Tag Archives: pipeda

OPC gives guidance, argues for more enforcement power

24 Sep

It’s hard being the Office of the Privacy Commissioner of Canada. The OPC is responsible making sure all is right in commercial sector and federal government sector privacy. It has a pretty small operating budget, yet issues in these sectors are meaty and novel – I dare say harder to deal with than the privacy issues raised in the health and provincial public sectors. More than anything, meeting the OPC mandate is particularly challenging because the mandate is to enforce a principled statute that affords a “right to privacy” that lacks a well-understood meaning.

It is in this context that the OPC issued its 2016-2017 Annual Report to Parliament. The report includes a 24 page “year in review” on PIPEDA that follows the OPC’s public consultation on informed consent and some polling work that shows 90% of Canadians are concerned about their privacy. The OPC concludes that the PIPEDA commercial sector regime is at a crossroads – making some suggestions about new directions, giving some practical guidance and arguing for more enforcement power.

This post is to highlight the most significant new directions and practical guidance and to provide a short comment on the argument for more enforcement power.

The most significant new directions and practical guidance:

  • The OPC will expect organizations to address four elements in obtaining informed consent – what personal information is being collected, who it is being shared with (including an enumeration of third parties), for what purposes is information collected, used or shared (including an explanation of purposes that are not integral to the service) and what is the risk of harm to the individual, if any.
  • The OPC will draft and consult on new guidance that will explicitly describe those instances of collection, use or disclosure of personal information which we believe would be considered inappropriate from the reasonable person standpoint under subsection 5(3) of PIPEDA (no-go zones).
  • The OPC says that “in all but exceptional cases, consent for the collection, use and disclosure of personal information of children under the age of 13, must be obtained from their parents or guardians” and “As for youth aged 13 to 18, their consent can only be considered meaningful if organizations have taken into account their level of maturity in developing their consent processes and adapted them accordingly.”
  • The OPC will encourage industry to develop codes of practice and fund research for the purpose of developing codes of practice to address more particular, sector-specific challenges – presumably a mechanism by which organizations will be able to seek safe harbour.
  • The OPC will make greater use of its power to initiate investigations “where [it sees] specific issues or chronic problems that are not being adequately addressed.”

Then, there’s the OPC’s argument for more enforcement powers. Specifically, the OPC wants Parliament to drop the “reasonable grounds” restriction from its audit power so it can engage in truly proactive audits, it wants the power to levy fines and it wants PIPEDA to feature a private right of action – all of which would invite a departure from the ombudsman model the OPC has operated under since PIPEDA came into force in 2004.

I personally dislike the ombudsman model of enforcement because it doesn’t come with the procedural safeguards associated with more formal enforcement models and can therefore give the ombudsman a frightening degree of “soft” power. This said, the prospect of big fines and lawsuits based on substantive rules that are poorly defined and understood is even more frightening to to those in the business of privacy compliance and defence. This is the irony of the OPC report: at the same time the OPC admits that the substance of the PIPEDA is, at the very least, “challenged” it asks to enforce it with a new hammer. Now going through an admittedly bad experience with CASL – legislation that the OPC would argue is much more “ineffective” than PIPEDA (see p. 34) – we can readily foresee the wasted compliance costs that the proposed change to PIPEDA could invite. Even if business is indeed responsible for the great concern about privacy that the OPC’s polling effort reveals, this is nonetheless a valid position for business to take going forward.

Advertisements

Two presentations all about information

5 Apr

Here are two recent presentations that may be relevant to you – one on finding internet evidence that I presented last Saturday at our firm’s PD day and another from a few days earlier on privacy, data security and CASL compliance at financial services firms. If you work in management and something catches your eye that raises questions do get in touch.

 

SCC says PIPEDA does not constrain a court’s procedural power

19 Nov

The Supreme Court of Canada decided the case of RBC v Trang this week. It held that the Personal Information Protection and Electronic Documents Act does not limit the procedural powers of a court. If a court, based on analysis that is not at all governed by PIPEDA, decides that an order to disclose personal information is warranted, it may issue the order. The order may be complied with notwithstanding PIPEDA.

Here is the ratio in Trang:

As a result of s. 7(3) , PIPEDA does not diminish the powers courts have to make orders, and does not interfere with rules of court relating to the production of records. In addition, PIPEDA does not interfere with disclosure that is for the purpose of collecting a debt owed by the individual to an organization, or disclosure that is required by law. In other words, the intention behind s. 7(3) is to ensure that legally required disclosures are not affected by PIPEDA.

All is right in the world again after the Ontario courts got quite twisted up on a very fundamental question about PIPEDA’s impact on the civil justice system.

The Court also held that debtors implicitly consent to the disclosure of mortgage status information (current balance) to judgement creditors who are seeking to recover a debt. This creates an opportunity for banks to assist judgement creditors without requiring them to obtain a court order. (Might the Court have had the burden of pro forma motions in mind?)

More generally, the Court supported a very flexible, fully-contextual implicit consent standard. This arguably erodes privacy protection and invites uncertainty, but also allows for just and sensible outcomes despite a consent rule in PIPEDA that is otherwise quite strict. Of course, this will feed the current dialogue about whether consent is a meaningful principle by which to govern the protection of personal privacy.

Royal Bank of Canada v. Trang, 2016 SCC 50 (CanLII).

Cybersecurity and data loss (short presentation)

8 Nov

Here’s a 10 minute presentation I gave to the firm yesterday that puts some trends in context and addresses recent breach notification amendments.

CORRECTION. I made a point in this presentation that the Bill 119 amendments to PHIPA remove a requirement to notify of unauthorized “access” – a positive add given the statute does not include a harms-related threshold for notification. Section 1(2) of the Bill, I have now noticed, amends the definition of  “use” as follows: “The definition of ‘use’ in section 2 of the Act is amended by striking out ‘means to handle or deal with the information” and substituting ‘means to view, handle or otherwise deal with the information.’ The removal of “access” from the breach notification provision will therefore not invite a change.

The internet as a corporate security resource

22 Mar

Here’s a presentation I gave to a federally-regulated employer last week on use of internet-based information for security and other related purposes. Enjoy!

Court dismisses application for information about business partner’s employees

15 Apr

On April 2nd, the Ontario Superior Court of Justice dismissed an application for the disclosure of detailed employee payroll information from an employer to its partner in a joint venture.

The partner was partially responsible for the employer’s wage bill and relied on its right to inspect records under the joint venture agreement. The employer argued that, despite the agreement, it could not disclose employee personal information without violating PIPEDA. As an alternative, the employer offered to have an audit conducted and share the results. The partner felt this was insufficient.

Justice Perell held that he had no power to make an order that would relieve the parties from the PIPEDA consent requirement, stating “s. 7(3)(c) of PIPEDA does not provide a free-standing jurisdiction to grant exemptions.” He dismissed the application without prejudice to the filing of a new application based on the “activation” of another PIPEDA exemption.

Mountain Province Diamonds Inc v De Beers Canada Inc, 2014 ONSC 2026 (CanLII).

OPC issues important decision for federally-regulated employers on access to “mixed personal information”

1 Jan

Federally-regulated employers should pay heed to OPC report of findings 2013-004, issued in July 2013. It contains the most detailed guidance on how to administer requests for access to personal information about employees that is received from other employees in confidence – information sometimes called “mixed personal information.”

The OPC adopts the case-by-case balancing of interests approach endorsed by the Federal Court of Appeal in a Privacy Act case called Pirrie: “In determining the right to have access to this information under PIPEDA, the interests of the individuals concerned should be balanced against each other along with the public interest for and against disclosure.”

This test does not support a “bright line,” so the OPC guidance is welcome. It uses 2013-004 to distinguish between two scenarios:

  • The OPC held that notes containing peer feedback that an employer received in conducting a routine performance feedback process were exempt from the right of access. It helped that the employer had provided the complainant with a high-level summary of feedback and helped that the complainant himself had expressly promised to his peers that their feedback would be given anonymously.
  • The OPC distinguished its prior treatment of information gathered in an internal investigation from witnesses when the investigation led to the complainant’s dismissal from employment. The OPC affirmed the complainant’s right of access in this scenario, but specified that the complainant required access to her personal information “as part of her efforts to be re-instated in her position,” which suggests that the complainant had either commenced litigation or that litigation was reasonably contemplated. The OPC also noted, “there were no formal assurance made that the information the investigation participants provided would be kept confidential.”

This gives federally-regulated employers some indication of the OPC’s perspective on a common and significant access issue, though the analysis invited by the Pirrie test is very contextual and outcomes will differ based on a wide range of potentially relevant facts. While the OPC’s decision on access to information gathered from witnesses in an internal investigation might be of some concern to employers, employers cannot provide witnesses with an absolute promise of confidentiality given witness statements may be producible in litigation. If the OPC decision merely suggests that witness statements are likely to be accessible under PIPEDA when litigation is reasonably contemplated it will be rather harmless in its impact.

Bank provides former employee with insufficient access to his personal information, 2013 CanLII 71855 (PCC).