The privacy net / Renseignements protégés



The privacy net

 Since January 1, you’ve been caught in the privacy net, and so have most of your clients. The Personal Information Protection and Electronic Documents Act is in force — here’s what you should have done by now to comply with the law, and what you still need to do.

By Jean Cumming

Midnight has struck. Judgment day is upon us. Have you prepared yourself?


On January 1, 2004, the use of personal information in Canadian commercial activities officially came under the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal statute governing personal information in the private sector.

"Substantially similar" legislation in British Columbia and Alberta, which also took effect New Year’s Day, should apply in those provinces. Quebec has had its own privacy legislation in place for about ten years.

But even now, several weeks after PIPEDA came into force, many businesses are still scrambling to figure out their responsibilities under the Act — or in some cases, are just now hearing about the legislation. Law firms across the country are still fielding phone calls from clients about compliance; at a few of those firms, the realization is just now setting in that they’re captured by the legislation, too.

Heightening the pressure on both clients and lawyers is the fact that when the legislation took effect, so did the right of aggrieved parties to lay complaints under either the federal or applicable provincial legislation. The clock is already ticking.

What’s it all about?

More Privacy Resources on CBA PracticeLink

Law Firm Privacy Compliance in 10 Steps 
Concise and easy-to-follow guidelines prepared by Jeffrey Kaufman, Co-Chair of the Privacy Section Executive of the OBA and executive member of the CBA's National Privacy Section Branch. The article also includes links to other valuable privacy-related resources for law firms.

According to the federal government’s PIPEDA Website, the legislation was enacted to alleviate consumer concerns about privacy and to allow Canada’s business community to compete in the global digital economy.

"Organizations able to demonstrate their respect for, and protection of, personal information will gain a cutting edge on the competition," says the Website. "Complying with PIPEDA will build trust in the digital marketplace and create opportunities for Canadian businesses."

Indeed, with the implementation of PIPEDA, Canadian firms can now do business seamlessly with the European Union (EU), which recognizes PIPEDA as providing adequate privacy protection. The EU’s laws prohibit the flow of personal information to countries without such legislation. (Although the U.S. does not have comprehensive federal legislation, it does have several state and industry rules and regulations on privacy.)

"This is really ethics legislation," says Priscilla Platt of the Ontario Management Board Secretariat, Chair of the CBA’s National Privacy Law Section. She points out that since various governments (including Ontario’s) have already implemented public-sector legislation on privacy, their precedents and practices might be useful to law firms and other private-sector businesses looking to set up their own.

The impetus for PIPEDA also came from citizens’ concerns about online security and about the data that technology makes easy to collect and share. As Canadians expand our technological capacity to share information, we increasingly turn to governments to impose non-technological limits on that capacity.

So is the private sector ready for the impact of PIPEDA? Are law firms ready? Answers to these questions are mixed.

Be prepared

Law firms are accustomed to working with the principle of confidentiality, says Platt, and that will help them adapt to change. Other businesses, says privacy lawyer David Fraser of McInnes Cooper in Halifax, are also "dealing in a pretty fair way with personal information, as this law requires them to do.

"It’s a customer relationship issue," he says. "Customers ask about their information: why is it being collected? What’s being done with it? Businesses needed to become proactive in response to these questions."

Some businesses will already be ahead of the curve. Because PIPEDA adopted the Canadian Standards Association’s (CSA) Model Code for the Protection of Personal Information, businesses with a history of following the Code in its pre-statutory voluntary stage will find preparing for PIPEDA that much easier.

Nor are many law firms unprepared. After chairing two conferences on the subject, technology lawyer Martin Kratz of Bennett Jones in Calgary says that "most law firms are reasonably well-prepared, and many in the private sector are coming to grips" with the privacy challenge.

Larger companies, he notes, that have been doing business in other jurisdictions have already implemented satisfactory privacy procedures. However, adds Kratz, since PIPEDA "applies to almost all private-sector organizations, it is smaller businesses, such as a pizza parlour or a dry-cleaner, that are struggling to understand why they have to do anything."

PIPEDA applies to more than business corporations; it can also apply to charitable organizations carrying on commercial activities. These organizations may not be ready for PIPEDA because of the additional resources required to implement appropriate procedures.

And then, says Saskatchewan Privacy Commissioner Gary Dickson, "there’s a school of thought that says, ‘Let’s wait and see how strictly this legislation will be enforced.’" This would be foolish advice to provide to clients. Preparing for PIPEDA compliance requires training, self-education, new procedures and, therefore, expense. Procrastination could prove even more costly.

As set out on the Privacy Commissioner’s Website: "A firm that fails to protect the privacy of personal information faces significant risks, including:

• damage to reputation, brand and business relationships,

• charges of deceptive business practices,

• legal liability and industry or regulatory sanctions,

• customer, employee and stockholder distrust,

• reduced revenue, market share and shareholder value, and

• customer refusal to provide personal information."

Provincial initiatives

There are reasonable explanations for why some organizations, perhaps even law firms, procrastinated in their preparation for PIPEDA or similar provincial legislation — particularly in Western Canada.

In B.C. and Alberta, the development of their respective provincial legislation eclipsed preparation for PIPEDA. Who could be sure until the last minute which statute would apply?

Gary Dickson, who was a privacy law practitioner in Alberta before his appointment to the Saskatchewan Privacy Commissioner’s Office, says the drafters of B.C.’s and Alberta’s statutes were very careful in their work and consulted Industry Canada along the way. It seems unlikely that the legislation would be declared not "substantially similar," so these provincial statutes ought to remain in effect.

It is still possible that the provincial statutes might be challenged pursuant to the procedure set out by Industry Canada in the Canada Gazette. But as Kratz asks: "Who would make that challenge? Who would want to be responsible for the chaos that would create?"

On the brighter side, law firms and businesses that have been busily preparing for privacy legislation have had various tools at their disposal. Kratz in particular commends B.C. and Alberta’s governments for providing Websites (www.psp.gov.ab.ca; www.gov.bc.ca/com/priv) with useful preparation advice. And the CBA’s Privacy Law Section (www.cba.org/CBA/Sections/privacy) has been busy producing educational material for practitioners.

As for the Quebec statute, the Loi sur les renseignements personnels dans le secteur privé (completing the protection offered by article 5 of the Charte québécoise and ss. 35 to 41 of the Civil Code) has already been officially recognized as "substantially similar" to the federal statute.

However, the Loi sur les renseignements personnels only covers private entities created under provincial law. All privacy matters related to an organization created under federal legislation — or any communication of personal information taking place on an international or inter-provincial level — will be dealt with by the federal legislation.

Technoprivacy

Here are just a few of the many technology tools available for ensuring compliance with new privacy laws.

In many ways, it was the growth of the Internet and rapid expansion of online information storage and communication that inspired new privacy legislation such as PIPEDA. It only seems appropriate, then, that technology is also poised to help businesses and organizations cope with the new legislative requirements.

Indeed, Canadian technology companies have responded quickly by introducing many new products. Here’s a quick look at just three of them.

Online consent

Talk about new business: it was just last spring when Brampton, Ontario-based eQuest Systems was launched "with the specific intent to help businesses manage PIPEDA," says co-founder Kathy Tuitt. "The burden on organizations is huge," she says, "and awareness of what PIPEDA’s going to mean is abysmal." She hopes to change all that.

Her company offers "e-consent," a three-part Web-based application. First, it provides an online form with which to define the reasons and purposes for collecting, using, and disclosing information, and how long it will be retained.

Secondly, it provides an online facility for obtaining consents. For example, a client could sign on to a lawyer’s Website using an individual user name and password, then read all the different purposes for which various types of information are required and provide consent for any or all of them.

Thirdly, a client can question a lawyer’s use of information using eQuest, employing the system’s "challenge management facility." The client sends an online enquiry to the firm’s privacy officer, and the enquiry must be answered within 30 days (www.equestsystems.com).
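To make the three pieces concrete, here is an added illustration written for this page (not eQuest’s e-consent code, nor any real firm’s system): a purpose-bound consent register in Python. Information may be used only for a purpose that was declared to the client and consented to, and only within the retention period; a client challenge starts the 30-day response clock the article describes. The purpose labels, client ids and dates are hypothetical.

```python
"""Purpose-bound consent register with a challenge-response clock.

Added illustration for this article: not eQuest's e-consent product, nor code
from any real firm. Purposes, clients and dates are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Purposes a firm declares to clients before collecting information
# (hypothetical labels and descriptions).
DECLARED_PURPOSES = {
    "retainer": "performing legal services under the retainer",
    "billing": "invoicing and collection",
    "marketing": "firm newsletters and seminar invitations",
}

CHALLENGE_RESPONSE_DAYS = 30  # response window the article describes


@dataclass
class ConsentRecord:
    client_id: str
    consented: dict = field(default_factory=dict)   # purpose -> retain-until date
    challenges: dict = field(default_factory=dict)  # challenge id -> date filed

    def grant(self, purpose, retention_days, today):
        """Record consent for one declared purpose with a retention limit."""
        if purpose not in DECLARED_PURPOSES:
            raise ValueError(f"purpose {purpose!r} was never declared to the client")
        self.consented[purpose] = today + timedelta(days=retention_days)

    def withdraw(self, purpose):
        """Client withdraws consent: the purpose is no longer usable."""
        self.consented.pop(purpose, None)

    def file_challenge(self, challenge_id, today):
        """Client questions the firm's handling of their information."""
        self.challenges[challenge_id] = today


def may_use(rec, purpose, today):
    """Return (allowed, reason): the decision a data-access layer would enforce."""
    if purpose not in DECLARED_PURPOSES:
        return False, "undeclared purpose"
    until = rec.consented.get(purpose)
    if until is None:
        return False, "no consent on file for this purpose"
    if today > until:
        return False, "retention period expired; the information is due for disposal"
    return True, "consented and within retention period"


def challenge_deadline(rec, challenge_id):
    """Date by which the privacy officer must answer a client's enquiry."""
    return rec.challenges[challenge_id] + timedelta(days=CHALLENGE_RESPONSE_DAYS)


def overdue_challenges(rec, today):
    """Challenge ids whose 30-day response window has already passed."""
    return sorted(cid for cid in rec.challenges if today > challenge_deadline(rec, cid))


if __name__ == "__main__":
    rec = ConsentRecord("client-0001")
    rec.grant("retainer", retention_days=7 * 365, today=date(2004, 1, 15))
    rec.grant("billing", retention_days=7 * 365, today=date(2004, 1, 15))
    print(may_use(rec, "retainer", date(2004, 6, 1)))    # allowed
    print(may_use(rec, "marketing", date(2004, 6, 1)))   # denied: never consented
    rec.file_challenge("chal-1", date(2004, 2, 2))
    print(challenge_deadline(rec, "chal-1"))             # 2004-03-03
    print(overdue_challenges(rec, date(2004, 3, 10)))    # ['chal-1']
```

The point of routing every use through `may_use` is that "purpose" becomes an authorization attribute rather than a policy statement: a marketing mail-merge against retainer data fails closed, and expired retention surfaces as a denial rather than a quiet leak.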

Secure collaboration

"E-mail alone just won’t cut it anymore," says Daniel Gagnier, Business Development Manager for The Data Corporation of Windsor, Ontario. His firm’s "secure desktop collaboration tool," Tenix, is a software application that allows users to collaborate on projects both within and outside their organization.

For lawyers, says Gagnier, Windows-based Tenix can secure and protect client information shared between two offices of the same firm, between two law firms, between a lawyer’s office and a client’s, or between a lawyer and third parties such as experts.

Tenix provides "custom workspaces" that are stored on the user’s own server, on Data Corporation’s server, or with a third-party outsourcer. The company is also researching a product to ensure privacy on handheld computers and, much sooner, is about to release a Web-based version of Tenix.

Online certification

Preventing online theft of credit or other identity information is a key goal for privacy legislators. In this regard, IDScript Digital Credentials Inc. offers an online certificate program that law firms and their clients might well find helpful. The certificate "allows you to encrypt e-mail, digitally sign e-mail, and electronically sign documents," says company spokesperson Gail Michel.

IDScript works in conjunction with Juricert Services Inc, an initiative of the Law Society of British Columbia and other law societies. A lawyer or other businessperson applies to Juricert for authentication of his or her identity; Juricert obtains the necessary paper signature and witness documentation. IDScript then verifies the lawyer’s identity with Juricert.

IDScript also offers Web server certificates that verify the identity of your server. Such a certificate is issued to your Web server, not to you personally; it assures an online visitor that he or she is corresponding with your Website and not with a fraudulent page. It also lets the visitor’s browser and your server encrypt the data they exchange over an SSL connection, a particularly helpful asset when credit card information is required (www.idscript.com).

The three provincial Acts are remarkably similar to one another. But according to Raymond Doray, a privacy law practitioner with Lavery de Billy in Montreal, sufficiently significant differences between these statutes and PIPEDA could create difficulties related to the concurrent application of federal and provincial laws.

"Incoming obligations might be difficult to identify," says Doray, "when, for example, in the same transaction, a [federally incorporated] bank is involved with a provincial business." Kratz adds that PIPEDA does not have a "grandfathering" provision with respect to the consent necessary for obtaining information; the provincial statutes do.

A PIPEDA guide

For those not yet familiar with the basics of PIPEDA, here is the federal government’s online description, "PIPEDA in a Nutshell."

Under PIPEDA, personal information must be:

• collected with consent and for a reasonable purpose,

• used and disclosed for the limited purpose for which it was collected,

• accurate,

• accessible for inspection and correction, and

• stored securely.

PIPEDA defines personal information as "information about an identifiable individual" that includes any factual or subjective information, recorded or not, in any form. For example, the following would be considered personal information:

• name, address, telephone number, gender;

• identification numbers, income or blood type;

• credit records, loan records, the existence of a dispute between a consumer and a merchant, and

• intentions to acquire goods or services.

Under PIPEDA, personal information does not include the name, business title, business address, or business telephone of any employee — that is, information on a business card. But the legislation does cover sensitive personal information, which may include health or medical history, racial or ethnic origin, political opinions, religious beliefs, trade union membership, financial information and sexual preference.

To comply with PIPEDA or provincial legislation, law firms and their clients will need to do at least the following:

1. Analyze and understand the life-cycle of information in your business or organization, especially at these six stages: collection, use, disclosure, retention, security, and disposal.

2. Develop a privacy policy statement that reflects the development of sound information management practices, and make this statement available for all to see.

3. Appoint a Chief Privacy Officer (CPO) in your firm or organization. Privacy lawyer Jeffrey Kaufman of Fasken Martineau in Toronto recommends this officer be a senior figure in the organization, to encourage "buy-in" by others. Naturally, this officer will have to delegate responsibilities to other employees, but that in turn will reinforce buy-in around the shop.

4. Develop policies and procedures (pursuant to your policy statement) that provide for the life-cycle of information in your firm.

5. Keep apprised of amendments to the privacy statutes and of precedents decided under them. The government Websites will be particularly helpful in this regard.

6. "Understand what types of technology are available" to assist in protecting information, says Priscilla Platt, who points out that procedures need to be developed to cover both technological and paper information (see sidebar).

Issues to resolve

While these fundamentals for compliance may seem fairly straightforward, and in some cases may already be in place, there remain several issues for law firms that will not be as easy to resolve. These include:

1. What will be the impact of privacy legislation upon Knowledge Management (KM) systems? KM is premised upon the importance of sharing information, whereas privacy legislation is based on a strict "need to know" level of access. Kaufman provides a hypothetical: if a law firm prepared the will of a firm employee’s father, could every staff person read its contents in the KM system? Even if the name was concealed, would other factors help identify that will and its contents?

Kratz points out that all firm employees will need to exercise care and common sense when synthesizing privacy principles with their KM systems. In this example, says Kratz, names and other identifying factors, including dollar amounts, could be concealed in the KM system, especially those that do not impact on the legal principles germane to the system.
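As an added illustration of the point Kaufman and Kratz raise (example code written for this page, not from any firm’s KM system): a Python redaction pass that conceals the names and dollar amounts in a constructed, fictitious will and then lists the quasi-identifiers (street address, place name, date) that survive and could still identify the document. The sample text, the name list and the regular expressions are assumptions made for this illustration; real documents need a more thorough review than these patterns provide.

```python
import re

# Constructed sample text for this illustration only; the persons, address and
# amounts are invented and correspond to no real matter.
SAMPLE_WILL = (
    "LAST WILL AND TESTAMENT OF JOHN Q. SAMPLE\n"
    "I, John Q. Sample, of 12 Maple Street, Brampton, Ontario, declare this my will.\n"
    "I give my daughter Mary Sample the sum of $250,000.00.\n"
    "I give my son Robert Sample my cottage on Lake Muskoka.\n"
    "Executor: Jane Doe, Toronto. Dated 3 March 2003."
)

# Names the firm's own matter file would list (hypothetical).
KNOWN_NAMES = ["John Q. Sample", "Mary Sample", "Robert Sample", "Jane Doe", "Sample", "Doe"]

AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")

# Quasi-identifiers that plain name/amount redaction leaves behind. Simple
# patterns, assumed adequate for this constructed text only.
RESIDUAL_PATTERNS = {
    "address": re.compile(r"\b\d{1,5} [A-Z][a-z]+ (?:Street|Avenue|Road|Drive)\b"),
    "place": re.compile(r"\b(?:Lake|Mount) [A-Z][a-z]+\b"),
    "date": re.compile(
        r"\b\d{1,2} (?:January|February|March|April|May|June|July|August|"
        r"September|October|November|December) \d{4}\b"
    ),
}


def redact_names(text, names):
    """Replace each known name with [NAME]; longest names first so a full
    name is consumed before its bare surname."""
    for name in sorted(names, key=len, reverse=True):
        text = re.sub(r"\b" + re.escape(name) + r"\b", "[NAME]", text, flags=re.IGNORECASE)
    return text


def redact_amounts(text):
    """Replace dollar figures with [AMOUNT]."""
    return AMOUNT_RE.sub("[AMOUNT]", text)


def redact_for_km(text, names):
    """The concealment Kratz describes: names and dollar amounts removed."""
    return redact_amounts(redact_names(text, names))


def residual_identifiers(text):
    """Quasi-identifiers still present after redaction, as (kind, value) pairs.
    A non-empty result means the document may still be re-identifiable."""
    found = []
    for kind, pattern in RESIDUAL_PATTERNS.items():
        found.extend((kind, m.group(0)) for m in pattern.finditer(text))
    return found


if __name__ == "__main__":
    redacted = redact_for_km(SAMPLE_WILL, KNOWN_NAMES)
    print(redacted)
    for kind, value in residual_identifiers(redacted):
        print(f"still identifying ({kind}): {value}")
```

Run against the constructed will, the redacted text carries no name or dollar figure, yet the address, the cottage location and the date remain, which is exactly why Kaufman asks whether "other factors" would still identify the will: a KM administrator should treat a non-empty `residual_identifiers` result as a reason to withhold or further generalize the document.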

2. The absence of a grandfathering provision in PIPEDA could well prove challenging to law firms with volumes of information that were likely gathered without the level of consent contemplated by the Act.

3. Lawyers will need to pay special attention to their retainer/engagement letters. Do these include consent provisions with respect to the collection, use and disposal of personal information by third parties?

4. According to Kaufman, the "intersection between access to personal information and privilege" is not clear in PIPEDA. The Act provides an exception to access for solicitor-client privilege, he says. But its Schedule (also adopted from the CSA Model Code for the Protection of Personal Information) includes a broader exception to access for solicitor-client and litigation privilege.

5. According to David Fraser, "lawyers will need to be aware of whether they’re acting for themselves or for their client. If it is for their client, they need the client’s consent. But when I as a lawyer am acting for myself, [obtaining, using and disposing of information] for business development purposes, I am doing so on behalf of the firm. I need to do that properly, or the firm is responsible."

6. According to Kaufman, retaining private investigators and experts is not adequately covered in PIPEDA, and at least one amendment has already been proposed in that regard. Litigators of all stripes will need to monitor that development.

Finally, PIPEDA and the provincial privacy laws will have a real impact on individual lawyers and on the profession, because they will dramatically codify and develop the discipline of privacy law.

Both Kratz and Kaufman work with firm colleagues from various legal disciplines — technology, banking, and employment, for instance — who are practising privacy law in part. As time goes on, we’ll hear more practitioners refer to themselves exclusively as "privacy lawyers" — especially as we turn to them for help navigating these potentially turbulent new waters. 

Jean Cumming is a freelance legal affairs writer in Toronto.

Photo: Alena Gedeonova


Renseignements protégés (Protected information)
Since January 1, every Canadian business has had to be more vigilant about protecting personal information. Are you up to speed?

In the first hours of 2004, the Personal Information Protection and Electronic Documents Act (PIPEDA) came into force. A federal statute, it imposes on Canadian private-sector organizations (law firms included) specific obligations for the protection of certain sensitive data. Yet many businesses still do not know these obligations, or do not know how to meet them. Here is where to start.

More than an acronym

The government website devoted to PIPEDA tells us that it protects personal information "collected by private-sector organizations and sets out guidelines for the collection, use and disclosure of that information in the course of commercial activities." Personal information means "any factual or subjective information, recorded or not, about an identifiable individual." For example, not only a person’s name, address, telephone number and gender are personal information, but so are their blood type and credit record.

Under PIPEDA, this information must be:

· collected with the consent of the individual and for reasonable purposes;

· used and disclosed only for the purposes for which it was collected;

· accurate;

· accessible for inspection and correction;

· stored securely.

In short, "[i]t’s a customer relationship issue," comments David Fraser of McInnes Cooper in Halifax.

"Customers wonder why information about them is being collected. The business world needs to become proactive in response to these questions."

Substantially similar

For Quebecers, accustomed for ten years already to Quebec’s Act respecting the protection of personal information in the private sector (Loi sur la protection des renseignements personnels dans le secteur privé, together with articles 35 to 41 of the Civil Code), PIPEDA’s arrival will only extend near-identical protection to personal information collected by an organization under federal jurisdiction or in the course of interprovincial transactions. That is because PIPEDA applies to provincial organizations only where no "substantially similar" legislation exists.

For now, only Quebec’s legislation has been officially recognized as "substantially similar." British Columbia and Alberta, however, saw their own private-sector privacy regimes come into force on January 1, 2004, and those regimes should meet the same fate.

The concurrent application of provincial and federal laws will not be without friction, according to Raymond Doray, a lawyer with Lavery de Billy in Montreal. "Although the statutes spring from the same logic, small differences in the exceptions could create real difficulties of interpretation." He gives the example of a transaction involving a [federally incorporated] bank and a provincially incorporated business.

In practice, however, since the realities are the same, the various statutes call for essentially the same steps from the well-informed law firm and its clients.

Adopt a policy

Law firms are used to working with the concepts of confidentiality and should have no trouble adapting to the change, says Priscilla Platt, Chair of the CBA’s new National Privacy Law Section. Her colleague Martin Kratz of Bennett Jones in Calgary shares that view: "Most law firms are well prepared, and many large private-sector companies are tackling the problem." The remaining challenge is adaptation by small businesses and non-profit organizations, which have fewer resources to put in place the procedures needed to comply with the law.

To make sure you comply with PIPEDA or provincial legislation, the experts agree that you will need to:

1. Analyze and understand the life-cycle of information within your organization.

2. Develop and circulate a policy that reflects the existence of an adequate management system for protecting sensitive information.

3. Adopt specific procedures to ensure that you follow this policy.

4. Appoint a privacy officer within your organization.

5. Keep informed of new legislative and case-law developments on the subject. Government websites will prove particularly useful for this.

6. Know the technological means available to help you.

Other tools, such as software for managing consent over the Internet, for encryption or for authenticating your server, can help you meet your obligations and reassure your clients.

More questions than answers remain about the application and impact of PIPEDA. What effect will privacy legislation have on knowledge management systems? What about disclosure to third parties in the course of carrying out a mandate for a client? One thing is certain, however: PIPEDA will contribute greatly to the development of a new field of practice and to the emergence of privacy law specialists.

Copyright © The Canadian Bar Association