Initial reflections of the privacy commissioner on Ontario - PowerPoint PPT Presentation

Provided by: ipc12

1
Initial reflections of the privacy commissioner
on Ontario's draft privacy bill
  • Ann Cavoukian, Ph.D.
  • Information and Privacy Commissioner/Ontario
  • Toronto Board of Trade
  • February 19, 2002

2
Background to the Bill
  • European Union
  • Directive on Data Protection
  • Canadian Standards Association
  • Model Code for the Protection of Personal
    Information
  • Government of Canada
  • Personal Information Protection and Electronic
    Documents Act
  • Government of Ontario
  • Privacy of Personal Information Act, 2002

3
Privacy of Personal Information Act, 2002
  • Integrated health & private sector privacy
    protection
  • Guide to Ontario's Consultation on Privacy
    Protection
  • www.cbs.gov.on.ca/mcbs/english/56Y2QL.htm
  • Privacy of Personal Information Act, 2002
  • www.cbs.gov.on.ca/mcbs/english/56Y2UJ.htm
  • Consultation period
  • Ends March 8, 2002

4
Scope of the Draft Bill
  • Bill applies to
  • Ontario businesses
  • Ontario universities
  • Ontario hospitals, doctors, pharmacies, clinics
  • Ontario associations (incorporated or not)
  • Ontario partnerships
  • Ontario unions
  • Does not apply to
  • Individuals acting in a personal and
    non-commercial capacity
  • Artistic, journalistic or literary exemption

5
Ontario Draft Bill
  • Things we like
  • Made in Ontario response to PIPEDA
  • Scope of Bill extends beyond business sector
  • Based on CSA Fair Information Practices
  • Single oversight body for both public and private
    sector privacy
  • Dramatic improvements to health component from
    earlier Bill 159

6
Striking the Right Balance?
  • The government is working to find the
    appropriate privacy balance,
  • But
  • Concerns about the Bill 
  • Permitted uses without consent
  • Extensive use of Regulations
  • Lack of full investigation powers

7
Simplify the Draft Bill
  • Complex drafting
  • Inconsistencies
  • Redundancies
  • Duplication

8
Complex and Confusing
  • Personal Information
  • Personal Health Information
  • Organizations (non-health)
  • Health Information Custodians

9
Definition of Personal Information
  • Personal Information: covered
  • Personal Health Information: covered
  • Business Information: not covered
  • Professional Information: not covered

10
Exemptions to Consent
  • Exemptions should be very limited regarding the
    collection, use and disclosure without consent
  • Minimize exemptions
  • Notice requirements
  • If exemptions exist for use or disclosure without
    consent, notice should be provided

11
Procedures for Access
  • Different procedures for accessing personal
    information vs. personal health information
  • Will create confusion, without adequate
    justification for doing so
  • Duplication between two access schemes completely
    unnecessary

12
Use of Regulations
  • Use of Regulations too broad
  • Section 80(1)(g) enables specific organizations
    or classes of organizations, to be pulled outside
    of the scope of the legislation without any
    public consultation or accountability.
  • Section 80(1)(n) permits the government, without
    public consultation or accountability, to exempt
    organizations from acting in conformity with
    their information practices.

13
Commissioner's Powers
  • Lack of full investigation powers
  • No power to compel witnesses to testify (risk of
    another POSO debacle)
  • Privacy oversight bodies in virtually every other
    jurisdiction with similar legislation have the
    power to require testimony, including Canada
    (federal), Alberta, Saskatchewan, Manitoba,
    Quebec, Australia and New Zealand.

14
Other issues to consider
  • Consent
  • Express
  • Implied
  • Opt-in / Opt-out?
  • Notice
  • Sufficient?
  • Harmonization with PIPEDA

15
EU Response to PPIA?
  • EU Adequacy Decision
  • Canada is considered as providing an adequate
    level of protection for personal data transferred
    from the Community to recipients subject to the
    Personal Information Protection and Electronic
    Documents Act.
  • But
  • This Decision may be amended at any time in the
    light of experience with its functioning or of
    changes in Canadian legislation, including
    measures recognizing that a Canadian province has
    substantially similar legislation.

16
The IPC & PPIA, 2002
  • Cooperation and mediation, not confrontation
  • IPC has a long history of working collaboratively
    with the public and private sectors
  • Learn from the experience of jurisdictions with
    private sector privacy laws
  • We have never seen a business plan that could
    not be operated within the data privacy
    legislation.
  • Elizabeth France, UK Commissioner
  • Will produce guidelines for businesses and public
    outlining responsibilities and expectations

17
The Value of Privacy
  • Complying with privacy regulations can be
    considered just a business cost, but many
    companies understand that a reputation for
    guarding privacy can also be a selling point.
    They need to be stewards, to the extent they can
    gain a competitive advantage from privacy.
  • Ken DeJarnette, Deloitte & Touche

18
How to Contact Us
Ann Cavoukian, Ph.D.
Information and Privacy Commissioner/Ontario
80 Bloor St. W., Suite 1700, Toronto, M5S 2V1
Phone: (416) 326-3333
Web: www.ipc.on.ca
E-mail: commissioner_at_ipc.on.ca