Privacy - Federal

Photo by tupungato/iStock / Getty Images

On April 4, 2000, the federal government of Canada finally passed Bill C-6, otherwise know as the Personal Information Protection and Electronic Documents Act.

For the three-year period from the date the legislation came into force, it did not apply to businesses under provincial jurisdiction, although the legislation purports to cover businesses engaged in the extra-provincial exportation of information. Provinces which enact similar legislation during the three-year period can expect to be exempted from the operation of the Act.

While billed as a necessary cornerstone to encourage use of the Internet by Canadians, the Act now also now places Canada firmly onside in compliance with the EC privacy directive of 1998 regulating the collection and export of personal data from the European Community.

Passage of the legislation furthers the federal government’s declared intention to establish Canada as a world leader in the use of electronic commerce through tax neutrality, cryptography, consumer protection, digital signatures, standards, secure electronic commerce, and privacy.

For the time being, privacy concerns have outweighed the convenience of government and business. The willingness of individuals to continue to sacrifice privacy for convenience remains a significant concern, however.

To the extent that the legislation is thought of as e-commerce enabling, the inclusion of Parts II and III dealing with electronic documents and amendments to the Canada Evidence Act can be rationalized. Part II facilitates the use of electronic alternatives to paper records and communications under federal laws. Regulations governing implementation of this part are required. Stay tuned for a future.

The Act effectively mandates a national standard for the protection of personal information. The 10 principals of the code have been enshrined in the legislation as a schedule to it.

Briefly, the Model Code mandates:

1. Organizational accountability for compliance;

2. The need to specify the purposes for which information is being collected, before collection;

3. The requirement for personal knowledge and consent by persons to the collection of information;

4. That the collection of information must be limited to that necessary for the purposes identified by the organization;

5. That the information can only be used, disclosed and retained as long as necessary for the stated purposes

6. That the information must be accurate;

7. That safeguards appropriate to the sensitivity of the information be in place;

8. Open access to organization policies and practises relating to management of information;

9. Individual access to personal information; and

10. The right to challenge organizational compliance.

This legislation is not to be confused with various provincial statutes with titles such as the Freedom of Information and Protection of Privacy Act (British Columbia), the primary purpose of which is to mandate government disclosure of information it might otherwise keep secret. Sidebar - these statutes can have application to businesses contracting with government to the extent that the parties wish to keep their arrangements private. For example, the University of British Columbia has refused to provide details of an exclusive marketing arrangement with Coca-Cola. The case is now under appeal. Prudence dictates that contracts with government contemplate this legislation, in order to strengthen the claim that such arrangements should be kept confidential.

The possibility exists that substantial costs could be incurred in complying with the legislation. In light of the significant value associated with databases, compliance with the legislation can be argued to be a mandatory part of an organization’s business strategy in order to maintain the value of this asset. Organizations subject to the legislation would be wise to implement compliance procedures in anticipation of the January proclamation if they wish to be able to continue to collect and use the personal data that is at the heart of their business in a cost effective manner. Compliance items include:

1. Restrictions on the collection of personal information;

2. Restrictions on the use of personal information;

3. Restrictions on the disclosure of personal information.

The impact on small business (for implementation and administration) remains to be seen.

The Federal government is limited in its ability to pass privacy legislation to those matters coming within its legislative prerogative. These areas include telecommunications, banking, inter-provincial transportation, defence, implementation of treaty obligations, trade and commerce, immigration, criminal law, and intellectual property.

While public support for the legislation was almost unanimous, the Canadian Security Intelligence Service (CSIS) objected to the legislation for reasons of law enforcement. CSIS felt that the legislation could have “an undue impact” on “day-to-day” operations of the agency. As a result of its concerns, amendments provide that private sector organizations can still disclose personal information without consent to government agencies for law enforcement and national security purposes. And in a similar vein, agencies are not obligated to disclose personal information to persons under investigation.

The Canadian medical establishment also presented disparate views to parliament, with some groups arguing that the standard of consent required in the legislation is too soft, with other groups arguing that the need for consent will impede medical research and that the requirements of the legislation will greatly increase the costs of healthcare. The upshot is that the legislation will not apply to the healthcare industry for an additional one-year transitional period following its proclamation. Further exemptions are unlikely.

The Act relieves organizations from the obligation to disclose information in a select number of situations, such as where the disclosure would violate solicitor-client privilege, where to do so would reveal confidential commercial information, or where the disclosure of the information could endanger a person’s life. Additionally, there are safeguards in the Act for “whistle blowers” who complain about an organization’s failure to comply with the legislation.





+1 604-739-7011