Privacy Law Update

Employment Law Conference 2004 (Continuing Legal Education)

Leo McGrady Q.C.

McGrady, Baugh & Whyte

Vancouver, BC

April 29, 2004

 

TABLE OF CONTENTS


Introduction

What is Personal Information?

What is Consent?

Withdrawal of Consent

Obtaining and Documenting Consent

Collection, Use and Disclosure of Personal Information

Collection (Part 4)

Use (Part 5)

Disclosure (Part 6)

Accuracy and Retention

Accuracy of Personal Information

Retention of Personal Information

Complaints

Remedies

Powers of the Commissioner

Criminal Charges

Statutory Right of Action

Class Action

Arbitration

Privacy Policy

Conclusion

APPENDIX 1

Introduction

When Minister Santori rose in the House to move second reading of Bill 38, the Personal Information and Protection Act, he spoke to the government’s highest aspirations for the privacy statute. He said:

This bill retains provincial jurisdiction over this key aspect of B.C.’s commercial activity by replacing the cumbersome and confusing federal Personal Information Protection and Electronic Documents Act, also known as the PIPED Act. … It minimizes the regulatory burden on B.C. businesses by providing an easier to understand and less onerous set of privacy rules that are supported by the B.C. private sector…[The Act applies] a straightforward and practical approach to the protection of personal information…

The Minister identified the comprehensive scope of the proposed legislation as one of its key elements. He stated that:

Bill 38 "…provides broader protection than the federal legislation, which relates only to commercial activity. For example, this bill protects the employee information of British Columbians working for provincial companies. The federal act would not have protected B.C. employees…"

Regrettably, the Personal Information Protection Act, S.B.C. 2003, c. 63 ("PIPA"), is the antithesis of the plain language approach to legislative drafting. In addition, it simply does not deliver on its promise of protection of employee information in the British Columbia private sector.

This paper will explore the discrepancy between the laudable goals the Minister attributed to the province’s newest privacy statute and the reality. In so doing, it will consider the key concepts of the statute:

Before dealing with my material, let me commend the following resources to you.

Federal Government

Personal Information Protection and Electronic Documents Act:

http://www.privcom.gc.ca

We strongly recommend this site for anyone concerned with issues arising under the federal legislation. It contains, of course, the legislation, contact points, answers to frequently asked questions, all of the decisions, as well as links to other provinces and territories.

British Columbia

Law:

Freedom of Information and Protection of Privacy Act:

http://www.oipc.bc.ca/legislation/

Personal Information Protection Act: http://www.oipc.bc.ca/private/

Oversight:

David Loukidelis

Information and Privacy Commissioner for British Columbia

3rd Floor, 756 Fort Street

Victoria, BC V8W 1H2

Phone: (250) 387-5629

Fax: (250) 387-1696

E-mail: info@oipc.bc.ca

Website: http://www.oipc.bc.ca

Until the federal Cabinet declares PIPA to be substantially similar, the Office of the Privacy Commissioner of Canada has a legal obligation to apply the Personal Information Protection and Electronic Documents Act ("PIPEDA") where appropriate. Attached in the Appendix are excerpts from the federal Privacy Commissioner’s March 11, 2004 letter to the Privacy Commissioners of British Columbia and Alberta.

Government Agency Responsible:

Ministry of Management Services

Corporate Privacy and Information Access Branch

Box 9437, Stn. Prov. Govt.

Victoria, BC

Phone: (250) 387-1992

E-mail: EnquiryBC@gems3.gov.bc.ca

Website: http://www.mser.gov.bc.ca/foi_pop/

Personal Information Protection Act Hotline

Phone: (250) 356-1851

Fax: (250) 953-0455

E-mail: cpiaadmin@gems5.gov.bc.ca

 

We are fortunate now in having a series of very valuable guides to the implementation of the provincial legislation.

The first, of course, is British Columbia’s A Guide to PIPA available from the Office of the Information and Privacy Commissioner’s website listed above.

The second one that we found very helpful is one prepared by the BC Federation of Labour, "Protecting Our Members’ Privacy Rights: Complying with the Federal and Provincial Privacy Legislation" (2003). It is available at: http://www.bcfed.com/links.

The third one – and perhaps the most important one for all lawyers present – is the Law Society of British Columbia’s Model Privacy Policy, available online at the Law Society’s webpage: http://www.lawsociety.bc.ca. Once at that webpage, click on Practice and Services, then Practice Resources; scroll down to Office Organization Model Policies, Privacy Policy.

We have also found the Canadian Institute of Chartered Accountants’ document helpful. It is very detailed and lengthy (90 pages), and is available at: http://www.cica.ca/index.cfm/ci_id/1009/la_id/l.htm.

Finally, when I was preparing my privacy paper for the CBA National Conference in Ottawa in November of 2003, there were no comprehensive checklists suitable for use by employers and unions in British Columbia. As a result, we took the federal guidelines, conducted a line-by-line review of the provincial legislation, and developed our own guidelines. We published those guidelines with the paper distributed at the conference. The feedback that we have received since November 2003 suggests that you may find this checklist a reliable guide in creating and monitoring your privacy policy.

 

What is Personal Information?

"Personal information" is defined under PIPA as meaning information about an identifiable individual, including employee personal information. Although not expressly referred to in the definition, the following matters are typically covered by that term:

    1. race, national or ethnic origin
    2. colour
    3. religion
    4. age
    5. sex
    6. sexual orientation
    7. marital or family status

The term may also cover:

    1. educational attainment
    2. the individual’s history relating to medical, psychiatric, psychological, criminal or employment matters, or any financial transaction in which the individual has been involved
    3. views or opinions of the individual
    4. fingerprints or blood type

The two main exceptions under the legislated definition relate to contact information, including name, work position or title, business telephone number, business address, business email, and business fax number of the individual; or work product information, that is, information prepared or collected by an individual or group of individuals as part of their employment- or business-related responsibilities or activities.

 

What is Consent?

Given the role that consent plays in PIPA, one would have thought that the statute would include a short, precise definition. Surprisingly, it does not.

There is much to be said for the simplicity of the approach adopted in the Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165, ("FOIPPA"), the privacy statute governing the B.C. public sector. That Act is, in many significant respects, in pari materia with PIPA. For example, section 2(1) of FOIPPA provides that one of the statute’s purposes is "to protect personal privacy by…"

    1. preventing the unauthorized collection, use or disclosure of personal information ….

Section 2 of PIPA states:

The purpose of this Act is to govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

The definition of consent in FOIPPA is found in section 6 of the Freedom of Information and Protection of Privacy Regulation, B.C. Reg. 323/93:

The consent of an individual to a public body disclosing any of the individual’s personal information under section 33(b) of the Act must

    1. be in writing, and
    2. specify to whom the personal information may be disclosed and how the personal information may be used.

As we shall see shortly, PIPA adopts a much more complex and unfortunate system of express, statutory, deemed, and "opt out" consent.

The provisions of PIPA dealing with consent are extensive. They are set out in four rather lengthy sections (sections 6, 7, 8 and 9).

Section 6 begins with a very clear statement prohibiting an organization from collecting, using or disclosing personal information about an individual. Subsection 2 of section 6 then immediately describes three exceptions:

    1. where the individual consents;
    2. where the Act provides the necessary authorization, or makes consent unnecessary; and
    3. where the Act deems consent.

Jumping ahead for a moment, the section heading to section 8 then refers to ‘implicit’ consent. In fact, the section deals with deemed consent, the same consent covered by section 6(2)(c).

Section 7 then sets out what does not constitute consent. There is no valid consent under the Act unless the purpose for the organization’s collection of the information is communicated to the person, as set out in section 10, along with a number of other requirements, and the consent is otherwise in accordance with the Act (section 7(1)). An organization must not, as a condition of supplying a product or service, require a person to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service (section 7(2)). If an organization does attempt to obtain consent for collecting, using or disclosing that personal information by providing false information, or using misleading practices, the consent is void (section 7(3)).

Under section 8(1), an individual is deemed to consent to the collection, use or disclosure if at the time the consent is deemed to be given, the purpose would be considered to be obvious to a reasonable person, and the individual voluntarily provides the personal information to the organization for that purpose.

Under subsection (2), a person is deemed to consent for the purposes of enrolment and coverage under an insurance, pension, benefit, or similar plan if he or she is a beneficiary or has an interest as an insured under the plan.

Section 8 continues in its elaboration of implicit or deemed consent by providing in subsection (3) for a form of "opt out" consent. Subsection (3) allows an organization to collect information for specified purposes if certain events occur, all of which are judged by a standard of reasonableness. Thus, an organization can collect, use or disclose personal information if:

    1. it provides the individual with a notice in a form that person can reasonably be considered to understand that it intends to collect, use or disclose the personal information for those specified purposes;
    2. it gives the individual a reasonable opportunity to decline within a reasonable time;
    3. the individual does not decline within that time; and
    4. the collection, use or disclosure of that information is reasonable, having regard to the sensitivity of the personal information in the circumstances.

Section 8(4) provides that there may be no deemed consent under subsection (1) for a purpose different than the purpose to which that subsection applies. One must ask why that restriction applies only to the deemed consent in subsection (1), and not also to subsections (2) and (3). The logic making it applicable to subsections (2) and (3) seems rather compelling, but their omission from subsection (4) leaves it open to organizations to argue they benefit from a broader form of deemed consent under subsection (2) or opt out consent in subsection (3).

Let’s pause here to summarize where we are on the issue of consent.

Despite the claims of simplicity made by the government and by some of the advocates of the legislation, the concept of consent in PIPA appears to be unnecessarily complex, and at the same time somewhat ambiguous. There appear to be four kinds of consent under the legislation:

    1. express consent: section 6(2)(a)
    2. statutory consent: section 6(2)(b)
    3. deemed or implicit consent: sections 6(2)(c) and 8(1) and (2)
    4. opt out consent: section 8(3)

Furthermore, PIPA carves out a special subset of "personal information", namely, "employee personal information" that obviates, in broadly stated circumstances, the need to obtain consent. Employee personal information is defined as: "personal information about an individual that is collected, used or disclosed solely for the purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual, but does not include personal information that is not about an individual’s employment".

The Act, touted by Minister Santori as demonstrating B.C.’s "leadership role" in the provision of privacy rights "…to employees of businesses that are provincially regulated…", provides tepid protection to workers at best. Subsection (2) of the Act’s separate sections dealing with the collection (section 13), use (section 16), and disclosure (section 19) of "employee personal information" state that employee consent is not required:

    1. if the Act permits collection, use, or disclosure without consent in sections 12, 15, or 18; or
    2. the collection, use, or disclosure is "reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual".

Where the employee personal information is collected, used or disclosed to establish, manage or terminate an employment relationship, the statute simply requires the organization to notify the individual that it will be collecting, using, or disclosing the information without that person’s consent.

The former Privacy Commissioner of Canada identified this large loophole as one of the "very grave deficiencies" that would militate against the Government of Canada’s ability to recognize PIPA as "substantially similar" to the federal Personal Information Protection and Electronic Documents Act ("PIPEDA"). (If B.C.’s PIPA is not considered by Ottawa to be "substantially similar" to PIPEDA, then PIPEDA applies by default to govern B.C.’s private sector.) The former Commissioner went on to write in his May 7, 2003, letter to Minister Santori:

…the Bill is clearly inferior to the PIPED Act with regard to privacy rights in employment. The workplace is where most people spend most of their waking lives; in few circumstances are privacy rights more important. Yet Bill 38 specifically allows the collection, use and disclosure of employee personal information without consent – completely depriving an employee or a prospective employee of any control over his or her information.

I recognize that the bill requires that the collection, use or disclosure of employee personal information be reasonable for the purposes of establishing, managing or terminating an employment relationship. This is a weak test, however, and meager consolation for employees or prospective employees concerned about privacy.

In spite of this critique of Bill 38, the B.C. Legislature passed PIPA without significant modification. The "inferior" privacy safeguards afforded to B.C. employees, therefore, remain.

 

Withdrawal of Consent

Subject to two exceptions, a person may withdraw consent at any time on reasonable notice (section 9(1)). The organization must then stop collecting, using or disclosing that personal information. Once an organization receives notice, it must advise the person of the likely consequences of withdrawal of the consent (subsection (2)). The organization must not prohibit an individual from withdrawing his or her consent (subsection (3)).

The first exception is that an individual may not withdraw consent if by doing so he or she would frustrate the performance of a legal obligation (section 9(5)). It is not clear, but one would assume the performance of a legal obligation by the organization, as well as by the individual, is covered.

Finally, there may be no withdrawal of a consent to a credit reporting agency in certain limited circumstances (section 9(6)).

 

Obtaining and Documenting Consent

Given the complexity of the consent provisions, organizations are doubtlessly looking for any assistance they may find. The following tips on consent are taken from guides on PIPA prepared by the Office of the Information & Privacy Commissioner for British Columbia and the B.C. Federation of Labour:

  1. Note that PIPA regards personal information collected before the Act came into force on January 1, 2004, to have been collected with consent. Use or disclose such information for the purposes for which it was originally collected (sections 14(b) and 17(b)).
  2. Obtain consent from the individual before or at the time of collection of new personal information or when a new use is identified (section 10).
  3. In determining what form of consent to use, consider the sensitivity of the personal information, what a reasonable person would expect and consider appropriate in the circumstances, the circumstances of collection, your proposed uses or disclosures, and whether you may need to prove that you obtained consent. The more sensitive the personal information, the better it would be to obtain express, written consent.
  4. When detailing the purposes of collection, use or disclosure in consent clauses, be as specific as possible. Use plain language.
  5. Never obtain consent by deceptive means or by providing false or misleading information about how the personal information will be used or disclosed (section 7(3)).
  6. Never make supplying a product or service conditional on obtaining consent unless the collection, use or disclosure of the personal information is necessary to provide the product or service (section 7(2)).
  7. Allow individuals to withdraw consent unless the withdrawal would frustrate the performance of a legal obligation (section 9(5)).
  8. If an individual withdraws consent, explain the likely consequences of withdrawing consent (section 9(2)).

 

Collection, Use and Disclosure of Personal Information

The three major activities covered by PIPA are:

    1. the collection of personal information (Part 4);
    2. the use of personal information (Part 5); and
    3. the disclosure of personal information (Part 6).

 

Collection (Part 4)

Either before or at the time of the collection of personal information from the individual, an organization must disclose to the individual, either verbally or in writing, the purposes for the collection and, if requested, the name and contact information for an employee of the organization able to answer the person’s questions about the collection (section 10(1)). In addition, where one organization is seeking information about an individual from another organization without the consent of the individual, the first organization must provide the other with sufficient information regarding the purpose of the collection to allow the latter to determine whether the disclosure would be in accordance with the Act (section 10(2)).

Neither of these conditions applies, however, in the case of deemed consent (section 10(3)). It would appear, therefore, that they apply in the case of an express consent under section 6(2)(a), or an opt out consent under section 8(3). It would make no sense for these to be a requirement in the case of a statutory consent under section 6(2)(b), although the matter is not entirely clear.

Section 11 limits the collection of personal information to purposes that a reasonable person would consider appropriate in the circumstances, and that achieve the purposes disclosed under section 10(1), or for purposes otherwise permitted under the Act.

Section 12 then sets out eleven circumstances in which consent is not required. They are, generally, where:

    1. the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;
    2. the information is necessary for medical treatment of the person and the person is unable to give consent;
    3. seeking consent would compromise the availability or accuracy of the information and the collection is reasonable for an investigation or a proceeding;

       Section 1 defines investigation as an investigation related to:

         1. a breach of an agreement,
         2. a contravention of an enactment of Canada or a province,
         3. a circumstance or conduct that may result in a remedy or relief being available under an enactment, under the common law or in equity,
         4. the prevention of fraud, or
         5. trading in a security…

       A proceeding means a civil, criminal or an administrative proceeding that is related to the allegation of:

         1. a breach of an agreement,
         2. a contravention of an enactment of Canada or a province, or
         3. a wrong or breach of a duty for which a remedy is claimed under an enactment, under the common law or in equity.

    4. the information is to be collected by observation at a performance, a sports meet or similar event that is open to the public;
    5. the personal information is available to the public from any of the other sources set out in section 12;
    6. the collection is necessary to determine the individual’s suitability to receive an honour or to be selected for an athletic or artistic purpose;
    7. where the organization is a credit reporting agency collecting the information to create a credit report, and at the time of the original collection, the individual had consented;
    8. the collection is required or authorized by law;
    9. the information was disclosed to the organization under sections 18 to 22 of the legislation (which will be dealt with shortly);
    10. the personal information is necessary to collect or pay a debt owed to or by the organization; and
    11. an organization may collect personal information from or on behalf of another organization without consent if the individual had previously consented to its collection by that other organization, and the collection or disclosure is for the purposes for which it was previously collected and being used to assist the organization to carry out work on behalf of the other organization (subsection (2)).

Section 13 describes the special rules which apply to the collection of "employee personal information" – namely, that consent is not required where the information is available to it without consent under the terms of section 12 above, or where "the collection is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual" (section 13(2)).

As discussed in the section on consent, the employer must simply provide notice to the employee that it will be collecting personal information, and the purposes for which it will be doing so (section 13(3)). No notice is required if section 12 permits the collection without the consent of the individual (section 13(4)).

 

Use (Part 5)

Section 14 begins by limiting the use of the personal information "only for purposes that a reasonable person would consider appropriate in the circumstances". In addition, the purposes must fulfill those disclosed under section 10(1), or be otherwise permitted under the Act. With respect to the collection of information that predates the Act, the use must fulfill the purposes for which it was collected.

Part 5 then proceeds, in section 15, to provide for a series of thirteen usages that may be made without consent that largely parallel the without consent collections set out in section 12. Subsections (k) and (l) have no parallel in section 12.

With respect to employee personal information, section 16 parallels the collection of personal information requirements in section 13.

 

Disclosure (Part 6)

Section 17 follows the pattern set in section 14 for the use of personal information. The former permits an organization to disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances, and that fulfill the purposes that the organization discloses under section 10(1), or that are otherwise permitted under the Act. With respect to the disclosure of information collected prior to the Act coming into force, the disclosure must fulfill the purpose for which it was collected.

Section 18 provides for a series of circumstances in which disclosure is permitted without consent. The circumstances generally parallel those provided for in section 15 involving the use of personal information without consent, with a number of significant additions. The additions include disclosure pursuant to a treaty (section 18(1)(h)); compliance with a subpoena, warrant or order (section 18(1)(i)); disclosure to a public body or law enforcement agency in Canada concerning an offence under the laws of Canada to assist in the investigation, or the making of a decision to undertake an investigation (section 18(1)(j)); regarding compelling circumstances affecting the health and safety of any individual (section 18(1)(k)); the disclosure for the purposes of contacting next of kin, or a friend of an injured, ill or deceased individual (section 18(1)(l)); disclosure to a lawyer representing the organization (section 18(1)(m)); and disclosure to an archival institution in certain circumstances (section 18(1)(n)).

Disclosure, as discussed in section 18(2), may be made to another organization without consent in circumstances similar to those set out for the use of information without consent in section 15(2). Similarly, section 19 parallels section 13 in the former’s treatment of the disclosure of employee personal information.

The balance of this part, sections 20-22, then deals with three other purposes for which personal information may be transferred or disclosed.

Section 20 deals with the sale of an organization or its business assets. This issue was of considerable concern to both businesses and unions during the drafting stages of the legislation. In my view, the provisions deal adequately with most of those concerns. The scheme of section 20 provides for the disclosure of the information relating to employees, customers, directors, officers or shareholders without consent to a prospective party as long as certain conditions are met.

First, the information must be necessary for the prospective party to determine whether to proceed with the business transaction. Second, the organization and the prospective party must have entered into an agreement limiting the use of that personal information solely for purposes relating to the prospective business transaction.

Section 20(3) states that if the prospective party proceeds with the purchase, the disclosure may be made without consent, as long as the material is used only for the same purposes for which it was collected, used or disclosed; the personal information relates directly to the part of the organization or its business assets covered by the transaction; and the employees, customers, directors, officers and shareholders whose information is disclosed are notified of the transaction and the disclosure.

There are additional safeguards, including one that the disclosure may proceed only if the transaction involves "substantial assets" of the organization, other than the personal information (subsection (7)). In addition, if the sale does not proceed or is not completed, the prospective party must either destroy the information or return it to the organization (subsection (6)).

Section 21 authorizes disclosure in certain narrow circumstances for research or statistical purposes. The purposes do not include "market research purposes" (section 21(2)). The other conditions that must be met are:

    1. the research purpose cannot be accomplished without that personal information;
    2. the persons not be contacted to ask them to participate in the research;
    3. linkage of the personal information to other information is not harmful to the individuals identified by the personal information and the benefits to be derived from any linkage are clearly in the public interest;
    4. the organization to which the personal information is to be disclosed has signed an agreement with respect to five specified conditions;
    5. it is impracticable for the organization to seek the consent of the individual for the disclosure.


Accuracy and Retention

 

Accuracy of Personal Information

As a starting point, section 33 requires that an organization "make a reasonable effort to ensure that personal information collected by or on behalf of the organization is accurate and complete" if the personal information is likely to be used to make a decision that affects the individual or is likely to be disclosed to another organization.

If an individual discovers an error or omission in his or her personal information, he or she may request, in writing, a correction (sections 24(1), 27). If the organization is "satisfied on reasonable grounds" that there was such an error or omission, then it must correct the personal information as soon as reasonably possible and send the corrected version to each organization to which the organization had disclosed the individual’s personal information during the previous year (section 24(2)). If it makes no correction, the organization must nevertheless annotate the personal information under its control that such a correction was requested but not made (section 24(3)).

Unless the organization has applied for an extension of time, it has 30 days in which to respond to a request for a correction (section 29(1)). As well, the organization is under a legal duty to "respond to each applicant as accurately and completely as reasonably possible" (section 28). In addition, the Act prohibits an organization from charging a fee respecting employee personal information (section 32(1)).

 

Retention of Personal Information

The Act requires organizations to destroy documents containing personal information, or remove the means by which the personal information can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which that personal information was collected is no longer being served by retention of the personal information, and retention is no longer necessary for legal or business purposes (section 35(2)).

Technology reporter Keith Damsell of the Globe and Mail observes in his March 9, 2004 article, "Privacy Rules Turn Shredders On", that new privacy legislation has made the paper shredding trade a very big business, escalating people’s contact with their paper shredder "from a casual fling to a torrid relationship". He quotes the president and CEO of a shredding firm in Ottawa, Proshred Security International Inc., as indicating that sales are projected to climb about 30% from 2003 to 2004.

Lest you turn the shredder on too quickly, note must be made of section 35(1) of PIPA, which states that "…if an organization uses an individual’s personal information to make a decision that directly affects the individual, the organization must retain that information for at least one year…" The purpose for this mandatory retention period is to allow the affected individual "a reasonable opportunity to obtain access" to the information used to make the decision in question.

 

Complaints

PIPA not only sets out the privacy principles governing B.C.’s private sector, it requires a system for access to and correction of personal information. According to section 5 of the statute, every organization must develop a complaint process and make information about that complaint process available on request. To comply, the complaint process must be able to deal with both privacy and access/correction complaints. The organization must make available to the public the title of the person it designates to be responsible for ensuring compliance with the Act as well as his or her contact information (section 4(3) and (5)).

Remedies

This part of the paper will focus on an assessment of the remedial options available to a person seeking to exercise a right under the legislation. I will consider here the powers of the Commissioner, the possibility of laying a criminal charge, the statutory right of action, a class action, and, finally, arbitration.

Powers of the Commissioner

The Commissioner’s primary enforcement mechanism appears to be his or her ability to investigate and deal with "requests" made by aggrieved individuals. The definition of "request" refers to either a complaint under section 36(2) or a review.

A review is defined in section 45 as a:

…review of a decision, act or failure to act of an organization

    1. respecting access to or the correction of personal information about the individual who requests the review, and
    2. referred to in the request for the review.

A complaint under section 36(2), in turn, is one that alleges:

    1. a duty imposed by this Act or the regulations has not been performed,
    2. an extension of time for responding to a request is not in accordance with section 29,
    3. a fee required by an organization under this Act is not reasonable,
    4. a correction of personal information requested under section 24 has been refused without justification, and
    5. personal information has been collected, used or disclosed by an organization in contravention of this Act.

The procedure of making a request is detailed in sections 47 and 48 of the Act. Typically, an individual has 30 days from the date on which the person making the request is notified of the circumstances on which the request is made to deliver his or her written request to the Commissioner. Once that request is received, the Commissioner must give notice by providing a copy of the request to the organization concerned and "any other person that the Commissioner considers appropriate".

It appears from the Act that recourse to mediation and other informal dispute resolution techniques will be the Commissioner’s initial response to a request. Section 49 authorizes the Commissioner to appoint a mediator "to investigate and to try to settle the matter on which a request is based". Section 36(2) permits the Commissioner to "investigate and attempt to resolve complaints…"

If the request is not referred to a mediator or settled under section 49, then section 50 authorizes the Commissioner to hold an inquiry, possibly in private. The Commissioner determines whether submissions, referred to as "representations", are to be made verbally or in writing and also who is entitled to be present or to have access to representations to the Commissioner under section 50(4). The Commissioner must complete the inquiry within 30 days of receipt of a request regarding a complaint under section 50(6) or (7) or within 90 days of receipt of a request regarding a review under section 50(8).

At the end of the inquiry, the Commissioner must make an order under section 52. Possible orders include requiring an organization:

    1. to give the individual access to all or part of his or her personal information under the control of the organization,
    2. to disclose to the individual the ways in which the personal information has been used, or
    3. to disclose to the individual names of the individuals and organizations to whom the personal information has been disclosed by the organization.

In the face of an adverse ruling, the organization must comply within 30 days after being given a copy of a Commissioner’s order unless it brings an application for judicial review during that period. Once a judicial review application has been brought, then the Commissioner’s order is stayed from that point "until a court orders otherwise" under section 53(2).

In addition to the Commissioner’s powers with respect to complaints and reviews, he or she also possesses general powers. For example, section 36(2)(a) allows the Commissioner to investigate and resolve complaints that a duty imposed by PIPA has not been performed. Section 36(1)(b) permits the Commissioner to make the orders described in section 52(3), such as requiring an organization to destroy personal information collected improperly, even if a review is not requested. The Commissioner is also empowered under section 36(1)(j) to "bring to the attention of any organization any failure of the organization to meet the obligations established by this Act." Finally, whether a complaint is received or not, under section 36(1)(a), the Commissioner may initiate investigations and audits to ensure compliance with the Act if there are reasonable grounds to believe that an organization is not complying with PIPA.

Criminal Charges

The Act also contains a quasi-criminal enforcement provision. Section 56 provides for fines up to $10,000 against an individual or $100,000 against "a person other than an individual" for willful breaches of the statute, such as where the organization or person:

    1. uses deception or coercion to collect personal information in contravention of this Act,
    2. disposes of personal information with an intent to evade a request for access to the personal information,
    3. obstructs the commissioner or an authorized delegate of the commissioner in the performance of his or her duties or powers under the Act,
    4. knowingly makes a false statement to the commissioner, or knowingly misleads or attempts to mislead the commissioner, in the course of the commissioner’s performance of his or her duties or powers under this Act,
    5. contravenes section 54 (which protects employees from retaliation), or
    6. fails to comply with an order made by the commissioner under this Act.

 

In reality, the protection offered by section 56 is largely illusory. A similar offence section exists in the companion FOIPPA (section 74). No fine has ever been levied under the provision.

As well, successful prosecution requires proof beyond a reasonable doubt. Examples of the application of this demanding onus include the cases of R. v. White, 2000 BCSC 1080 and R. v. Taylor, 2002 BCPC 321. White, supra, involved prosecution of offences under the Securities Act, R.S.B.C. 1985, c. 83. Taylor, supra, involved a prosecution under the Wildlife Act, R.S.B.C. 1996, c. 488.

The higher standard of proof involved in the prosecution of quasi-criminal offences makes them less attractive to those wishing to enforce compliance with the statutory scheme. The stricter onus has contributed to the offence provisions in the FOIPPA having been largely ignored. The offence section in PIPA is likely to suffer the same fate.

For some time now, the consensus has been that the use of criminal or quasi-criminal sanctions to enforce compliance with or punish for violation of the kinds of statutes providing for rights such as PIPA is ineffective. Rather than legislate what are really illusory quasi-criminal sanctions, it would have been far preferable for the Legislature to implement a truly effective enforcement mechanism, such as we find in the Labour Relations Code, R.S.B.C. 1996, c. 244, the Human Rights Code, R.S.B.C. 1996, c. 210, and the Commercial Arbitration Act, R.S.B.C. 1996, c. 55 – the filing of the Commission(er)’s order in court.

Before leaving this point, it should be emphasized that, in addition to the other problems referred to earlier, it is a longstanding policy of the Attorney General in this province not to permit utilization of these kinds of offence sections when dealing with what is largely an administrative scheme. It should also be pointed out that the Ministry has a general rule of not permitting private prosecutions to proceed.

Given the significance of privacy legislation, the inclusion of a largely ineffective enforcement mechanism in PIPA seems inconsistent with the goals of the new Act.

Statutory Right of Action

Section 57 provides another enforcement mechanism. It states that if the Commissioner has made a final order against an organization, then the individual affected by the order has a cause of action against the organization for "damages for actual harm". This statutory right of action also applies when an organization has been convicted of an offence under the Act and the conviction has become final. "Actual harm", however, is not defined.

"Actual harm" is used in tort claims for the intentional infliction of mental suffering, where courts have equated the phrase with a "visible and provable illness": Rahemtulla v. Vanfed Credit Union, [1984] B.C.J. No. 2790 (Q.L.) (S.C.).

 

It is unclear how the concept of "actual harm" will work with respect to privacy violations. For example, will the courts require proof of actual economic loss? Non-economic loss? Compensation for mental distress? Or the humiliation of the disclosure of true facts that never needed to be disclosed? There were surely simpler, clearer formulations available to the Legislature.

Interestingly, British Columbia’s Privacy Act, R.S.B.C. 1996, c. 373, states in section 1(1) that tort actions under that Act are "actionable without proof of damage".

Class Action

Another remedial possibility, although not referred to in the Act, is the use of class actions. In the U.S., for example, two class actions have been brought alleging that two of the largest American information brokers, ChoicePoint Inc. and Reed Elsevier, invaded the privacy of millions of Florida drivers by obtaining sensitive personal information from Florida’s Department of Highway Safety and Motor Vehicles and then reselling it.

In Massachusetts, a privacy class action was launched alleging that a number of pharmaceutical companies had secretly intercepted individual web users’ personal information through the use of cookies and other devices. However, on November 6, 2003, the United States District Court of Massachusetts allowed the defendant pharmaceutical companies’ motion for summary judgment. Judge Tauro held that the plaintiffs had not met the evidentiary burden on them under the Electronic Communications Privacy Act, 18 U.S.C. § 2510 et seq. to show that the interception of the information had been intentional.

More recently, in Whittum v. Saginaw County, 2004 U.S. Dist. LEXIS 6397 (Eastern District of Michigan, Northern Div.), a group of pre-trial detainees and prisoners at the Saginaw County Jail applied to certify a class action to challenge the institution’s strip search policies. The plaintiffs claimed that both male and female pre-arraignment detainees were subjected to "unnecessary viewing and touching by correction officers, at times by those of the opposite sex…" while they were "unnecessarily changed from their personal attire to jail garb while awaiting arraignment." In addition, they claimed that male prisoners who participated in work release programs "were…subjected to group, cross-gender strip searches, violative of their constitutionally protected rights." The plaintiffs alleged unsuccessfully that the policy violated their privacy rights: on April 2, 2004, District Judge David M. Lawson refused to certify the action, writing that "…the record presently before the Court indicates that none of the named plaintiffs fall within either of the subclasses that they propose."

Class actions in British Columbia are permitted under the Class Proceedings Act, R.S.B.C. 1996, c. 50. Thus far, no privacy class actions have been decided under the statute.

Arbitration

The final enforcement mechanism is arbitration, also not referred to in the Act. The Supreme Court of Canada held in Parry Sound (District) Social Services Administration Board v. O.P.S.E.U., Local 324, 2003 SCC 42, that human rights statutes and other employment-related statutes are, by implication, incorporated into collective agreements. In consequence, labour arbitrators have an obligation to consider and to apply those statutes in resolving disputes.

The Supreme Court, in an earlier line of cases, affirmed the special status of human rights legislation. In Winnipeg School Division No. 1 v. Craton, [1985] 2 S.C.R. 150, McIntyre J. wrote at paragraph 8: "Human rights legislation is of a special nature and declares public policy regarding matters of general concern."

The Supreme Court has also recognized the constitutional significance of the right to privacy in several decisions. For example, Wilson J. suggested that the liberty right of section 7 of the Canadian Charter of Rights and Freedoms encompasses a privacy component in R. v. Morgentaler, [1988] 1 S.C.R. 30 at paragraph 245. McLachlin J. in her dissenting reasons in Rodriguez v. British Columbia (Attorney General), [1993] 3 S.C.R. 519, at paragraph 200, found that the section 7 right of security of the person "has an element of personal autonomy, protecting the dignity and privacy of individuals with respect to decisions concerning their own body." L’Heureux-Dubé J. held in her majority judgment in R. v. O’Connor, [1995] 4 S.C.R. 411, at paragraph 113, that privacy interests were protected by both the liberty right and the security of the person right in section 7. She reiterated that point in her dissenting reasons in A.M. v. Ryan, [1997] 1 S.C.R. 157 at paragraph 80.

In Lavigne v. Canada (Office of the Commissioner of Official Languages), 2002 SCC 53, Gonthier J. for the Court explained that as the federal Privacy Act, R.S.C. 1985, c. P-21 was closely linked to Canada’s constitution, the Court recognized it as having "quasi-constitutional status".

As courts have accepted federal privacy laws as quasi-constitutional documents, provincial privacy laws, too, must enjoy this special status. It is suggested that, as quasi-constitutional laws, provincial privacy laws must be impliedly contained in collective agreements, just as human rights statutes are. In consequence, labour arbitrators are bound to consider such laws in the resolution of privacy-related disputes under collective agreements.

That appears to have been the conclusion, although not the reasoning, of Pinard J. in L’Ecuyer v. Aéroports de Montréal, 2003 FCT 573, at paragraph 22, with respect to a complaint arising in a workplace covered by a collective agreement:

Accordingly, the nature of the dispute between the parties and the scope of the applicable collective agreement lead the Court to conclude that the grievance arbitrator appointed under the Code and the collective agreement has exclusive jurisdiction ratione materiae to decide the dispute in question, to the exclusion of the federal Privacy Commissioner and also of this Court, before which the dispute has come as a result of the latter’s report.

An arbitrator, enforcing an individual’s privacy rights after an arbitration hearing, has the extensive remedial powers set out in sections 89 and 92 of the British Columbia Labour Relations Code.

 

Privacy Policy

Section 5 of the Act requires organizations to "develop and follow policies and practices that are necessary" to comply with the statute. Such policies and practices must be available on request.

To assist in this task, included in the Appendix are the following resources:

 

Conclusion

Although PIPA is an important and valuable improvement in the recognition of privacy rights in our society, it is not the easy-to-administer, plain language statute that Minister Santori promised the B.C. public in 2003. Rather, it is unnecessarily complex and consumed by exceptions that make it difficult for non-lawyers to follow. Furthermore, it extends only tepid privacy protection to employees in the province’s private sector. Finally, the Act lacks effective enforcement procedures.

 

APPENDIX 1

Checklist of Your Responsibilities Under PIPA
(with some adaptation from the federal website)

 

The following code was developed by business, consumers, academics and government under the auspices of the Canadian Standards Association. It lists 10 principles of fair information practices, which form ground rules for the collection, use and disclosure of personal information. These principles give individuals control over how their personal information is handled in the private sector.

An organization is responsible for the protection of personal information and the fair handling of it at all times, throughout the organization and in dealings with third parties. Care in collecting, using and disclosing personal information is essential to continued consumer confidence and good will.

The 10 principles that businesses must follow are:

  1. Accountability
  2. Identifying purposes
  3. Consent
  4. Limiting collection
  5. Limiting use, disclosure, and retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual access
  10. Challenging compliance

1. Be accountable

Your responsibilities

How to fulfil these responsibilities

Develop and implement policies and procedures to protect personal information including those that:

Tips

Train your front-line and management staff and keep them informed, so they can answer the following questions:

  • How do I respond to public inquiries regarding our organization's privacy policies?
  • What is consent? When and how is it to be obtained?
  • How do I recognize and process requests for access to personal information?
  • To whom should I refer complaints about privacy matters?
  • What are my privacy protections and rights?
  • What are the ongoing activities and new initiatives relating to the protection of personal information at our organization?

When transferring personal information to third parties, ensure that they:

  • Name a person to handle all privacy aspects of the contract.
  • Limit use of the personal information to the purposes specified to fulfil the contract.
  • Limit disclosure of the information to what is authorized by your organization or required by law.
  • Refer any people looking for access to their personal information to your organization.
  • Return or dispose of the transferred information upon completion of the contract.
  • Use appropriate security measures to protect the personal information.
  • Allow your organization to audit the third party's compliance with the contract as necessary.

 

2. Identify the purpose

Your organization must identify the reasons for collecting personal information before or at the time of collection.

 

Your responsibilities

How to fulfil these responsibilities

Ensure that these purposes are limited to what a reasonable person would expect under the circumstances.

Tips

  • Define your purposes for collecting data as clearly and narrowly as possible so the individual can understand how the information will be used or disclosed.
  • Avoid overly broad purposes as they may conflict with the knowledge and consent principle.
  • Examples of purposes include:
    • opening an account
    • verifying creditworthiness
    • providing benefits to employees
    • processing a magazine subscription
    • sending out association membership information
    • guaranteeing a travel reservation
    • identifying customer preferences
    • establishing customer eligibility for special offers or discounts

 

3. Obtain consent

Your responsibilities

How to fulfil these responsibilities

Tips

  • Consent is normally obtained from the individual whose personal information is collected, used or disclosed.
  • For an individual who is a minor, seriously ill, or mentally incapacitated, consent may be obtained from a legal guardian, or person having power of attorney.
  • Consent is only meaningful if the individuals understand how their information will be used.
  • Consent clauses should:
    • be easy to find
    • use clear and straightforward language
    • not use blanket categories for purposes, uses and disclosures
    • be as specific as possible about which organizations handle the information
  • Consent can be obtained in person, by phone, by mail, via the Internet, etc.
  • The form of consent should take into consideration:
    • reasonable expectations of the individual
    • circumstances surrounding the collection
    • sensitivity of the information involved
  • Express consent should be used whenever possible and in all cases when the personal information is considered sensitive. Relying on express consent protects both the individual and the organization.

4. Limit collection

Your responsibilities

How to fulfil these responsibilities

Tips

  • By reducing the amount of information gathered, you can lower the cost of collecting, storing, retaining and ultimately archiving data.
  • Collecting less information also reduces the risk of inappropriate uses and disclosures.

 

5. Limit use, disclosure and retention

Your responsibilities

How to fulfil these responsibilities

Tips

  • It may be less onerous and complicated to destroy or erase information than to make personal information anonymous.
  • Conduct regular reviews to help determine whether information is still required. Establish a retention schedule to make this easier.

 

6. Be accurate

Your responsibilities

Minimize the possibility of using incorrect information when making a decision about the individual or when disclosing information to third parties.

How to fulfil these responsibilities

Tips

  • One way to determine if information needs to be updated is to ask whether the use or disclosure of out-of-date or incomplete information would harm the individual.
  • Apply the following checklist for accuracy:
    • List specific items of personal information required to provide a service.
    • List the location where all related personal information can be retrieved.
    • Record the date when the personal information was obtained or updated.
    • Record the steps taken to verify accuracy, completeness and timeliness of the information.

This may require reviewing your records or communicating with the client.

 

7. Use appropriate safeguards

Your responsibilities

How to fulfil these responsibilities

Tips

  • Make sure personal information that has no relevance to the transaction is either removed or masked when providing copies of information to others.
  • Keep sensitive information files in a secure area or computer system and limit access to individuals on a "need-to-know" basis only.

 

8. Be open

Your responsibilities

How to fulfil these responsibilities

Tip

  • Information about these policies and practices may be made available in person, in writing, by telephone, in publications or on your website.

 

9. Give individuals access

Your responsibilities

How to fulfil these responsibilities

Tips

  • Keep personal information about individuals in one place to make retrieval easier, or record where all such information can be found.
  • Never disclose personal information unless you are sure of the identity of the requestor and that person's right of access.
  • If you do not store all personal information in one place, keep a record of where the information can be found to make retrieval easier.

 

10. Provide recourse

Your responsibilities

How to fulfil these responsibilities

Tips

  • How well your organization handles an individual's complaint may help preserve or restore the individual's confidence in your organization.
  • Record all decisions to ensure consistency in applying the Act.

 

Exceptions to the Consent and Access Principles

Exceptions to Consent

Even though section 6(1) prohibits an organization from collecting, using or disclosing personal information, there are a number of exceptions.

Organizations may collect, use or disclose personal information where:

  1. the individual consents
  2. the Act provides the necessary authorization, or makes consent unnecessary; and
  3. the Act deems consent

 

Collection of Personal Information without Consent

Organizations may collect personal information without the individual's consent only:

 

Use of Personal Information without Consent

Organizations may use personal information without the individual's consent only:

 

 

Disclosure of Personal Information without Consent

Organizations may disclose personal information without the individual's consent only:

 

 

Exceptions to Access

Section 23(1) states that on request an organization must provide the individual with the following:

    (a) the individual’s personal information under the control of the organization;
    (b) information about the ways in which the personal information referred to in paragraph (a) has been and is being used by the organization;
    (c) the names of the individuals and organizations to whom the personal information referred to in paragraph (a) has been disclosed by the organization.

 

 

However, section 23(3-5) details the exceptions to the above as follows:

Organizations may refuse an individual access to personal information:

 

Organizations must refuse an individual access to personal information:

 

Note that if the information referred to in s.23(3)(a-c) or (4) can be removed, the organization must release the remaining information (s.23(5)).

Excerpts from the Federal Privacy Commissioner’s March 11, 2004 letter to the Privacy Commissioners of British Columbia and Alberta regarding the handling of complaints under PIPEDA as of January 1, 2004

"This letter will serve to confirm the discussions we had in Ottawa on January 21, 2004 concerning our current and future handling of complaints by our Office where the complaint is against an organization in, as the case may be, British Columbia or Alberta.

Our understanding is as follows:

1. The Office of the Privacy Commissioner of Canada (OPC) has a legal obligation to apply the Personal Information Protection and Electronic Documents Act (PIPEDA) where appropriate.

2. OPC will take complaints against private sector organizations in BC and Alberta that are collecting, using or disclosing personal information about their customers in the course of commercial activity. This includes organizations that deal in personal health information such as physicians and dentists’ offices, private laboratories, etc.

3. OPC will verbally inform complainants of the possibility of complaining directly to the appropriate provincial commissioner and that complaints which fall clearly in provincial rather than federal jurisdiction, after a substantially similar order, will be transferred in any event.

4. If the complainant wishes nevertheless to proceed federally, OPC will open a complaint file but will inform all parties to the complaint that there will be a transfer of the complaint and all information on the file to the appropriate provincial commissioner if and when a substantially similar order is made.

***

  1. Before the making of a substantially similar order, the complaints will be handled as per (2) above in all cases unless the complaint is substantially about the crossing of inter-provincial boundaries or the issue otherwise falls under OPC’s jurisdiction.
  2. After the making of a substantially similar order, complaints will be handled as per arrangements which we will continue to develop between OPC and your respective offices. …"