Privacy Law Update
Employment Law Conference 2004 (Continuing Legal Education)
Leo McGrady Q.C.
McGrady, Baugh & Whyte
April 29, 2004
TABLE OF CONTENTS
(Note: With all Table of Contents hyperlinks you can use your browser back button to come back to the top of the page to select another link)
Introduction What is Personal Information? What is Consent? Withdrawal of Consent Obtaining and Documenting Consent Collection, Use and Disclosure of Personal Information
Collection (Part 4) Use (Part 5) Disclosure (Part 6)Accuracy and Retention
Accuracy of Personal Information Retention of Personal InformationComplaints Remedies
When Minister Santori rose in the House to move second reading of Bill 38, the Personal Information and Protection Act, he spoke to the government’s highest aspirations for the privacy statute. He said:
This bill retains provincial jurisdiction over this key aspect of B.C.’s commercial activity by replacing the cumbersome and confusing federal Personal Information Protection and Electronic Documents Act, also known as the PIPED Act. … It minimizes the regulatory burden on B.C. businesses by providing an easier to understand and less onerous set of privacy rules that are supported by the B.C. private sector…[The Act applies] a straightforward and practical approach to the protection of personal information…
The Minister identified the comprehensive scope of the proposed as one of its key elements. He stated that:
Bill 38 "…provides broader protection than the federal legislation, which relates only to commercial activity. For example, this bill protects the employee information of British Columbians working for provincial companies. The federal act would not have protected B.C. employees…"
Regrettably, the Personal Information Protection Act, S.B.C. 2003, c. 63 ("PIPA"), is the antithesis of the plain language approach to legislative drafting. In addition, it simply does not deliver on its promise of protection of employee information in the British Columbia private sector.
This paper will explore the discrepancy between the laudable goals the Minister attributed to the province’s newest privacy statute and the reality. In so doing, it will consider the key concepts of the statute:
Before dealing with my material, let me commend the following resources to you.
Personal Information Protection and Electronic Documents Act:
We strongly recommend this site for anyone concerned with issues arising under the federal legislation. It contains, of course, the legislation, contact points, answers to frequently asked questions, all of the decisions, as well as links to other provinces and territories.
Freedom of Information and Protection of Privacy Act:
Personal Information Protection Act: http://www.oipc.bc.ca/private/
Information and Privacy Commissioner for British Columbia
3rd Floor, 756 Fort Street
Victoria, BC V8W 1H2
Phone: (250) 387-5629
Fax: (250) 387-1696
Until the federal Cabinet declares PIPA to be substantially similar, the Office of the Privacy Commissioner of Canada has a legal obligation to apply the Personal Information Protection and Electronic Documents Act ("PIPEDA") where appropriate. Attached in the Appendix are excerpts from the federal Privacy Commissioner’s March 11, 2004 letter to the Privacy Commissioners of British Columbia and Alberta.
Government Agency Responsible:
Ministry of Management Services
Corporate Privacy and Information Access Branch
Box 9437, Stn. Prov. Govt.
Phone: (250) 387-1992
Personal Information Protection Act Hotline
Phone: (250) 356-1851
Fax: (250) 953-0455
We are fortunate now in having a series of very valuable guides to the implementation of the provincial legislation.
The first, of course, is British Columbia’s A Guide to PIPA available from the Office of the Information and Privacy Commissioner’s website listed above.
The second one that we found very helpful is one prepared by the BC Federation of Labour, "Protecting Our Members’ Privacy Rights: Complying with the Federal and Provincial Privacy Legislation" (2003). It is available at: http://www.bcfed.com/links.
We have also found the Canadian Institute of Chartered Accountants’ document helpful. It is very detailed and lengthy (90 pages), and is available at: http://www.cica.ca/index.cfm/ci_id/1009/la_id/l.htm.
What is Personal Information?
"Personal information" is defined under PIPA as meaning information about an identifiable individual, including employee personal information. Although not expressly referred to in the definition, the following matters are typically covered by that term:
The term may also cover:
The two main exceptions under the legislated definition relate to contact information, including name, work position or title, business telephone number, business address, business email, and business fax number of the individual; or work product information, that is, information prepared or collected by an individual or group of individuals as part of their employment- or business-related responsibilities or activities.
What is Consent?
Surprisingly, given the role that consent plays in PIPA, one would have thought that the statute would include a short, precise definition.
There is much to be said for the simplicity of the approach adopted in the Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165, ("FOIPPA"), the privacy statute governing the B.C. public sector. That Act is, in many significant respects, in pari materia with PIPA. For example, section 2(1) of FOIPPA provides that one of the statute’s purposes is "to protect personal privacy by…"
Section 2 of PIPA states:
The purpose of this Act is to govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
The definition of consent in FOIPPA is found in section 6 of the Freedom of Information and Protection of Privacy Regulation, B.C. Reg. 323/93:
The consent of an individual to a public body disclosing any of the individual’s personal information under section 33(b) of the Act must
As we shall see shortly, PIPA adopts a much more complex and unfortunate system of express, statutory, deemed, and "opt out" consent.
The provisions of PIPA dealing with consent are extensive. They are set out in four rather lengthy sections (sections 6, 7, 8 and 9).
Section 6 begins with a very clear statement prohibiting an organization from collecting, using or disclosing personal information about an individual. Subsection 2 of section 6 then immediately describes three exceptions:
Jumping ahead for a moment, the section heading to section 8 then refers to ‘implicit’ consent. In fact, the section deals with deemed consent, the same consent covered by section 6(2)(c).
Section 7 then sets out what does not constitute consent. There is no valid consent under the Act unless the purpose for the organization’s collection of the information is communicated to the person, as set out in section 10, along with a number of other requirements, and the consent is otherwise in accordance with the Act (section 7(1)). An organization must not, as a condition of supplying a product or service, require a person to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service (section 7(2)). If an organization does attempt to obtain consent for collecting, using or disclosing that personal information by providing false information, or using misleading practices, the consent is void (section 7(3)).
Under section 8(1), an individual is deemed to consent to the collection, use or disclosure if at the time the consent is deemed to be given, the purpose would be considered to be obvious to a reasonable person, and the individual voluntarily provides the personal information to the organization for that purpose.
Under subsection (2), a person is deemed to consent for the purposes of enrolment and coverage under an insurance, pension, benefit, or similar plan if he or she is a beneficiary or has an interest as an insured under the plan.
Section 8 continues in its elaboration of implicit or deemed consent by providing in subsection (3) for a form of "opt out" consent. Subsection (3) allows an organization to collect information for specified purposes if certain events occur, all of which are judged by a standard of reasonableness. Thus, an organization can collect, use or disclose personal information if:
Section 8(4) provides that there may be no deemed consent under subsection (1) for a purpose different than the purpose to which that subsection applies. One must ask why that restriction applies only to the deemed consent in subsection (1), and not also to subsections (2) and (3). The logic making it applicable to subsections (2) and (3) seems rather compelling, but their omission from subsection (4) leaves it open to organizations to argue they benefit from a broader form of deemed consent under subsection (2) or opt out consent in subsection (3).
Let’s pause here to summarize where we are on the issue of consent.
Despite the government’s claims and the claims of some of the advocates of the legislation of simplicity, the concept of consent in PIPA appears to be unnecessarily complex, and at the same time somewhat ambiguous. There appear to be four kinds of consent under the legislation:
Furthermore, PIPA carves out a special subset of "personal information", namely, "employee personal information" that obviates, in broadly stated circumstances, the need to obtain consent. Employee personal information is defined as: "personal information about an individual that is collected, used or disclosed solely for the purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual, but does not include personal information that is not about an individual’s employment".
The Act, touted by Minister Santori as demonstrating B.C.’s "leadership role" in the provision of privacy rights "…to employees of businesses that are provincially regulated…", provides tepid protection to workers at best. Subsection (2) of the Act’s separate sections dealing with the collection (section 13), use (section 16), and disclosure (section 19) of "employee personal information" state that employee consent is not required:
Where the employee personal information is collected, used or disclosed to establish, manage or terminate an employment relationship, the statute simply requires the organization to notify the individual that it will be collecting, using, or disclosing the information without that person’s consent.
The former Privacy Commissioner of Canada identified this large loophole as one of the "very grave deficiencies" that would militate against the Government of Canada’s ability to recognize PIPA as "substantially similar" to the federal Personal Information Protection and Electronic Documents Act ("PIPEDA"). (If B.C.’s PIPA is not considered by Ottawa to be "substantially similar" to PIPEDA, then PIPEDA applies by default to govern B.C.’s private sector.) The former Commissioner went on to write in his May 7, 2003, letter to Minister Santori:
…the Bill is clearly inferior to the PIPED Act with regard to privacy rights in employment. The workplace is where most people spend most of their waking lives; in few circumstances are privacy rights more important. Yet Bill 38 specifically allows the collection, use and disclosure of employee personal information without consent – completely depriving an employee or a prospective employee of any control over his or her information.
I recognize that the bill requires that the collection, use or disclosure of employee personal information be reasonable for the purposes of establishing, managing or terminating an employment relationship. This is a weak test, however, and meager consolation for employees or prospective employees concerned about privacy…
In spite of this critique of Bill 38, the B.C. Legislature passed PIPA without significant modification. The "inferior" privacy safeguards afforded to B.C. employees, therefore, remain.
Withdrawal of Consent
Subject to two exceptions, a person may withdraw consent at any time on reasonable notice (section 9(1)). The organization must then stop collecting, using or disclosing that personal information. Once an organization receives notice, it must advise the person of the likely consequences of withdrawal of the consent (subsection (2)). The organization must not prohibit an individual from withdrawing his or her consent (subsection (3)).
The first exception is that an individual may not withdraw consent if by doing so he or she would frustrate the performance of a legal obligation (section 9(5)). It is not clear, but one would assume the performance of a legal obligation by the organization, as well as by the individual, is covered.
Finally, there may be no withdrawal of a consent to a credit reporting agency in certain limited circumstances (section 9(6)).
Obtaining and Documenting Consent
Given the complexity of the consent provisions, organizations are doubtlessly looking for any assistance they may find. The following tips on consent are taken from guides on PIPA prepared by the Office of the Information & Privacy Commissioner for British Columbia and the B.C. Federation of Labour:
Collection, Use and Disclosure of Personal Information
The three major activities covered by PIPA are:
Collection (Part 4)
Either before or at the time of the collection of personal information from the individual, an organization must disclose to the individual, either verbally or in writing, the purposes for the collection and, if requested, the name and contact information for an employee of the organization able to answer the person’s questions about the collection (section 10(1)). In addition, where one organization is seeking information about an individual from another organization without the consent of the individual, the first organization must provide the other with sufficient information regarding the purpose of the collection to allow the latter to determine whether the disclosure would be in accordance with the Act (section 10(2)).
Neither of these conditions applies, however, in the case of deemed consent (section 10(3)). It would appear, therefore, that they apply in the case of an express consent under section 6(2)(a), or an opt out consent under section 8(3). It would make no sense for these to be a requirement in the case of a statutory consent under section 6(2)(b), although the matter is not entirely clear.
Section 11 limits the collection of personal information to purposes that a reasonable person would consider appropriate in the circumstances, and that achieve the purposes disclosed under section 10(1), or for purposes otherwise permitted under the Act.
Section 12 then sets out eleven circumstances in which consent is not required. They are, generally, where:
Section 1 defines investigation as an investigation related to:
A proceeding means a civil, criminal or an administrative proceeding that is related to the allegation of:
- a breach of an agreement,
- a contravention of an enactment of Canada or a province, or
- a wrong or breach of a duty for which a remedy is claimed under an enactment, under the common law or in equity,
Section 13 describes the special rules which apply to the collection of "employee personal information" – namely, that consent is not required where the information is available to it without consent under the terms of section 12 above, or where "the collection is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual" (section 13(2)).
As discussed in the section on consent, the employer must simply provide notice to the employee that it will be collecting personal information, and the purposes for which it will be doing so (section 13(3)). No notice is required if section 12 permits the collection without the consent of the individual (section 13(4)).
Use (Part 5)
Section 14 begins by limiting the use of the personal information "only for purposes that a reasonable person would consider appropriate in the circumstances". In addition, the purposes must fulfill those disclosed under section 10(1), or be otherwise permitted under the Act. With respect to the collection of information that predates the Act, the use must fulfill the purposes for which it was collected.
Part 5 then proceeds, in section 15, to provide for a series of thirteen usages that may be made without consent that largely parallel the without consent collections set out in section 12. Subsections (k) and (l) have no parallel in section 12.
With respect to employee personal information, section 16 parallels the collection of personal information requirements in section 13.
Disclosure (Part 6)
Section 17 follows the pattern set in section 14 for the use of personal information. The former permits an organization to disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances, and that fulfill the purposes that the organization discloses under section 10(1), or that are otherwise permitted under the Act. With respect to the disclosure of information collected prior to the Act coming into force, the disclosure must fulfill the purpose for which it was collected.
Section 18 provides for a series of circumstances in which disclosure is permitted without consent. The circumstances generally parallel those provided for in section 15 involving the use of personal information without consent, with a number of significant additions. The additions include disclosure pursuant to a treaty (section 18(1)(h)); compliance with a subpoena, warrant or order (section 18(1)(i)); disclosure to a public body or law enforcement agency in Canada concerning an offence under the laws of Canada to assist in the investigation, or the making of a decision to undertake an investigation (section 18(1)(j)); regarding compelling circumstances affecting the health and safety of any individual (section 18(1)(k)); the disclosure for the purposes of contacting next of kin, or a friend of an injured, ill or deceased individual (section 18(1)(l)); disclosure to a lawyer representing the organization (section 18(1)(m)); and disclosure to an archival institution in some certain circumstances (section 18(1)(n)).
Disclosure, as discussed in section 18(2), may be made to another organization without consent in circumstances similar to those set out for the use of information without consent in section 15(2). Similarly, section 19 parallels section 13 in the former’s treatment of the disclosure of employee personal information.
The balance of this part, sections 20-22, then deals with three other purposes for which personal information may be transferred or disclosed.
Section 20 deals with the sale of an organization or its business assets. This issue was of considerable concern to both businesses and unions during the drafting stages of the legislation. In my view, the provisions deal adequately with most of those concerns. The scheme of section 20 provides for the disclosure of the information relating to employees, customers, directors, officers or shareholders without consent to a prospective party as long as certain conditions are met.
First, the information must be necessary for the prospective party to determine whether to proceed with the business transaction. Second, the organization and the prospective party must have entered into an agreement limiting the use of that personal information solely for purposes relating to the prospective business transaction.
Section 20(3) states that if the prospective party proceeds with the purchase, the disclosure may be made without consent, as long as material is used only for the same purposes for which it was collected, used or disclosed; the personal information relates directly to the part of the organization or its business assets covered by the transaction; and the employees, customers, directors, officers and shareholders whose information is disclosed are notified of the transaction and the disclosure.
There are additional safeguards, including one that the disclosure may proceed only if the transaction involves "substantial assets" of the organization, other than the personal information (subsection (7)). In addition, if the sale does not proceed or is not completed, the prospective party must either destroy the information or return it to the organization (subsection (6)).
Section 21 authorizes disclosure in certain narrow circumstances for research or statistical purposes. The purposes do not include "market research purposes" (section 21(2)). The other conditions that must be met are:
Accuracy and Retention
Accuracy of Personal Information
As a starting point, section 33 requires an organization "make a reasonable effort to ensure that personal information collected by or on behalf of the organization is accurate and complete" if the personal information is likely to be used to make a decision that affects the individual or is likely to be disclosed to another organization.
If an individual discovers an error or omission in his or her personal information, he or she may request, in writing, a correction (sections 24(1), 27). If the organization is "satisfied on reasonable grounds" that there was such an error or omission, then it must correct the personal information as soon as reasonably possible and send the corrected version to each organization to which the organization had disclosed the individual’s personal information during the previous year (section 24(2)). If it makes no correction, the organization must nevertheless annotate the personal information under its control that such a correction was requested but not made (section 24(3)).
Unless the organization has applied for an extension of time, it has 30 days in which to respond to a request for a correction (section 29(1)). As well, the organization is under a legal duty to "respond to each applicant as accurately and completely as reasonably possible" (section 28). In addition, the Act prohibits an organization from charging a fee respecting employee personal information (section 32(1)).
Retention of Personal Information
The Act requires organizations to destroy documents containing personal information, or remove the means by which the personal information can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which that personal information was collected is no longer being served by retention of the personal information, and retention is no longer necessary for legal or business purposes (section 35(2)).
Technology reporter Keith Damsell of the Globe and Mail observes in his March 9, 2004 article, "Privacy Rules Turn Shredders On", that new privacy legislation has made the paper shredding trade a very big business, escalating peoples’ contact with their paper shredder "from a casual fling to a torrid relationship". He quotes the president and CEO of a shredding firm in Ottawa, Proshred Security International Inc., as indicating that sales are projected to climb about 30% from 2003 to 2004.
Lest you turn the shredder on too quickly, note must be made of section 35(1) of PIPA, which states that "…if an organization uses an individual’s personal information to make a decision that directly affects the individual, the organization must retain that information for at least one year…" The purpose for this mandatory retention period is to allow the affected individual "a reasonable opportunity to obtain access" to the information used to make the decision in question.
PIPA not only sets out the privacy principles governing B.C.’s private sector, it requires a system for access to and correction of personal information. According to section 5 of the statute, every organization must develop a complaint process and make information about that complaint process available on request. To comply, the complaint process must be able to deal with both privacy and access/correction complaints. The organization must make available to the public the title of the person it designates to be responsible for ensuring compliance with the Act as well as his or her contact information (section 4(3) and (5)).
This part of the paper will focus on an assessment of the remedial options available to a person seeking to exercise a right under the legislation. I will consider here the powers of the Commissioner, the possibility of laying a criminal charge, the statutory right of action, a class action, and, finally, arbitration.
Powers of the Commissioner
The Commissioner’s primary enforcement mechanism appears to be his or her ability to investigate and deal with "requests" made by aggrieved individuals. The definition of "request" refers to either a complaint under section 36(2) or a review.
A review is defined in section 45 as a:
…review of a decision, act or failure to act of an organization
A complaint under section 36(2), in turn, is one that alleges:
The procedure of making a request is detailed in sections 47 and 48 of the Act. Typically, an individual has 30 days from the date on which the person making the request is notified of the circumstances on which the request is made to deliver his or her written request to the Commissioner. Once that request is received, the Commissioner must give notice by providing a copy of the request to the organization concerned and "any other person that the Commissioner considers appropriate".
It appears from the Act that recourse to mediation and other informal dispute resolution techniques will be the Commissioner’s initial response to a request. Section 49 authorizes the Commissioner to appoint a mediator "to investigate and to try to settle the matter on which a request is based". Section 36(2) permits the Commissioner to "investigate and attempt to resolve complaints…"
If the request is not referred to a mediator or settled under section 49, then section 50 authorizes the Commissioner to hold an inquiry, possibly in private. The Commissioner determines whether submissions, referred to as "representations", are to be made verbally or in writing and also who is entitled to be present or to have access to representations to the Commissioner under section 50(4). The Commissioner must complete the inquiry within 30 days of receipt of a request regarding a complaint under section 50(6) or (7) or within 90 days of receipt of a request regarding a review under section 50(8).
At the end of the inquiry, the Commissioner must make an order under section 52. Possible orders include requiring an organization:
In the face of an adverse ruling, the organization must comply within 30 days after being given a copy of a Commissioner’s order unless it brings an application for judicial review during that period. Once a judicial review application has been brought, then the Commissioner’s order is stayed from that point "until a court orders otherwise" under section 53(2).
In addition to the Commissioner’s powers with respect to complaints and reviews, he or she also possesses general powers. For example, section 36(2)(a) allows the Commissioner to investigate and resolve complaints that a duty imposed by PIPA has not been performed. Section 36(1)(b) permits the Commissioner to make the orders described in section 52(3), such as requiring an organization to destroy personal information collected improperly, even if a review is not requested. The Commissioner is also empowered under section 36(1)(j) to "bring to the attention of any organization any failure of the organization to meet the obligations established by this Act." Finally, whether a complaint is received or not, under section 36(1)(a), the Commissioner may initiate investigations and audits to ensure compliance with the Act if there are reasonable grounds to believe that an organization is not complying with PIPA.
The Act also contains a quasi-criminal enforcement provision. Section 56 provides for fines up to $10,000 against an individual or $100,000 against "a person other than an individual" for willful breaches of the statute, such as where the organization or person:
In reality, the protection offered by section 56 is largely illusory. A similar offence section exists in the companion FOIPPA (section 74). No fine has ever been levied under the provision.
As well, successful prosecution requires proof beyond a reasonable doubt. Examples of the application of this demanding onus include the cases of R. v. White, 2000 BCSC 1080 and R. v. Taylor, 2002 BCPC, 321. White, supra, involved prosecution of offences under the Securities Act, R.S.B.C. 1985, c. 83. Taylor, supra, involved a prosecution under the Wildlife Act, R.S.B.C. 1996, c. 488.
The higher standard of proof involved in the prosecution of quasi-criminal offences makes them less attractive to those wishing to enforce compliance with the statutory scheme. The stricter onus has contributed to the offence provisions in the FOIPPA have been largely ignored. The offence section in PIPA is also likely to suffer the same fate.
For some time now, the consensus has been that the use of criminal or quasi-criminal sanctions to enforce compliance with or punish for violation of the kinds of statutes providing for rights such as PIPA is ineffective. Rather than legislate what are really illusory quasi-criminal sanctions, it would have been far preferable for the Legislature to implement a truly effective enforcement mechanism, such as we find in the Labour Relations Code, R.S.B.C. 1996, c. 244, the Human Rights Code, R.S.B.C. 1996, c. 210, and the Commercial Arbitration Act, R.S.B.C. 1996, c. 55 – the filing of the Commission(er)’s order in court.
Before leaving this point, it should be emphasized that, in addition to the other problems referred to earlier, it is a longstanding policy of the Attorney General in this province not to permit utilization of these kinds of offence sections when dealing with what is largely an administrative scheme. It should also be pointed out that the Ministry has a general rule of not permitting private prosecutions to proceed.
Given the significance of privacy legislation, the inclusion of a largely ineffective enforcement mechanism in PIPA seems inconsistent with the goals of the new Act.
Statutory Right of Action
Section 57 provides another enforcement mechanism. It states that if the Commissioner has made a final order against an organization, then the individual affected by the order has a cause of action against the organization for "damages for actual harm". This statutory right of action also applies when an organization has been convicted of an offence under the Act and the conviction has become final. "Actual harm", however, is not defined.
"Actual harm" is used in tort claims for the intentional infliction of mental suffering, where courts have equated the phrase with a "visible and provable illness": Rahemtulla v. Vanfed Credit Union,  B.C.J. No. 2790 (Q.L.) (S.C.).
It is unclear how the concept of "actual harm" will work with respect to privacy violations. For example, will the courts require proof of actual economic loss? Non-economic loss? Compensation for mental distress? Or the humiliation of the disclosure of true facts that never need to have been disclosed? There were surely simpler, clearer formulations available to the Legislature.
Interestingly, British Columbia’s Privacy Act, R.S.B.C. 1996, c. 373, states in section 1(1) that tort actions under that Act are "actionable without proof of damage".
Another remedial possibility, although not referred to in the Act, is the use of class actions. In the U.S., for example, two class actions have been brought alleging that two of the largest American information brokers, ChoicePoint Inc. and Reed Elsevier, invaded the privacy of millions of Florida drivers by obtaining sensitive personal information from Florida’s Department of Highway Safety and Motor Vehicles and then reselling it.
More recently, in Whittum v. Saginaw County, 2004 U.S. Dist. LEXIS 6397 (Eastern District of Michigan, Northern Div.), a group of pre-trial detainees and prisoners at the Saginaw County Jail applied to certify a class action to challenge the institution’s strip search policies. The plaintiffs claimed that both male and female pre-arraignment detainees were subjected to "unnecessary viewing and touching by correction officers, at times by those of the opposite sex…" while they were "unnecessarily changed from their personal attire to jail garb while awaiting arraignment." In addition, they claimed that male prisoners who participated in work release programs "were…subjected to group, cross-gender strip searches, violative of their constitutionally protected rights." The plaintiffs alleged unsuccessfully that the policy violated their privacy rights: on April 2, 2004, District Judge David M. Lawson refused to certify the action, writing that "…the record presently before the Court indicates that none of the named plaintiffs fall within either of the subclasses that they propose."
Class actions in British Columbia are permitted under the Class Proceedings Act, R.S.B.C. 1996, c. 50. Thus far, no privacy class actions have been decided under the statute.
The final enforcement mechanism is arbitration, also not referred to in the Act. The Supreme Court of Canada held in Parry Sound (District) Social Services Administration Board v. O.P.S.E.U., Local 324, 2003 SCC 42, that human rights statutes and other employment-related statutes are, by implication, incorporated into collective agreements. In consequence, labour arbitrators have an obligation to consider and to apply those statutes in resolving disputes.
The Supreme Court, in an earlier line of cases, affirmed the special status of human rights legislation. In Winnipeg School Division No. 1 v. Craton,  2 S.C.R. 150, McIntyre J. wrote at paragraph 8: "Human rights legislation is of a special nature and declares public policy regarding matters of general concern."
The Supreme Court has also recognized the constitutional significance of the right to privacy in several decisions. For example, Wilson J. suggested that the liberty right of section 7 of the Canadian Charter of Rights and Freedoms encompasses a privacy component in R. v. Morgentaler,  1 S.C.R. 30 at paragraph 245. McLachlin J. in her dissenting reasons in Rodriguez v. British Columbia (Attorney General),  3 S.C.R. 519, at paragraph 200, found that the section 7 right of security of the person "has an element of personal autonomy, protecting the dignity and privacy of individuals with respect to decisions concerning their own body." L’Heureux-Dubé J. held in her majority judgment in R. v. O’Connor,  4 S.C.R. 411, at paragraph 113, that privacy interests were protected by both the liberty right and the security of the person right in section 7. She reiterated that point in her dissenting reasons in A.M. v. Ryan,  1 S.C.R. 157 at paragraph 80.
In Lavigne v. Canada (Office of the Commissioner of Official Languages), 2002 SCC 53, Gonthier J. for the Court explained that as the federal Privacy Act, R.S.C. 1985, c. P-21 was closely linked to Canada’s constitution, the Court recognized it as having "quasi-constitutional status".
As courts have accepted federal privacy laws as quasi-constitutional documents, provincial privacy laws, too, must enjoy this special status. As quasi-constitutional laws, it is suggested that provincial privacy laws must be contained impliedly in collective agreements, just as human rights statutes are. In consequence, labour arbitrators are bound to consider such laws in the resolution of privacy-related disputes under collective agreements.
That appears to have been the conclusion, although not the reasoning, of Pinard J. in L’Ecuyer v. Aéroports de Montréal, 2003 FCT 573, at paragraph 22, with respect to a complaint arising in a workplace covered by a collective agreement:
Accordingly, the nature of the dispute between the parties and the scope of the applicable collective agreement lead the Court to conclude that the grievance arbitrator appointed under the Code and the collective agreement has exclusive jurisdiction ratione materiae to decide the dispute in question, to the exclusion of the federal Privacy Commissioner and also of this Court, before which the dispute has come as a result of the latter’s report.
An arbitrator, enforcing an individual’s privacy rights after an arbitration hearing, has the extensive remedial powers set out in sections 89 and 92 of the British Columbia Labour Relations Code.
Section 5 of the Act requires organizations to "develop and follow policies and practices that are necessary" to comply with the statute. Such policies and practices must be available on request.
To assist in this task, included in the Appendix are the following resources:
Although PIPA is an important and valuable improvement in the recognition of privacy rights in our society, it is not the easy-to-administer, plain language statute that Minister Santori promised the B.C. public in 2003. Rather, it is unnecessarily complex and consumed by exceptions that make it difficult for non-lawyers to follow. Furthermore, it extends only tepid privacy protection to employees in the province’s private sector. Finally, the Act lacks effective enforcement procedures.
Your Responsibilities Under PIPA
(with some adaptation from the federal website)
The following code was developed by business, consumers, academics and government under the auspices of the Canadian Standards Association. It lists 10 principles of fair information practices, which form ground rules for the collection, use and disclosure of personal information. These principles give individuals control over how their personal information is handled in the private sector.
An organization is responsible for the protection of personal information and the fair handling of it at all times, throughout the organization and in dealings with third parties. Care in collecting, using and disclosing personal information is essential to continued consumer confidence and good will.
The 10 principles that businesses must follow are:
How to fulfill these responsibilities
Develop and implement policies and procedures to protect personal information including those that:
Train your front-line and management staff and keep them informed, so they can answer the following questions:
2. Identify the purpose
Your organization must identify the reasons for collecting personal information before or at the time of collection.
How to fulfil these responsibilities
Ensure that these purposes are limited to what a reasonable person would expect under the circumstances.
3. Obtain consent
How to fulfil these responsibilities
How to fulfil these responsibilities
5. Limit use, disclosure and retention
How to fulfil these responsibilities
6. Be accurate
Minimize the possibility of using incorrect information when making a decision about the individual or when disclosing information to third parties.
How to fulfil these responsibilities
This may require reviewing your records or communicating with the client.
7. Use appropriate safeguards
How to fulfil these responsibilities
8. Be open
How to fulfil these responsibilities
9. Give individuals access
10. Provide recourse
How to fulfil these responsibilities
Exceptions to the Consent and Access Principles
Exceptions to Consent
Even though Section 6(1) prohibits an organization from collecting, using or disclosing personal information there are a number of exceptions.
Organizations may collect, use or disclose personal information where:
Collection of Personal Information without Consent
Organizations may collect personal information without the individual's consent only:
Use of Personal Information without Consent
Organizations may use personal information without the individual's consent only:
Disclosure of Personal Information without Consent
Organizations may disclose personal information without the individual's consent only:
Exceptions to Access
Section 23(1) states that on request an organization must provide the individual with the following:
However section 23(3-5) detail the exceptions to the above as follows:
Organizations may refuse an individual access to personal information:
Organizations must refuse an individual access to personal information:
Note that if the information referred to in s.23(3)(a-c) or (4) can be removed, the organization must release the remaining information (s.23(5)).
Excerpts from the Federal Privacy Commissioner’s March 11, 2004
letter to the Privacy Commissioners of British Columbia and Alberta
regarding the handling of complaints under PIPEDA as of January 1, 2004
"This letter will serve to confirm the discussions we had in Ottawa on January 21, 2004 concerning our current and future handling of complaints by our Office where the complaint is against an organization in, as the case may be, British Columbia or Alberta.
Our understanding is as follows:
1. The Office of the Privacy Commissioner of Canada (OPC) has a legal obligation to apply the Personal Information Protection and Electronic Documents Act (PIPEDA) where appropriate.
2. OPC will take complaints against private sector organizations in BC and Alberta that are collecting, using or disclosing personal information about their customers in the course of commercial activity. This includes organizations that deal in personal health information such as physicians and dentists’ offices, private laboratories, etc.
3. OPC will verbally inform complainants of the possibility of complaining directly to the appropriate provincial commissioner and that complaints which fall clearly in provincial rather than federal jurisdiction, after a substantially similar order, will be transferred in any event.
4. If the complainant wishes nevertheless to proceed federally, OPC will open a complaint file but will inform all parties to the complaint that there will be a transfer of the complaint and all information on the file to the appropriate provincial commissioner if and when a substantially similar order is made.