Initial reflections of the privacy commissioner on Ontario

1
Initial reflections of the privacy commissioner
on Ontarios draft privacy bill

• Ann Cavoukian, Ph.D.
• Information and Privacy Commissioner/Ontario
• Toronto Board of Trade
• February 19, 2002

2
Background to the Bill

• European Union
• Directive on Data Protection
• Canadian Standards Association
• Model Code for the Protection of Personal
  Information
• Government of Canada
• Personal Information Protection and Electronic
  Documents Act
• Government of Ontario
• Privacy of Personal Information Act, 2002

3
Privacy of Personal Information Act, 2002

• Integrated health private sector privacy
  protection
• Guide to Ontarios Consultation on Privacy
  Protection
• www.cbs.gov.on.ca/mcbs/english/56Y2QL.htm
• Privacy of Personal Information Act, 2002
• www.cbs.gov.on.ca/mcbs/english/56Y2UJ.htm
• Consultation period
• Ends March 8, 2002

4
Scope of the Draft Bill

• Bill applies to
• Ontario businesses
• Ontario universities
• Ontario hospitals, doctors, pharmacies, clinics
• Ontario associations (incorporated or not)
• Ontario partnerships
• Ontario unions
• Does not apply to
• Individuals acting in a personal and
  non-commercial capacity
• Artistic, journalistic or literary exemption

5
Ontario Draft Bill

• Things we like
• Made in Ontario response to PIPEDA
• Scope of Bill extends beyond business sector
• Based on CSA Fair Information Practices
• Single oversight body for both public and private
  sector privacy
• Dramatic improvements to health component from
  earlier Bill 159

6
Striking the Right Balance?

• The government is working to find the
  appropriate privacy balance,
• But
• Concerns about the Bill 
• Permitted uses without consent
• Extensive use of Regulations
• Lack of full investigation powers

7
Simplify the Draft Bill

• Complex drafting
• Inconsistencies
• Redundancies
• Duplication

8
Complex and Confusing

• Personal Information

Personal Health Information
Organizations (non-health)
Health Information Custodians
9
Definition of Personal Information

• Personal Information covered
• Personal Health Information covered
• Business Information not covered
• Professional Information not covered

10
Exemptions to Consent

• Exemptions should be very limited regarding the
  collection, use and disclosure without consent
• Minimize exemptions
• Notice requirements
• If exemptions exist for use or disclosure without
  consent, notice should be provided

11
Procedures for Access

• Different procedures for accessing personal
  information vs. personal health information
• Will create confusion, without adequate
  justification for doing so
• Duplication between two access schemes completely
  unnecessary

12
Use of Regulations

• Use of Regulations too broad
• Section 80(1)(g) enables specific organizations
  or classes of organizations, to be pulled outside
  of the scope of the legislation without any
  public consultation or accountability.
• Section 80(1)(n) permits the government, without
  public consultation or accountability, to exempt
  organizations from acting in conformity with
  their information practices.

13
Commissioners Powers

• Lack of full investigation powers
• No power to compel witnesses to testify (risk of
  another POSO debacle)
• Privacy oversight bodies in virtually every other
  jurisdiction with similar legislation have the
  power to require testimony, including Canada
  (federal), Alberta, Saskatchewan, Manitoba,
  Quebec, Australia and New Zealand.

14
Other issues to consider

• Consent
• Express
• Implied
• Opt-in / Opt-out?
• Notice
• Sufficient?
• Harmonization with PIPEDA

15
EU Response to PPIA?

• EU Adequacy Decision
• Canada is considered as providing an adequate
  level of protection for personal data transferred
  from the Community to recipients subject to the
  Personal Information Protection and Electronic
  Documents Act.
• But
• This Decision may be amended at any time in the
  light of experience with its functioning or of
  changes in Canadian legislation, including
  measures recognizing that a Canadian province has
  substantially similar legislation.

16
The IPC PPIA, 2002

• Cooperation and mediation, not confrontation
• IPC has a long history of working collaboratively
  with the public and private sectors
• Learn from the experience of jurisdictions with
  private sector privacy laws
• We have never seen a business plan that could
  not be operated within the data privacy
  legislation.
• Elizabeth France, UK Commissioner
• Will produce guidelines for businesses and public
  outlining responsibilities and expectations

17
The Value of Privacy

• Complying with privacy regulations can be
  considered just a business cost, but many
  companies understand that a reputation for
  guarding privacy can also be a selling point.
  They need to be stewards, to the extent they can
  gain a competitive advantage from privacy.
• Ken DeJarnette, Deloitte Touche

18
How to Contact Us
Ann Cavoukian, Ph.D. Information Privacy
Commissioner/Ontario 80 Bloor St. W., Suite 1700,
Toronto, M5S 2V1 Phone (416) 326-3333 Web
www.ipc.on.ca E-mail commissioner_at_ipc.on.ca