive disadvantage in being known as a company that violates privacy.
And what, fundamentally, is respect for privacy? In the business world, it's really nothing more complicated than respect for the golden rule - do unto others as you would have them do unto you. It's not an abstract legal concept. It's simple consideration, respect, and courtesy - the essence of a good relationship with your customers and employees.
My view is that the competitive advantage goes to the firm that respects privacy. Good privacy is, in the end, good business.
These are some of the important implications of Canada's privacy law for you as businesspeople. Let me conclude by saying that I look forward to working with you in the months and years ahead, and I and my Office are always here to help.