Title: Initial reflections of the privacy commissioner on Ontario
1. Initial reflections of the privacy commissioner
on Ontario's draft privacy bill
- Ann Cavoukian, Ph.D.
- Information and Privacy Commissioner/Ontario
- Toronto Board of Trade
- February 19, 2002
2. Background to the Bill
- European Union
- Directive on Data Protection
- Canadian Standards Association
- Model Code for the Protection of Personal
Information
- Government of Canada
- Personal Information Protection and Electronic
Documents Act
- Government of Ontario
- Privacy of Personal Information Act, 2002
3. Privacy of Personal Information Act, 2002
- Integrated health private sector privacy
protection
- Guide to Ontario's Consultation on Privacy
Protection
- www.cbs.gov.on.ca/mcbs/english/56Y2QL.htm
- Privacy of Personal Information Act, 2002
- www.cbs.gov.on.ca/mcbs/english/56Y2UJ.htm
- Consultation period
- Ends March 8, 2002
4. Scope of the Draft Bill
- Bill applies to
- Ontario businesses
- Ontario universities
- Ontario hospitals, doctors, pharmacies, clinics
- Ontario associations (incorporated or not)
- Ontario partnerships
- Ontario unions
- Does not apply to
- Individuals acting in a personal and
non-commercial capacity
- Artistic, journalistic or literary exemption
5. Ontario Draft Bill
- Things we like
- Made in Ontario response to PIPEDA
- Scope of Bill extends beyond business sector
- Based on CSA Fair Information Practices
- Single oversight body for both public and private
sector privacy
- Dramatic improvements to health component from
earlier Bill 159
6. Striking the Right Balance?
- The government is working to find the
appropriate privacy balance,
- But
- Concerns about the Bill
- Permitted uses without consent
- Extensive use of Regulations
- Lack of full investigation powers
7. Simplify the Draft Bill
- Complex drafting
- Inconsistencies
- Redundancies
- Duplication
8. Complex and Confusing
Personal Health Information
Organizations (non-health)
Health Information Custodians
9. Definition of Personal Information
- Personal Information covered
- Personal Health Information covered
- Business Information not covered
- Professional Information not covered
10. Exemptions to Consent
- Exemptions should be very limited regarding the
collection, use and disclosure without consent
- Minimize exemptions
- Notice requirements
- If exemptions exist for use or disclosure without
consent, notice should be provided
11. Procedures for Access
- Different procedures for accessing personal
information vs. personal health information
- Will create confusion, without adequate
justification for doing so
- Duplication between two access schemes completely
unnecessary
12. Use of Regulations
- Use of Regulations too broad
- Section 80(1)(g) enables specific organizations
or classes of organizations, to be pulled outside
of the scope of the legislation without any
public consultation or accountability.
- Section 80(1)(n) permits the government, without
public consultation or accountability, to exempt
organizations from acting in conformity with
their information practices.
13. Commissioner's Powers
- Lack of full investigation powers
- No power to compel witnesses to testify (risk of
another POSO debacle)
- Privacy oversight bodies in virtually every other
jurisdiction with similar legislation have the
power to require testimony, including Canada
(federal), Alberta, Saskatchewan, Manitoba,
Quebec, Australia and New Zealand.
14. Other issues to consider
- Consent
- Express
- Implied
- Opt-in / Opt-out?
- Notice
- Sufficient?
- Harmonization with PIPEDA
15. EU Response to PPIA?
- EU Adequacy Decision
- Canada is considered as providing an adequate
level of protection for personal data transferred
from the Community to recipients subject to the
Personal Information Protection and Electronic
Documents Act.
- But
- This Decision may be amended at any time in the
light of experience with its functioning or of
changes in Canadian legislation, including
measures recognizing that a Canadian province has
substantially similar legislation.
16. The IPC PPIA, 2002
- Cooperation and mediation, not confrontation
- IPC has a long history of working collaboratively
with the public and private sectors
- Learn from the experience of jurisdictions with
private sector privacy laws
- We have never seen a business plan that could
not be operated within the data privacy
legislation.
- Elizabeth France, UK Commissioner
- Will produce guidelines for businesses and public
outlining responsibilities and expectations
17. The Value of Privacy
- Complying with privacy regulations can be
considered just a business cost, but many
companies understand that a reputation for
guarding privacy can also be a selling point.
They need to be stewards, to the extent they can
gain a competitive advantage from privacy.
- Ken DeJarnette, Deloitte Touche
18. How to Contact Us
Ann Cavoukian, Ph.D.
Information and Privacy Commissioner/Ontario
80 Bloor St. W., Suite 1700, Toronto, M5S 2V1
Phone: (416) 326-3333
Web: www.ipc.on.ca
E-mail: commissioner_at_ipc.on.ca