Private Sector Privacy - PowerPoint PPT Presentation

Provided by: hilarylyna
1
Private Sector Privacy
  • What FOIP Coordinators
  • Need to Know
  • June 12, 2003

2
Overview: Bill 44, Personal Information
Protection Act
  • Key definitions
  • Purpose and application
  • Protection of personal information
  • Access, correction and care of personal
    information
  • Role of Commissioner
  • Professional regulatory organizations and
    non-profit organizations
  • General provisions

3
Personal Information Protection and Electronic
Documents Act (PIPEDA)
  • In effect for federally-regulated organizations
    in January 2001.
  • Will apply to provincially-regulated
    organizations in January 2004, unless
  • Provinces enact substantially similar
    legislation, to apply to activities within the
    province.
  • PIPEDA will still apply to cross-border
    commercial transactions.

4
Timing
  • Introduced in the Alberta Legislature on May 14,
    2003.
  • Expect the Bill to pass in the fall 2003.
  • Proclamation date would be January 1, 2004.
  • PIPA regulation will be developed over the summer.

5
What is privacy?
  • The right to control access to one's person and
    information about oneself.
  • George Radwanski
  • Privacy Commissioner of Canada

6
Personal information s.1
  • Personal information
  • Information about an identifiable individual but
    does not include business contact information.
  • Business contact information
  • An individual's name, position name or title,
    business telephone number, business address,
    business e-mail, business fax number and other
    similar business information.

7
Organizations s.1(h)
  • Organization includes
  • A corporation
  • An unincorporated association
  • A trade union (Labour Relations Code)
  • A partnership (Partnerships Act)
  • An individual acting in a commercial capacity
  • Any person acting on behalf of an organization
  • But not an individual acting in a personal or
    domestic capacity.

8
What is reasonable? s.2
  • When reasonable is used in the Act it means
  • What a reasonable person
  • would consider appropriate in the circumstances

9
Purpose s.3
PART 1
  • The Act governs the collection, use and
    disclosure of personal information by
    organizations in a manner that recognizes both
  • The right of an individual to have his or her
    personal information protected, and
  • The need of organizations to collect, use or
    disclose personal information for purposes that
    are reasonable.
  • The Act also provides a right of access to one's
    own personal information.

10
Application s.4
  • The Act applies to every organization and all
    personal information.
  • Some specific exclusions are included in the Act
    and there is a regulation-making power respecting
    the application of the Act to a public body.

11
Exclusions s.4
  • When collected/used/disclosed solely for
  • Personal or domestic purposes of an individual or
  • Artistic, literary or journalistic purposes
  • The Act does not apply to public bodies, or
    personal information protected by the Freedom of
    Information and Protection of Privacy Act or the
    Health Information Act.

12
Exclusions s.4
  • When a record containing personal information
  • Is at least 100 years old or
  • Relates to an individual who has been dead for at
    least 20 years
  • Personal information is excluded when
  • In court records, judicial records
  • Collected/used/disclosed by an Officer of the
    Legislature exercising statutory duties
  • Created by or for an MLA or an elected or
    appointed member of a public body

13
Paramountcy s.4(6)
  • If there is a conflict between the FOIP Act and
    PIPA, FOIP is paramount.
  • If there is a conflict between PIPA and another
    Alberta Act or regulation, PIPA is paramount.
  • The need for additional paramountcies will be
    reviewed over the summer.

14
Grandfathering s.4(4)
  • Personal information collected before January 1,
    2004, is deemed to have been collected with
    consent.
  • It may be used and disclosed by the organization
    for the purpose for which it was collected.
  • The general rules in the Act regarding
    safeguards, access, correction etc. still apply
    to this information.

15
Compliance with Act s.5
PART 2
  • The organization is responsible for personal
    information in its custody or control.
  • Must designate one or more individuals
    responsible for compliance with the Act.
  • Designates may delegate duties to others.
  • In meeting responsibilities, organizations must
    act in a reasonable manner.

16
Policies and practices s.6
  • Develop and follow policies and practices to meet
    responsibilities under the Act.
  • Make information about policies and practices
    available upon request.

17
Consent s.7(1)
  • Unless Act allows otherwise, organizations need
    consent
  • To collect personal information,
  • To collect personal information from anyone other
    than the individual,
  • To use personal information, or
  • To disclose personal information.

18
Form of consent s.8
  • Express consent: an individual may provide
    consent orally, in writing, or electronically.
  • Implied consent: permitted for a purpose when
    reasonable and the individual has voluntarily
    provided the information.
  • Opt-out consent: permitted when notice is given,
    individuals have reasonable opportunity to
    decline and the process is reasonable considering
    the sensitivity of the information.
  • Consent in writing includes by electronic means.

19
Withdrawal of consent s.9
  • An individual may withdraw/vary consent when
    reasonable notice is given
  • Except when doing so would frustrate a legal
    obligation between the parties.
  • When the consequences are not obvious, the
    organization must advise the individual of likely
    consequences.

20
Consent - by deception s.10
  • Consent is negated when obtained by
  • Providing false or misleading information or
  • Using deceptive or misleading practices.

21
Limitations on collection s.11
  • An organization may collect personal information
    only for purposes that are reasonable.
  • May only collect what is reasonable for meeting
    the purposes for which the information is
    collected.

22
Source of collection s.12
  • Indirect collection without consent is permitted
    in accordance with
  • s.14 collection without consent,
  • s.15 collection of personal employee
    information, or
  • s. 22 business transactions.

23
Notification s.13(1)
  • Before or at the time of collection, an
    organization must notify the individual, in
    writing/orally
  • As to the purpose for collection, and
  • The name of a person able to answer questions.
  • Notification not required when there is implied
    consent for the collection under s. 8(2).

24
Collection from another organization with consent
s.13(2)
  • An individual can consent to an organization
    collecting their personal information from
    another organization.
  • The collecting organization must demonstrate that
    it has obtained consent.
  • The disclosing organization must be satisfied
    that the consent complies with the Act.

25
Collection without consent s.14
  • The Act permits collection without consent for
    purposes including
  • Clearly in the interests of the individual
  • Required or authorized by law
  • Investigation or legal proceedings
  • Determining suitability for an honour or award
  • Credit reporting or debt collection
  • Archival purposes or research
  • Information may also be collected without consent
    when the information
  • Is publicly available
  • May be disclosed under s. 20

26
Limitations on use s.16
  • An organization may use personal information only
    for purposes that are reasonable.
  • May only use what is reasonable for meeting the
    purposes for which the information is used.

27
Use without consent s.17
  • The Act permits use without consent for purposes
    including those listed under collection without
    consent plus
  • To respond to a life threatening emergency

28
Limitations on disclosure s.19
  • An organization may disclose personal information
    only for purposes that are reasonable.
  • May only disclose what is reasonable for meeting
    the purposes for which the information is
    disclosed.

29
Disclosure without consent s.20
  • The Act permits disclosure without consent for
    purposes including those listed under use without
    consent plus
  • In accordance with a treaty
  • To comply with a subpoena, warrant or court order
  • To a public body or law enforcement agency to
    assist in an investigation
  • To contact next of kin in an emergency or a
    relative of a deceased individual
  • To protect against fraud, to an agency empowered
    by legislation in this area

30
Employee information s.1(i)
  • Personal employee information includes personal
    information
  • Reasonably required for purposes of establishing,
    managing or terminating an employment or
    volunteer work relationship.
  • Does not include personal information unrelated
    to the employment or volunteer relationship.

31
Employee information s.1(d)
  • Employee includes an individual employed by the
    organization who performs a service for an
    organization, including
  • Apprentice
  • Volunteer
  • Participant
  • Student
  • A person under a contract or agency relationship

32
Employee information ss.15,18, 21
  • An organization may collect/use/disclose personal
    employee information without consent when
  • The individual is an employee or
  • The purpose of collection is to recruit a
    potential employee
  • The collection/use/disclosure must be reasonable
    for the purpose, and the personal information
    must be limited to the work or volunteer
    relationship.

33
Employee information ss.15,18, 21
  • Organization A may disclose personal employee
    information to Organization B, without consent,
    when
  • The individual is employed by Organization B or
  • Organization B is collecting for the purpose of
    recruiting a potential employee. If the
    individual is not hired, the information must be
    destroyed or turned over to the individual,
    unless the individual consents to some other
    arrangement.

34
Business transactions s.22
  • Business transaction includes
  • Sale, lease, merger, amalgamation, other
    acquisition or disposal, or taking of security
    interest in respect of
  • An organization, portion of an organization or
    any business or activity or business asset of an
    organization
  • Includes a prospective transaction of this nature.

35
Business transactions s. 22
  • For the purpose of a business transaction the
    parties may collect/use/disclose personal
    information without consent if
  • The parties agree to restrict to purposes related
    to the transaction and
  • The information is necessary to decide whether to
    proceed and to complete the transaction.
  • This section does not apply if the primary
    purpose or result of the transaction is the
    purchase, sale, lease, transfer, disposal or
    disclosure of personal information.

36
Business transactions s. 22
  • When the transaction is completed, the parties
    may collect/use/disclose personal information
    without consent if
  • The parties agree to restrict to purposes for
    which the information was initially collected
    about the individual and
  • The information relates solely to carrying on the
    business or the object of the transaction.
  • Consent is needed to collect/use/disclose the
    information for new purposes.
  • If the transaction is not completed, the party
    that received the information must either return
    the information or destroy it.

37
Access and Correction ss.24,25,61
PART 3
  • Individuals can request access to their own
    personal information.
  • Organizations may charge a reasonable fee.
  • Individuals can request correction of an error or
    omission in the personal information in the
    control of an organization.
  • Organizations have a duty to assist.
  • Any right under the Act may be exercised by
    another person on an individual's behalf.

38
Accuracy, Protection and Retention of information
s.33,34,35
  • An organization must make a reasonable effort to
    ensure that personal information is accurate and
    complete.
  • An organization must protect personal information
    against such risks as unauthorized access,
    collection, use, disclosure, copying,
    modification, disposal or destruction.
  • An organization may for legal or business
    purposes retain personal information as long as
    is reasonable.

39
Information and Privacy Commissioner
PARTS 4 & 5
  • Same Commissioner as the FOIP Act and Health
    Information Act
  • The Commissioner can
  • refer an individual to another grievance,
    complaint or review process before dealing with
    the complaint
  • authorize mediation to settle a complaint
  • conduct an inquiry
  • issue binding orders
  • authorize an organization to disregard requests

40
Professional Regulatory Organizations s.55
PART 6
  • Are organizations under the Act.
  • Will have the option of creating a personal
    information code governing the
    collection/use/disclosure of personal information
    consistent with ss.1-35.
  • An individual would still be able to request a
    review or complain to the Commissioner.
  • Details will be in regulation, to be developed over
    the summer in consultation with stakeholders.

41
Non-profit organizations s.56
  • The Act applies only to the personal information
    collected/used/disclosed in connection with a
    commercial activity carried out by a non-profit
    organization.
  • Non-profit organizations include societies
    incorporated under the
  • Societies Act,
  • Agricultural Societies Act, or
  • Part 9 of the Companies Act.

42
Non-profit organizations s.56
  • Commercial activity means
  • Any transaction, act or conduct, or any regular
    course of conduct, that is of a commercial
    character, and includes
  • The selling, bartering or leasing of membership
    lists or donor or other fund-raising lists
  • Operation of a private school or early childhood
    services program (School Act)
  • Operation of a private college (Colleges Act)

43
General provisions
PART 7
  • Organizations and individuals are protected when
    acting in good faith.
  • Employees are protected when acting in good faith
    to disclose information to the Commissioner or
    acting to avoid a contravention of the Act.

44
Penalties and damages s.59, 60
  • If convicted of an offence, fines are
  • up to $10,000 for individuals
  • up to $100,000 for businesses.
  • An individual can pursue damages for loss or
    injury suffered as a result of breach of privacy.

45
Tips for public bodies
  • When disclosing personal information to a
    contractor, ensure the public body retains
    control over the information.
  • Arrangements between contracted companies and
    public bodies will remain the same. Information
    that is currently under the control of a public
    body will still be when PIPA is in force.
  • Private companies will have new responsibilities
    in regard to personal information under PIPA.

46
Privacy Help
  • Information Management, Access and Privacy
  • Alberta Government Services
  • 3D, Commerce Place, 10155 102 Street
  • Edmonton, AB T5J 4L4
  • Web site www.psp.gov.ab.ca
  • Help Desk 780-644-PIPA (7472)
  • Toll free dial 310-0000 first
  • E-mail privacyhelpdesk@gov.ab.ca

47
Privacy Help
  • Office of the Information and Privacy
    Commissioner
  • 410, 9925 109 Street
  • Edmonton, AB T5K 2J8
  • Web site www.oipc.ab.ca/pipa/
  • Phone 780-422-6860
  • Toll free dial 310-0000 first
  • E-mail generalinfo@oipc.ab.ca