Guidelines on the protection of privacy and transborder data flows of personal data

Law & Technology Institute of Dalhousie University Privacy Symposium

March 22, 2002
Halifax, Nova Scotia

Heather Black
General Counsel

(Check Against Delivery)

I: Background

In 1980 the OECD developed a set of guidelines concerning privacy - the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Canada adhered to the OECD guidelines in 1984 and the federal government began to promote voluntary compliance in the private sector. Those efforts, however, met with very little success. This sporadic and uneven protection for personal information began to be seen by the federal government as inadequate, particularly in the face of new developments in technology and the growing role of information in the economy as a valuable commodity.

In the early 1990s, the Canadian Standards Association ("CSA") gathered together representatives from the public sector, business, consumer groups and unions to begin work on a code to protect personal information. Its 1996 Model Code for the Protection of Personal Information represents a consensus among those stakeholders. The Code addresses two main concerns: the way in which organizations collect, use, disclose and protect personal information; and the right of individuals to have access to personal information about themselves and to have it corrected if necessary.

II: CSA Code

The CSA Code rests on 10 interrelated principles. Each principle, in turn, has attached to it a commentary which must be read in conjunction with the principle.

The 10 principles are:

1. Accountability

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

2. Identifying Purposes

The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

3. Consent

The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.

4. Limiting Collection

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

5. Limiting Use, Disclosure and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

6. Accuracy

Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

7. Safeguards

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

8. Openness

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

9. Individual Access

Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

10. Challenging Compliance

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

III: The Act

The CSA Code forms the heart of Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA). The 10 principles and accompanying commentary are reproduced in Schedule 1 of the Act.

A schedule is admittedly a strange place to find the heart of any law, but the policy imperative was to maintain the integrity of the CSA Code and use it as the basis for the Act so no other alternative seemed possible.

The challenge, from a policy and drafting perspective, was how to adapt the CSA Code to a law. The Code was drafted as a voluntary compliance code and contains language that does not lend itself to legal or judicial interpretation. However, by combining the principles of the Code with interpretative and regulatory provisions, we believe we have done so effectively.

IV: Application

Paragraph 4(1)(a) of the Act provides that PIPEDA applies to any organization in respect of personal information that the organization collects, uses or discloses in the course of a commercial activity.

This provision brings together three of the key definitions in the Act, namely that:

"commercial activity" means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists;

"organization" includes an association, a partnership, a person and a trade union; and

"personal information" means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.

The definition of "commercial activity" has attracted a lot of attention because of its breadth and, according to some, its circularity. I must say, I don't believe it's circular. What it does is to characterize the activity (be it a specific activity or a regular course of them), by reference to its nature being of a commercial character.

It is broad, however, and deliberately so because the exercise of the authority of Parliament over the subject of privacy is based upon the trade and commerce power, section 91(2) of the Constitution Act, 1867. Parliament's reach into what is clearly the provincial jurisdiction over property and civil rights is limited by the nature of the activity, that is, it must be commercial and must meet the tests set out by the Supreme Court of Canada in General Motors of Canada Ltd. v. City National Leasing (1989), 1 S.C.R. 641.

Section 91(2) itself has been acknowledged by the courts as having two branches - the interprovincial/international branch and the general branch. The general branch was essentially dormant for about 50 years until it was revived in the late 1980s by the Supreme Court of Canada in the General Motors case. The Court set out five criteria to assist in evaluating whether a valid exercise of this branch exists:

1. The impugned legislation must be part of a general regulatory scheme.
2. The scheme must be monitored by the continuing oversight of a regulatory agency.
3. The legislation must be concerned with trade as a whole rather than with a particular industry.
4. The legislation should be of a nature that the provinces jointly or severally would be constitutionally incapable of enacting.
5. The failure to include one or more provinces or localities in a legislative scheme would jeopardize the successful operation of the scheme in other parts of the country.

The Court cautioned, however, that these five criteria are not exhaustive, nor will any one of them be determinative in and of itself.

In the government's view each of the five conditions is satisfied in Part 1 of PIPEDA.

1. Part 1 qualifies as a "general regulatory scheme".
2. The role of the Privacy Commissioner provides the necessary oversight.
3. The CSA Code in Schedule 1, which is binding on all organizations that collect, use or disclose personal information in the course of commercial activities is concerned with trade as a whole.
4. As in the case of the competition law, although the provinces could enact similar rules, the rules would not be effective if enacted only on a provincial basis, because the flow of information cannot be contained for regulatory purposes within any one province.
5. The failure to include a province or locality in Part 1 would cause information to flow and leak out of the regulated area, thereby undermining the scheme in the regulated area.

Part 1 of the Act also applies to personal information about the employees of a federal work that is collected, used or disclosed in connection with the operation of the federal work. Employee information in the context of the employer/employee relationship is not considered to be collected, used or disclosed in the course of a commercial activity. Only the personal information of those employees over whom Parliament has jurisdiction, that is, those in federal works, could be covered by the law and had to be specifically mentioned.

The Act does not, however, apply to:

• Government institutions subject to the federal Privacy Act.
• Individuals in respect of personal information collected, used or disclosed for purely personal or household purposes.
• Organizations in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes only; other commercial uses of the personal information are caught by the Act.
• Her Majesty in right of a province and agents of Her Majesty in right of a province.
• Any organization that collects, uses or discloses personal information in the course of a non-commercial activity such as a public hospital, a charity engaged in fundraising, a university in respect of information about its students, and so on.

V: Oversight

The CSA Code provides individuals with a right to challenge an organization's compliance (or lack thereof) with the principles. Clause 4.10 states that "an individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance."

Certainly an individual who has a complaint about an organization's compliance with the law should begin with the organization. However, the CSA Code, being a voluntary code, did not provide an individual with further recourse in the event that an organization did not deal satisfactorily with the complaint.

When it came time to draft the Act, an oversight regime was added to the scheme to provide individuals with meaningful redress. This oversight scheme is set out in sections 11 through 17 of the Act.

After an individual unsuccessfully (or unsatisfactorily) complains to an organization, the next step is a complaint to the Privacy Commissioner of Canada under section 11. The subject matter of the complaint can be any contravention by an organization of sections 5 through 10 of the Act or the failure of an organization to follow a recommendation in the Schedule.

The right to complain about the failure to follow a recommendation has attracted some criticism, but the drafters believed that the recommendations flow from the obligations, explain how they can be met, and essentially set the "rules" for fair information practices. In many cases it would be difficult to meet the obligations without following the recommendations.

The Commissioner may also initiate a complaint if he is satisfied that there are reasonable grounds to investigate any matter under the Act.

The Commissioner must investigate complaints, and he has extensive powers in carrying out that investigation. Either personally or through a delegate he can:

• Summon persons to appear before him.
• Compel persons to give evidence and produce records.
• Administer oaths.
• Receive and accept evidence.
• Enter any premises occupied by an organization (except a swelling-house).
• Having entered the premises, speak privately with any person.
• Obtain copies of records.
• Attempt to resolve complaints through mediation and conciliation.

Within one year of the initiation of a complaint (by filing or via the Commissioner himself) the Commissioner generally must prepare a report setting out his findings and recommendations. The report is sent to the complainant and the organization. The Commissioner, being an ombudsman, does not have the power to make Orders, only recommendations.

In some circumstances, the Commissioner is not obliged to make a report. These are where:

• The complainant ought first to exhaust grievance or other available remedies.
• The complaint could more appropriately be dealt with under another law.
• The complaint is stale-dated - too long a time has elapsed to make a report useful.
• The complaint is trivial, frivolous, vexatious or made in bad faith.

The Commissioner's report triggers the right of the complainant (or the Commissioner) to apply to the Federal Court under section 14 for a hearing in respect of the matter complained of or any matter referred to in the Commissioner's report that is referred to specified clauses of the Schedule and sections of the Act.

Section 16 of PIPEDA sets out the remedies that may be granted by the Federal Court, in addition to any remedies it may grant under the Federal Court Act. The Court can:

• Order an organization to correct its practices with respect to personal information to comply with sections 5 through 10 of the Act;
• Order an organization to publish notice on an action taken by the organization or which the organization proposes to take to correct its practices;
• Award damages to the complainant, including damages for humiliation the individual may have suffered.

Under section 17, the Court is required to hear these applications in an expedited manner and must take the appropriate measures to avoid disclosure of information, including representations in camera and ex parte.

VI: PIPEDA in Action

In this first year of PIPEDA, various complaints have amply demonstrated both the need for PIPEDA's protection and the proactive role which the Privacy Commissioner can play in not only resolving complaints but in ensuring that similar situations are prevented.

For instance, the limits of knowledge and consent. In one situation, a complainant had gone to his bank branch to cash a personal cheque received from a third party. The bank teller wrote the complainant's account number on the back of the cheque. The complainant was concerned that the third party who had written the cheque could now have access to the account number. In that case, the Commissioner determined that recording the account number was reasonable, and it was reasonable for a customer to expect such a practice. The Commissioner was satisfied therefore that the complainant had thus given implied consent to the collection, use and disclosure of the personal information, and found the complaint not well founded.

Implied consent isn't an automatic finding, however. In another situation, the complainant alleged that her employer had, without her consent, disclosed to three third parties her personal information in the form of copies of a letter of response to access to information requests she had made. The three individuals copied on the letter had some previous knowledge of the file, and on the grounds of this prior involvement the employer argued that the complainant had implicitly consented to the disclosures. The Commissioner's decision on this was split - on the disclosure to union representatives, he found that implied consent would have existed only if the complainant had indicated that she had copied them on her access requests. A reasonable person would have considered the disclosure to the union representatives unacceptable, therefore, and the Commissioner concluded that this aspect of the complaint was well-founded. However, the disclosure to the employee relations coordinator was not well-founded. Here, the coordinator had been directly involved in the access request and the Commissioner determined therefore that it had been appropriate for the employer to inform him of its decision.

I should mention as well that this complainant has applied to Federal Court for a judicial review of Aéroport de Montréal's handling of her information and an Order that (a) Aéroport de Montréal revise its information handling practices to conform with PIPEDA and (b) it publish a notice detailing what actions have been undertaken to achieve such conformity.

Collection too may be an issue. One complainant, in signing up for Internet service, had been asked for her Social Insurance Number and told "No SIN, no connection". She provided the SIN because she felt obliged to do so. Investigating, the Commissioner learned that the company's own policy did not require the provision of a SIN. Since the SIN was, therefore, not necessary to fulfil explicitly specified and legitimate purposes, he found that the collection was indiscriminate and contravened the principles. The complainant having clearly received a message that the provision of SIN was a condition of service was also a contravention of the principles. In investigating this complaint and making his report, the Commissioner was able to (a) reiterate this office's longstanding position that the SIN should not be used as a universal identifier; (b) find the complaint well founded and resolved; (c) commend the company for removing the SIN from the complainant's file and working to change its policy so SIN would no longer be requested; and (d) recommend that the company take steps to review its files and remove any other unnecessary SINs collected from other customers.

Another incident where the Privacy Commissioner was able to make some extra recommendations to resolve the systemic nature of the offence occurred after a complaint was made against a bank for improper retention of information. The complainant had applied in person for a credit card. The bank representative typed her information into the computer at the branch and forwarded it for adjudication at the loan processing centre. After the application was declined, the information was not purged from the system. Therefore, unless the unsuccessful applicant made a special request for removal, the personal information remained in the bank's computer system and was accessible at the branch level. The Commissioner considered it unreasonable that, after the information had been used for the purpose for which it was collected (assessment of credit worthiness) the information would remain accessible at the branch level. Again, in his report the Commissioner was able to (a) find the complaint well-founded and resolved; (b) note that the bank had deleted the complainant's personal information and confirmed that it had not been communicated to any third party; and (c) reveal an agreement with the bank whereby they would undertake an extensive review of its practices for retention of personal information and an education program on privacy for employees and customers.

It isn't always what an organization is doing that is at issue either - sometimes it is what is not being done! One complainant, an executor of an estate, had suspicions that there had been unauthorized access to a safety deposit box and requested from the bank the signature card and copies of any correspondence between the bank and the estate. The bank was unable to locate either the card or any such correspondence. The Commissioner determined that this information should have been retained or should not have been lost, in accordance with the principles. The Commissioner found the complaint to be well-founded, and further recommended that the bank revise its practices concerning the destruction of documents containing personal information and develop a written policy on the retention of documents, in conformance with the Act.

Finally, sometimes it is a simple lack of understanding of the capabilities of one's own systems that results in a PIPEDA complaint. One complainant notified the Commissioner that a broadcaster's Web site had attempted, through its advertising server, to collect his personal information, specifically the NETBIOS on his computer, without his consent. After conducting internal inquiries, the organization confirmed that this was true. It turned out that the network administrator, on installing Windows NT had neglected to deactivate certain default settings. One feature, known as Internet Name Services, enables a server to collect the NETBIOS information of Web site users. Once informed that this feature was on, the network administrator promptly turned it off. The Commissioner found that in some circumstances, notably the complainant's, NETBIOS might be used to obtain information traceable to an identifiable individual. He determined, therefore, that the information at issue was personal information for purposes of the Act. The Commissioner also found that the broadcaster had failed to meet its obligation to obtain knowledge and consent before collecting information, though he did to dispute the explanation that the failure had been unintentional and he noted that the response was satisfactory. The complaint was well-founded and resolved.

The Commissioner's findings (in appropriately non-identifying language) are available on the Privacy Commissioner of Canada Web site. You can either go to www.priv.gc.ca and select "Commissioner's Findings" from the menu, or go directly to www.priv.gc.ca/cf-dc/index_e.cfm.

In addition, though they won't be found on our Web site, those who are interested might pay attention to the Federal Court of Canada where the first judicial reviews of PIPEDA decisions are being undertaken. You may or may not have encountered some media coverage of the issues - regardless, these early judicial decisions will be integral to the interpretation and scope of PIPEDA.

I have already mentioned Aéroport de Montréal, which will be the courts preliminary statement on the limits of implied consent under PIPEDA.

Personal information and the distinction between personal and professional information comes to the fore in IMS Health. There, a complaint was filed that IMS Health improperly disclosed personal information by gathering and selling data about physician's prescribing patterns without consent. The Commissioner found that prescription information, whether in the form of an individual prescription or patterns discerned from many prescriptions, is not personal information about a physician. The complainant has now made application in Federal Court for a judicial review of IMS's disclosure of the prescribing information. This case may be especially interesting to watch simply because Quebec, perhaps in response to this situation, has amended its private sector privacy law to recognize that professional information is a subset of personal information but also to set out rules and processes whereby professional information may be collected and disclosed without individual consent.

Another interesting judicial review of a PIPEDA issue is that involving TELUS Communications. Issues complained of there were: (1) that the publishing of customer's personal information in the White Pages telephone book was an inappropriate collection, use and disclosure of personal information; (2) whether TELUS had the authority to charge a fee for non-published telephone service; and (3) whether charging such a fee contravenes PIPEDA. The Privacy Commissioner found that TELUS's practices did not contravene PIPEDA, but the complainant has applied for judicial review of TELUS's decision not to modify its practices.

VII: Transition

PIPEDA has a staggered implementation system set out in section 30 of the Act. That section reads:

"30. (1) The Part does not apply to any organization in respect of personal information that it collects, uses or discloses within a province whose legislature has the power to regulate the collection, use or disclosure of the information, unless the organization does it in connection with the operation of a federal work, undertaking or business or the organization discloses outside the province for consideration.

(1.1) This Part does not apply to any organization in respect of personal health information that it collects, uses or discloses.

(2) Subsection (1) ceases to have effect three years after the day on which this section comes into force.

(2.1) Subsection (1.1) ceases to have effect one year after the day on which this section comes into force."

Thus, on January 1, 2001 PIPEDA applied to:

• Federal works, undertakings and businesses that collect, use or disclose personal information in the course of commercial activities;
• Personal information about the employees of a federal work, undertaking or business that is collected, used or disclosed in connection with the operation of the federal work;
• Interprovincial/international disclosures of personal information, for consideration, made by an organization in the course of a commercial activity. This provision relies on the interprovincial/international branch of the trade and commerce power. It is quite narrow in that the information itself must be the subject of the transaction and the consideration is for the information.

In addition, as of January 1, 2002 PIPEDA began to apply to personal health information in connection with any of the organizations or activities already in force.

Finally, on January 1, 2004 PIPEDA will be fully in force, applying to organizations under provincial jurisdiction with respect to personal information collected, used or disclosed within the province unless the province has enacted substantially similar legislation and the Governor in Council has passed an order exempting organizations or activities from the application of the federal law for those intraprovincial collections, uses and disclosures. This is the essence of the exercise of the general branch of the trade and commerce power. It also brings with it a broader scope for federal jurisdiction over all interprovincial and international collections, uses or disclosures of personal information by all organization in the course of commercial activities.

VII: Substantially Similar

As I just said, when fully in force, PIPEDA will apply to organizations under provincial jurisdiction unless the province has enacted "substantially similar" legislation and as a result the Governor in Council has passed an order exempting these organizations or activities from the application of PIPEDA. This power is set out in section 26(2) of the Act, which provides:

26. (2) The Governor in Council may, by order,

...

(b) if satisfied that legislation of a province that is substantially similar to this Part applies to an organization, a class of organizations, an activity or a class of activities, exempt the organization, activity or class from the application of this Part in respect of the collection, use or disclosure of personal information that occurs within that province.

The effect of this provision is to enable provinces and territories to regulate the personal information practices of organizations operating within their borders and to minimize the imposition of a dual regulatory regime on these organizations. In those areas of activity under provincial or territorial jurisdiction where substantially similar legislation is in effect, only cross border transfers of personal information will be subject to the PIPEDA requirements.

Former Industry Minister John Manley described legislation which would be substantially similar to PIPEDA as "legislation that provides a basic set of fair information practices which are consistent with the CSA Standard, oversight by an independent body and redress for those who are aggrieved."

In order to further clarify the process of classifying something as "substantially similar", on September 22, 2001 the Department of Industry published its Process for the Determination of "Substantially Similar" Provincial Legislation by the Governor in Council. Basically, a province, territory or organization itself would advise the Minister of Industry of the existence of provincial or territorial legislation (either in force or to come into force at a future date) which it believes is substantially similar to the federal law. When provided with such notification, the Minister of Industry will write to the Minister responsible for the relevant legislation in order to seek that Minister's views. The Minister of Industry may also act on his own initiative to recommend to the Governor in Council that provincial or territorial legislation be designated as substantially similar. The recommendation itself is not determinative - no organization or activity can be exempted from the application of PIPEDA, pursuant to section 26(2)(b) unless the Governor in Council has made the appropriate Order.

Obviously the Privacy Commissioner does not make the final determination as to substantially similar status. However, under section 25(1) of PIPEDA he is required to report annually to Parliament and to report specifically on "the extent to which the provinces have enacted legislation that is substantially similar...and the application of any such legislation." The Privacy Commissioner is to be informed when a request for substantially similar status is received and the Minister of Industry will seek the Commissioner's view on whether the legislation at issue is, in fact, substantially similar.

The Privacy Commissioner has said that the test he will apply to the determination of "substantially similar" is to interpret the phrase as meaning equal or superior to the federal law in the degree and quality of privacy protection. PIPEDA is the threshold or floor - a provincial or territorial law must be at least as good or it will not be held to be substantially similar.

To date, only one province - Quebec - has private sector privacy legislation that has been (informally) recognized as substantially similar.

It must be emphasized that it is important for provinces to enact their own privacy legislation, not only

What are the OECD guidelines?

What is the protection of privacy?

What is the data Protection Law of China termed as?

What is OECD stands for?