Privacy: It’s just good business
Tom Mitchinson
Assistant Commissioner
IPC/Ontario
Sault Ste Marie Chamber of Commerce
Wednesday, September 11, 2002
Why Privacy?
“Complying with privacy regulations can be considered just a business cost, but many companies understand that a reputation for guarding privacy can also be a selling point. They need to be stewards, to the extent they can gain a competitive advantage from privacy.”
Ken DeJarnette, Deloitte & Touche
Ontario Privacy Legislation
Public Sector: Freedom of Information and Protection of Privacy Act (1988) and Municipal Freedom of Information and Protection of Privacy Act (1991)
Private Sector: Proposed Privacy of Personal Information Act, 2002 (“PPIA”)
The Information and Privacy Commissioner/Ontario (IPC)
Resolves appeals from access decisions by government organizations;
Investigates privacy complaints about government-held information;
Conducts research on access and privacy issues and advises on proposed government legislation and programs; and
Educates the public about access and privacy.
What is Privacy?
In 1890, U.S. Supreme Court Justices Brandeis and Warren defined privacy as “the right to be let alone”
Warren & Brandeis,
“The Right to Privacy”
PIAC/Ekos Survey
2001 survey of Canadian opinion by Ekos for the Public Interest Advocacy Centre (PIAC)
– 85% of respondents received unsolicited advertising material in the previous month; of these, 74% express moderate or high concern;
– 61% prefer no more telemarketing calls even if it means missing opportunities;
– 82% say they should be asked for permission before their information is used for marketing.
Court Comments on Privacy
“Privacy is at the heart of liberty in the modern state.” (Alan Westin)
Interest in being left alone includes the right to control the dissemination of confidential information.
Privacy is necessarily related to many fundamental human functions.
Voluntary Privacy Codes
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980)
Canadian Standards Association Model Code (1996)
EU Data Protection Directive
Adopted by European Union in 1995.
Restricts flow of personal information outside member states to countries that have adequate privacy protection in place.
Legislative action by Canada (PIPEDA) and proposed Ontario bill are designed in part to facilitate business with EU firms.
Personal Information Protection and Electronic Documents Act (PIPEDA)
Canada’s federal private sector privacy law
– Incorporates CSA Code as a schedule;
– Since January 1, 2001 has applied to commercial activities;
– Until January 1, 2004 applies only to federally regulated undertakings (banks, airlines, etc.) and to sales of personal information across provincial borders; and
– As of January 1, 2004, will apply within any province that has not passed a “substantially similar” law.
CSA Model Code - 10 Privacy Principles
– Accountability
– Identifying Purposes
– Consent
– Limiting Collection
– Limiting Use, Disclosure, Retention
– Accuracy
– Safeguards
– Openness
– Individual Access
– Challenging Compliance
The Privacy Diagnostic Tool
Produced in partnership with Guardent and PricewaterhouseCoopers
Takes your company’s “privacy pulse”
Available on IPC Web site www.ipc.on.ca
Ontario’s Draft Privacy of Personal Information Act, 2002
Consultation Draft released by Ministry of Consumer and Business Services on February 4, 2002;
Available on Web sites of the IPC (www.ipc.on.ca) and the Ministry of Consumer and Business Services (www.cbs.gov.on.ca).
PPIA : Background
Joins provisions formerly planned for two separate Acts – one for health and one for rest of private sector.
Replaces former Bill 159, the Personal Health Information Privacy Act, which never became law.
Some other provinces have health privacy acts, but only Quebec has a private sector privacy law.
PPIA - Purposes
Recognizes the “… privacy right of individuals to control the collection, use and disclosure of their personal information by organizations and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.” (s. 1(c))
Does Proposed PPIA Apply to You?
Proposed bill applies to:
– Ontario businesses, partnerships, unions
– Ontario associations (incorporated or not)
– Ontario universities
– Ontario hospitals, doctors, pharmacies, clinics…
Does not apply to:
– Federally regulated businesses
– Institutions regulated under public sector legislation
– Individuals acting in a personal non-commercial capacity
– Artistic, journalistic or literary exemption
Consent
Organizations shall not collect, use or disclose personal information about an individual without consent, except in specific circumstances laid out in the Act.
EXPRESS OR IMPLIED CONSENT
IMPLIED CONSENT – Purchase of a television might imply consent to share the customer’s address with the delivery firm.
EXPRESS CONSENT – Consent may require a positive action by an individual where sensitive information is concerned.
OPT-OUT CONSENT
Sufficient circumstances for opt-out:
– Customers consent to receive marketing materials or fundraising solicitations.
How is opt-out consent obtained?
– Provide customers with a clearly understood, easily exercised opportunity to opt out.
Proposed legislation balances individual privacy rights and legitimate business need to use personal information.
No Consent or Withdrawal of Consent
Circumstances for disclosure of personal information without consent:
– Where required by law; or
– As part of a law enforcement investigation.
Proposed legislation will provide that consent may be withdrawn.
NB: If withdrawal would frustrate a business agreement or an agreement to provide goods or services, it will NOT be permitted.
When in Doubt
If an organization is in doubt as to whether or not it has consent to the collection, use or disclosure of personal information, it shall obtain express consent.
Accountability & Access
Duties and obligations for organizations addressed in the consultation draft include:
– Accuracy
– Security
– Destruction
Permitted collection, use and disclosure without consent.
Individuals, including employees, will have a right of access.
Complaints & Appeals
Right to complain to Commissioner
– Improper collection, use, or disclosure
Right of appeal
– If access request is denied
OFFENCES & FINES
The proposed legislation includes offence provisions as well as fines:
– no prosecution launched except by someone acting on behalf of Attorney General;
– fines $50,000 for individuals; $250,000 for organizations;
– officer/employee personal liability for fines; and
– whistleblower protections.
Current Status of PPIA
Areas of focused attention:
– Simplification of wording / reduced overlap;
– Harmonizing wording/approaches with PIPEDA;
– Framework for use of opt-out notices in obtaining consent;
– Effective transition rules for personal information in existing databases; and
– Creating an open / consultative regulation-making process.
IPC Approach
Co-operative, non-confrontational approach to businesses, while remaining ready to enforce the law
Published orders
Clear directions to organizations subject to the law
Culture of Privacy
Establish your privacy regime
Then move beyond compliance alone to embrace a culture of privacy
Privacy in Business
“Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.”
Forrester Research, March 5, 2001
How to Contact the IPC
Information & Privacy Commissioner/Ontario
80 Bloor Street West, Suite 1700
Toronto, Ontario M5S 2V1
Phone: (416) 326-3333
Web: www.ipc.on.ca
E-mail: [email protected]