OBA.ORG

Volume 7, No. 3 - April/Avril 2007


Editors:
Jason Young
Abiodun O. Lewis

OBA News Editor:
Vickie Rose

Web Programmer & Administrator:
Sunny Zhao

Proofreader:
Lynn Wilson

Message from the Chair
By Mark S. Hayes

The PIPEDA Review Will Lead to Changes in the Act, but What Will They Look Like?
By Murray Long
A review of the major themes considered by the House of Commons Standing Committee on Access to Information, Privacy and Ethics in their mandated review of the Personal Information Protection and Electronic Documents Act.

Binding Corporate Rules
By Eduardo Ustaran
Justification and practicalities for global binding corporate rules.

Examining the Role of the Privacy Commissioner of Canada in Judicial Proceedings
By Kris Klein and Megan Brady
How the Privacy Commissioner's duty as an ombudsman plays out before the Federal Court and the issue of judicial deference.

Trans-jurisdictional Outsourcing Involving Personal Information:  Canadian Approaches
By Bonnie Freedman
A survey of personal health information outsourcing approaches analyzing trends and changes in legislation and guidelines.

Push and Pull:  Negotiating the Transfer of Passenger Name Record Information
By Allison Knight
The impending expiry of the interim EU-US passenger name record agreement raises questions about what privacy protections may replace it.

Notifications under PHIPA 
By Elaine Ashfield
Steps to take in ensuring that proper notices are given to individuals whose personal information has been subject to a privacy breach.

Video Surveillance Use by Municipalities in Ontario
By Louise Vrebosch and Michael Migus
A review of the use and efficiency of video surveillance by Ontario municipalities.

Identity (ID) Theft:  How to advise your clients when they ask what to do?
By Corinne D. Leon
A guide on minimizing the risk of identity theft in the electronic information age.

Case Comment on Rousseau v. Wyndowe:  Access to Personal Health Information under the Common Law, PIPEDA and PHIPA
By Michael Migus
A consideration of a patient's right of access to independent medical records under PHIPA.


Ontario Bar Association | Association du Barreau de l'Ontario
The Ontario branch of the Canadian Bar Association | La division ontarienne de l'Association du Barreau canadien


Eye on Privacy: The OBA Privacy Law Review is published by the Privacy Law Section of the Ontario Bar Association. The Editors welcome submissions on privacy law matters of interest to our members.

The articles that appear in this publication represent the opinions of the authors. They do not represent or embody any official position of, or statement by, the OBA except where this may be specifically indicated; nor do they attempt to set forth definitive practice standards or to provide legal advice. Precedents and other material contained herein are intended to be used thoughtfully, as nothing in the work relieves readers of their responsibility to consider it in the light of their own professional skill and judgment.

Message from the Chair

Mark S. Hayes*

Anyone reviewing the recent issues of Eye on Privacy cannot help but be struck by the ever-increasing complexity of privacy law issues in Canada and the rapid acceleration of the importance of privacy issues in the business environment. From the almost daily media attention to privacy security breaches to the impact of compliance on transactions, contracts and corporate organization, privacy has gone from a curiosity championed by a small number of knowledgeable advocates to a mainstream part of the business environment.

As can be seen from some of the articles in this month’s issue, much of the complexity in the privacy field arises from the nature of the Canadian federation. Even though many provinces did not take up the federal government’s invitation to enact “substantially similar” privacy legislation, the web of federal and provincial laws relating to privacy in the public and private sectors is so complex that, as Bonnie Freedman demonstrates in her useful survey of offshore outsourcing issues, it is very difficult to properly advise clients faced with a specific problem. As the case law in this area continues to develop, we will certainly see more issues of process arise, as Kris Klein and Megan Brady discuss in their article on the role of the federal Commissioner in PIPEDA Federal Court applications. The recent PIPEDA hearings have shown the importance of privacy breach notifications and the differing opinions on their usefulness; Elaine Ashfield brings us an interesting analysis of this issue in the context of Ontario’s PHIPA and Corinne Leon from Visa Canada provides a very useful guide to advising clients who believe that they have been the victim of identity theft.

We are fast approaching the time for Executive elections at the OBA, and I encourage all of the members of the Privacy Law Section to consider getting involved in the Executive for the 2007-2008 year. There are many exciting and interesting projects in the works, and we are always looking for new faces.

* Mark S. Hayes, Blake, Cassels & Graydon LLP, (416) 863-2279, mark.hayes@blakes.com.


The PIPEDA Review Will Lead to Changes in the Act, but What Will They Look Like?

Murray Long*


I am keenly aware, in writing an article for Eye on Privacy, that this is an audience that truly cares about the details of Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA), and is keenly interested in the current review of the Act and the likely outcomes.

At this juncture, writing on February 5 (the day prior to my own appearance as a witness), it seems fairly clear that the House of Commons Standing Committee on Access to Information, Privacy and Ethics (the Ethics Committee) will be recommending a number of changes to PIPEDA and that these changes will include at least one significant new obligation for business, as well as a number of housekeeping changes.

It is important to keep in mind that no member of this committee (except for Liberal MP Marlene Jennings, who sat in from time to time but has now dropped out of sight on this study), had background expertise in the rationale for PIPEDA, how the Act was drafted, how it works in practice and what are its shortcomings.  Committee members are, for the most part, brand new to this legislation and this field, with many being at the same time newly minted Members of Parliament.  This, in itself, raises the question of who will actually guide decision-making within the Committee and how comfortable the members will feel as they begin work on their report.

Nevertheless, Chair Tom Wappel and the other Committee members know they must generate something of substance from their deliberations, including recommendations to amend PIPEDA to incorporate necessary, practical and useful improvements.  The following article is an attempt to sort out which issues will be uppermost in the minds of Committee members as they deliberate on what to report back to the House of Commons.

Commissioner Powers
While privacy advocates have decried the lack of order-making powers for the Privacy Commissioner and have recommended various solutions to this perceived problem, the Commissioner herself advised the Committee that now is not the time to change the enforcement model. 

Her office finally having emerged from the turmoil of the Radwanski era, Commissioner Stoddart stated that a better use of existing enforcement tools – most notably the threat to take an organization to the Federal Court when it refuses to abide by recommendations – is sufficient.  She also argued that more time is required for serious study of the advantages and disadvantages of various enforcement models before a new one is recommended, thus leaving the door open for a new model to be reconsidered at the next five year review.

The Committee is in a weak position to second guess the Commissioner’s reasoning, and with industry groups largely supporting this view, the Committee may have little choice but to recommend that no change be made at present to enforcement powers.

Naming of Names
This is a companion issue to enforcement powers that gets raised again and again.  The Committee has, in my view, largely accepted a well articulated rationale proposed by MP Marlene Jennings that naming of organizations would never occur where mediation was underway or successful, leaving open only the prospect of naming organizations where no mediation occurs, organizations are recalcitrant to adopt the Commissioner’s recommendations, or where there is a public interest in naming the company.  In other words, naming names will likely occur in situations where the Commissioner could already exercise her discretion to identify organizations.  This would maintain the status quo and, for advocates of mandatory naming, will continue their level of frustration on this issue.  However, among Committee members, you can expect any serious proposals that all organizations be named routinely in complaint findings to fall on deaf ears.

Breach Disclosure Requirement
All industry groups who have appeared before the Committee, with the exception of the Marketing Research and Intelligence Association (MRIA), have opposed mandatory breach disclosure obligations.  In his testimony, BC Information and Privacy Commissioner David Loukidelis also said he would adopt a “wait and see” attitude on mandatory disclosure requirements as the practical implications of U.S. state-level breach notification laws become more apparent.[1]

The federal Commissioner and privacy advocates, including the Public Interest Advocacy Centre (PIAC) and the Canadian Internet Policy and Public Interest Clinic (CIPPIC) have expressed support for adding a breach notification requirement to PIPEDA, and several Committee members have embraced the need for some form of notification.  In fact, the tone of discussion on this issue has migrated towards a virtual demand that the business community accept a legislated responsibility of some type to notify the public and the Commissioner in the event of a breach.  The recent appearance of Canadian Life and Health Insurance Association (CLHIA) and Canadian Chamber of Commerce representatives before the Committee led to a virtual showdown, with Chairman Tom Wappel attempting to pin witnesses to a position of accepting at least a duty to notify the Commissioner in the event of a breach.

There are problems with breach disclosure requirements that will need to be ironed out – for example: what constitutes a breach; whether the California model which is restricted to hard data items associated with identity theft is the right approach; and whether there is a role for some discretionary analysis by businesses about the types of data breaches that should trigger public notification.

In addition to the foregoing, there are enforcement issues.  With greater recognition by the Committee that breach disclosure is a matter of public interest, there may be a corresponding recognition that some penalties should be invoked where companies fail to notify the public about breaches, especially serious ones.

Whatever the detail problems, it seems increasingly likely that the Committee will recommend some form of mandatory breach notification in the Act, and that Parliament is likely to respond.

Transborder Flows of Data
Virtually all business groups appearing before the Committee have stated their views that there is no need to alter the current provisions of the law that permit organizations to outsource data processing operations, subject to contractual measures and other safeguards.  Groups have seemed concerned that the Commissioner or privacy advocates will propose new controls or obligations on businesses and they are anxious to stave off any such action.  In her discussion guide of PIPEDA Reform, the Commissioner had raised the concept of additional controls, including audit rights by the contracting organization, requirements that enforcement of contracts take place in suitable jurisdictions and binding arbitration on contracts in accordance with international rules of arbitration.[2]

This issue has not gained much traction, however, despite some Committee members voicing their concerns about personal information being processed in the United States.  This may be due to a recognition that transborder data flow is a fact of life in a global economy and that personal information about Canadians will be subject to access under U.S. laws, just as personal information about Americans will be subject to access under Canadian laws when data processing goes the other way. 

Two other factors may come into play here.  The first, likely understood by most Committee members, is the desire not to offend NAFTA rules, interfere with free trade or spark loud cries of protest by recommending measures that unduly restrict commercial data flows.  The second, hardly understood by anybody, is whether the USA PATRIOT Act a) has ever been used to obtain information about Canadians; b) actually represents a substantially different standard than those under which Canadian national security agencies can already secretly obtain information under domestic anti-terrorism laws; or c) meets the threshold of U.S. Constitutional standards.[3]

Such interpretative matters are beyond the mandate of the Committee.  Moreover, the Committee is likely to agree with industry views that outsourcing of data processing to other countries is entirely permissible, as long as organizations take steps, as recommended by the Commissioner, to inform customers when their personal information is being processed outside of Canada and to adequately protect the data according to its sensitivity.  Thus, the standards currently set by the Commissioner in her advice to the marketplace are likely to be seen as sufficient.[4]

Expanding the scope of employee contact information
In its first meeting, the Committee heard from Industry Canada officials that there have been calls to remove privacy protection for employee e-mail and fax numbers, as these could be considered business contact numbers much like a telephone number.  Exempting employee fax numbers from the definition of personal information seems a simple and practical change and one the Committee will likely recommend. 

Employee e-mail addresses are a somewhat different matter.  The fact that employee e-mail addresses are not specifically listed as exempted information has led Assistant Commissioner Black to conclude this information is personal information, a determination that factored large in at least two findings concerning spam e-mail sent to individuals at business e-mail addresses.[5]  This determination, in fact, has become one legal tool in the war against unsolicited spam.

Fortunately, the Alberta Personal Information Protection Act (“Alberta PIPA”) has a useful model which the Committee can propose and which resolves any concerns.  Alberta PIPA permits use of “business contact information” without consent for the purposes of contacting an individual in that individual’s capacity as an employee or an official of an organization and for no other purpose.

Employment Consent
The employment consent issue has not received much serious discussion so far, although I plan to address this topic further in my own evidence.  Federally Regulated Employers - Transportation and Communication, an organization of major employers and employer associations in the transportation and communications sectors, did raise concerns about the challenges placed on employers due to the employee consent requirements in PIPEDA.  It has recommended that Parliament adopt the Alberta and BC approach (where no consent is required within the context of managing the employment relationship).

Assistant Commissioner Black, in addressing the consent issue within the workplace, has recently provided more detailed legal analysis of how she has determined that a condition of implied consent exists in the employment relationship that enables an employer to collect, use or disclose employment information for reasonable business purposes without the need for an express consent.[6]  In the Commissioner’s view, there is no need to remove the consent obligations from PIPEDA – at least a complete removal – as the interpretative approach used by the OPC is sufficient to resolve any problems with consent.

As the Commissioner will have a second opportunity to meet with the Committee before it completes its deliberations, this is one area where the last at bat may win the game. 

Business Transfers and other expanded collection, use and disclosure without consent
Parliament benefits from the ability to play leapfrog with the newer provincial private-sector privacy laws and to incorporate some of the improvements made in the provinces.  One example would be an exception to permit organizations to collect personal information without consent in the process of a business transfer or acquisition.  It is well recognized that some access to customer or employee data is necessary to do due diligence on a prospective target company’s assets, liabilities, etc.  The provincial laws provide clear and fair rules under which such review can occur. 

The Committee may also recommend other housekeeping changes to the Act to permit disclosures of employee or customer information, for example, to permit the contacting of next of kin or a friend of an injured, ill or deceased individual.

Attempted collection of information without consent
This issue has been raised by the Commissioner and others who have appeared before the Committee and the Committee seems to have recognized that this is an important loophole in the Act.  It will likely recommend a new provision that any attempt to collect personal information in contravention of the Act would be a breach of the Act.  If so, this would bring PIPEDA into congruity with the Alberta Act which makes it an offence to wilfully attempt to gain or to gain access to personal information in contravention of the Act.

Work Product
Work product is that category of information that is created by an individual in the furtherance of duties or obligations.  In a 2001 finding, former Commissioner George Radwanski derived the definition in considering whether doctor prescriber information (the type and number of drug prescriptions authorized by doctors) constituted personal information about the doctor or another class of information known as a work product.[7]

The current Commissioner believes there is no real need to incorporate a definition of “work product” into the Act, as the law can be interpreted on a case-by-case basis to address non-personal, work-generated information.  The Canadian Medical Association (CMA) made a request that any definition of work product not extend to physician-generated information in order not to undermine the confidence patients have in their doctors’ ability to safeguard their health data.  The CMA could not come up with any specific examples of how the flow of physician prescription data to commercial entities harmed the doctor-patient trust relationship. 

More recently, however, representatives of the Insurance Bureau of Canada told the Committee that it was essential for the Act to include a definition of work product information, similar to the BC law to provide legal certainty about the right to continue to collect this type of information about workers without any legal uncertainties.

We can expect the Committee to either propose that a definition of work product information be added to the Act or to make a statement that the status quo should be preserved.

Solicitor-Client Privilege
This may be one of the more interesting issues for Eye on Privacy readers, and has become an issue of great concern to some industry groups – particularly the property and casualty insurance industry, which strongly supports amendment to the Act to clarify that the Commissioner does not have the power in investigations to obtain information subject to solicitor-client privilege.

In her prior testimony before the Committee, Commissioner Stoddart had expressed her dismay with the Federal Court of Appeal decision in the Blood Tribe[8] case in which the Appeal Court determined that the Federal Court Judge had erred in applying a liberal interpretation to Commissioner powers and should have adopted a standard in which the Court, not the Commissioner, considers any information subject to a claim of solicitor-client privilege.  The Commissioner has sought leave for this issue to now be heard by the Supreme Court.  Her concerns are that, following the Appeal Court decision in Blood Tribe, organizations may expand the ambit of solicitor-client privilege (for example, to include information gathered pre-litigation) in ways that harm legitimate individuals’ access rights.

The Appeal Court decision, in practice, also creates a conundrum as the Commissioner cannot apply to the Federal Court for a hearing on any matter until an investigation is completed and a report issued, while the inability to examine information for which a claim of solicitor-client privilege has been asserted might mean that the investigation cannot be completed.

The Committee, however, seems disposed to a view that solicitor-client privilege is a fundamental underpinning of the legal system and should not be whittled away via legislative provisions.  As a result, the Commissioner may have a hard time convincing the Committee that it must amend PIPEDA to clarify her right to examine any information in an investigation, including documents for which a claim of solicitor-client privilege is asserted.

What happens after the report is submitted?
The Committee’s report is only the first stage of what could be a lengthy process in amending PIPEDA.  All recommendations will have to be considered by the Justice Department and Industry Canada, with perhaps further consultation with stakeholders before a proposed amending bill is tabled in Parliament.  Any amending bill would likely be referred back to the Ethics Committee, before being put to a vote in the House of Commons and the Senate.  The Senate Social Affairs, Science and Technology Committee might also be inclined to hold its own review.  If you throw an election into the mix, we may not see Parliament pass amending legislation before 2009, with amendments coming into force possibly in 2010. 

* Murray Long is an Ottawa-based privacy consultant and an acknowledged Canadian authority on PIPEDA.  He is the editor/publisher of PrivacyScan, a privacy law resource for businesses.  He can be reached at murraylong@privacyscan.ca


1   Commissioner Loukidelis is already interpreting section 34 of the BC Personal Information Protection Act as incorporating a de facto obligation to notify individuals in the event of an unauthorized disclosure of personal information.
2   See PIPEDA Review Discussion Document: Protecting Privacy in an Intrusive World, July 2006.
3   Eye on Privacy Editor Jason Young has expressed the view that the USA PATRIOT Act contains powers of “summary and secret compulsion” that have no equivalent in Canadian laws and that these powers are more likely to be abused.  In an article on cross-border outsourcing (Privacy Commissioner gives Green Light to Cross-Border Outsourcing of Personal Information; Raises Questions – Canadian Privacy Law Review, Volume 3, Number 2, November 2005), Mr. Young stresses that the use of National Security Letters (NSLs) by the FBI has multiplied 100 times over pre-PATRIOT Act levels.  NSLs do not require judicial review and can be issued quickly by designated FBI agents to facilitate investigations, using a standard for authorization that has now slipped from a cautionary requirement that agents use “least intrusive means” to obtain information to a more expansive standard of using any lawful techniques to further anti-terrorism investigations.  In a 2004 Decision, a U.S. District Court Judge ruled that the NSL provision for telephone and Internet records was unconstitutional, because the gag order that accompanies it is so draconian as to effectively bar recipients of such requests from challenging them in court without first violating the order.  Doe v. Ashcroft, No. 04-CIV-2614 (S.D.N.Y. Sept 29, 2004).  See the discussion of this in Terrorism and the Constitution, 3rd Edition, David Cole and James X. Dempsey, The New Press, 2006, p. 216.
4   These standards were first articulated in Transferring Personal Information about Canadians Across Borders — Implications of the USA PATRIOT Act, the federal Commissioner’s response to the BC Commissioner’s inquiry into the implications of the USA PATRIOT ACT, August 2004.  The CIBC finding summary (#313) further solidified the Office’s views on transborder data processing to the U.S.
5   See PIPEDA finding #297, Unsolicited e-mail for marketing purposes (two separate complaints on the same subject, dated Dec. 1, 2004 and March 31, 2005).
6   See PIPEDA finding #351, Use of personal information collected by Global Positioning System considered, Nov. 9, 2006.  
7   See PIPEDA finding #15, Privacy Commissioner releases his finding on the prescribing patterns of doctors, Oct. 2, 2001.
8   Blood Tribe Department of Health v. Privacy Commissioner of Canada, 2006 FCA 334, October 18, 2006.


Binding Corporate Rules

Justification and Practicalities


Eduardo Ustaran*


The information that organisations hold about customers, employees and other individuals is a very valuable asset.  Exploiting this information correctly is crucial for their operations, but its use on a global basis is strictly regulated by EU data protection law, which does not allow the transfer of personal information to countries outside Europe that do not have an adequate level of data protection.

Countries where a legislation-free approach to personal privacy is preferred, such as the USA, are not regarded by the European Union as providing an adequate level of protection for individuals’ data privacy rights.  Therefore, in order to process personal information lawfully on a global basis, organisations must find a way to legitimise transfers of this information from the EU to other countries.

Article 26(2) of the Directive provides that EU member states may authorise a transfer, or a set of transfers, of personal data to third countries which do not ensure an adequate level of protection where the organisation wishing to transfer the data adduces adequate safeguards with respect to the protection of the privacy rights of individuals.  Article 26(4) goes on to say that such safeguards may result from certain standard contractual clauses approved by the European Commission.  Accordingly, the use of standard contractual mechanisms is one of the most widely used mechanisms to legitimate global data flows.

The Binding Corporate Rules route

Where data transfers are made to third party vendors dotted around the world, it may be possible to ensure that those vendors are bound by the standard contractual clauses approved by the European Commission for these cases under Article 26(4) of the Directive.  However, using ad-hoc contractual arrangements is not a suitable way of legitimizing international transfers for data-reliant organizations operating on a worldwide basis.  In the context of many global organizations, using personal data is all about sharing information without having to pay attention to borders and national regulatory differences.  Therefore, a flexible, tailor-made solution that does away with the inconvenience of having to enter into innumerable contracts among subsidiaries is likely to be the only lawful option.

On 3 June 2003, the Article 29 Working Party published its Working Document (WP74) on Binding Corporate Rules (“BCR”) for international data transfers.[1]  According to this Working Document, as long as such corporate rules are binding (both in law and in practice) and incorporate the essential content principles identified in the Working Document (WP12) of 24 July 1998, there is no reason why national regulators should not authorize multinational transfers within a group of companies following Article 26(2) of the Directive.

In 2005, the Article 29 Working Party adopted a co-ordinated approval mechanism (WP107)[2] that allows companies seeking the approval of their BCR to fast-track their submissions through all of the relevant EU data protection authorities.  This mechanism entails choosing an “entry point” data protection authority which will be the official point of contact with the candidate until the BCR are ready for approval in that country, and then will assist the relevant organisation to gain approval throughout the European Union.

Whilst for some organisations it may be obvious which data protection authority should have jurisdiction, where it is not clear which authority should become the entry point, organisations must consider the following factors to determine the most appropriate data protection authority:

  • The location of the corporate group’s European headquarters or office with data protection responsibilities.
  • The location of the company which is best placed to lead the BCR application and, eventually, enforce compliance.
  • The place where any key operational decisions in terms of the purposes and means of the data processing are made.
  • The EU country from which most international transfers originate.

Evidencing the binding nature of the BCR

In order to standardise the application process across the European Union as much as possible, the Article 29 Working Party has also published its Working Document WP108[3] which contains a checklist of requirements.  This checklist requests applicants to submit a concise background paper summarising how certain elements of the Article 29 Working Party’s Working Document (WP74) of 3 June 2003 are satisfied.  One of the most important aspects that needs to be evidenced in the background paper is the binding nature of the organisation’s BCR.

The binding nature must be evidenced from several points of view, as follows:

  • Binding between the component parts of the organisation (e.g. by means of an internal code of conduct backed by a multi-party agreement, or via a unilateral declaration given by the parent company).
  • Binding on employees (e.g. by adding the BCR to the staff handbook which all employees are required to abide by).
  • Binding on subcontractors (e.g. by incorporating the BCR as an annex to the services agreement in place).
  • Binding externally for the benefit of individuals (e.g. by publicising a complaints handling process that allows individuals to enforce compliance).

Documentation required for BCR approval

The precise nature and amount of information that is required for the purposes of the submission to be made to the relevant data protection authority can be ascertained from paragraphs 4.1.1. to 4.1.3. of the checklist in WP108, as set out below.

A. Bundle 1 – Factual details

Paragraph 4.1.1 of WP108 refers to a note containing:

  • contact details of the responsible person within your organisation to whom queries may be addressed; and
  • all the relevant information to justify the choice of data protection authority including the basic structure of your group and the nature and structure of the processing activities in the EU/EEA with particular attention to the place/s where decisions are made, the location of affiliates in the EU, the means and purposes of the processing, the places from which the transfers to third countries are being made and the third countries to which those data are transferred (this is needed so that the ‘entry point data protection authority’ can circulate it to the data protection authorities concerned).

The purpose of the note referred to in paragraph 4.1.1 of WP108 is to justify the choice of the authority that will act as the lead authority during the approval process.  This lead authority will guide the organisation seeking BCR approval through the process and act as an introducer to the other data protection authorities from which BCR approval will be required.  In order to avoid a “forum shopping” situation, where BCR candidates select as their lead authority an authority perceived as more lenient or less likely to scrutinise their operations, the Article 29 Working Party established certain objective criteria that apply to the selection of the relevant lead authority.

Accordingly, in practice, the first bundle of information should include factual details comprising the following:

  • A chart or diagram showing the organisation’s corporate structure (including all European affiliates and any entity that receives personal information collected in the European Union).
  • Addresses of all group companies established in the EU.
  • A description of the data processing activities that take place in the EU, including the flows of personal data.
  • A description of the purposes for which personal information is used within the group of companies.
  • A description of the type of personal information that is transferred to any other country outside the EU and the mechanisms employed for the transfer.
  • Confirmation of the group companies that receive personal information from the EU.

B. Bundle 2 – Background paper

Paragraph 4.1.2 of WP108 refers to:

A background paper summarising how the required elements of WP74 have been satisfied (this will help the data protection authorities to identify the relevant sections of the documents you are providing).

All EU data protection authorities regard this background paper as the most important element during the submission process, since the information provided via this paper is the clearest indicator of how the BCR system will work in practice and whether it is likely to achieve its goals.

In practice, the second bundle of information should include the following:

  • A succinct description of the BCR system – This is meant to be a very brief summary (i.e. not more than two pages) of how the BCR system works within the organisation and should describe in simple terms the structure of the system and how it fits in within the organisation’s corporate governance.
  • Evidence of the binding nature of the BCR
  • Information on the following procedural requirements:
    • Internal awareness mechanism – How the system guarantees awareness and implementation of the compliance procedures in place both inside and outside the European Union.  This should also include information on any data protection training procedures adopted by the organization.
    • Internal audit process – How the organization operates a programme of either self-audits of the BCR system and/or external supervision by accredited auditors, including any mechanisms to report the outcome of such audits to the organization’s top management.
    • Complaint handling mechanism – How individuals' complaints are dealt with by a clearly identified complaint handling department (including service levels and response times-type information where appropriate).
    • Cooperation with data protection authorities – How the organization intends to make itself available to the data protection authorities.  Whilst a detailed cooperation programme will not be required, all of the authorities from which approval is sought will expect a degree of availability by the relevant individuals with responsibility for the operation of the BCR system.
    • Responsibility of EU-based headquarters – A description of the privacy management resources at the EU-based entity that will be taking primary responsibility for the BCR system in order to facilitate supervision by the authorities and the practical exercise of individuals’ rights.
    • Redress for individuals – To what extent the organization accepts that individuals will be entitled to take action against the group, as well as to choose the jurisdiction.
    • System transparency – How the organization allows individuals to have readily accessible information about the BCR obligations undertaken as part of the system.

C. Bundle 3 – BCR documents

Paragraph 4.1.3 of WP108 states:

All relevant documents that comprise the ‘binding corporate rules’ to be adopted by your organisation (e.g. any policies, codes, notices, procedures and contracts that may be relevant to the application). As well as a general statement of principles, the data protection authorities need to see how personal data is actually handled within your group.

In our experience, data protection authorities need not be provided with copies of every single document dealing with privacy matters, but they expect to see examples of documents at all levels, such as:

  • Top level privacy policies
  • Privacy statements
  • Internal compliance guidelines, checklists or similar notes
  • Customer-facing policies
  • Data quality policies (dealing with issues such as data retention)
  • Access request response procedures
  • Information security policies
  • Data processing agreements
  • Intra-group agreements providing binding force to the BCR (if any)

For further information, please contact:

* Eduardo Ustaran, Partner, Field Fisher Waterhouse LLP, 35 Vine Street London EC3N 2AA, +44 (0)20 7861 4842, eduardo.ustaran@ffw.com, http://www.ffw.com


1  See http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2003/wp74_en.pdf.
2  See http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2005/wp107_en.pdf.
3  See http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2005/wp108_en.pdf.


Examining the Role of the Privacy Commissioner of Canada in Judicial Proceedings

Kris Klein and Megan Brady*


As more and more privacy-related cases make their way to Court through the mechanism provided for in the Personal Information Protection and Electronic Documents Act (PIPEDA), the issue of the Privacy Commissioner of Canada’s role in these judicial proceedings warrants further consideration. 

The Privacy Commissioner is an ombudsman.   When she receives a complaint, the Privacy Commissioner investigates it and seeks to resolve it confidentially, through negotiation and mediation.  At the conclusion of her process, the Privacy Commissioner will issue a non-binding report containing any recommendations she considers necessary to enhance the personal information management practices of a respondent organization.

Unlike a typical ombudsman, who must resort to the political arena for enforcement of his or her recommendations, PIPEDA empowers the Privacy Commissioner or a complainant to apply to the Federal Court for a binding, judicial resolution of a privacy matter addressed in the Commissioner’s report.  Melding the Privacy Commissioner’s ombudsman process with the Federal Court’s judicial process raises interesting questions about the role the Privacy Commissioner should play before the Federal Court. 

Traditional rules governing the judicial supervision of administrative actors are unable to adequately delineate the Privacy Commissioner’s role in judicial proceedings under PIPEDA.  This is in part because hearings under PIPEDA proceed on a de novo basis.  Before the Federal Court, the alleged privacy violation is determined ‘afresh’ and ‘anew’, ostensibly as if the Privacy Commissioner’s process had never occurred.   In proceedings before the Federal Court, it is the complainant’s allegations and the respondent organization’s conduct that are in issue and not the reasonableness or correctness of the Privacy Commissioner’s report.  In this context, there is no role for the “pragmatic and functional approach” to play in ascribing an appropriate degree of judicial intervention.

The fact that PIPEDA expressly contemplates the Privacy Commissioner becoming a party to any proceeding introduces additional complexity.  The de novo nature of a hearing brought pursuant to PIPEDA is inconsistent with the role administrative decision makers traditionally play on judicial review of their own decisions – namely, explaining the record and making representations as to jurisdiction (See Northern Utilities v. City of Edmonton, [1979] 1 S.C.R. 684 at 708 - 710).  Because it is not a review of the Privacy Commissioner’s findings, a de novo proceeding eliminates, in large measure, the relevance of the record before the Privacy Commissioner and therefore, any explanatory role she might otherwise play. 

However, under PIPEDA, the Privacy Commissioner is empowered to initiate a hearing of her own accord (with the consent of a complainant); the Privacy Commissioner may appear on behalf of a complainant; and the Privacy Commissioner may apply for leave to become an added party.  Unlike typical administrative decision-makers who are precluded from addressing the merits of a decision under review, PIPEDA appears to contemplate the Privacy Commissioner assuming the role of privacy advocate and acting as a full participant in an adversarial judicial process.

In one of the first PIPEDA cases to reach the courts, the Federal Court sought to understand the Privacy Commissioner’s role by applying factors that dictate the appropriate standard of review in other contexts.  In Englander v. Telus Communications Inc., 2003 FCT 705 at para. 33, the Federal Court noted that “as a statutorily created administrator with specialized expertise, the [Privacy Commissioner of Canada] is entitled to some deference with respect to decisions clearly within his jurisdiction”.  Similarly, in Eastmond v. Canadian Pacific Railway, 2004 FC 852 at paras. 122-123, Lemieux J. determined that the Privacy Commissioner was deserving of deference “in the area of his expertise which would include appropriate recognition of the factors he took into account in balancing the privacy interests”.

Notwithstanding the Privacy Commissioner’s obvious expertise in privacy issues, the Federal Court of Appeal has largely rejected the concept of deference as a relevant consideration.  In Englander v. Telus Communications Inc., 2004 FCA 387 at para. 48, Décary J.A. noted that a hearing under PIPEDA is a “proceeding de novo akin to an action”.  He found that “the report of the Commissioner, if put in evidence, may be challenged or contradicted like any other document”.  Décary J.A. was concerned that showing any deference to the Privacy Commissioner’s findings “would give a head start to the Commissioner when acting as a party and thus could compromise the fairness of the hearing” (para. 48).

Technically speaking, the Federal Court of Appeal appears to be right.  It makes little sense to speak of deference to the Privacy Commissioner’s findings in a hearing de novo.  The Privacy Commissioner’s findings are, technically, irrelevant.  Though the report itself is a necessary precondition to a hearing, the substance of the Privacy Commissioner’s report need not be introduced in evidence by any of the parties.  Moreover, the evidence before the courts may differ considerably from that before the Privacy Commissioner.  In a de novo hearing, no rules exist which would preclude a party from adducing fresh or additional evidence.  And any formal recognition of deference to the Privacy Commissioner’s findings could undermine the fairness of a hearing de novo, which contemplates each side having a fresh and full opportunity to argue the merits of their case from the beginning.

But many of the reasons why administrative tribunals are accorded deference on judicial review support the granting of some deference to the Privacy Commissioner’s findings.  The Privacy Commissioner’s significant and special expertise in privacy law is such that her findings, were they subject to review, would warrant deference.  In the course of investigating and reporting on complaints brought under PIPEDA, the Privacy Commissioner must consider and balance a multiplicity of policy issues and competing interests.  In crafting her recommendations, the Commissioner is engaged in a remedial exercise that falls far outside the traditional role and expertise of the Federal Court.  Although the Federal Court is empowered to order an organization to correct its personal information management practices, ascertaining the specific corrections required falls within the relative expertise of the Privacy Commissioner.

Since the Federal Court of Appeal’s decision in Englander, the federal courts have opted to “adopt” and “add to” the Privacy Commissioner’s findings without formally deferring in an administrative law sense (See Wansink et al. v. Telus Communications Inc., Docket A-639-05, January 29, 2007 at paras. 11-12).  In Morgan v. Alta Flights (Charters) Inc., 2005 FC 421 at paras. 16-17, Noel J. determined that deference was voluntary: “[t]he Court may rely on the decision of the Privacy Commissioner or certain parts of it where applicable in arriving at a determination, but it is not bound to do so”.  Noel J. attempted to reconcile this approach with the de novo nature of the proceedings by noting that “the question of whether or not a breach under PIPEDA occurs...is a question of interpretation under the Act, and so should be reviewable on a standard of correctness”.

From the melding of ombudsman and judicial processes in the privacy law context, one thing is clear: Parliament intended to ensure that remedies were available for privacy infractions by the private sector.  Far less clear is the role the Privacy Commissioner and her process can and ought to play in securing the judicial remedies available for breaches of privacy rights.   The Privacy Commissioner is a gatekeeper to the judicial process; she can contribute considerable legal and policy expertise to a resolution of privacy complaints; and, insofar as she is permitted to act on a complainant’s behalf, plays an important role in ensuring access to justice in the de novo determination of the complainant’s case.  The federal courts’ efforts to develop a principled approach to reconciling these unique roles within a poorly understood process are deserving of close scrutiny.

* Kris Klein and Megan Brady are litigation counsel with the Office of the Privacy Commissioner of Canada.  The opinions expressed in this article are the views of the authors and they are not necessarily reflective of the views of the Office of the Privacy Commissioner of Canada.
 


Trans-jurisdictional Outsourcing Involving Personal Information:  Canadian Approaches

Bonnie Freedman*


I. Outsourcing

The Information and Privacy Commissioner of Alberta concluded in his February 2006 report, “Public-sector Outsourcing and Risks to Privacy”1 that government bodies are no longer able to provide an appropriate degree of security to information they manage internally and accordingly must outsource services involving personal information.  In 2003, the Government of British Columbia approved outsourcing by public bodies to private sector service providers as a means of addressing antiquated information technology systems.  Despite opposition culminating in legal proceedings, British Columbia subsequently outsourced some functions of its public health and drug benefits plan.2
 
Outsourcing has been defined in a number of ways, but at its most essential involves retaining an outside supplier to provide services which a company or public body might otherwise have its employees perform.  To the extent that outsourcing involves suppliers in a jurisdiction outside of that in which a company or public body operates (a “foreign jurisdiction”), it has become a matter of public interest, thanks in part to George Bush.  The Bush administration’s lack of respect for interests that it views as interfering with the war on terrorism, the enactment of the USA PATRIOT Act3 in October 2001 and its renewal by the USA PATRIOT Act Improvement and Reauthorization Act of 2005 in March 2006, have done much to raise awareness in Canada of the potential risks of outsourcing personal information services to the United States.  Media reports of threatened or actual data security breaches and misuse of personal information by the employees of service providers in foreign jurisdictions other than the U.S. have reinforced the concerns and highlighted the fact that the issues are global.4
 
The following surveys approaches adopted in Canada to the outsourcing of services and programs involving personal information to third party service providers in foreign jurisdictions.  The approaches involve legislative measures and guidelines.

The survey is not comprehensive and is only intended to provide an introduction to the issues and some of the options adopted by governments.  Legislation governing the collection, use and disclosure of personal health information is not reviewed.  Sections III and IV below provide a summary of or reproduce provisions in legislation and guidelines that apply to the outsourcing of services involving personal information to third party service providers in foreign jurisdictions.  Section  0 provides a preliminary analysis of the approaches to such outsourcing.

II. Audits of Public Sector Outsourcing Practices

The challenge by the Service Employees’ Union (“BCSGEU”) to the decision of British Columbia’s Ministry of Health Services to outsource the administration and several information management functions of the province’s Medical Services Plan and BC PharmaCare, brought the risks of outsourcing to the attention of the public and made them a matter for government action.  A report by the Information and Privacy Commissioner for British Columbia on the implications of the USA PATRIOT Act for British Columbia public sector outsourcing5 called for public bodies to conduct audits of their outsourcing agreements to determine the level of security they were affording to personal information, implement a program of routine and thorough compliance audits, diligently monitor the performance by service providers of their contractual obligations and enforce available remedies where such obligations are breached.

The Alberta government took heed of the BC report and in February 2006, the Office of the Information and Privacy Commissioner of Alberta released the results of a survey it had conducted of provincial government ministries and a representative sample of public bodies.6  The survey canvassed the extent of outsourcing by public bodies governed by the Freedom of Information and Protection of Privacy Act, the types of services that are outsourced by these bodies and the contractual safeguards used to protect personal information to which third party service providers may have access.

The federal government also heard the call and in October 2004, asked the 160 institutions subject to the Privacy Act8 to audit their outsourcing activities that involve personal information.  The object of the review was to “determine if information that is being stored by private companies or is accessible under the terms of a contract was susceptible to disclosure, specifically under the USA PATRIOT Act.”9  The review also looked at the nature of the contractual safeguards being used by the institutions in connection with outsourced services and programs.

In addition to audits, the attention garnered by outsourcing has led to legislative amendments.

III. Legislation and Legislative Amendments

A. Public Sector Access and Personal Information Protection Laws

A.1 British Columbia - Freedom of Information and Protection of Privacy Act (“BC/FOIPPA”)10

The British Columbia legislature sought, but ultimately did not wait for, a report from its Information and Privacy Commissioner before amending the BC/FOIPPA, which applies to personal information in the custody and control of public bodies.

Amendments to BC/FOIPPA that came into force in October, 2004 severely restricted the storage of and access to personal information in the custody or control of a public body from outside Canada.  There have been subsequent amendments to BC/FOIPPA, perhaps in response to difficulties incurred by users of equipment, including medical equipment that is only serviced from outside Canada.

The principal provisions affecting third party service providers supplying services involving personal information to public bodies are found in Part 3 of BC/FOIPPA in sections 30.1 through 33.2.  One of the unique features of the amendments is brought into effect by section 31.1(b), which expands the application of the sections of BC/FOIPPA relating to the protection of personal information to service providers, their employees and associates including subcontractors.  Accordingly, in British Columbia, the relationship between a service provider and a public body client may be determined by BC/FOIPPA as well as by contract.  Section 31.1 provides:

31.1 The requirements and restrictions established by this Part also apply to:

(a) the employees, officers and directors of a public body, and

(b) in the case of an employee that is a service provider, all employees and associates of the service provider.

Section 30.1 of BC/FOIPPA requires a public body to ensure that personal information in its custody or under its control is only stored and accessed in Canada, unless the individual to whom the information relates consents to another arrangement or the storage or access are for the purpose of a disclosure permitted under the Act, including for the purposes of the public body collecting a debt or making a payment.  Section 30.1 provides:

30.1  A public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless one of the following applies:

(a) if the individual the information is about has identified the information and has consented, in the prescribed manner, to it being stored in or accessed from, as applicable, another jurisdiction;

(b) if it is stored in or accessed from another jurisdiction for the purpose of disclosure allowed under this Act;

(c) if it was disclosed under section 33.1 (1) (i.1) [for the purposes of a payment to be made to or by the government of British Columbia or a public body, authorizing, administering, processing, verifying or canceling such a payment, or resolving an issue regarding such a payment].

Section 30.2 of BC/FOIPPA requires notification of the responsible minister of any demand from a foreign authority for the disclosure of personal information, which notification could violate provisions introduced by the USA PATRIOT Act prohibiting disclosure of such demands except in limited circumstances.  Section 30.2 provides:

30.2 (2)  If a public body, an employee of a public body or an employee or associate of a service provider

(a) receives a foreign demand for disclosure,

(b) receives a request to disclose, produce or provide access to personal information to which this Act applies, if the public body, employee or other person receiving the request

(i)  knows that the request is for the purpose of responding to a foreign demand for disclosure, or

(ii)  has reason to suspect that it is for such a purpose, or

(c) has reason to suspect that unauthorized disclosure of personal information has occurred in response to a foreign demand for disclosure,
the head of the public body, the employee or other person must immediately notify the minister responsible for this Act.

(3)  The notice under subsection (2) must include, as known or suspected,

(a) the nature of the foreign demand for disclosure,

(b) who made the foreign demand for disclosure,

(c) when the foreign demand for disclosure was received, and

(d) what information was sought by or disclosed in response to the foreign demand for disclosure.

Section 33.1 governs the disclosure of personal information in the custody or under the control of a public body inside or outside of Canada.  Until recently, this provision only permitted disclosure in limited circumstances, for example where required to comply with another law of British Columbia or Canada, or to permit government officials to carry out their duties.  Amendments to the section that came into force in 2006 permit the disclosure of personal information to a service provider outside Canada where the service provider would normally receive the information in Canada, but is temporarily travelling outside Canada.11  Other amendments permit disclosure to a service provider where the disclosure is necessary for:

(a) installing, implementing, maintaining, repairing, trouble shooting or upgrading an electronic system or equipment that includes an electronic system, or

(b) data recovery that is being undertaken following failure of an electronic system that is used in Canada by the public body or by a service provider for the purposes of providing services to a public body, and

in the case of disclosure outside Canada,

(c) is limited to temporary access and storage for the minimum time necessary for that purpose, and

(d) in relation to data recovery under subparagraph (b) above, is limited to access and storage only after the system failure has occurred.12

Public bodies may also disclose personal information inside Canada in response to a subpoena, warrant or order issued or made by a court or other person or body in Canada with the authority to compel the production of information.13  This provision is significant in that it prohibits public bodies and their service providers from disclosing personal information in response to a subpoena or other legal instrument issued by a foreign authority and applies even where the service provider is subject to the law of the foreign jurisdiction in which the subpoena or instrument was issued.

A.2 Alberta - Freedom of Information and Protection of Privacy Act (“AB/FOIPPA”)14

Following on British Columbia’s lead, Alberta’s amendments to the AB/FOIPPA in 2006 limit the powers of foreign courts, governments and governmental authorities to order the province’s public bodies to produce personal information.  Section 3(d) provides that the AB/FOIPPA does not apply so as to interfere with an order compelling a witness to testify or the production of documents made by a court or tribunal in Canada.  Section 40(1)(g) narrows the scope of disclosure permitted in response to a legal instrument, to circumstances where the disclosure is:

...for the purpose of complying with a subpoena, warrant or order issued or made by a court, person or body having jurisdiction in Alberta to compel the production of information or with a rule of court binding in Alberta that relates to the production of information.15

A.3 Nova Scotia - The Personal Information International Disclosure Protection Act (“PIIDPA”)16

PIIDPA received Royal Assent on July 14, 2006 but has yet to be proclaimed in force.  PIIDPA borrows liberally from the initial amendments made to BC/FOIPPA, but incorporates provisions intended to address some of the operational difficulties that were reported to have arisen because of the requirement in the British Columbia legislation to store and access personal information in Canada.

PIIDPA applies to public bodies, including their directors, officers and employees and to employees and associates of a service provider.  A service provider is defined as “...a person who is retained under a contract to perform services for a public body and in the course of performing those services, uses, discloses, manages, stores or accesses personal information in the custody or under the control of a public body”.17

Section 5(2) of PIIDPA contains an exemption from the requirement that a public body ensure that personal information in its custody or under its control is stored and accessed in Canada.  The exemption applies where the head of a public body considers the storage of or access to personal information from outside Canada “... to meet the necessary requirements of the public body’s operation.”  Under section 5(4), where the head of a public body permits personal information to be stored or accessed from outside of Canada, he or she is required to report the decision and reasons for making the decision to the responsible minister.  Service providers are required to limit their collection and use of personal information that is stored, accessed or disclosed outside of Canada to the information and uses that are necessary to fulfill their contractual obligations and to make reasonable security arrangements to protect the information.

Under section 6(1) of PIIDPA, public bodies and their service providers are required to report foreign demands for disclosure to the responsible minister.

A.4 Quebec - Amendments to An Act respecting Access to documents held by public bodies and the Protection of personal information (“ARA”)18

Quebec has amended the sections on “security measures” in its public sector access and protection of personal information legislation. Section 63.1 of ARA now requires public bodies to:

...take the security measures necessary to ensure the protection of the personal information collected, used, released, kept or destroyed and that are reasonable given the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored.

Section 63.2, which is not yet in force, will require public bodies to “...protect personal information by implementing the measures enacted for that purpose by regulation of the Government.”  This provision will permit, but not require, Quebec to prescribe by regulation security measures for personal information kept by a public body in the exercise of its duties.

B. Amendments to Private Sector Laws

To date, provinces have required the private sector to protect personal information to which it gives third party service providers access, but have been reluctant to impose more direct forms of restriction on its outsourcing activities.  It is not clear whether Quebec has become the exception.  Quebec has amended its private sector privacy legislation and the amendments may restrict outsourcing or may merely be an express statement that organizations must use appropriate safeguards where personal information may be subject to the laws and authorities of a foreign jurisdiction.  To assess the Quebec amendment, it may be useful to examine the requirements relating to outsourcing in the Personal Information Protection and Electronic Documents Act (“PIPEDA”).19

Principle 4.1.3 of Schedule 1 to PIPEDA provides that:

An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.  The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

Principle 4.8 provides that:

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

The office of the Privacy Commissioner of Canada (the “OPC”) has applied Principle 4.1.3 and Principle 4.8 to a complaint about the outsourcing of services involving personal information to a foreign third party service provider.  The complaint was made about the outsourcing of credit card transaction processing by the Canadian Imperial Bank of Commerce (“CIBC”) to an American service provider.20  The Assistant Commissioner made a number of noteworthy findings about the application of PIPEDA to outsourcing activities, but for the purposes of this review, the significant findings are that PIPEDA does not prohibit the use of foreign-based third-party service providers, but requires organizations to ensure that foreign-based third-party service providers afford personal information a comparable level of protection to that required in Canada (Principle 4.1.3.).  Applying Principle 4.8, the Assistant Commissioner reiterated the position of the OPC that companies resident in Canada that outsource personal information processing or like services to the United States should notify the individuals to whom the information relates that it may be available to the U.S. government or its agencies under a lawful order.

According to the finding in the CIBC case, the requirement established in Principle 4.8 for organizations to be transparent about their personal information handling practices extends to giving individuals notice in circumstances where their personal information may be transferred to a foreign jurisdiction, notwithstanding that consent is not required where personal information is transferred for the purposes of data processing.21  The finding in the CIBC case is harder to interpret in regard to the requirements established in Principle 4.1.3.  While the Assistant Commissioner initially describes the obligation on organizations in the language of Principle 4.1.3 (an organization must ensure that personal information is afforded “a comparable level of protection while the information is being processed by a third party”), she later frames it as an obligation to “…protect customer personal information in the hands of foreign-based third-party service providers to the extent possible by contractual means” (emphasis added).22

B.1 Quebec - An Act respecting the protection of personal information in the private sector (“PIPPS”)23

As suggested above, the obligations that the amendments to Quebec’s private-sector privacy legislation create where services involving personal information are outsourced are not entirely clear.  Section 17 of PIPPS applies to a person carrying on business in Quebec who “communicates personal information outside Quebec or entrusts a person outside Quebec with the task of holding, using or communicating such information on his behalf”.  Section 17 provides:

Refusal

If the person carrying on an enterprise considers that the information ... will not receive the protection ...[required under the Act], the person must refuse to communicate the information or refuse to entrust a person or a body outside Quebec with the task of holding, using or communicating it on behalf of the person carrying on the enterprise.

Section 17 may require an environmental scan, taking into account factors such as the laws governing data protection in the foreign jurisdiction in which a service-provider operates (or lack thereof), the degree to which the rule of law is respected and the stability of the political situation and economy.  If this is the extent of the obligation, it is questionable whether companies will have the resources to conduct the required research.  Even where companies do have the resources, the requirement may have such a significant impact on the economics of outsourcing as to make it less interesting.  Without assistance from government, for example information along the lines of the travel alerts posted by the Government of Canada where it believes Canadians may be at risk travelling in a country or region, it is not reasonable to expect companies to conduct a full environmental scan of jurisdictions in which they are considering retaining a third party service provider.

Another possible interpretation of section 17 is that it is not intended to introduce a prohibition on outsourcing where there are concerns over data security, but rather to require companies to address the nature and magnitude of the risks by including appropriate provisions in their contracts with third party service providers.24

Finally, it is open to debate whether section 17 permits an organization to outsource services involving personal information in circumstances where the information will not receive the degree of protection required under the Act, if the organization obtains the consent of the individual to whom the information relates to the arrangement.

IV. Guidelines

A.1 Taking Privacy into Account Prior to Making Contracting Decisions (“Taking Privacy into Account”)25

The Treasury Board of Canada Secretariat (the “Treasury Board”) has produced two guidance documents for use by federal government institutions that are subject to the Privacy Act26  when they outsource services or programs involving personal information.  The first document, “Taking Privacy into Account” establishes a 3-step program to assess the risks to personal information and the nature of the safeguards that may be used where services or programs are to be outsourced.  It also provides sample provisions for inclusion in Requests for Proposal (“RFPs”) and contracts for outsourced services involving personal information.

Taking Privacy into Account recommends that federal institutions ensure that there is a business case for outsourcing, by assessing factors such as the quality and speed of delivery of the outsourced service and the specialized expertise and other resources required to provide the service, before commencing the risk assessment.

Step 1 involves identifying any privacy risks associated with the proposed arrangement by determining whether the proposed arrangement is in compliance with the Privacy Act and Treasury Board privacy policies, conducting an “Invasion of Privacy Test” and conducting a Privacy Impact Assessment (“PIA”).  The Privacy Invasion Test was developed for the Treasury Board and involves assessing 3 risk factors: the sensitivity of the exposed information; the expectations of the individuals to whom the information relates regarding privacy; and the nature and scope of the potential injury if a breach of data security were to occur.  The Treasury Board has guidelines to assist institutions with performing PIAs.

Step 2 involves assessing the privacy risks related to the jurisdiction in which the proposed service provider is resident.  Step 2 is potentially quite onerous in that institutions are to:

...give consideration to whether contracts or operations under contracts can be negatively affected by the foreign jurisdiction’s economy, political reality, laws and/or legal system.

Step 2 also involves determining whether any international trade agreements apply to the proposed arrangement. The requirement to consider international trade agreements may be unique to the federal public sector and validates the Privacy Commissioner of Canada’s comments that personal information is more likely to be obtained by American authorities under grand jury subpoenas, search warrants, information sharing agreements and bilateral mutual legal assistance treaties signed by Canada and the U.S. than under the amendments enacted by the USA PATRIOT Act.27  The second guidance document, “Privacy Matters”, makes the point more succinctly when, in reference to the amendments to BC/FOIPPA, it suggests that similar provisions could not be included in the Privacy Act, because,

Such action could encourage other foreign governments to do the same, choking off the economic benefits to Canada from work outsourced to Canadian suppliers.

In addition, the federal government must respect international trade agreements that are not binding on provincial governments.28

Step 3 of Taking Privacy Into Account involves assessing whether the protection of personal information in a given outsourcing arrangement requires the imposition on service providers of certain obligations and restrictions.

Institutions are to consider including the first set of obligations in the RFP for the services it is seeking to outsource.  The obligations are of general application and include requiring the service provider to:

  1. where international trade agreements do not apply, conduct the work and retain the data in Canada or Government of Canada facilities;
  2. segregate the information from other information;
  3. submit an information management and security plan;
  4. have specified qualifications or certifications (relating for example, to its knowledge of privacy law and implementation of privacy policies and procedures);
  5. maintain a list of personnel authorized to access personal information or facilities in which personal information is housed;
  6. maintain audit trails and report on access to, disclosure and destruction of personal information.

Institutions are to consider including the second set of obligations in the agreement they enter into with the service provider.  The obligations require that:

  1. the institution maintain control over the personal information involved in the transaction by defining the role and responsibility of the service provider for the personal information, confirming the institution’s ownership of the personal information and demanding that the service provider return or destroy the personal information on demand;
  2. the most stringent of the privacy laws applicable to each of the parties be applied;
  3. access to personal information be limited to authorized persons for the purposes of the contract;
  4. the service provider obtain prior approval for the disclosure of sensitive personal information and the use of subcontractors;
  5. approved subcontractors agree to comply with the privacy, confidentiality and security provisions in the contract and the institution approve the contract between the service provider and the subcontractor;
  6. the institution have the right to inspect the premises and operations of the service provider; and
  7. the service provider promptly notify the institution of any data security breach and indemnify the institution for any damages arising out of such a breach.

Where the risk to privacy is very high and the contract involves database development and data processing, Taking Privacy into Account recommends that proponents responding to an RFP also be required to certify that they have:

... the unfettered lawful right to comply with ... [terms in the RFP or proposed agreement with the company relating to the protection of personal information] and to ensure that personal information which is managed, accessed, collected, used, disclosed, retained, received, created or disposed of in order to fulfill the requirements for the Contract shall be treated in accordance with the Privacy Act, R.S.C. 1985, c.P-21 and the Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5.

Taking Privacy into Account also contains a set of criteria for determining whether foreign law will apply to personal information as a result of an outsourcing arrangement.  The risk designations run from “No Risk”, where the information is maintained and processed at a Government of Canada site or is maintained and processed off-site by a Canadian company that operates uniquely in Canada, to “High Risk”, where personal information is maintained, processed, stored and disposed of by a foreign-based company in a foreign jurisdiction.

A.2 Privacy Matters, The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows (“Privacy Matters”)29

The second federal guidance document, Privacy Matters, makes reference to and incorporates some of the information and recommendations in Taking Privacy into Account, but focuses on the strategy of the federal Government in regard to public sector outsourcing of services involving personal information to foreign-based third party service providers.  Privacy Matters incorporates some of the suggestions made by the Information and Privacy Commissioner for British Columbia in his report on the USA PATRIOT Act,30 including having institutions audit their outsourcing contracts involving personal information.  In this respect, Privacy Matters is the federal version of the survey conducted in Alberta.

Privacy Matters makes many of the same recommendations as are made in Taking Privacy into Account.  It is more detailed in some respects, recommending, for example, that the personnel of service providers be required to sign non-disclosure agreements and that encryption technology be used.  Privacy Matters also makes reference to technological solutions to protect information and includes, as part of the Government’s mid-term (6 months to a year) strategy, the need to determine “best practices in building privacy into design through technological and architectural solutions”.31  The incorporation of privacy considerations into technology and data architectures is too often overlooked, given that by thinking about privacy at the design stage, systems architects may be able to eliminate some data security risks, for example by eliminating points of access to personal information or the storage of live data in a system.

V. Preliminary Conclusions and Steps Forward

As this brief survey indicates, different jurisdictions have taken different approaches to the outsourcing of services that involve personal health information.

The federal strategy in response to the USA PATRIOT Act is to ensure the best practices are used more uniformly throughout government.32  The approach is designed to identify and make institutions more aware of the risks surrounding transborder flows of personal and other sensitive information and to assist institutions in mitigating those risks, for example by insisting on stronger contractual protections.

The federal guidelines on outsourcing demonstrate the value of creating a framework within which to evaluate the threats and risks to personal information that is transferred to or made accessible from a foreign jurisdiction.  The degree to which the guidelines will influence the decision to outsource, the choice of service provider and the shape of the agreement reached with the service provider may be largely shaped by economics: a dominant theme in Privacy Matters is that privacy considerations have to be “balanced” with others, such as “significant cost and service efficiencies, and economic benefits from contracting out as well as the need to respect Canada’s obligations under its trade agreements and the requirements to protect national security”.  According to Privacy Matters, one in every four jobs in Canada is related to international trade.33
 
The Office of the Chief Information and Privacy Officer for Ontario has circulated draft guidelines on outsourcing services involving personal information for consultation, but as of the date of writing, has not released an official version of the guidelines.

British Columbia was the pioneer and perhaps because of the attention the BCSGEU case received, it adopted a highly restrictive approach to the outsourcing of services involving personal information by public bodies to foreign-based service providers.  If there was any thought that legislative restrictions on accessing and storing personal information would encourage the establishment of home-grown data processing businesses, the restrictions do not appear to have had that effect.  The capital costs of starting up or expanding businesses that supply the types of services being outsourced may be too formidable.  As noted by Jean Walters and John Tuck, lawyers with the Legal Services Branch of the British Columbia Ministry of Attorney General, in a paper on outsourcing and USA PATRIOT Act:

Many of the companies seeking contracts from governments are companies with connections to other countries, including the US.  Often it is such large and sophisticated corporations that have the expertise and infrastructure required to provide the services required in complex outsourcing initiatives given the breadth and complexity of the services that need to be provided.34

Ultimately British Columbia was forced to relax the restrictions in BC/FOIPPA on storing and accessing personal information from outside Canada, although even under the most recent amendments, public bodies are only entitled to disclose personal information outside of Canada for limited purposes, including where such disclosure is necessary for data recovery after a system has failed.

Alberta rejected the British Columbia approach, concluding that:

The easy answer, suggested in some quarters, of protecting privacy by assuring no company affiliated in any way with an American company, or doing business in the USA, is allowed to do outsource work for Canadian governments, fails to recognize the existing transnational nature of the IT services industry.35

The amendments made by Alberta to AB/FOIPPA require third party service providers to disregard any demand for disclosure made by or under a foreign authority.  Rather than restrict the activities of public bodies, Alberta has essentially told service providers that if they want to do business with the public sector in Alberta, they have to agree to comply with the laws of Alberta and the laws of Canada applicable in Alberta, regardless of any penalties they may incur for non-compliance with foreign laws to which they are subject.

While adopting essentially the same approach as British Columbia, Nova Scotia was careful to build exceptions into its stand-alone legislation, which permit public bodies to store and access personal information outside Canada where such access and storage is required for a public body’s operations.  The requirement for a public body to report situations where personal information in its custody and under its control is to be stored or accessed from outside Canada ensures accountability for such decisions.

Quebec focuses on safeguards, by placing the onus on the public body or company outsourcing functions involving personal information to ensure that the information will be afforded an appropriate degree of protection.  If under Quebec law, determining the appropriate level of protection involves a full environmental scan prior to engaging a foreign-based service provider, outsourcing may become less attractive, particularly to small businesses.  Small businesses may also not have the bargaining power to secure an agreement with a foreign-based service provider that contains adequate safeguards for personal information.  Where performing the services internally is not an option, an organization may decide to use a foreign-based service provider, even where it deems the risks to personal information to be significant.  The deal made by British Columbia in connection with the outsourcing of functions of the Medical Services Plan and BC PharmaCare involved the establishment of corporate structures designed to ensure that personal information does not become subject to foreign laws in addition to technical and contractual safeguards, but such arrangements have little chance of acceptance in less remunerative, shorter term transactions.36

As recognized by the Information and Privacy Commissioner of British Columbia in his report on the implications of the USA PATRIOT Act, technological advances and trade liberalization have resulted in an increased flow of information across geographic borders.37  It is interesting that technology, which has been a principal driver of outsourcing and a principal source of risk to the security of personal and other sensitive information, is only slowly being recognized as a significant part of the solution.  Perhaps because policy makers and lawyers rather than technology experts have been tasked with creating means to mitigate privacy risks, the focus has been on legislative restrictions and contractual safeguards.  It is encouraging that Privacy Matters refers to the need to explore “technology and data architecture solutions to protect information flows”.38  Privacy needs to be considered from the initial stages of system design and not as an afterthought. A culture needs to be established in which systems architects embrace the challenge of building systems that incorporate privacy protection as enthusiastically as they embrace building systems with ever-greater functionality.39  Privacy Matters points out that the Government of Canada was the first national government to introduce a mandatory PIA policy,  but the effectiveness of tools such as PIAs needs to be routinely examined: adherence to best practices, including performing PIAs, should not in and of itself provide comfort that personal information protection has been adequately addressed.

The approach and means of protecting personal information will undoubtedly change over time.  Perhaps the anticipation of change was part of Nova Scotia’s rationale in passing its law on international disclosure of personal information in stand-alone legislation rather than as an amendment to its Freedom of Information and Protection of Privacy Act.40

* Bonnie Freedman, Goodman and Carr LLP.  The opinions expressed in this article are those of the author and do not necessarily reflect the views of Goodman and Carr, LLP.


1  “Public-sector Outsourcing and Risks to Privacy”, Office of the Information and Privacy Commissioner, Alberta, February 2006, http://www.oipc.ab.ca/ims/client/upload/Outsource_Feb_2006_corr.pdf
2  Tuck, John and Walters, Jean M. “Outsourcing and the USA Patriot Act”, Health Information Privacy and Security Conference, Insight Information, January 29-30, 2007, pp. 4-5.  See also British Columbia Government and Services Employees’ Union v. Minister of Health Services et al., 2005 BCSC 446, Victoria Registry, March 23, 2005.  An appeal has been heard but the decision is under reserve.
3  Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT Act) Act, Pub. L. No. 107-56, 115 Stat. 272 (2001)
4  In one case, a medical records transcriptionist in Pakistan threatened to post the medical records of patients of a San Francisco hospital if she was not paid wages she claimed were owing to her.  Her employer was a subcontractor retained by the service provider to the hospital.  In another case, employees of a service provider in India demanded money in exchange for not making public confidential information entrusted to their employer.  For reports on these cases by the San Francisco Chronicle, see: http://www.sfgate.com/cgi-bin/article.cgi?file+/c/a/2003/10/22/MNGCO2FN8G1.DTL and http://sfgate.com/cgi-bin/article.cgi?file+/c/a/2004/04/02/MNG175VIEB1.DTL.
5  “Privacy and the USA Patriot Act, Implications for British Columbia Public Sector Outsourcing”, October 2004, Information & Privacy Commissioner for British Columbia, http://www.oipcbc.org/sector_public/archives/usa_patriot_act/pdfs/report/privacy-final.pdf
6  See above note 1
7  R.S.A. 2000, c. F-25
8  R.S.C. 1985, c. P-21
9  “Privacy Matters”, The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows, www.tbs-sct.gc.ca, p. 16
10  RSBC 1996, c. 165
11 Ibid., s. 33.1(1)(e.1)(ii)(B)
12  Ibid., s. 33.1(1)(p)
13  Ibid., s. 33.2(b)
14  See above note 87
15  Ibid., s. 40(1)(g).
16  Chapter 3 of the Acts of 2006
17  Ibid, s. 1(g)
18  R.S.Q., c. A-2.1
19  S.C. 2000, c.5
20  Office of the Privacy Commissioner of Canada, PIPEDA Case Summary #313, http://www.privcom.gc.ca/cf-dc/2005/313_20051019_e.asp
21  PIPEDA, Schedule 1, Principle 4.1.3
22  See above note 21
23  R.S.Q., c. P-39.1
24  This interpretation among others was reviewed by Anita Fineberg, Corporate Counsel and Chief Privacy Officer, Canada and Latin America, IMS Health, in a presentation on January 29, 2007 at Insight Information’s conference on Health Information Privacy and Security.
25  Treasury Board, http://www.tbx-sct.gc.ca/gos-sog/atip-aiprp/in-ai/in-ai2005/2005-19_e.asp
26  See above note 8
27  “Transferring Personal Information about Canadians Across Borders – Implications of the USA PATRIOT Act”, Submission of the Office of the Privacy Commissioner of Canada to the Office of the Information and Privacy Commissioner for British Columbia, August 18, 2004, Office of the Privacy Commissioner of Canada, http://www.privcom.gc.ca/media/nr-c/2004/sub_usapa_040818_e.asp
28  See above note 9, p.12
29  Ibid
30  See above note 5
31  See above note 9, p.31
32  Ibid, p.15
33  Ibid, pp.10 and 12
34 See above note 2, p.14
35  See above note 1, p.12
36  See above note 2, pp.26-28
37  See above note 5, p. 13
38  See above note 9, p.4
39  Ibid, p.3
40  S.N.S., 1993, c.5

 


Push and Pull:  Negotiating the Transfer of Passenger Name Record Information

Allison Knight*


INTRODUCTION

In the days following 9/11, the United States passed legislation requiring air carriers operating flights to, from or through the United States to provide Passenger Name Record (PNR) information to US Customs and Border Patrol.1  A Passenger Name Record consists of information provided by a passenger to an airline when booking an airline ticket.  PNR information can range from a person’s name, address, and travel itinerary, to ticket payment information, frequent flyer information, passport details and any special circumstances or requests such as disability accommodations or meal preferences.2

According to US law, PNR data must be made available in order to identify “individuals who may pose a threat to aviation safety or national security”; PNR data may also be shared with other US agencies for the purpose of “national security.”3  Refusal of an airline to provide requested PNR data could result in the withdrawal of its landing authorization in the US.4  Upon passage of this legislation, the US began negotiating agreements with foreign jurisdictions for transfer of PNR data to US authorities.  Negotiations with the European Union have proven to be the most complex and problematic, mainly due to differences in the ways in which the respective jurisdictions collect and process personal data.


US-EU AGREEMENT

Initial talks between the US and the European Commission (EC) were intended to reconcile the security interests of the United States with the data privacy safeguards required by the European Data Protection Directive 95/46/EC.5  The European Directive prohibits transfer of personal data to a third country that does not ensure an “adequate” level of data protection.  As the US does not have an adequate legislative data protection scheme in place to protect the privacy rights of EU citizens,6 transfer of PNR data in accordance with the European Directive requires contractual safeguards to be included in an agreement.  Specifically, the European Directive requires that personal information be collected “for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.”7  Further, the European Directive limits the retention period for records containing personal information and provides access and correction rights for data subjects.

While the first US-EU agreement,8 negotiated in 2004, did not explicitly address any of these requirements, it did refer to Undertakings given by the Department of Homeland Security (DHS) concerning the processing of personal information.  According to the Undertakings, PNR data would be used strictly for the purposes of preventing and combating terrorism, related crimes, and other serious crimes.9  Although the US had originally planned to store PNR data for fifty years, the Undertaking agreed to limit retention of unaccessed data to three-and-one-half years, and retention of accessed data to eight years.  In regard to access and correction, the Undertaking offered non-US citizens the opportunity to file an access request under the Freedom of Information Act10 as well as the opportunity to make “requests for rectification.”

The European Council issued a decision that the data protections contained in the US-EU 2004 agreement and its additional US Undertakings ensured an “adequate” level of data protection.11  The agreement purported to be legally binding in all Member States and provided a unified standard across the EU for the provision of PNR data to the US.12


CANADA/EU AGREEMENT

Similar to the US, Canada also passed legislation requiring the provision of, or access to, the PNR information of all persons en route to Canada at the time of their departure.  The Passenger Information (Customs) Regulations,13 made under section 107.1 of the Customs Act,14 came into effect on October 4, 2002.  Under the Regulations, PNR information must be made available to the Canada Customs and Revenue Agency15 for the purpose of maintaining a safe border, and interdicting “potentially high-risk passengers” who are inadmissible to Canada.

Both the US and the Canadian governments required the transfer of PNR data from European airlines on a unilateral basis, as the European Union does not have similar legislation.  However, because Canada has a similar data protection scheme to that of the European Union, it did not face many of the challenges posed in the US-EU PNR negotiations.  Canada’s privacy legislation16 has been declared “adequate” to EU data protection laws, thereby allowing cross-border flow of data without the requirement of additional contractual safeguards.17

Three other factors added legitimacy to the Canadian negotiations.  First, Canada has an independent privacy office18 that provides oversight, administration and enforcement of its privacy laws.  Second, Canada requested fewer PNR fields from the European airlines than the 34 fields required by the US agreement.19  Third, Canada agreed to a “push” system of PNR information transfer, as opposed to the “pull” system proposed by the US.  Under a “push” system, airlines provide the data to the Canadian government on request.  The “pull” system allows the US government to access the airlines’ information, thereby giving control of the data transfers to US authorities.20

However, because Canadian privacy law only extends to individuals present in Canada, the EU required Canada to provide an undertaking that the same protections would be extended to EU passengers who were not present in Canada.  Upon completion of this requirement, Canada and the EU finalized and signed a PNR agreement.


INVALIDATION OF THE US AGREEMENT

The US-EU and Canada-EU agreement negotiations took place with European Commission representatives as a result of a consultative process, rather than the assent procedure required by the European Parliament.  Parliament, not satisfied that the European Commission’s negotiations had adequately protected EU citizens’ data privacy rights, sought to have the US-EU 2004 agreement annulled.  It argued that because the European Commission acted without authority (ultra vires), the agreement fell outside of the scope of Community law.  Pending a decision of the European Court of Justice, the European Parliament also rejected the Canada-EU agreement on PNR data, even though Members considered the content of the agreement with Canada to be an “acceptable balance” between ensuring security and protecting personal data.21

In May 2006, the European Court of Justice declared the terms of the US-EU agreement invalid.22  The Court did not rule whether the US-EU agreement and related Decisions infringed fundamental rights with regard to data protection; rather, it annulled the agreement on jurisdictional grounds, stating that “neither the Commission decision finding that the data are adequately protected by the United States nor the Council decision approving the conclusion of an agreement on their transfer to that country are founded on an appropriate legal basis.”  According to the Decision, the transfer of PNR data outside the EU is a matter of law enforcement rather than a commercial transaction; therefore, the agreement should have been negotiated under the third, or “Police and Judicial Co-operation in Criminal Matters” pillar of European law, which concerns “co-operation in the fight against crime.”  Although in theory the Canada-EU agreement could suffer from the same jurisdictional fault, Parliament is unlikely to bring a case against the agreement as it contains strong privacy protections for EU citizens’ personal data.


CONSEQUENCES OF INVALIDATION

The invalidation of the EU-US 2004 Agreement was in some respects a “pyrrhic victory” for data protection rights.23  The European Court of Justice’s decision that PNR negotiations rightly belong under the “third pillar” of European law removes PNR data from the scope of the European Data Protection Directive and, because no EU-wide third pillar data protection agreement currently exists, places it under the mandate of individual Member States.  The EU is in the process of developing a framework to provide data protection across third pillar activities of the EU - the proposed framework would offer a level of protection equivalent to that provided by the European Data Protection Directive - but it does not seem that Member States will reach a consensus any time soon.24  Third pillar data protection framework negotiations have been ongoing since April 2001.  Most recently, the German Presidency submitted a letter to the Framework’s Article 36 Committee outlining further concerns with the draft document.25


US INTERIM AGREEMENT

In annulling the Agreement and Decisions, the Court preserved their effects only until September 30, 2006.  Because of the ensuing legal vacuum, the US and the European Commission quickly negotiated an interim agreement, which expires in July of 2007.  The provisions of the interim agreement are strikingly similar to the 2004 US-EU Agreement, and in fact provide even fewer protections for individuals’ personal information.

For example, the interim agreement states that the Department of Homeland Security is “deemed to ensure an adequate level of protection for PNR data.”  The standard of adequacy to which this clause refers is unclear: the European Data Protection Directive is no longer applicable to this agreement; the European Court of Justice invalidated the European Commission’s decision on the “adequacy” of the 2004 agreement’s safeguards; no uniform standard of data protection has yet been adopted under the third pillar; and the European Parliament has had no input into the negotiations, nor approval, of the interim agreement.

To add another layer of confusion and questionable legality to this complex issue, Stewart Baker, Assistant Secretary for Policy at the US Department of Homeland Security (DHS), submitted a letter (the “Baker letter”) to the Council of Europe which purports to “set forth [DHS’] understandings with regard to the interpretation of… the Passenger Name Record (PNR) Undertakings issued on May 11, 2004.”26  In the letter, the Department of Homeland Security vastly expanded both its scope and its treatment of individuals’ personal data.  For example, the letter interprets the Undertakings “so as not to impede the sharing of PNR data by DHS with other authorities of the US government responsible for preventing or combating of terrorism and related crimes”.  The letter reneges on the US’s prior commitment to a data retention period of three-and-one-half years, at least in future agreements, and expands the list of PNR data to include all contact information associated with a frequent flyer number, in addition to reiterating DHS’ requirement for all thirty-four PNR data fields.  In its concluding paragraph, the letter refers to the usefulness of PNR data in the context of infectious disease control, a situation for which access to PNR data was not previously envisioned.27  While the Council of Europe acknowledged receipt of the letter, it did not comment on its content.


GOING FORWARD: 2007 NEGOTIATIONS

In the absence of a European “third pillar” data protection framework to govern security, the next US-EU agreement runs the risk of containing even fewer privacy protections than the current interim agreement.  However, there are three factors that may change the course of the next round of negotiations: (1) the recent disclosure of the Department of Homeland Security’s Automated Targeting System; (2) the US’s secret subpoenas of SWIFT data in violation of the EU Data Protection Directive; and (3) the increasing assertion of human rights of European citizens by the European Parliament.

Automated Targeting System

In November of 2006, the Department of Homeland Security published a notice of its Automated Targeting System (ATS), a risk profiling program that was originally created to screen shipping cargo, but had since been used to screen individuals travelling to and from the US.28  ATS processes “available information”, including PNR data, to develop a risk assessment for each traveller.  The ATS terrorist risk profiles are secret, unreviewable, and maintained by the government for 40 years.  As the agency notice makes clear, the ATS profiles may be integrated with other government databases and may be used for a wide variety of purposes.29

Following the announcement of the Automated Targeting System, European Commission Vice-President Franco Frattini sent a letter to the US Government requesting formal confirmation that the way European Union PNR data are handled in the ATS is the one described in the Undertakings.  As stated by Frattini,

“The information published by the DHS reveals significant differences between the way in which PNR data are handled within the Automated Targeting System (ATS) on the one hand and the stricter regime for European PNR data according to the Undertakings given by the DHS.”

It is difficult to see how the Automated Targeting System could possibly comply with the terms of the US-EU interim agreement, as the Department of Homeland Security sought to exempt the program from its own domestic legislation, the Privacy Act.31

SWIFT Financial Data

The Society for Worldwide Interbank Financial Telecommunications (SWIFT), a Brussels-based banking consortium, complied with US Treasury Department subpoenas for five years by supplying US authorities with financial data.  The European Union's Article 29 Data Protection Working Party concluded that SWIFT violated data protection laws by transferring records of millions of private financial transactions to American intelligence agencies in what it called a "hidden, systematic, massive and long-term transfer of personal data."32  According to the unanimously adopted draft statement, SWIFT failed to provide an appropriate level of protection to meet the requirements for international transfers of personal data; further, the transfer agreement demonstrated a lack of transparency and adequate and effective control mechanisms, and violated the principles of proportionality and necessity contained in the European Data Protection Directive.

European Parliament

The uncertain legitimacy of US instruments of negotiation such as the “Baker letter” and the interim agreement, the imminent deadline for a new agreement, and the two scenarios described above have fostered a certain amount of mistrust towards both the Department of Homeland Security and the European Commission in their respective PNR dealings.  The European Parliament has been highly critical of what it sees as a lack of democratic legitimacy in the negotiations, most recently noting in its January 31, 2007 joint debates that, “the solutions envisaged so far by the Council and the Commission as well as by private companies do not adequately protect the personal data of EU citizens.”33  Allegations by the Minister for European Affairs late last year that the European Commission and European Council were aware of the Automated Targeting System as early as 200534 have further strengthened the European Parliament’s resolve to attend and participate in upcoming high-level negotiation meetings between the US and the EU.

The European Parliament’s February 7, 2007 Joint Resolution adopted at the conclusion of the joint debates demonstrates the degree to which the SWIFT and the Automated Targeting System data transfers have impacted the PNR debate.  As stated in the opening sentence of the Resolution, “[a]greements on PNR, SWIFT and the existence of the US Automated Targeting System (ATS), have led to a situation of legal uncertainty with regard to the necessary data protection guarantees for data sharing and transfer between the EU and the US for the purposes of ensuring public security and, in particular, preventing and fighting terrorism.”  The disclosures of these two data transfer programs have had the effect of focussing the debate on a few key privacy principles related to transparency and accountability, namely the need for independent oversight, and access and correction mechanisms.  These two features, oversight by an independent agency, and the availability of redress procedures, form the critical distinction between the US-EU and Canada-EU agreements.

The momentum that is currently building in the European Parliament may be enough to ensure that the next US-EU PNR agreement, in July 2007, contains satisfactory data protections based on Europeans’ fundamental right to the protection of their personal data,35 regardless of whether an EU third pillar data protection framework is yet in place.  Formal negotiations for a new US-EU PNR agreement will begin in Washington, DC this March.

* Allison Knight is Staff Counsel at the Electronic Privacy Information Center in Washington, DC, and a member of the Ontario Bar.  She can be reached at knight@epic.org.


1  Division of the Department of Homeland Security.
2  For further discussion of Passenger Name Records, see Privacy and Human Rights 2005 (EPIC/Privacy International, 2006) at 80-88.
3  US Aviation and Transportation Security Act 2001, Pub. L. No. 107-71, § 101(a) and 115, 115 Stat. 597.
4  Air Commerce Regulations, 19 C.F.R. § 122.14 (d) (1999).
5  EC, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, [1995] OJ. L. 281.
6  The Privacy Act of 1974, 5 U.S.C. § 552a, which stipulates data privacy requirements for US federal government agencies, only extends its protections to US citizens and permanent residents.
7  Ibid. at Section I, Article 6, ss.1(b).
8  EC, Agreement between the European Community and the United States of America on the Processing and Transfer of PNR Data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, [2004] CE/USA/en 1.
9  US, Department of Homeland Security Bureau of Customs and Border Protection (CBP), Undertakings of the Department of Homeland Security Bureau of Customs and Border Protection (CBP) (2004) at s.3.
10  5 U.S.C. § 552.
11  EC, Council Decision on the Conclusion of an Agreement Between the European Community and the United States of America on the Processing and Transfer of PNR Data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, [2004] 2004/496/EC.
12  EC, Airline passenger data transfers from the EU to the United States (Passenger Name Record) Frequently Asked Questions, [2003] MEMO/03/5.  Available at: <http://ec.europa.eu/comm/external_relations/us/intro/pnrmem03_53.htm>.
13  S.O.R./2003-219.
14  R.S. 1985, (2nd Supp.), c.1.
15  Now to the Canada Border Services Agency.
16  Privacy Act, R.S. 1985, c. P-21; Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5.
17  EC, Commission Decision No. 2002/2/EC pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act, [2001] O.J. L 2/13.
18  The Office of the Privacy Commissioner of Canada.  Available online: <http://www.privcom.gc.ca>.
19  Canadian authorities requested a maximum of 25 PNR fields.
20  EC, Agreement Between the European Community and the Government of Canada on the Processing of API/PNR Data, [2006] O.J. L.82/15.
21  European Parliament, Press Release, “MEPs reject the EU-Canada agreement on transfer of personal data” (7 July 2005).  Available online: <http://www.statewatch.org/news/2005/jul/ep-canada-pnr.pdf>.
22  Parliament v. Council, C-317/04 and C-318/04, [2006] O.J. C. 178 at 1.
23  Statewatch, PNR Observatory, available online: http://www.statewatch.org/news/2006/jun/pnrobservatory.htm.
24  Council of Europe, Proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, Memo/05/349 (2005).
25  Council of Europe, Presidency, Proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, (2007) Interinstitutional File 2005/0202 (CNS).
26  72 Fed. Reg. 348 (2007).
27  The Centers for Disease Control and Prevention (CDC) issued a proposed rule in 2005 that would require airline and shipping industries to gather passenger information, maintain it electronically for at least 60 days, and release it to the CDC within 12 hours of a request.  The comment period for the proposed rule closed in March 2006; however, a final rule has not been published.  See online <http://www.cdc.gov/ncidod/dq/nprm/>.  See also the Electronic Privacy Information Center’s comments on the proposed rule at <http://www.epic.org/privacy/medical/cdc_com013006.pdf>.
28  Notice of Privacy Act system of records, 71 Fed. Reg. 64543 (2006).
29  Electronic Privacy Information Center, “EPIC Spotlight on Surveillance: Customs and Border Protection’s Automated System Targets U.S. Citizens” (October 2006).  Available online: <http://www.epic.org/privacy/surveillance/spotlight/1006/default.html>.
30  European Union, Press Release No.108/06, “Statement by European Commission Vice-President Franco Frattini, Responsible for Justice, Freedom and Security, in the European Parliament on ‘Data Protection and Transfer of PNR Data’” (December 13, 2006).  Available online: <http://www.eurunion.org/News/press/2006/20060108.htm>.
31  Supra note 25.
32  Article 29 Working Party, Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT).  Available online: <http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/wp128_en.pdf>.
33  EC, Motion for a Resolution to Wind Up the Debate on Statements by the Council and Commission Pursuant to Rule 103(2) of the Rule of Procedure (2007).
34  Address to the European Parliament by Minister for European Affairs Paula Lehtomaki on Data Protection (December 2006).  Available online: <http://www.statewatch.org/news/2006/dec/ats-eu-coun-statement-12-dec-06.pdf>.
35  Charter of Fundamental Rights of the European Union, [2000] 2000/C 364/01 at art.8.

 


Notifications under PHIPA

1. Privacy Breach Notification
2. Transfer of Records to Successor

Elaine Ashfield*


1.  Privacy Breach Notification

Overview of Breach Notification Laws

Organizations that collect, use and disclose personal health information within Ontario must comply with the Personal Health Information Protection Act, 2004 (PHIPA).   Currently, PHIPA stands alone as the only privacy statute in Canada that requires individuals be notified if personal information has been subject to a privacy breach.  Following a number of high profile privacy breaches, the most recent being that affecting customers of TJX Cos., there is increased public awareness and pressure on other governments to impose laws requiring organizations to notify individuals of privacy breaches.  Whether such changes are coming to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) is uncertain although the federal parliamentary review committee has heard many submissions from privacy proponents, including the federal Privacy Commissioner, advocating for the inclusion of a notification requirement. 

In contrast to Canada, the United States has seen a proliferation of data breach notification laws.1  These U.S. laws define breaches differently and prescribe different thresholds for notification triggers than PHIPA and hence the term “data breach” is usually used in the U.S. rather than “privacy breach”.  For example, in California, which was the first state to institute a data breach notification law, notice is required when certain specified types of personal information are acquired without authority but notification is not required if the information is encrypted electronic information.2  In the U.S., the justification for imposing data breach notification laws continues to be the premise that individuals should be notified of the breaches so that they may take appropriate measures to protect against identity theft.  In Ontario, PHIPA goes beyond the concept that the notification is required so the individual may protect himself or herself.  The underlying purposes of PHIPA are to protect both the confidentiality of the information and the privacy of the individuals with respect to the information.3  PHIPA’s inclusion in its purposes of the individual’s right to privacy, which includes the right to control of one’s personal information, leads to a much broader notification requirement in PHIPA as contrasted with the U.S. laws.  As a result, Ontarians have a “privacy breach” notification law that requires notification even in circumstances in which there is no likelihood of identity theft occurring.  For example, if a health care professional inadvertently picks up a patient chart from a stack of charts that recently have been reviewed by a physician and inadvertently reads a physician’s order on a patient that he or she is not caring for before realizing that the wrong patient chart was read, the patient must be notified of the privacy breach under PHIPA.

The Notification Provision:  Subsection 12(2) of PHIPA
For health information custodians who must notify individuals, the focus must be on managing the notification process so that it complies with the law and evolving best practices while delivering the message to individuals in such a way that the individual understands the nature and impact of the privacy breach.  The goal for the organization is to provide the notification in a manner that mitigates and minimizes potential damage to reputation.

The privacy breach notification provision in PHIPA is found in subsection 12(2) which states:

“…A health information custodian that has custody or control of personal information about an individual shall notify the individual at the first reasonable opportunity if the information is stolen, lost, or accessed by unauthorized persons.”

Considerations for Notifying Individuals of Privacy Breach
When faced with a situation in which a potential privacy breach occurs, the custodian first must assess whether to notify the affected individual.  Factors to consider include whether the custodian has a legal or contractual obligation to notify in the particular circumstances.  If there is no legal or contractual obligation to notify, the custodian should then consider other factors such as whether there is a risk of identity theft or other fraud, whether there is a risk of physical harm to the individual, or a risk of hurt, humiliation or damage to the individual’s reputation or whether there is a risk of loss of business or employment opportunities to the individual. 

Once the custodian decides to notify the affected individual, then the custodian must decide when and how to notify the affected individual and what to include in the notification.

Timing
PHIPA requires that notification occur “at the first reasonable opportunity”.  When that “first reasonable opportunity” arises will certainly depend on the particular circumstances of the privacy breach.  The nature of the incident will impact the time it takes to contain and investigate the incident before the custodian is able to make a decision on whether a privacy breach has occurred.  Further, the number of individuals who must be notified and the mode chosen to notify them will also impact the length of time it takes to notify. 
 
The obvious first step4 once learning of a privacy breach is to contain the breach by notifying the organization’s privacy office, the police (if appropriate) and securing the environment (as appropriate).  An investigation is required before notifying – what happened to whose information in what jurisdiction and why did it happen and what are you going to do about it.  For example, if a privacy breach involves a misdirected fax containing a patient’s information, the breach usually can be contained and investigated quickly.  Notification should occur quickly – either the same day or next business day it occurred.  In contrast it will take longer to contain and investigate an incident involving the theft of a laptop containing thousands of patient records and consequently you may not be in a position to notify for some time.  The time to notify will depend on the administrative resources that the organization has available to identify the affected individuals and assemble and process their contact information.  If the custodian can’t identify what information was on the laptop, it won’t be able to notify the affected individuals directly.  When law enforcement is involved, the timing of the notice may also be impacted if the police indicate that providing notice will impede their investigation.

Mode of Notification
PHIPA does not stipulate the mode that must be used to notify the individual of the breach.  The mode of notification and whether direct or indirect notification should be used will need to be determined having regard to the particular circumstances.  With one misdirected fax, it may be appropriate to notify an individual directly by calling to advise him or her of the data breach (provided that the custodian has information that may be used to authenticate the identity of the individual over the phone before providing information on the privacy breach).  When notifying numerous individuals, the custodian may choose to either post a general notice where the individual is likely to see it or to send a letter to the individual advising them of the breach.  The custodian may choose to use multiple forms of notice such as sending a letter to affected individuals and posting a notice on the website, in an office or in a newspaper.  Direct notice of individuals should be the preferred mode of notification if there is a risk of identity theft or other risk to the individual.  Indirect notification would be appropriate in circumstances where a large number of individuals have been affected by the breach and it would be impractical to notify all of them directly or direct notification would affect the timeliness of the notification. 

Content of the Notice
Whatever approach is chosen, the information about the data breach must be conveyed in a sensitive manner and consideration should be given as to whether an apology is appropriate.  The notice should provide the following information:

  • the date of the breach;
  • description of the breach including the nature and circumstances of the breach;
  • description of what personal information was involved in the breach (the data elements);5
  • contact information for the person(s) who are available to answer questions and provide information to the individual;
  • what steps the individual can take to mitigate the risk of harm and protect against identity theft (if appropriate); and
  • measures the organization has taken to mitigate the harm and any further likely steps.

If the Information and Privacy Commissioner of Ontario has been notified, include this in the notification and provide the Commissioner’s contact information to the individual.   

When a breach affects many individuals, the custodian should prepare for follow-up enquiries from the individuals, from the Commissioner’s office, from the media, and from other customers or the general public.  In anticipation of these follow-up enquiries, the custodian should develop and provide Q & As for its staff, designate a media contact, consider posting information about the data breach on its website, and consider setting up a dedicated phone line for enquiries from the affected individuals.

Additional information that a custodian may wish to consider including with a written notification is set out below.  Additional guidance and information is readily available on the Information and Privacy Commissioner of Ontario’s website at www.ipc.on.ca.

Sample FACT SHEET

Information on the Personal Health Information Protection Act, 2004

The Personal Health Information Protection Act, 2004 (the Act) came into effect on November 1, 2004 and governs the collection, use and disclosure of personal health information within the health care system.  The objective is to keep personal health information confidential and secure, while allowing for the effective delivery of health care services.

Under the Act, [name of organization] is prescribed as a health information custodian and is required to adhere to the Act in carrying out its duties.  Section 12 (1) of the Act requires that health information custodians ensure that personal health information in their custody or control is protected against theft, loss and unauthorized disclosure.  In the event of any of the above, the Act requires a health information custodian, under section 12 (2), to notify individuals when their personal health information is disclosed.

In fulfilling [name of organization]’s obligations under section 12(2) of the Act, we have notified you [identify data breach and date of occurrence].

 
Sample INFORMATION SHEET

STEPS TO TAKE TO PROTECT YOUR IDENTITY

1. Contact all credit bureaus. 

The three Canadian credit bureaus are:

Name                     Phone #         Fax #           Web Site
Equifax Canada           1-800-465-7166  514-355-8502    www.equifax.ca
TransUnion of Canada     1-866-525-0262  905-527-0401    www.tuc.ca
Northern Credit Bureaus  1-800-532-8784  1-800-646-5876  www.creditbureau.ca

2. Request a copy of your credit report, which is available free of charge.

Review the information on your credit report carefully to see if any unauthorized changes have been made to your existing accounts.  Look for inquiries from creditors that you did not initiate. Look for personal information, such as home address and a social insurance number that is not accurate. If you see anything that you do not understand call the credit agency. 

3. If you suspect fraud, follow up with the business and if it is confirmed you should file a police report.

If you find a problem on your credit report, contact the business where the fraudulent charge occurred.  Talk to someone in that business’s security or fraud department.  If the fraud is confirmed, you should file a police report. 


2.  Notice for Transfer of Personal Health Information Records to a Successor

Transferring records containing personal health information to a successor is one of the exceptions to the general rule under PHIPA that consent must be obtained from the individual for the disclosure of personal health information.  PHIPA requires only that the custodian provide notice to the individual.  Subsection 42(2) of the Act states:

“A health information custodian may transfer records of personal health information about an individual to the custodian’s successor if the custodian makes reasonable efforts to give notice to the individual before transferring the records or, if that is not reasonably possible, as soon as possible after transferring the records.”

The term “successor” is defined in PHIPA Regulation 329/04 as a successor that is a health information custodian and as such is not a practically useful definition.  It would be reasonable to consider a “successor” of a custodian to include any person or entity that is merging with or acquiring the shares or assets or taking over the provision of services of a custodian.

Considerations for Notifying Individuals of Transfer of Records

The obligation to provide notice about the transfer of records is that of the transferor.  In practical terms, the form, content and timing of the notice will likely be the subject of negotiations between the transferor and successor.  Notice may be provided in a number of ways: in person, by telephone, or by letter to the individual; or by a notice posted in an area likely to be seen by the individuals; or by a general notice in a newspaper.  What constitutes “reasonable efforts” to provide notice will depend upon the particular circumstances.  If the transfer involves large numbers of records, or involves historical records without current contact information for individuals, it will not be reasonable to notify each of the individuals. 

The notice of transfer should contain the following information:

  • what records are being transferred;
  • name and contact information for the successor;
  • when the records have been or will be transferred.

A sample notice for posting in an office is attached.

 

Sample NOTICE TO PATIENTS

TRANSFER OF RECORDS

Effective [insert date] [insert transferor name] will no longer be engaged in the [specify services] for [identify affected patients].  As of [insert date of transfer] [insert successor name] will provide [specify services and location]. Please accept this as notice that [transferor] will be transferring [identify records being transferred].  [Insert successor name] requires these records in order to facilitate continuity of care.

Any questions regarding the transfer of these records may be directed to:

[Identify name and contact information for representative of Transferor]

or:
 [Insert name and contact information for representative of Successor]

*This notice is provided in compliance with the requirements of the Personal Health Information Protection Act, Ontario.

[Please post from [date] to [date]]

* Elaine Ashfield, B.Sc.N, R.N., LL.B., Executive Director, Privacy, Records and Information Management, Canadian Blood Services, (613) 739-2410, Elaine.ashfield@bloodservices.ca.


1  Thirty-four U.S. States now have privacy statutes and there are many other sector specific laws that impact privacy as well.
2  California Civil Code Sections 1798.29, 1798.82, and 1798.84.  In contrast to this California law, PHIPA does not address encrypted data.  It is left to the health information custodian to decide whether notification is required when information is encrypted.  The question at the crux of the issue is whether encrypted data is properly characterized as “personal health information.”
3  Personal Health Information Protection Act, 2004, S.O. 2004, c.3, Sched. A, s. 1.
4 Privacy breach management procedures that address communication escalation processes, define roles and responsibilities within the organization, and include decision making matrices and templates for addressing a privacy breach assist an organization to improve its management and response to privacy breaches.  The Information and Privacy Commissioner of Ontario has published guidelines on managing privacy breaches that may be used by organizations to develop their privacy breach management procedures.  The guidelines are available at www.ipc.on.ca.
5  Consider also commenting on what information was not included when the privacy breach involves personal health information only.  Individuals who receive a privacy breach notice under PHIPA may assume that their financial information is at risk and therefore alerting them to the fact that their social insurance numbers, bank account numbers, and like information were not involved in the privacy breach may be helpful.
 


Video Surveillance Use by Municipalities in Ontario

Louise Vrebosch* and Michael Migus**


In the early morning hours of July 31, 2005, the surveillance cameras panned across revelers in Toronto’s downtown Dundas Square. Among the hundreds in the Square that night, the camera operator could see dozens of on-duty police officers, just steps from their precinct headquarters at 52 Division. Also there, almost out of view at the edge of the Square, were 21-year-old Dwayne Taylor and 24-year-old Ajine Stewart, both Toronto residents. In the midst of this celebration, in front of these hundreds, Ajine Stewart allegedly shot Dwayne Taylor dead.

Sadly, the events of that night were not anomalous. Gun violence increasingly plagues Toronto and other Canadian cities and has prompted an eruption of media coverage and public outcries for political action.1 In the most recent federal election and municipal elections, gun violence was a hotly debated topic, as various means were proposed as ‘solutions’ to deal with the issue.

Closed Circuit Television or CCTV has often been hailed as a quick-fix solution. But reports on the efficacy of CCTV systems have been inconclusive, due in part to the existence of confounding variables, such as the concurrent installation of better lighting or increased police presence. What is known is that the implementation of CCTV systems has the potential to significantly and negatively impact citizens’ fundamental freedoms, such as the freedom of association and movement.

The potential erosion of these freedoms cannot be justified without a clear representation as to the actual efficacy of CCTV.

Current Operations in Ontario

Many municipalities across Ontario already have CCTV systems in place, a trend that is reflected throughout Canada.

In response to the stabbing death of a young man, the City of London, Ontario, implemented one of the most comprehensive surveillance systems in the province in November of 2001.2 The Downtown Camera Program installed 16 cameras, 14 of which are situated in the downtown core, in order to promote a “safer environment”.3 In November of 2005, the City of Thunder Bay also chose to install 16 cameras in its downtown as part of a street surveillance program. The City of Peterborough and the Town of Thessalon also have systems.

The Greater Sudbury Police Service’s Lions Eye in the Sky was one of the first CCTV systems in Ontario.4 This program came into effect in 1996 and is unique in that it is administered by a Police Services Board and not the municipality.

Legal Authority to Install and Operate Video Surveillance Cameras in Public Areas

Municipalities have been statutorily delegated the power to implement a public CCTV system, primarily via the Municipal Act, 2001.5 Although the Municipal Act does not address CCTV systems, section 130 grants municipalities the authority to regulate matters not specifically provided for by the Act or any other Act for purposes related to the health, safety and well-being of the inhabitants of the municipality.6 

In addition, municipalities have a duty under the Occupiers’ Liability Act7 to take reasonable care as the occupier of publicly owned spaces, to ensure that persons entering on premises under the municipalities’ control, and the property they bring onto the premises, are reasonably safe while on the premises.8 Although the Liability Act does not apply to municipalities as occupiers of public roads or highways, including streets or sidewalks, the Act does apply to municipalities as an occupier of publicly owned spaces such as parks or civic squares.

Neither of these statutes permits municipalities to participate in the investigation of criminal activity, but they do justify certain measures taken on behalf of public safety. Arguably, the installation of surveillance cameras provides a certain amount of safety to the citizens of a municipality. In light of these limited statutory powers, the objective of municipal implementation of CCTV systems is best viewed as the protection of the health, safety and well-being of municipal inhabitants through the deterrence of unlawful or anti-social behaviour in public places.

According to the Police Services Act,9 municipalities are required to provide adequate and effective police services through a Police Services Board.10 Unlike municipalities, which are not authorized to participate in criminal investigations, Police Services Boards are statutorily mandated to prevent crime, enforce the law, and maintain public order.11 Consequently, CCTV systems that are implemented by Police Services Boards rather than municipalities, like the one in Sudbury, may serve additional purposes beyond deterrence, such as enhancing the police’s ability to respond to crime.12 Since Police Services Boards have their own statutory powers, they are not required to seek municipal council approval to implement a CCTV system.

Further, municipalities are required to provide the infrastructure and administration necessary for providing policing services.13 A CCTV system could potentially be classified as part of this necessary infrastructure. Consequently, one factor that may determine whether a municipality, as opposed to a Police Services Board, will implement a CCTV system is the finances of the respective bodies. Where the municipality decides to implement the system, the municipality and the police can arrange for a “data-sharing agreement” to outline how information will be shared. Such an agreement would be subject to the Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”).14

Requests for Footage Captured by CCTV Systems

Three main categories of individuals would likely generate requests for footage: the municipality itself, the police, and members of the public.

The Municipality

Under the Municipal Act, municipalities have the power to make by-laws the contravention of which would constitute an offence under that act.15 Theoretically, a municipality could use video surveillance footage as evidence in its prosecution of certain offences and by-law infractions. However, this would seldom be necessary, given the types of activities most municipalities prosecute. Still, one could foresee the use of footage in prosecutions under certain by-laws, such as the Dog Owner Liability Act.16

Police

Where a municipality operates a CCTV system, the Police Services Board and the municipality may enter into a data-sharing agreement, subject to MFIPPA. The police would be able to use the personal information collected by the cameras either proactively or reactively; for example, they could use the footage to respond to real-time criminal activity more effectively, or they could use it to find and charge alleged offenders after the commission of a crime.
 
The Public

The public could also request surveillance footage produced by a municipally-operated or police-operated CCTV system the same way they would request any other information under the control of a municipality or municipal police force. They may simply request the footage or, if this is unsuccessful, may apply in accordance with the MFIPPA to view the footage. All relevant considerations under MFIPPA would apply in deciding whether to release the information to members of the public, such as whether or not the video contained personal information about another individual or falls within some other disclosure requirement exemption.17

While it is possible for the public to request public surveillance footage, it is unlikely many requests will be generated by the public. According to the City of London, Ontario, it received only three requests for video surveillance information in 2003, and one in 2004. The requestor in 2004, having reviewed the information pursuant to MFIPPA, did not request a copy.18

The Use of Surveillance Footage as Evidence Generally

In general, the use of video surveillance evidence in court is prevalent, particularly in certain areas such as insurance law, where litigants often hire private investigators to conduct surveillance of beneficiaries. Surveillance footage is commonly used as evidence in criminal law matters as well. Police officers often obtain warrants to conduct surveillance of specific targets.

As early as 1950, courts in Canada acknowledged that the use of photographic and video evidence would change the face of litigation. Chief Justice Farris (as he then was) stated in Army & Navy Department Store (Western) Ltd. v. Retail Wholesale & Department Store Union, Local No. 535 et al.,19 that:

With the scientific development of moving pictures, there might arise, in the future, an action when the pictures themselves, properly proved, would be the very best evidence of what occurred.20 

Justice Fleury in Greenough v. Woodstream Corp.21 reiterated this statement some forty years later and then went further:

I am satisfied that these scientific developments have occurred and that new rules have to be devised to deal with the introduction of videotape evidence.22  

The Courts have yet to grapple with the specific privacy implications involved in the installation of CCTV systems by public bodies. The Courts have, however, dealt with surveillance of specific individuals for a specific purpose and the surveillance of employees in the workplace. This latter line of cases may be helpful in predicting how the issue of privacy in public places will be dealt with.

In Amalgamated Transit Union Local No. 569 v. Edmonton (City),23 the Alberta Court of Queen’s Bench referred to “the supposed truism that a person does not have an expectation that his public actions will be free from surveillance”.24 The Court referred to this proposition as a “common sense assumption” that must, however, give way in specific circumstances.25 In this case, an employee working in a public place was found not to have a reasonable expectation of privacy.

The Court also acknowledged, in reference to an article entitled “Privacy and the Reasonable Paranoid: the Protection of Privacy in Public Places”,26 that there will be circumstances where there may be an expectation of privacy in relation to public actions, which could protect the actor from state intrusion. Further, it is interesting that the Judge specifically noted:

I also accept that electronic recording of our actions might be characterized as invasive simply because a device might catch something that the naked eye might not. Such devices provide the means to expose the captured activity on a much broader scale than the actor could ever have imagined.27

Municipally-owned Surveillance Footage as Evidence

As noted earlier, video surveillance systems have been established by municipalities and municipal police services boards in Ontario since at least 1996. One would assume that in the ten years since, footage produced by these systems would have been used in the prosecution of an alleged offender or in a civil action against an alleged wrongdoer. However, a thorough search of reported Ontario court decisions failed to reveal any cases, and municipal employees in Greater Sudbury and Peterborough knew of none.

There are many potential reasons why there are no reported uses, including: 

  1. The amount of footage being produced makes actual use too cumbersome;
  2. Once the alleged offender has been apprehended, the video footage becomes a non-issue due to the existence of other identification evidence;
  3. Once the police have the required footage, alleged offenders are taking plea bargains; or
  4. Cases are still working their way through the system. 

This last hypothesis has potential support when one looks at examples of incidents given by the City of London in the City of London Ontario Report.28 The report lists incidents between March and May of 2005 where police were able to use CCTV footage to apprehend and charge alleged offenders.29 Given the currency of these examples, it may still be too early to determine how the use of the footage will play a role in any potential trials.

Effectiveness of CCTV Systems

Municipalities have primarily implemented CCTV systems to deter unlawful or anti-social behaviour in public places. Various theories have been advanced to support the idea that CCTV systems make poor deterrents.

One such theory is the theory of “displacement” or “dissipation”. It is argued that the focusing of cameras on a concentrated area known for criminal activity will displace the activity to a different non-surveilled area or disperse it throughout the community. This displacement or dissipation makes the undesirable activity harder to manage. Little real world support can be found for this theory. A report by the UK Home Office on the effectiveness of CCTV systems concluded that little or no displacement or dissipation has occurred as a result of the implementation of CCTV systems in the UK.30 The City of London Ontario Report reached a similar conclusion.

Another reason advanced to support the proposition that CCTV systems are poor deterrents is that CCTV systems will likely fail to modify the behaviour of individuals who commit impulsive crimes or crimes of the most egregious or heinous nature. The UK Report suggests CCTV systems may affect different crimes differently; for instance, impulsive crimes (e.g., alcohol-related crimes) are less likely to be reduced than premeditated crime (e.g., theft of motor vehicles).31

The Dundas Square incident with which we opened supports a proposition that CCTV systems are ineffective in deterring the most egregious of crimes, such as those involving guns. In this incident the gunman was not deterred by the throngs of people, the numerous police officers or the presence of video surveillance cameras. The gunman represents the type of individual that likely could not have been deterred from committing his crime.

There is no documented definitive proof that CCTV systems effectively deter either impulsive or premeditated crime. The UK Report noted:

[S]tudies of CCTV have not been definitive about whether CCTV works and this is the case even though different criteria may be used to assess effectiveness. But there is a further problem in that the research points to possible successes and failures without explaining why these have occurred.32

The report noted that the lack of evidence supporting the effectiveness of CCTV systems stems from the difficulty in judging the actual effects of such systems. Difficulties arise because other variables may influence the results, such as the installation of lights or fences and increased police patrols.

An empirical study of CCTV control room operation conducted by UK researchers Clive Norris and Gary Armstrong provides another reason why CCTV systems are likely to be ineffectual: operator prejudice.33 The study concluded that operator prejudice, as opposed to criminal behaviour, was the primary reason for the surveillance of individuals. Forty percent of all individuals targeted by camera operators were targeted for no apparent reason other than belonging to a particular cultural group. It was also found that women were targeted by camera operators for voyeuristic reasons. For these reasons the authors concluded that rather than becoming a tool to promote social justice through the prevention of crime, CCTV will likely become a tool of injustice and discrimination.34 

The City of London Ontario Report provides a rare example of a study that has examined the effectiveness of the implementation of a CCTV system. The report concluded the city’s CCTV system had no significant impact on the incidence of crime. It is noted in an appendix to the report that:

As in previous years, it is not felt that the cameras are reducing crime in the downtown area or pushing crime away from the intersections into other areas not monitored by the cameras.

Despite this conclusion, the City of London Ontario Report still recommended the continuation of the program.35 

The lack of reported cases using municipally-owned street surveillance footage as evidence is another factor weighing against the effectiveness of CCTV systems as deterrents in Ontario. Arguably, one of the largest factors contributing to deterrence of crime is an individual’s fear that the footage may be used against him or her in legal proceedings. If offenders learned that the authorities would likely not use surveillance footage, this would negatively impact deterrence.

Privacy Concerns

Privacy is a fundamental right that has constitutional dimensions, under ss. 7 and 8 of the Canadian Charter of Rights and Freedoms.36 CCTV systems impact these fundamental freedoms, including the freedom of association and movement. Privacy advocates argue that the average person, fearing that they may be caught by the camera, will act differently than they would otherwise. This is known as the ‘Panoptic effect’.

In 1787, Jeremy Bentham proposed the Panopticon, an architectural system of social discipline, which was applicable to various institutional locales such as prisons.37 The Panopticon design consists of a central tower surrounded by a ring-shaped building. Individuals in the ring are subject to asymmetric scrutiny by an observer in the tower who remains unseen.38 Control is maintained through the induction in the individual of a state of conscious and permanent visibility.39 Conformity is forced upon the individual because they do not know whether or not they are being watched and they must therefore assume that they are.40 In its essence, the Panopticon acts directly on individuals and gives power of mind over mind.41

CCTV systems are unique in that through technology, they extend the social discipline of the Panopticon to non-institutionalized public spaces.42 Proponents of CCTV systems often argue that individuals should have a lower expectation of privacy in these public spaces, since no matter where they are they will be seen by someone. In rebuttal, privacy advocates argue that there is an essential difference between being seen or even watched by passers-by and being directly monitored by an individual in a position of authority. This asymmetry is made more poignant by the fact that CCTV systems capture one’s image, potentially permanently. In essence, surveillance cameras erode expectations of privacy in public and do so in an exceedingly insidious fashion.

The adoption of emerging technologies will continue to expand CCTV’s surveillance footprint: facial recognition software to ‘recognize’ wanted individuals and magnetic resonance imaging technology to ‘predict’ an individual’s likely next action are but two examples. These technologies have the potential to confound any expectation of privacy (even reduced privacy) in public spaces.

Response to Privacy Concerns

The Ontario Information and Privacy Commissioner in her Guidelines on the Use of Video Surveillance in Public Places addressed some of the aforementioned privacy concerns in 2001.43 The Ontario Guidelines stated that, in certain circumstances, municipalities might be justified in installing video surveillance cameras in public places. They further noted that the implementation should be accompanied by an assessment of the effects the system will have on personal privacy and should be carried out in a manner that minimizes privacy intrusions.

The Office of the Information and Privacy Commissioner for British Columbia also released a set of guidelines in 2001, which echoed the sentiments of the Ontario Guidelines.44 The BC Guidelines require that a privacy impact assessment be conducted before any public surveillance system is implemented. They also note that any potential system should only be implemented when the benefits of surveillance substantially outweigh any reduction of privacy.

In March 2006, the federal Privacy Commissioner released her own guidelines on the use of video surveillance systems in public places.45 Like the Ontario Guidelines and BC Guidelines, they do not recommend a blanket prohibition on video surveillance of public places; however, they stress the importance of proper justification and public consultation in light of the potential privacy implications and suggest various safeguards against misuse of the information collected.

Conclusion

Times have changed. Crime has changed. Police forces in Canada must have the ability to respond to these changes effectively. However, the implementation of CCTV systems is only one option for fighting crime, and it is an option that potentially carries with it serious privacy implications.

With the lack of clear evidence as to the effectiveness of video surveillance, it is critical that any CCTV system be subject to regular, mandatory justification via audits. Indeed, the ongoing review of the base need for surveillance systems is common privacy guidance in Ontario, British Columbia, and federally. The Federal Guidelines, the most recent of the three reviews, stress justification and public input even more than either the Ontario Guidelines or the BC Guidelines.

It is equally important to review the marginal effectiveness of these systems. If results of reviews show that CCTV systems are not effective in achieving the goals for which they were implemented, the infringement of fundamental freedoms may not be justified.

* Louise Vrebosch is an associate with Purser, Dooley, Cockburn and Smith LLP in Barrie, Ontario. She is grateful to the City of Toronto for its research support during the writing of this article. The views expressed herein are solely those of the authors.

** Michael Migus is an articling student with Deeth Williams Wall LLP in Toronto.


1  Although firearm crimes are reportedly down, gun-related murders are on the rise in Toronto. Coalition for Gun Control, Gun Violence: Just the Facts, online: <http://www.guncontrol.ca/Content/New/08janFactSheet06.pdf>.
2  Ontario Information and Privacy Commissioner, Review of the Video Surveillance Program in London, Ontario (2002) [unpublished, submitted to the Corporation of the City of London City Clerk’s Department, September 26, 2002].
3  City of London, Downtown Camera Program, online: City of London Website <http://www.london.ca/Cityhall/EnvServices/cctvproject.htm>.
4  Greater Sudbury Police Service, Inside the GSPS/Lions Eye in the Sky, online: Greater Sudbury Police Service Website <http://www.police.sudbury.on.ca/inside/lionseye.php>.
5  S.O. 2001, c. 25 [Municipal Act].
6  Ibid. s. 130.
7  R.S.O. 1990, c. O.2 [Liability Act].
8  Ibid. s. 3(1).
9  R.S.O. 1990, c. P.15 [Police Act].
10  Ibid. s. 4, 27 and 31.
11  Ibid. s. 4(2).
12  KPMG, Evaluation of the Lion’s Eye in the Sky Video Monitoring Project, online: Greater Sudbury Police Service Website <http://www.police.sudbury.on.ca/publications/reports/KPMG.pdf>.
13  Supra note 9, s. 4(3).
14  R.S.O. 1990, c.M.56 [MFIPPA].
15  Supra note 5, s. 425.
16  R.S.O. 1990, c. D.16.
17  Supra note 14, s. 6-16.
18  Peter W. Steblin, P. Eng., General Manager and City Engineer, Environmental and Engineering Services Department, City of London, Annual Evaluation Report of the Downtown Monitored Surveillance Program, presented to the Community and Protective Services Committee, Meeting on March 21, 2005, at p. 3. [City of London Ontario Report].
19  (1950) 97 C.C.C. 258.
20  Ibid. at 261.
21  [1991] O.J. No. 77.
22  Ibid.
23  [2004] A.J. No. 419.
24  Supra note 22, para. 51.
25  Ibid. para 80.
26  Elizabeth Paton-Simpson, Privacy and the Reasonable Paranoid: the Protection of Privacy in Public Places (Summer 2000), 50 Univ. of Toronto L.J. 305. A copy of this article is attached as Appendix A.
27  Supra note 23 at para 93.
28  Supra note 17.
29  Ibid. at 2.
30  Martin Gill and Angela Spriggs, “U.K. Home Office Research Study 292: Assessing the impact of CCTV” (February 2005), online: Home Office Research, Development and Statistics Directorate <http://www.homeoffice.gov.uk/rds/pdfs05/hors292.pdf> [UK Report]. 
31  Supra note 30, p. vi.
32  Ibid.
33  Norris, C. and Armstrong, G. "The unforgiving Eye: CCTV surveillance in public space" (1997) Centre for Criminology and Criminal Justice, Hull University.
34  Ibid. at 8.
35 Supra note 17. 
36  The Constitution Act, 1982, being Schedule B to the Canada Act 1982 (U.K.), 1982, c. 11, Part I.
37  Michael McCahill, “Beyond Foucault: towards a contemporary theory of surveillance” In: Clive Norris et al., Surveillance, closed circuit television, and social control (Aldershot: Ashgate, 1998) at 42.
38  Ibid. at 43.
39  Michel Foucault, Discipline and punish, trans. by Alan Sheridan (New York: Vintage Books, 1995) at 202.
40  Supra note 37 at 43.
41  Supra note 39 at 206.
42  Supra note 37 at 43.
43  Ontario Information and Privacy Commissioner, Guidelines for Using Video Surveillance in Public Places, Ann Cavoukian, Information and Privacy Commissioner (Toronto: Ontario IPC, 2001), online: <http://www.ipc.on.ca/images/Resources/video-e.pdf> [Ontario Guidelines].
44  Office of the Information & Privacy Commissioner for British Columbia, Public Surveillance System Privacy Guidelines, online: <http://www.oipcbc.org/advice/VID-SURV(2006).pdf> [BC Guidelines].
45  Office of the Privacy Commissioner of Canada, OPC Guidelines for the Use of Video Surveillance of Public Places by Police and Law Enforcement Authorities, online: <http://www.privcom.gc.ca/information/guide/vs_060301_e.asp> [Federal Guidelines].

 


Identity (ID) Theft:  How to advise your clients when they ask what to do?

Corinne D. Leon*


What is ID Theft?
Society generally views identity theft to be the act of unlawfully taking and collecting an individual’s personal information to use it for criminal purposes. These criminal purposes could be to commit financial fraud (e.g. through theft of an individual’s credit card) or to take over the person’s identity (i.e. become that person) with the intent to cause personal disruption and direct financial loss to the ID theft victim.

Is ID Theft On The Rise?
ID theft is said to be the “fastest growing crime” in North America. Canadian statistics** for 2006 show 1137 victims in Canada for a total loss in Canadian dollars of $1,876,683.58. The growth of this crime is said to be due to:

  • More personal information being collected and stored by organizations;
  • Multiple storage sites within an organization (e.g. multiple copies of the same information in emails and personal files); and
  • Potentially careless destruction procedures allowing for theft of information from garbage sites (e.g. dumpster diving).

** Source: As of February 27th, 2006 - www.phonebusters.com – website of The Canadian Anti-Fraud Call Centre, operated by the OPP in conjunction with the RCMP and the Canadian Competition Bureau.

What is ID Theft’s Risk to Society?
If left uncontrolled, identity theft can result in wide-spread economic disruption and social upheaval. The ultimate risk to an organization is the loss of its business through:

  • Loss of reputation
  • Loss of trust
  • Loss of customers/clients
  • Loss of revenue
  • Lawsuit damages

ID theft is therefore of great concern to both consumers and businesses alike.

Is ID Theft Addressed by the Criminal Code?
The Criminal Code does not contain a provision that directly addresses ID theft. The Criminal Code focuses on the unlawful use of personal information (through section 380: fraud; section 342: fraudulent use of credit cards/data; section 368: uttering a forged document; and section 403: personation); however, the Code does not focus on the unlawful taking and possession of information per se.

To address ID theft, the Criminal Code would have to be amended to introduce a new provision to specifically target identity theft and would have to carefully delineate between information lawfully in someone’s possession (for example, your friend’s telephone number given to you by your friend) vs. information unlawfully obtained and possessed by someone with the intention to commit harm through fraud or otherwise.

Is ID Theft Addressed by PIPEDA?
The Personal Information Protection and Electronic Documents Act (PIPEDA) also does not directly speak to ID theft. However, PIPEDA does require organizations that collect and use personal information to (among other things):

  • Limit collection of personal information to what is necessary to the organization’s business;
  • Limit the use, disclosure and retention of personal information;
  • Protect personal information and keep it secure; and
  • When no longer needed, securely dispose of the personal information.

The privacy statutes in Quebec, Alberta and B.C. have similar requirements in this regard.

How Can An Organization Manage the Risk of ID Theft?
An organization that works on managing the risk of ID theft is working in tandem with the federal privacy requirements to protect personal information. When clients ask for advice on how to protect personal information, they are also asking how they can manage the risk posed by ID theft to their organizations.

First, an organization should seek to establish an atmosphere of trust for its customers/clients and employees. An atmosphere of trust can be developed through the establishment of “policies of protection” that collectively demonstrate an interest in and concern regarding the collection, use and storage of personal information by that organization.

Generally, policies of protection are focused on the following goals:

  • Determining if/what personal information needs to be collected and why;
  • Limiting access to personal information within the organization on a “need-to-know” basis;
  • Determining how long personal information must be retained by the organization;
  • Establishing secure procedures to follow when storing and destroying personal information;
  • Implementing “know-your-employee” procedures as part of the organization’s hiring process;
  • Installing a process to monitor and enforce compliance with your policies;
  • Ensuring your policies require an annual written attestation of compliance and the performance of an annual compliance assessment.

The organization’s ultimate goal is to reduce/eliminate the possibility of unauthorized access to personal information.

What Kind of Checklists Should An Organization Use?
Each organization should come up with its own set of checklists to assess why, where and how personal information is collected, used and stored, as each organization will have unique business needs. However, there are certain basic checklists that can apply to all organizations regardless of the industry involved. The following is a non-exhaustive list of checklists that can be used as a starting point of assessment that may in turn generate more ideas about where in an organization personal information is held and whether it is secure and protected against unauthorized access:

1. Need and Storage Checklist

  • Does the organization need to collect personal information? If personal information is required, have a written policy listing the reasons why. Even if personal information is not required, have a written policy to this effect.
  • Where is personal information stored? Make a list of all locations, both physical and electronic, on-site and off-site and determine the physical/electronic protection measures that are or need to be in place.

2. Retention Checklist

  • The organization should assess its current retention requirements (legally, contractually and business/marketing-wise) and create a written retention policy based on these requirements.

3. Physical Security Checklist

  • The organization should assess its physical premises to determine if they are secure against unauthorized access. For example, locked filing cabinets; badge access system for visitors and employees; controlled reception areas; and, if possible, meeting rooms on-site but not within office premises.

4. Computer Security Checklist

  • The organization should ensure its computers are secure against unauthorized access. For example: use of anti-virus protection software that is regularly deployed; installation of firewalls; use of alphanumeric passwords that must be changed at regular intervals; use of privacy screens and screen savers; use of 128-bit encryption or higher; two-factor authentication; mutual authentication protocol; forcing passwords to be site-specific; use of public key cryptography; saving data on network drives rather than hard drives, which are much less secure; and requirements to store personal information in password-protected or encrypted file folders with access on a “need to know” basis only.
  • The organization’s system administrator should regularly monitor the organization’s web site for malicious activity (e.g. phishing and hacking).
  • The organization should set its security levels so that only the administrator can perform computer network tasks.

5. Mail and Miscellaneous Security Checklist

  • The organization should keep track of mail delivery ensuring it is not left unattended once delivered.
  • Employees should be required to immediately pick up their documents and not leave them lying around at the printer.
  • Reception areas should be free of magazines that contain personal address subscription labels.

6. Destruction Security Checklist

  • The organization should ensure that any personal information is disposed of securely. Examples include: using cross-shredders; and ensuring that material sent for recycling (e.g. paper, CDs, tapes, diskettes, USB Keys) is shredded/disabled.
  • The organization should know who picks up its garbage, where it goes, and what the building’s general garbage policies and procedures are.

7. Employee Hiring and Training Security Checklist

  • The organization should have a documented employee hiring process that includes screening requirements, the performance of background checks (including criminal background checks), and obtaining copies of education credentials and written references.
  • Regular employee training programs should be held to ensure that employees are aware of the organization’s policies regarding the handling and protection of personal information.
  • Employees should be required to annually confirm in writing their compliance with the organization’s policies, and copies of these confirmations should be kept in each individual employee’s file.

8. Policies and Procedures

  • They should be written, easily readable and accessible.
  • Employees should be regularly reminded of their obligation to comply with the organization’s policies and procedures and encouraged to frequently reference them.
  • They should be regularly reviewed and updated as may be required by law and/or business needs.
  • There should be written investigation procedures to address any policy contraventions.
  • Policy contraventions should be addressed quickly and effectively and any resulting updates to the policy should be immediately brought to the attention of all employees.

As mentioned earlier, these checklists are not exhaustive and do not cover the kind of detailed specifics that, for example, a computer administrator would need to address such computer fraud issues as “phishing”. However, these checklists are a good place to start addressing the security and accessibility of personal information collected and used by organizations, in an effort to escalate the fight against identity theft and to reduce or eliminate its incidence, which is currently on the rise.

* Corinne D. Leon is Senior Counsel at Visa Canada Association. This paper is based on a presentation prepared and delivered by Ms. Leon at the OBA 1st Annual Privacy Law Summit on November 9th, 2006.
 


Case Comment on Rousseau v. Wyndowe:  Access to Personal Health Information under the Common Law, PIPEDA and PHIPA

Michael Migus*


A patient’s common law right to access their medical records was firmly established by the Supreme Court in McInerney v. MacDonald.1 In the recent Federal Court decision Rousseau v. Wyndowe,2 the Federal Court concluded that within the context of an independent medical exam (IME), a similar statutory right exists under the Personal Information Protection and Electronic Documents Act.3 While a court has yet to determine if the same right exists under Ontario’s Personal Health Information Protection Act, 2004,4 an application of the facts in Rousseau to the statutory framework created by PHIPA suggests that no right of access would exist in the context of an IME.

The central issue in Rousseau was whether PIPEDA provided the Applicant, Mr. Rousseau, with the right to access the notes taken by a physician during an IME performed on behalf of an insurer. There was no need for the court to consider PHIPA, because at the time of the dispute the Act was not in force.

The dispute started when Mr. Rousseau claimed long-term disability (LTD) benefits from his insurer Maritime Life. Sometime after granting the LTD benefits the insurer, in the process of assessing Mr. Rousseau’s ongoing entitlement to the benefits, exercised its rights under the insurance contract to conduct an IME of Mr. Rousseau. This exam was conducted by Dr. Wyndowe on behalf of the insurer.

Following the IME the insurer stopped payment of the LTD benefits to Mr. Rousseau. However, this was temporary as the benefits were subsequently reinstated. After the IME, Mr. Rousseau sought access to the notes made by Dr. Wyndowe, but was denied on the ground that they were not subject to access under PIPEDA.

In response to the denial of access Mr. Rousseau filed a complaint with the Privacy Commissioner of Canada. The report concluded that the notes, while not necessarily forming part of Mr. Rousseau’s medical record, nevertheless contained personal information as defined in PIPEDA, and furthermore were not subject to any of the exceptions to access found in the Act.5 Following the issuance of the report Mr. Rousseau exercised his rights under s. 14 of the Act to apply to the Federal Court for a hearing. 

Did the Notes Contain Personal Information or Personal Health Information?

At the Federal Court hearing Mr. Rousseau submitted that the notes taken by Dr. Wyndowe were part of his medical record and that they contained personal information within the meaning of PIPEDA. Dr. Wyndowe argued to the contrary that since PIPEDA contains no section specifically addressing health records, it should be interpreted in a manner consistent with the common law. He further submitted that since the common law duty to grant access does not extend to information arising outside the physician-patient relationship,6 no common law fiduciary duty would arise in this case, because no such relationship is formed in the context of an IME.7
 
The court agreed with Mr. Rousseau and found that the notes contained information that was personal information within the scope of PIPEDA. It failed to comment on whether they formed part of the medical record. When reaching this conclusion, Justice Teitelbaum noted that the definition of personal information under PIPEDA was broad enough to encompass the notes, which contained information that was “extremely personal in nature”.8
 
Arguably, even if Rousseau was decided in the common law context a duty to grant access would be recognized. The significance the court placed on the personal nature of the information is analogous to the rationale the court in McInerney used as its basis for creating the common law fiduciary duty to provide access. When discussing this duty in McInerney, Justice La Forest noted:

Of primary significance is the fact that the records consist of information that is highly private and personal to the individual. It is information that goes to the personal integrity and autonomy of the patient.

It seems that it is this disclosure of inherently personal information by the patient to a physician that creates the physician-patient relationship, which then consequently gives rise to a right of access. Thus while the court failed to address whether Dr. Wyndowe’s notes were part of Mr. Rousseau’s medical record, it remains likely that access would have been granted under the principles in McInerney.
 
Dr. Wyndowe attempted to distinguish Rousseau from McInerney on the basis that the procedures in McInerney were not conducted in the context of an IME. However, this distinction is artificial when one considers the nature of the information in both cases, namely that the information collected in both cases is characteristically personal.

This point was emphasized in the pre-PIPEDA case Parslow v. Masters.9 Parslow was decided shortly after McInerney and contains a fact pattern that is very similar to that in Rousseau. When considering whether a common law right of access arises in the context of an IME the court noted that the difference between the situation of a patient attending a physician for an IME and attendance for professional services was only one of degree and not substance, since both involve the patient disclosing personal and private information. Consequently, the court noted that the principles in McInerney extend to a scenario where information is collected during an IME.

Since Rousseau was decided under PIPEDA the relevant question was whether the information contained in the notes was personal information. If PHIPA was in force at the time of the dispute, the relevant question would shift to whether the information was personal health information within the meaning of PHIPA. Interestingly, PIPEDA defines both personal information and personal health information. Justice Teitelbaum commented in Rousseau that the relationship between these definitions was unclear, but it was reasonable to interpret the definition of personal health information as being broad enough to capture medical information.10 This finding is logical. Personal health information is only found in the interpretation and transitional provisions of the Act.11 This suggests that personal health information is a subset of personal information, and the only purpose for defining it in the Act was to allow for a one-year grace period before the Act applied to this subset.

After commenting on the unclear relationship, Justice Teitelbaum noted that while he was not required to rule on whether the information was personal health information, some of the information may fall within that category.12 While this observation was based on the definition of personal health information contained in PIPEDA, it would likely be unaltered under PHIPA since its definition of personal health information is almost identical to that found in PIPEDA.13

In summary, the information contained within the notes taken during the IME would likely qualify as the type of information protected by the common law principles of McInerney and the statutory provisions of both PIPEDA, and PHIPA.

Exceptions to Access

Dr. Wyndowe argued that even if the information in the notes was personal information under PIPEDA, he could refuse access based on the exemptions in s. 9 of the act, mainly s. 9(3)(a) and 9(3)(d). Under s. 9(3)(a) access may be refused if the information is protected by solicitor-client privilege. Both of the parties and the court agreed that in light of the Supreme Court’s decision in Blank v. Canada14 this exemption extends to litigation privilege.15 To establish litigation privilege one must show that litigation was the dominant purpose for creating the communication for which privilege is sought. In Rousseau the court found otherwise, because the primary purpose for conducting the IME was to determine whether Mr. Rousseau was still entitled to disability benefits rather than for the preparation of litigation.16

The second exemption relied upon by Dr. Wyndowe was that in s. 9(3)(d), which protects information generated in the course of a formal dispute resolution process. The court quickly dismissed this argument on the basis that submitting to an IME was part of the insurance contract and there was no evidence to suggest that a requisition for an IME was indicative of an ongoing dispute resolution process.17

It is also likely that Dr. Wyndowe would similarly be prevented from relying on an exemption to access if Rousseau was decided under the common law doctrine rather than under PIPEDA. In McInerney the court noted that the equitable right of access may be denied by a physician if he believes granting access may potentially harm the patient or a third-party.18 The court qualified this exemption by noting that it should be exercised sparingly and that disclosure should be the norm. In Parslow the Saskatchewan Court of Queen’s Bench was given a chance to interpret this exemption within the context of an IME. It determined that disclosure of the information would not harm the patient or the insurer. Consequently the physician could not rely upon it.

It is likely that the result would have been different under PHIPA. An individual is given a general right of access under PHIPA to a record containing personal health information about the individual that is in the custody or under the control of a health information custodian.19
 
As under PIPEDA, PHIPA exempts from disclosure information subject to legal privilege20 and information collected or created in anticipation of, or for use in, a formal dispute resolution process.21 As in McInerney, PHIPA also exempts from disclosure information which a physician believes could potentially harm the patient or a third-party.22 Due to the similarities between these exemptions and those in the other regimes, the rationale of the courts in Parslow and Rousseau for denying a right of refusal based on these grounds would likely be unchanged under PHIPA.

PHIPA contains a novel disclosure exemption for information collected to prevent fraud. The act exempts from disclosure information collected in the course of an inspection undertaken for the purpose of the detection, monitoring or prevention of a person’s receiving or attempting to receive a service or benefit, to which the person is not entitled under an Act or program operated by the Minister.23 This exemption would exempt from disclosure information obtained during an IME conducted to determine or monitor an individual’s rights to benefits under a provincial Act or program. However, once the inspection, together with all proceedings, appeals or processes resulting from them are exhausted, the exemption no longer applies.24
 
The above exemption would have applied in Rousseau, had the rights to LTD benefits been derived from a provincial Act or program instead of from a private insurance contract. Arguably, the legislature’s choice to limit the above exemption to publicly derived benefits suggests that its intention was not to exempt from disclosure information collected during an IME conducted on behalf of a private insurer. Consequently, it is unlikely that any of the exemptions in s. 52 of PHIPA could be relied upon to bar access to information collected during an IME.

The unavailability of a s. 52 exemption does not, however, guarantee a right of access. The exemption scheme under PHIPA is much more complex than the schemes under PIPEDA or in common law. This complexity arises because the definitions of personal health information and health information custodian each have their own set of exemptions.

As discussed above, it is likely that the information collected by Dr. Wyndowe would qualify as personal health information under s. 4(1)(a) of PHIPA. Further, none of the exemptions to the definition of personal health information are applicable.

However, the health information custodian exemptions are relevant and would most likely apply to Dr. Wyndowe when he collects information in the course of an IME. The general definition of health care custodian in PHIPA encompasses health care practitioners.25 This definition is subject to certain exemptions.26 One significant exemption excludes from the definition a person who is authorized to act on behalf of a person who is not a health information custodian, if the scope of duties of the authorized person does not include the provision of health care.27 In Rousseau, Dr. Wyndowe is an authorized person acting on behalf of the non-health care custodian insurance company. Thus, the question of whether this exemption would apply to Dr. Wyndowe turns on the question of whether the IME involved the provision of health care. Health care is a defined term in the Act:28 

[A]ny observation, examination, assessment, care, service or procedure that is done for a health-related purpose and that,

(a) is carried out or provided to diagnose, treat or maintain an individual’s physical or mental condition

The key to this definition is that in order to constitute health care, the procedure must be done for a health-related purpose. Justice Teitelbaum clearly states that the primary purpose of the IME was to determine whether Mr. Rousseau was still entitled to disability benefits. This purpose seemingly falls outside the scope of a health-related purpose. Consequently, Dr. Wyndowe would be exempt from the definition of health care practitioner and Mr. Rousseau would have no right of access to the personal health information collected during the IME.

Conclusion

The above analysis suggests that a right of access would be granted to Mr. Rousseau under both the common law and PIPEDA. However, this right would be denied under PHIPA. This result seems strange considering the respective purposes of PIPEDA and PHIPA. PIPEDA is commercial in nature. Its goal is to support and promote electronic commerce.29 PHIPA is protectionist in nature. It has an enumerated purpose of providing individuals with a right of access to personal health information about themselves.30 It thus seems contradictory that the scope of access under PHIPA is limited in comparison to that of the common law or PIPEDA.

This limitation arises because PHIPA gives more weight to the reason for disclosure than the other regimes. Under the common law and PIPEDA the central concern is the nature of the information disclosed. If the information is personal in nature, exemptions from access due to the reasons for disclosure will only occur in rare cases. Conversely, such exemptions are more likely under PHIPA.

However, while the right of access afforded to an individual undergoing an IME is limited under PHIPA, this does not limit the overall right of access since PHIPA and PIPEDA run concurrently in this context. Insurance companies are largely exempt from PHIPA. They are only subject to its reach if they receive information from a health information custodian.31 It is difficult to imagine a situation when this would arise, since a physician conducting an IME is exempted from the definition of health information custodian.32 Yet while a private-sector commercial insurer is exempt from PHIPA, it will remain subject to PIPEDA.33
 
Furthermore, it is likely that the physician that conducted the IME would also be subject to PIPEDA. Normally, since PHIPA has been declared substantially similar to PIPEDA, health information custodians are exempt from PIPEDA.34 However, as previously mentioned a physician that conducts an IME is exempt from the definition of health information custodian. Since as a result of this exemption they are not subject to PHIPA, it follows that they would no longer be exempt from PIPEDA.

Thus while an individual in Ontario who undergoes an IME may not have a right of access under PHIPA to the notes taken during the exam, he will, in light of the Rousseau decision, continue to have a right of access under PIPEDA. The Federal Court decision in Rousseau has been appealed and a stay of Justice Teitelbaum’s order has been granted pending the appeal.35 The outcome of this appeal will be significant, because if the appeal is successful an individual will have no right of access to information collected during an IME.

Michael Migus, M.Biotech, LL.B., is an articling student with Deeth Williams Wall LLP. He can be reached at <mmigus@dww.com>.


1  [1992] S.C.J. No. 57 [McInerney].
2  [2006] F.C.J. No. 1631 [Rousseau].
3  S.C. 2000, c. 5 [PIPEDA].
4  S.O. 2004, c. 3 Sch. A [PHIPA].
5 PIPEDA Case Summary #306: Physician refuses to provide access to individual's personal information, online: Office of the Privacy Commissioner of Canada <http://www.privcom.gc.ca/cf-dc/2005/306_20050317_e.asp>.
6  Supra note 1 at para. 38.
7  Supra note 2 at para. 19.
8  Supra note 1 at para. 30-32.
9  [1993] S.J. No. 210 [Parslow].
10  Supra note 2 at para. 30 and 31.
11  Supra note 3, s. 2(1) and 30(1.1).
12  Supra note 2 at para. 32.
13  Section 4(1) of PHIPA, supra note 4, states: In this Act, “personal health information”, subject to subsections (3) and (4), means identifying information about an individual in oral or recorded form, if the information, (a) relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family. This definition is almost identical to that found in PIPEDA except that it adds the “identifying” requirement.
14  [2006] S.C.J. No. 39, 2006 SCC 39 [Blank].
15  Supra note 2 at para. 34. The Supreme Court held in Blank that the solicitor-client privilege in the Access to Information Act, R.S.C. 1985, c. A-1, was intended to include litigation-privilege.
16  Supra note 2 at para. 35.
17  Ibid. at para. 37.
18  Supra note 1 at para. 36.
19  Supra note 4, s. 52(1).
20  Ibid. s. 52(1)(a).
21  Ibid. s. 52(1)(c). The PHIPA exemption is broader than that contained in PIPEDA in that it is not limited to a formal dispute resolution proceeding, but rather extends to all “proceedings”.
22  Ibid. s. 52(1)(e)(i).
23  Ibid. s. 52(1)(d)(i).
24  Ibid. s. 52(1)(d)(ii).
25  Ibid. s. 3(1)(1).
26  Ibid. s. 3(3) to 3(11).
27  Ibid. s. 3(3)(2).
28  Ibid. s. 2.
29  Supra note 3, preamble.
30  Supra note 4, s. (1)(b).
31  Ann Cavoukian, Ph.D., “Frequently Asked Questions: Personal Health Information Protection Act” (February 2005) online: Information and Privacy Commissioner <http://www.ipc.on.ca/images/Resources/hfaq-e.pdf> at p. 6.  
32  See supra note 4, s. 3(3)(2) and the definition of “health care” in s. 2. 
33  Ann Cavoukian, Ph.D., “Fact Sheet: Health Information Custodians Working for Non-Health Information Custodians” (February 2006) online: Information and Privacy Commissioner <http://www.ipc.on.ca/images/Resources/up-2fact_11_e.pdf>.
34  Ibid.
35  Wyndowe v. Rousseau, 2006 FCA 422 (CanLII).

 
