Initial reflections of the privacy commissioner on Ontario’s draft privacy bill

Post on 31-Dec-2015



Ann Cavoukian, Ph.D.

Information and Privacy Commissioner/Ontario

Toronto Board of Trade

February 19, 2002

Background to the Bill

European Union: Directive on Data Protection

Canadian Standards Association: Model Code for the Protection of Personal Information

Government of Canada: Personal Information Protection and Electronic Documents Act

Government of Ontario: Privacy of Personal Information Act, 2002

Privacy of Personal Information Act, 2002

Integrated health & private sector privacy protection

Guide to Ontario’s Consultation on Privacy Protection: www.cbs.gov.on.ca/mcbs/english/56Y2QL.htm

Privacy of Personal Information Act, 2002: www.cbs.gov.on.ca/mcbs/english/56Y2UJ.htm

Consultation period: ends March 8, 2002

Scope of the Draft Bill

Bill applies to:

Ontario businesses

Ontario universities

Ontario hospitals, doctors, pharmacies, clinics…

Ontario associations (incorporated or not)

Ontario partnerships

Ontario unions

Does not apply to:

Individuals acting in a personal and non-commercial capacity

Artistic, journalistic or literary exemption

Ontario Draft Bill

Things we like:

Made in Ontario response to PIPEDA

Scope of Bill extends beyond business sector

Based on CSA Fair Information Practices

Single oversight body for both public and private sector privacy

Dramatic improvements to health component from earlier Bill 159

Striking the Right Balance?

The government is working to find the appropriate privacy balance,

But…

Concerns about the Bill:

Permitted uses without consent

Extensive use of Regulations

Lack of full investigation powers

Simplify the Draft Bill

Complex drafting

Inconsistencies

Redundancies

Duplication

Complex and Confusing

Personal Information

Personal Health Information

Organizations (non-health)

Health Information Custodians

Definition of Personal Information

Personal Information – covered

Personal Health Information – covered

Business Information – not covered

Professional Information – not covered

Exemptions to Consent

Exemptions should be very limited regarding the collection, use and disclosure without consent:

Minimize exemptions

Notice requirements: If exemptions exist for use or disclosure without consent, notice should be provided

Procedures for Access

Different procedures for accessing personal information vs. personal health information

Will create confusion, without adequate justification for doing so

Duplication between two access schemes completely unnecessary

Use of Regulations

Use of Regulations too broad:

Section 80(1)(g) enables specific organizations, or classes of organizations, to be pulled outside of the scope of the legislation without any public consultation or accountability.

Section 80(1)(n) permits the government, without public consultation or accountability, to exempt organizations from acting in conformity with their information practices.

Commissioner’s Powers

Lack of full investigation powers

No power to compel witnesses to testify (risk of another POSO debacle)

Privacy oversight bodies in virtually every other jurisdiction with similar legislation have the power to require testimony, including: Canada (federal), Alberta, Saskatchewan, Manitoba, Quebec, Australia and New Zealand.

Other issues to consider

Consent:

Express

Implied

Opt-in / Opt-out?

Notice:

Sufficient?

Harmonization with PIPEDA

EU Response to PPIA?

EU Adequacy Decision: “Canada is considered as providing an adequate level of protection for personal data transferred from the Community to recipients subject to the Personal Information Protection and Electronic Documents Act.”

But… “This Decision may be amended at any time in the light of experience with its functioning or of changes in Canadian legislation, including measures recognizing that a Canadian province has substantially similar legislation.”

The IPC & PPIA, 2002

Cooperation and mediation, not confrontation

IPC has a long history of working collaboratively with the public and private sectors

Learn from the experience of jurisdictions with private sector privacy laws: “We have never seen a business plan that could not be operated within the [data privacy] legislation.”

Elizabeth France, UK Commissioner

Will produce guidelines for businesses and public outlining responsibilities and expectations

The Value of Privacy

“Complying with privacy regulations can be considered just a business cost, but many companies understand that a reputation for guarding privacy can also be a selling point. They need to be stewards, to the extent they can gain a competitive advantage from privacy.”

Ken DeJarnette, Deloitte & Touche

How to Contact Us

Ann Cavoukian, Ph.D.

Information & Privacy Commissioner/Ontario

80 Bloor St. W., Suite 1700, Toronto, M5S 2V1

Phone: (416) 326-3333

Web: www.ipc.on.ca

E-mail: commissioner@ipc.on.ca
