Seamless Privacy Protection
Meeting Your Obligations for Privacy Compliance Conference
The Canadian Institute
June 16, 2003
Privacy Commissioner of Canada
(Check against delivery)
I want to talk to you about the Personal Information Protection and Electronic Documents Act, or PIPED Act as we call it. This Act brings privacy protections to Canadians in their dealings with organizations engaged in commercial activities.
Beginning in January of next year, any organization conducting commercial activities in Canada will be subject either to the PIPED Act or a substantially similar provincial one. At that point, we will have seamless privacy protection in Canada. So, obviously, it's important that Canadians find out now about their rights and responsibilities under the Act.
Before I talk about the Act, though, I'd like to say a few words about privacy and its importance in a free and democratic society.
Privacy, which I define as the right to control access to one's person and information about oneself, is a fundamental human right, recognized as such by the United Nations. It's sometimes described as "the right from which all freedoms flow." Freedom of speech, freedom of association, freedom of thought, virtually any freedom you can name: they're all based on the right to privacy, and they're unthinkable without it.
To me, that's almost self-evident: How can we be truly free if our every move is watched, our every activity known, our every preference monitored? It's easy to see why former Justice La Forest of the Supreme Court of Canada said that privacy is "at the heart of liberty in a modern state."
And yet, almost every day, in some new and creative way, this fundamental human right is being chipped away.
Your privacy is at risk when information about you gets out of your control. And in our world, increasingly, everyone wants information about you. The welfare state, law enforcement agencies, employers, marketers, fund-raising charities: there's an endless list of organizations that want to know who you are, where you are, what you earn, and what you do.
That's not exactly new, but it's taken on a powerful new dynamic.
Our privacy used to be protected more or less by default. Information about us was recorded on paper, and the records were scattered over various locations. To put together a dossier on you, bringing together all those disparate records to create a profile, would take a lot of work. No one bothered unless you were famous or had done something really bad.
That's all changed, with computerization, massive databases, and increasingly invasive technology. Now some stranger sitting at a computer keyboard can assemble a profile of you in a matter of minutes. Now it is we, as individuals and as a society, who must go to considerable trouble to ensure that our privacy remains respected.
That's why I believe that privacy is the defining issue of this decade. We're at a crossroads. How we respond to this challenge will determine not just the kind of world we live in, but the kind of world we leave to our children and grandchildren.
One of the ways that Canadians have responded to the challenge is through legislation. We've had enforceable privacy rights in our dealings with federal government organizations for twenty years under the Privacy Act. And now we have the PIPED Act, which gives us similar rights in the private sector.
So let me turn now to an outline of the Act's purpose, provisions, and application.
The Act is intended to balance individual privacy rights with the needs of businesses to collect, use, and disclose personal information.
The heart of it is the Canadian Standards Association's Model Code for the Protection of Personal Information. This was originally a voluntary code put together by business, government, and consumers. It's now been incorporated into the Act.
The basic outlines of the Act look like this:
If an organization covered under the Act wants to collect, use, or disclose someone's personal information, it needs their consent, except in a few specific and limited circumstances.
It can use or disclose personal information only for the purpose for which the person gave consent when the organization collected it.
Even with consent, the organization has to limit its collection, use, and disclosure of personal information to purposes that a reasonable person would consider appropriate in the circumstances.
Individuals have the right to see the personal information that an organization holds about them, and to correct any inaccuracies.
There's oversight, through me and my Office, to ensure that the law is respected, and redress if people's rights are violated.
Right now, the Act applies to all personal information, including personal health information, that's collected, used, or disclosed in the course of commercial activities by federal works, undertakings, and businesses. That's primarily banks, airlines, telecommunications companies, broadcasters, and transportation companies. It also applies to the personal information of employees in those organizations. And it applies to personal information that's held by provincially-regulated organizations when it's sold, leased, or bartered across provincial or national boundaries.
Beginning in January 2004, the Act will apply right across the board, to all personal information collected, used, or disclosed in the course of commercial activities by all private sector organizations, except in one special circumstance.
The special circumstance is something I mentioned at the outset. In provinces that have passed privacy legislation that's "substantially similar" to the PIPED Act, the federal government can exempt all or part of the provincially-regulated private sector from the application of the Act, for commercial activities that take place within the province's boundaries. The Act will continue to apply to federal works, undertakings, and businesses in all provinces. And it will also continue to apply to personal information when it's collected, used, or disclosed across provincial or national boundaries.
I should caution you at this point about a frequent misunderstanding. While the application of the Act will expand in 2004 to commercial activities that normally fall under provincial jurisdiction, it won't extend to employment in those activities. The only place the Act will apply to employment will be in federal works, undertakings, or businesses. It's very likely, however, that provincial privacy laws will apply to employment. My view is that they will have to, or they won't be considered substantially similar to the PIPED Act.
Those are the broad outlines of the Act. I'll come back to the question of substantially similar provincial legislation in a moment, but first let me briefly describe what I do.
I'm an independent Officer of Parliament, with two major aspects to my mandate.
The first is oversight. That includes investigating and adjudicating complaints under the PIPED Act and the Privacy Act, the legislation that applies to the federal public sector.
In my oversight role, I'm an ombudsman. That means I'm there to find solutions, not to blame or punish people.
I do have full investigative powers, of course. I can order the production of documents, enter premises, and compel testimony. But in twenty years of overseeing the Privacy Act in the federal public sector, I and my predecessors have never had to use these powers. We've always been able to get voluntary cooperation. The same has been the case so far with the new private sector legislation, and I very much hope that it will continue to be so.
If I find that an organization is violating privacy, I'll recommend how the problem can be fixed.
I don't have order-making powers. But I do have instruments at my disposal to ensure that privacy rights are respected and my recommendations are not ignored.
If an organization refuses to comply, I can make the problem known publicly-and then rely on public opinion to move things forward.
Or I can ask the Federal Court to order compliance, and even to award damages to people whose privacy rights have been violated.
The second major aspect of my mandate under the PIPED Act is to educate Canadians about their privacy rights and promote respect for privacy. So, for example, we put summaries of all my findings on our website. We develop business guides and fact sheets. And I criss-cross the country meeting and addressing conferences like this.
I mentioned that the PIPED Act will apply to all commercial activities as of 2004, except where a province passes substantially similar legislation. That brings me to what's actually a third aspect of my mandate.
The Governor in Council, on the recommendation of the Minister of Industry, will ultimately make the determination as to whether to consider a given provincial law as substantially similar. But I have an obligation under the Act to review and comment on provincial privacy legislation and report annually to Parliament on the extent to which the provinces have enacted substantially similar legislation. I expect my recommendations to be a key factor in the Minister of Industry's determination.
So what does "substantially similar" mean? I interpret it as meaning equal or superior to the PIPED Act. In reviewing provincial legislation, I'll be looking for, at a minimum, the ten principles of the CSA's Model Code. I'll look particularly closely at consent, the reasonable person test, access and correction rights, oversight, and redress. Provincial privacy legislation will have to be as strong or stronger than the PIPED Act in those areas to be considered substantially similar.
That's a high standard, but it's quite attainable. In May 2002, I reported to Parliament that Quebec's Act Respecting the Protection of Personal Information in the Private Sector is substantially similar to the PIPED Act.
At present, only British Columbia and Alberta have introduced legislation intended to match the PIPED Act. It's worth looking at these, to see what is and is not likely to be considered substantially similar. Both Bills have many positive qualities. But they also have serious flaws, and unless those flaws are addressed, I will not be able to recommend that they be considered substantially similar.
Both Bills fail to recognize the importance of privacy rights in employment. They specifically allow the collection, use and disclosure of employee personal information without consent. This completely deprives an employee or a prospective employee of any control over his or her information.
The collection, use or disclosure has to be reasonable for the purposes of establishing, managing or terminating an employment relationship. But that's a low standard (it could mean almost anything) and, worse, it only operates after the fact, which is not much use.
Here's what I mean. An employer might think that it's reasonable to collect and disclose information about an employee's health, say, or religion, or sexual orientation. The Bills would allow the employer to do that, without consent.
The employee could complain that this wasn't reasonable-maybe file a grievance, maybe complain to the provincial privacy commissioner. But even if a grievance or complaint were successful, it wouldn't amount to much, because the information would have already been collected, used, and disclosed, against the employee's will. The employee's privacy would have been violated. The damage would have been done. You can't give someone back their violated privacy, any more than you can put toothpaste back in the tube.
These Bills also fail to ensure that their most important protections apply to personal information that was collected before they come into force. In other words, there's no need for consent to use or disclose information that has already been collected.
This is a serious weakness. The PIPED Act, in contrast, doesn't distinguish between personal information collected before and after its coming into effect. To use or disclose information collected before the Act came into force, organizations require consent; it's as simple as that.
Next, any good privacy law has to give individuals the right to find out what personal information organizations have about them and to correct any information that's incomplete or wrong. Both of these Bills fall short of the standard set by the PIPED Act.
Individuals would be prevented from obtaining access to information about themselves if it would reveal the identity of the person who provided the information. Without access to this information, the individual wouldn't even know it existed, let alone be able to challenge its accuracy.
The Alberta Bill has some additional weaknesses with respect to access. Individuals can be denied access on the grounds that disclosure might result in that type of information no longer being provided to the organization. This is an amorphous basis for denying access, and it would be almost impossible for an individual to challenge. There's nothing like it in the PIPED Act.
The Alberta Bill also differs from the PIPED Act in that it allows an organization to charge an individual "reasonable" fees for access to his or her information. The PIPED Act requires that access be provided at "minimal or no cost."
The B.C. Bill has some particular problems about consent.
The concept of consent is at the heart of privacy law. It's through consent that individuals control personal information about themselves.
The B.C. Bill specifically refers to implicit consent, a weak form of consent that is acceptable only in certain limited circumstances, but says nothing about express or written consent.
This could lead an organization to assume that it can rely entirely on implicit consent. There is nothing in the legislation to prevent an organization from doing so, nor anything that the B.C. Commissioner, who would have oversight responsibility for the law, could use to require express consent.
The PIPED Act strongly recommends the use of express consent with respect to the collection, use or disclosure of sensitive information. A privacy law that allowed organizations to rely entirely on implicit consent would provide a significantly lower level of protection than the PIPED Act.
The Alberta Bill doesn't have this specific weakness, but it has another that could turn out to be even worse. It gives discretion to the Cabinet to issue regulations dealing with consent, as well as for procedures for access requests, collection, use or disclosure without consent, and the personal information to which the law doesn't apply.
This gives the Cabinet power to dramatically lower the level of protection provided by the Bill, without full and open public debate. Regulation-making authority should be limited to unforeseen housekeeping matters. No broad regulatory discretion of this sort exists in the PIPED Act.
The Alberta Bill would also permit the Cabinet to delay the application of the law to professional regulatory bodies and non-profit organizations, or even exempt them entirely. At first glance that might not seem to be a problem. But some non-profit organizations collect highly sensitive information, including information about medical conditions. The obvious solution is for the Bill to apply to them to the extent that they engage in commercial activities. That would be consistent with the PIPED Act. But to exempt them entirely is another matter.
Finally, both Bills would allow collection, use or disclosure without consent for the purposes of an investigation or proceeding. This is a necessary feature of any privacy law, but the wording of the Bills is far too open-ended. They define the terms "investigation" and "proceedings" very broadly, and in doing so, they give a discretion that's much wider than what's found in the PIPED Act. The result is that they allow too many situations in which personal information can be collected, used or disclosed without consent.
In short, these two Bills simply don't afford Canadians privacy protection at a level they are entitled to expect. If the legislatures of Alberta and B.C. enact these Bills without addressing these weaknesses, I will not be able to recommend that they be considered substantially similar to the PIPED Act.
That doesn't invalidate the Bills, of course. If the Governor in Council doesn't find them to be substantially similar, they'll remain in effect. But effective January 1, 2004, they'll operate concurrently with the federal law. The PIPED Act will take precedence to the extent of any inconsistency, and all organizations carrying out commercial activities will have to comply with its provisions.
Whether it's the PIPED Act itself that applies or substantially similar provincial laws, the PIPED Act's principles will be part of the business environment throughout Canada as of January. At that point, regardless of what the provinces do, privacy protection in Canada will be seamless.
Many businesses have brought their practices into line with these principles already. That's partly because they know that they have to be in compliance. But it's also because they recognize that respecting and protecting privacy is a significant element of competitive advantage. Their customers want privacy, their employees need it and, most importantly, their competitors are going to provide it.
Businesses rely on personal information to identify and stay in touch with their customers. They use it to seek out new customers who might be interested in their products. They want to find out what the market is looking for and what it will bear. And they want information about their employees, so that they can administer benefits and ensure a safe and productive workplace.
Getting and using that personal information in ways that don't offend the fundamental human right of privacy: that's the challenge for modern businesses. And they have to rise to that challenge, or they will alienate their workforces and drive away their customers.
It's complicated by the fact that people more than ever insist on control over their personal information.
In a world where so much is taken out of our control, one of the few things that people still feel that they can control is their personal information. So they're sensitive on the subject of businesses collecting it. They want to know what happens to it and how it's used.
When businesses don't respect people's rights, it strikes at their sense of control over their lives.
Think about what that means for a company that's seeking a competitive edge.
If people don't trust businesses, if they see businesses twisting consent or unjustifiably inferring it, they'll undermine the system. They'll refuse to give information, or give false information. They'll swamp companies with complaints. They'll reject things that might be of benefit to them, out of sheer anger and frustration and resentment. And they'll look for competitors who do respect their privacy.
That, to my mind, is the largest single reason why respecting privacy is good business. It's a key element of good customer relations, and that makes it a key element of competitive advantage. Conversely, there's a distinct competitive disadvantage in being known as a company that violates privacy.
Adjusting to this isn't a cakewalk, and part of my job is to give businesses a helping hand with it. So I encourage consultation between my Office and the business community, and I've met with many business organizations. We've produced a business guide, a backgrounder to the Act, and a number of fact sheets. Summaries of my findings under the Act are put up on our Web site to help with interpretation.
So let me just conclude by saying that I look forward to working with all of you in the months and years ahead. I and my Office are always here to help.