The Personal Information Protection and Electronic Documents Act Report

Introduction

The miracles of computers and Internet communications have transformed this world into a global village in the true sense of the term. Today, just at the click of a button we can cross the barriers of time and distance and get in touch with our friends and relatives staying abroad, carry out online business transactions, real-time banking, and many more functions. All these functions require us to pass on personal & confidential information, which may be misused by hackers or frauds if not protected through proper data protection legislation and data usage protocols. Many countries around the world have developed privacy policies and laws to protect an individual’s information in the realm of electronic communication (Green Ashley, 2003). Universal enforcement gets complicated because the Internet is not restricted to one country; it’s worldwide. As a result, concerns arise regarding the compatibility of various countries’ privacy policies. This paper will discuss the current legislation in place in Canada, the silent features of the Canadian data protection Act, the existing conflicts and gaps if any, and the implications these may have for the protection of privacy on the Internet.

Internet Privacy Concerns & Laws

Most countries around the world are toady concerned about Internet privacy. They protect an individual’s right to privacy in some respects, because “privacy is a fundamental human right that has become one of the most important human rights of the modern age” (privacyinternational.org). Definitions for privacy vary according to context and environment. For example, in the United States Justice Louis Brandeis defined privacy as the “right to be left alone” (Privacy and Human Rights, 2003). In the United Kingdom, privacy is the right of an individual to be protected against intrusion into his personal life or affairs by direct physical means or by the publication of information. Australian legislation states that privacy is a basic human right and the reasonable expectation of every person. Regardless of varying definitions of privacy, the importance of an individual’s privacy is recognized on some level.

Every country in the world has a provision for privacy, even if it is as simple as the right to privacy in one’s home or the right to secrecy of communication. On a more global level, international agreements such as the International Covenant on Civil and Political Rights and the European Convention on Human Rights protect the privacy of individuals around the world. We see that in order to protect the fundamental privacy rights of individuals, laws have been established on both local and global scales (TRUSTe, 2003). Therefore, it follows that laws are also necessary to protect the information of individuals in the electronic environment.

Various countries to protect the sensitive information of individuals on the web adopt two types of laws. The first kind, comprehensive laws, are laws “that govern the collection, use, and dissemination of personal information by both the public and private sectors” (Dr. Armgard, 2004). These general laws do not deal with individual areas like health care or educational systems. Instead, they establish standards for use of private information for all entities. Comprehensive laws are usually adopted for one of three reasons: to remedy past injustices, to promote electronic commerce, or to ensure that laws are consistent with Pan-European laws. In addition, comprehensive laws often require the establishment of an independent commissioner to oversee the enforcement of the law. Unfortunately, problems arise because either a lack of resources hinders enforcement or the “independent” commissioner is under the control of the government. The second set of laws is characterized as sectoral laws. These laws avoid broad, extensive legislation and instead target various sectors. The implied advantage of sectoral laws is their enforceability. Since they are so specific in nature, one would think that they would be easier to enforce than broad, comprehensive laws. On the other hand, introducing sectoral laws is difficult because legislation has to be passed for each new sector. While these two types of laws have their advantages and disadvantages, countries have formed a sharp divide by choosing one type of law or the other (Green Ashley, 2003).

Comprehensive laws remain the main choice of many countries around the world. All countries in the European Union, Canada, Australia, and the United Kingdom have chosen to implement legislation that is not sector-specific. For example, the European Union adopted the Privacy and Electronic Communications Directive to prohibit the secondary use of all data without the informed consent of the individual. Some of the details of this directive include the requirement of opt-in personally identifiable online profiles, upfront notice when data is collected from data collectors, and the prohibition of data transference to any country that is not a member of the European Union. Although these details hold promising potential for privacy protection, they could present problems for European businesses. Specifically, the prohibition of data transfer to countries other than those in the European Union holds implications for international business.

Data Protection Act of Canada

Canadians continue to think personal information not well protected: Tabling of Privacy Commissioner of Canada’s Annual Report on the Privacy Act Ottawa, October 17, 2007 — Canadians overwhelmingly feel their personal information is less well protected than it was a decade ago, and they are right to be worried, says the Privacy Commissioner of Canada, Jennifer Stoddart (Annual Report, 2006-07). Seven in ten Canadians feel their personal information is less protected than it was ten years ago. A bare majority of Canadians agree that they have enough information to know how new technologies might affect their personal privacy. About seven in ten Canadians believe that they are doing a relatively good job of protecting their own personal information (Backgrounder, 2007). Despite this, almost half of Canadians (46 percent) carry a Social Insurance Number (SIN) card in their wallet, although this number is a key piece of information used by identity thieves (EKOS Survey, 2007).

Canada has enacted a Federal law for data protection called the “Personal Information Protection and Electronic Documents Act (PIPEDA)” which is implemented in three stages, beginning January 1, 2001and fully implemented as of January 1, 2004. This law is based on the ten principles set forth in the Canadian Standards Association’s Model Code on the Protection of Personal Information and is similar to the eight principles established under the EU Directive. This is also similar to the U.S. Safe Harbor principles (Boschee Kate, 2004).

Objectives & Functioning of PIPEDA

The main purposes of PIPEDA are:

• To balance the privacy rights of individuals with respect to their personal data against the need of organizations to collect, use or disclose personal information in the course of commercial activities.
• To satisfy the “adequacy” requirement under European data protection laws and thereby permit the free flow of personal information from countries within the EEA to organizations in Canada.

Just as the United States has federal and state laws, Canada has federal and provincial laws. Each province is expected to adopt its own general data protection laws. To date, however, only Quebec, British Columbia, and Alberta have passed general data protection laws. The Governor in Council has the authority to declare that a provincial law is “substantially similar” to PIPEDA and to issue an “exemption order”. If the Governor in Council declares that a provincial law is “substantially similar” to PIPEDA, then that provincial law will govern the collection, use, and disclosure of personal information by private sector organizations within that province. To date, only Quebec’s data protection law has been declared “substantially” similar to PIPEDA.

Application of PIPEDA

As of January 1, 2004, PIPEDA applies to every “organization” with respect to the “personal information” it collects, uses, or discloses in the course of its “commercial activities” – unless the collection, use, or disclosure of the personal information takes place wholly within a Canadian province that has adopted “substantially similar” legislation. However, PIPEDA does not apply to:

• Personal information collected, used, or disclosed by a private sector organization wholly within a province that has adopted “substantially similar” legislation.
• Personal information collected, used, or disclosed by a private sector organization in connection with an employment relationship.
• Public bodies, at both the federal and provincial level.
• Personal information collected, used, or disclosed for purely personal, domestic, journalistic, literary, or artistic purposes.

As used in PIPEDA, the term “organization” includes- Corporations, Associations, Partnerships, Trade unions, and Persons. Under this law, the term “commercial activities” means any transaction, act or conduct or any regular course of conduct that is of a commercial nature which

• Does not include charitable activities.
• But does include selling, bartering, or leasing donor, membership, or other fundraising lists.

Here, the term “personal information” means any information about an identifiable individual. Personal information may include an individual’s name, age, gender, race, marital status, home address, credit rating, medical information, criminal history, purchasing history, and so on. Information is deemed to be “personal information” if the information identifies a particular individual either on its own or in combination with other information available to the organization, such as a table of customer ID numbers. “Personal information” does not include the name, title or business address, or telephone number of an employee of an organization.

The ten principles

PIPEDA establishes ten principles governing the collection, use, and disclosure of personal information in the course of commercial activities. These ten principles are set out in Schedule 1 of PIPEDA. Limited exceptions are set out in Sections 6-9 of PIPEDA. The ten principles are:

• Accountability.
• Accuracy.
• Identifying purposes.
• Safeguards.
• Consent.
• Openness.
• Limiting collection.
• Individual access.
• Limiting use, disclosure, and retention.
• Challenging compliance.

Accountability/Essence of PIPEDA

The central theme of PIPEDA is that organizations may not collect, use or disclose personal information in the course of commercial activities without the knowledge and informed consent of the individual. Principles 2-5 (“identifying purposes,” “consent,” “limiting collection,” and “limitations on use, disclosure, and retention”) each develop different aspects of this central theme.

Organizations are responsible for the information they transfer to a third party for processing (e.g., a third-party vendor), and must use contractual or other means to provide a comparable level of protection for the information being processed by the third party. Organizations must make reasonable efforts to make sure that information is accurate, complete, and up-to-date for the purposes for which it is to be used.

Identifying purposes

An organization must identify and document the purposes for which personal information are collected at or before the time the information is collected. The organization must inform the individual of the purposes for which the information will be used at or before the time of collection. If the organization later wishes to use the information for another purpose, the organization must first obtain the consent of the individual.

Consent

Organizations may collect, use and disclose personal information only with the knowledge and consent of the individual. Consent is not valid unless the individual knows- What personal information the organization is collecting; How it will be used and to whom it will be disclosed. This means that the organization must identify (or it must be clear under the circumstances):

• What personal information the organization is collecting.
• The specific purposes for which the information will be used.
• The third parties (or types of third parties) to whom it will be disclosed.

Thus the principle of “consent” is closely related to the principles of “identifying purposes” and “limiting use, disclosure, and retention”.

Limiting collection

An organization may not collect more information than is necessary for the purposes identified by the organization. Information may not be collected by unfair or deceptive means.

Limiting Use, Disclosure, and Retention

Organizations may not collect, use or disclose personal information for purposes other than those for which the information was collected, except with the consent of the individual or as required by law. Organizations may not retain information longer than necessary for the fulfillment of the purposes for which it was collected or as required by law.

Accuracy

Personal information must be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. It should be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make decisions about the individual. On the other hand, an organization must not routinely update personal information, unless it needs to be updated to fulfill the purposes for which it was collected.

Safeguards

Personal information must be protected by security safeguards appropriate to the sensitivity of the information:

• Physical measures (e.g., locks).
• Organizational measures (e.g., security clearances, limiting access on “need-to-know basis).
• Technological measures (e.g., encryption and passwords).

These safeguards must protect information against loss, theft, unauthorized access, disclosure, copying, use, and modification. Organizations must train their employees so that their employees understand the importance of maintaining the confidentiality of personal information.

Openness

Organizations must be open about their policies and practices with respect to the management of personal information. Organizations must make this information readily available to individuals, in a form that is generally understandable. This requirement may be met, for example, by publishing the information on the organization’s website or by making brochures available at the organization’s offices.

The information made available must include- The name or title and address of the person who is accountable for the organization’s compliance and to whom inquiries and complaints may be addressed; The means of gaining access to personal information held by the organization; A description of the personal information held by the organization and a general account of its use; A description of personal information made available to related organizations, such as subsidiaries.

Individual Access

Individuals have the right, with limited exceptions:

• To know what personal information an organization holds about them.
• To know to whom it has been disclosed and for what purpose.
• To access their personal information.
• To challenge the accuracy and completeness of the information and have it amended if it is inappropriate.

Challenging Compliance

Organizations must develop a complaint process for receiving and resolving complaints regarding the organizations’ data practices. An organization must inform individuals who make inquiries of the existence of these procedures. These procedures should be easily accessible and easy to use.

PIPEDA’s Affect on Trade

PIPEDA contains no provision to allow an organization to disclose personal information – about customers, for example – to prospective purchasers or business partners without the consent of the individual affected. They may need to review this information (such as client lists) for their “due diligence” evaluation of whether to proceed with the transaction – perhaps a merger, acquisition, or sale of business. Such transactions may range from the relatively modest – sale of a dental practice, including its patient lists – to very large corporate takeovers.

Other laws the Alberta and British Columbia Personal Information Protection Act (PIPA) allow disclosures without the individual’s consent, subject to stringent confidentiality agreements. If a sale or merger occurs, some individuals may not want their personal information transferred as part of that sale or merger. In such cases, should individuals have the opportunity to opt-out of the transfer of their personal information? This happens to be an important issue that is under review in context with the application of PIPEDA in Canada. Another issue for the PIPEDA review, very topical in light of growing concern about identity theft is what we term the “duty to notify.” Some argue that organizations that suffer security breaches or the outright theft of their personal information holdings should be required to mitigate the risk of identity theft to the individuals involved. Mitigation after a security breach could involve notifying the individuals whose information is at stake, credit agencies, relevant government agencies (for example, those that administer welfare benefits), and other commercial entities, such as banks.

By the end of 2005, roughly half of U.S. states had passed laws requiring customers to be notified when their personal information is compromised. As well, several bills have been introduced, but none yet passed, at the federal level in that country. These laws typically provide for large fines for failure to notify. For example, legislation in New York State provides for penalties of up to $150,000 for knowingly or recklessly violating the reporting requirements. Some argue that PIPEDA should include a similar duty to notify the individuals affected after a security breach. Of Canadian data protection laws, Ontario’s Personal Health Information Protection Act is the only one requiring notification after a security breach. The Act requires health information custodians to notify individuals at the first reasonable opportunity if their personal health information is stolen, lost, or accessed by unauthorized persons.

The current business climate often favors the outsourcing of data processing. Some outsourcing results in the transfer of personal information to organizations in Canada that are themselves subject to PIPEDA or substantially similar provincial data protection legislation. Outsourcing may also involve transferring personal information outside Canada, a process described as the transborder flow of personal information. PIPEDA currently imposes responsibility on an organization for information that has been transferred to a third party for processing. The organization must use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. This principle applies to any transfer, whether the receiving company is in Canada or abroad. Still, the growing concern about the loss of control over the personal information of Canadians when it crosses borders has led to a discussion about several possible options to enhance respect for this accountability principle. Among the other means to protect personal information are provisions that might be placed in contracts between an organization in Canada subject to PIPEDA and the receiving company. These could include provisions allowing the organization in Canada to inspect and audit the information management practices of the company processing the data abroad, including security practices and disposal procedures, and how the receiving company will enforce these practices and procedures. The contract could also require the company abroad to provide individuals with access to the personal information it holds about them.

Since PIPEDA was enacted, a series of Acts have gradually whittled away at its protections, dangerously blurring the distinction between the public and private sectors and, in effect, deputizing the business community to act as the agent of the government. First, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act was amended to require financial institutions and other organizations to disclose personal information to the Financial Transactions Reports Analysis Centre of Canada. Then, amendments to the Aeronautics Act allowed Canadian air carriers to disclose passenger information to the customs and immigration authorities of foreign states. The Public Safety Act allows the Minister of Transport, the RCMP, and CSIS to require air carriers and operators of aviation reservation systems to provide them with information about the passengers and crew of airlines and other modes of commercial transport. As well, it amended PIPEDA to allow organizations to collect personal information, without consent, for the purposes of disclosing this information to the government, law enforcement, and national security agencies. This incremental weakening of PIPEDA is very disturbing to a Privacy Commissioner.

Impact of PIPEDA on Security of Organizations

This law applies to every organization with regard to the use of personal information that it collects, uses, or discloses in the course of commercial activities as well as its employee’s personal information. Under this law, IT leaders need to:

• Establish safeguards for personal information to ensure only those with a business need can gain access to it.
• Establish retention practices to ensure personal information is retained for as long as is necessary to allow individuals access to it for pursuing actions related to PIPEDA violations.

As noted in the majority report, PIPEDA only fully came into effect on January 1, 2004. The Conservative members wish to emphasize the majority report’s focus on fine-tuning PIPEDA, rather than prescribing wholesale changes. The business community, privacy stakeholders and officials, including the Office of Privacy Commissioner of Canada, are facilitating PIPEDA’s adoption. The Conservative members of the Committee support those efforts. The Conservative members do not support efforts that would unduly increase the compliance burden on the small business community through, for example, changes that would make PIPEDA unnecessarily prescriptive. The Conservative members applaud the work of those business groups, including the Canadian Federation of Independent Business, helping small and medium-sized businesses comply with PIPEDA and protect Canadians’ personal information (House of Commons Review, 2000).

The use of personal information in Canadian commercial activities is now protected by federal legislation under the Personal Information Protection and Electronic Documents Act (PIPEDA), or by provincial legislation that is “substantially similar” to the federal legislation. PIPEDA applies to both traditional, paper-based business as well as on-line commercial activities. Privacy is a deeply-rooted, strongly-held public value. PIPEDA was enacted to alleviate consumer concerns about privacy and to allow Canada’s business community to compete in the global digital economy. Organizations able to demonstrate their respect for, and protection of, personal information will gain a cutting edge on the competition. Complying with PIPEDA will build trust in the digital marketplace and create opportunities for Canadian businesses. As a result, Canadian organizations need to develop and implement privacy policies now. This site aims to provide them with information that will assist them in doing so.

Conclusions

PIPEDA Provides “Adequate” Protection for Personal Data Transferred from EEA. In January, 2002, European Commission officially recognized that PIPEDA provides “adequate protection” for personal data transferred from countries within the EEA to Canada — provided the personal data is covered by PIPEDA. If the data is not covered by PIPEDA, the parties must take other steps to ensure the data will be adequately protected, such as executing a transborder data flow agreement before exporting the data.

References

Green Ashley, Sensitive Information in a Wired World, Professor Joan Feigenbaum, Yale University, 2003.

Privacy and Human Rights 2003: Overview. page 1. Web.

TRUSTe Unveils European Union Safe Harbor Privacy Seal Program. Dave Steer. 2003. Web.

Dr. Armgard von Reden, Data Protection Activities In The Private Sector, Manager, Government Programs – Europe, Middle East and Africa, IBM, Belgium, 2004.

Annual Report to Parliament 2006-2007 – Report on the Privacy Act (Adobe format).

Backgrounder: Findings of a 2007 poll commissioned by the Office of the Privacy Commissioner of Canada.

2007 EKOS Research Associates survey: Canadians and the Privacy Landscape.

Assessing the Privacy Impacts of Programs, Plans, and Policies (Adobe Format).

Boschee Kate, Canadian Data Protection Law:The Personal Information Protection and Electronic Documents Act (PIPEDA), The American Bar Association, 2004.

House of Commons Standing Committee on Access to Information, Privacy and Ethics (the “Committee”), Statutory Review of the Personal Information Protection and Electronic Documents Act (2000, c. 5) (“PIPEDA”).