Getting Ready for PIPA A Workshop for Organizations on the Personal Information Protection Act Alberta Government Services (Information Management, Access and Privacy Division) and Office of the Information and Privacy Commissioner of Alberta With the assistance of Alberta Chambers of Commerce March 2004
What we will cover today • What is the Personal Information Protection Act (PIPA)? • Who/what does PIPA apply to? • Overview of PIPA’s requirements • What to do to comply • Resources for organizations • Questions
What is Privacy? “…the right to be let alone – the most comprehensive of rights and the right most valued by civilized men.” U.S. Supreme Court Justice Louis Brandeis in Olmstead v. U.S., 1928
Threats to privacy • Modern threats to privacy chiefly arise in the collection and use of information about us • Privacy used to be protected by default – the nature of paper records • Electronic records diminish the barriers of time, distance and cost that once guarded privacy
Personal Information • Includes: name, birth date, gender, address, education, employment, income, medical history, S.I.N. • Held by: credit unions, insurance companies, retailers, landlords, employers, fundraisers, credit bureaus, sports clubs
What is PIPA? • The Personal Information Protection Act balances: • the right of an individual to have his or her personal information protected, and • the need of organizations to collect, use or disclose personal information for purposes that are reasonable • Provides “common sense” rules for collection, use and disclosure of personal information by private-sector (non-government) organizations • The Act also provides a right of access to one’s own personal information
PIPA/PIPEDA • Both focus on protecting personal information in the private sector • “Substantially similar”, but not necessarily the same • Federal and Provincial Commissioners are working to harmonize practices and protocols
PIPA applies to… “Organizations”, including: • Corporations • Unincorporated associations • Trade unions (Labour Relations Code) • Partnerships (Partnership Act) • Individuals acting in a commercial capacity
PIPA does not apply to… • Personal information collected, used or disclosed for personal or domestic purposes • Personal information collected, used or disclosed for journalistic, artistic or literary purposes • A public body, or personal information protected under the FOIP Act • Personal information in a record that is at least 100 years old, or about an individual who has been dead for at least 20 years • Health information (as defined in the HIA) collected, used or disclosed for health care purposes, but not personal employee information
Special provisions for… • Specified non-profit organizations carrying out commercial activities • Professional regulatory organizations
“Personal Information” • Defined as “information about an identifiable individual” • PIPA has broad coverage • Applies to personal information regardless of whether it is used for commercial purposes (except for specified non-profits) • Includes “personal employee information”
“Business Contact Information” • Information you would find on a business card or company letterhead • Includes name, position or title, business telephone number, address, e-mail and fax number • PIPA does not apply to business contact information when it is collected, used or disclosed for sole purpose of contacting individual in capacity as an employee or official
PIPA requires reasonableness • When “reasonable” is used in the Act, it means: • What a reasonable person would consider appropriate in the circumstances
Be accountable • An organization is responsible for personal information in its custody or control • Must designate individual(s) to be responsible for compliance with the Act • Develop policies, practices and procedures and make information about them available to public on request • In meeting responsibilities under the Act, organizations must act in a reasonable manner
Obtain consent • Unless Act allows otherwise, organizations need consent: • to collect, use or disclose personal information • to collect personal information from anyone other than the individual • Consent can be express, implied, or opt-out, depending on circumstances • Consent invalid if obtained by deception or misleading means
Withdraw or vary consent • An individual may withdraw or vary consent, subject to legal obligations • Individual must give reasonable notice to organization • Organization must advise individual of likely consequences, unless obvious
Grandfathering • Personal information collected before January 1, 2004 is deemed to have been collected with consent • It may be used and disclosed by the organization for the purpose for which it was collected • The general rules in the Act regarding safeguards, access, correction, etc. still apply to this information
How to collect personal information • Identify purposes for collection • Is purpose reasonable? • Notify individual of purposes and get consent • Except where inappropriate, collect personal information directly from the individual concerned • Limit type and amount of personal information collected • Is information reasonable to fulfill purpose?
Collection from another organization with consent • An individual can consent to an organization collecting his or her personal information from another organization • The collecting organization must demonstrate that it has obtained consent • The disclosing organization must be satisfied that the consent complies with the Act
Collection without consent • The Act permits personal information to be collected without consent in limited circumstances, including: • when clearly in the interests of the individual • when another Act or regulation authorizes it • for investigations or legal proceedings • to collect a debt or repay monies owed • to create a credit report • to determine suitability for honour or award • for archival or research purposes
Collection without consent • Information is “publicly available”: • name, address and telephone number in a public telephone directory, if the subscriber can refuse to be included • name, title, address and telephone number in a professional or business directory available to the public, where the collection, use or disclosure relates directly to the purpose for which the information appears in the directory • personal information in a government registry, or a registry operated under a statute, if the public has access to it and the collection, use or disclosure relates directly to the purpose for which the information appears in the registry
Collection without consent • Information is “publicly available”: • personal information in a record of an administrative tribunal, if the record is available to the public and the collection, use or disclosure relates directly to the purpose for which the information appears in the record • personal information in a publication, including a magazine, book or newspaper in printed or electronic form, if the publication is available to the public and it is reasonable to assume that the individual provided the information
Investigations • Organizations do not need consent if the collection, use or disclosure of personal information is reasonable for an investigation or legal proceeding • “Investigation” means an investigation related to: • a breach of agreement • a contravention of an enactment • circumstances or conduct that may result in a remedy or relief being available in law if the breach, contravention, circumstances or conduct has or may have occurred or is likely to occur, and it is reasonable to conduct an investigation
Use of personal information • Use personal information only with consent, unless otherwise permitted by the Act • Use personal information only for purposes that are reasonable • Use only the personal information reasonably needed to fulfill the purposes
Use without consent • The Act permits the use of personal information without consent for purposes including those listed under collection without consent, plus: • to respond to an emergency threatening the life, health or security of individual or public
Disclosure of personal information • Disclose personal information only with consent, unless otherwise permitted by the Act • Disclose personal information only for purposes that are reasonable • Disclose only the personal information reasonably needed to fulfill the purposes
Disclosure without consent • The Act permits disclosure of personal information without consent for purposes including those listed under collection and use without consent, plus: • in accordance with a treaty • to comply with a subpoena or court order • to a public body or law enforcement agency to assist in an investigation • to contact next of kin of injured or deceased person • to a surviving spouse or relative of a deceased individual, if reasonable • to protect against fraud or market manipulation, to any agency empowered by legislation
Personal employee information “Personal employee information” means: • personal information of • employees or prospective employees • reasonably required for the purposes of establishing, managing or terminating the employment or volunteer work relationship
Personal employee information • “Employee” includes an individual who performs a service for the organization, including as an: • apprentice • volunteer • participant • student • individual under a contract or agency relationship
Treatment of personal employee information • PIPA recognizes the true nature of employment – it is not consent-based • The Act allows “personal employee information” to be collected, used or disclosed without consent when it is reasonably required for establishing, managing or terminating an employment or volunteer work relationship • Does not include personal information unrelated to the employment or volunteer relationship • Must give notice to current employees (transparency) • Subject to review by the Commissioner
Sale of Business • Special recognition for purchase, sale, lease, merger, etc., of a business • Act provides for the collection, use and disclosure of personal information (including employee information) between parties involved if: • the information is necessary to decide whether to proceed and complete the transaction, and • the parties agree to use the information only for that purpose • Provision does not apply where primary purpose of transaction is sale, etc. of personal information
Providing access • Individuals can request access to: • their own personal information contained in a record • information about the purposes for which their personal information has been and is being used, and • information about to whom the information has been disclosed and under what circumstances • Organization has a duty to assist • Organization must respond within 45 calendar days
Providing access • Organization may designate office to receive requests • Organization may charge a reasonable fee • Any right under the Act may be exercised by another person on an individual’s behalf (s. 61)
Refusing access • Access must be refused if disclosure would • threaten the life or security of another individual • reveal personal information about another individual • reveal the identity of an individual who has provided in confidence an opinion about another individual (may disclose with consent) • An organization must provide access to remaining information if able to sever • Access may be refused if, for example: • information is protected by legal privilege • disclosure would reveal confidential commercial information (sever) • information was collected for an investigation or legal proceeding • disclosure might result in that type of information no longer being provided
Making corrections • Individuals can ask that their personal information be corrected • If it is wrong - correct it promptly • Notify those to whom the information has been disclosed • If you cannot agree that it is wrong, annotate that the information is disputed • You cannot correct expert opinions • No fees for correction
Safeguarding & Ensuring Accuracy Organization must: • Protect personal information in its custody or control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction • Make reasonable efforts to ensure that any personal information collected, used or disclosed by or on behalf of an organization is accurate and complete
Records management implications • Privacy compliance requires sound records management practices • Need to locate records quickly in order to process requests within time limit • In deciding how long to keep a record, an organization should be guided by legal and business purposes
Oversight – by Commissioner • PIPA enforced by the Information and Privacy Commissioner of Alberta • same Commissioner for the FOIP Act and the Health Information Act • independent Officer of the Legislature • The Commissioner can: • investigate complaints • initiate own investigations & issue Orders • authorize an organization to disregard access requests from individuals • extend time limit to respond to access request • provide non-binding advice and advance rulings
Complaints • Once an individual has brought a case to the OIPC, the Commissioner can: • refer an individual to another grievance, complaint or review process before handling the case • attempt mediation • conduct an inquiry • issue binding orders • publish those orders (including the name of the organization)
Whistleblower protection • An organization cannot take adverse employment action against an employee who, acting in good faith and on reasonable belief, informs the Commissioner of a possible breach of the Act
What to do to comply • Put someone in charge of privacy • Become familiar with the Act • Review how your organization handles personal information • Put your practices to the test • Develop privacy policies and practices
What to do to comply • Develop an access and complaints handling process • Review and revise forms, and create notice statements • Review and revise contracts • Consider employees’ personal information • Train staff
What you might have to change • Forms • Add collection, use and disclosure notification • Use the appropriate form of consent • Is all the personal information you ask for directly connected to its use, and is it reasonable? • Systems • Add database fields to indicate the uses/disclosures individuals consented to • Rethink access controls • Records management practices • New security • New retention schedule
What happens if organizations don’t comply with PIPA? • Commissioner may make an Order if a complaint or request for review is made • Orders will name the organization and will be public • Damaging to the reputation of the organization • It is an offence to fail to comply with an Order, to wilfully contravene PIPA or to obstruct the Commissioner • If convicted of an offence, fines are • up to $10,000 for individuals • up to $100,000 for businesses • An individual can pursue damages in court for loss or injury suffered as a result of a breach of privacy
Non-profit organizations • “Non-profit organizations” are defined as organizations incorporated under the: • Societies Act • Agricultural Societies Act • Part 9 of the Companies Act • PIPA only applies to a non-profit organization’s collection, use or disclosure of personal information in connection with a commercial activity • All other not-for-profit organizations must comply with PIPA for all their activities
Commercial activity of non-profit organizations • “Commercial activity” means any transaction, act or conduct, or any regular course of conduct, that is of a commercial character, and includes: • the selling, bartering or leasing of membership lists or donor or other fund-raising lists • operation of a private school or early childhood services program (School Act) • operation of a private college (Post-secondary Learning Act) • PIPA does not apply to personal employee information of non-profit organizations unless part of a commercial activity
Professional regulatory organizations • Are considered “organizations” under PIPA • Have the option of creating a “personal information code” to govern the collection, use and disclosure of personal information • An individual would still be able to complain to the Commissioner • Details are in the Regulation
PIPA Resources for Organizations • PIPA Websites (including links) • OIPC - http://www.oipc.ab.ca/pipa/ • Access and Privacy Branch - http://www.psp.gov.ab.ca/ • Access and Privacy Branch Information Line: (780) 644-PIPA (7472) • OIPC: (403) 297-2728 • Consultants List • Jointly developed by Access and Privacy Branch & OIPC • Workshops in key centres throughout Province • Guides and other publications
PIPA Publications for Organizations • PIPA on a Page • Summary for Organizations – 4-page summary of organizations’ key obligations • Getting Ready for PIPA outlines steps organizations should consider to prepare for PIPA • Guide for Organizations and Business on PIPA – Detailed guide to help organizations understand the Act and their obligations • Information Sheet on Non-profit Organizations • Guidelines for Developing a Personal Information Code for Professional Regulatory Organizations