This is the presentation from the class I taught at the University of Toronto Faculty of Information Sciences graduate school - a major challenge to capture the concepts in less than 3 hours!
Privacy Practice Fundamentals: Understanding Compliance Regimes and Requirements
1. PRIVACY PRACTICE FUNDAMENTALS WEEK #2: UNDERSTANDING COMPLIANCE REGIMES AND REQUIREMENTS
Legislation, Regulations and Governance
Anita Fineberg, LL.B., CIPP/C, Barrister & Solicitor, President, Anita Fineberg & Associates Inc.
September 16, 2009, University of Toronto, Faculty of Information / Faculty of Applied Sciences and Engineering
3. Privacy in the News
- The model, the blogger and the Web giant. Once-anonymous writer angered after Google complies with court order to out her
- 300K Patient Files on Stolen Laptops. Alberta's privacy commissioner has launched an investigation into the theft of two laptops from a University of Alberta lab, reports CBC News
- Cavoukian: Smart Grid Privacy a "Sleeper" Issue. The recent Toronto Hydro security breach that exposed the information of 179,000 customers has Ontario's Information and Privacy Commissioner warning that a Smart Grid could present privacy risks, Reuters reports
- Facebook makes friends with privacy czar. Social-networking giant agrees to changes that will allow users to have more control over their personal data
14. Privacy Regulatory Regimes: Legislative – Canada
- Federal: Public: Privacy Act; Private: Personal Information Protection and Electronic Documents Act
- Alberta: Public: Freedom of Information and Protection of Privacy Act; Public/Private: Health Information Act; Private: Personal Information Protection Act
- British Columbia: Public: Freedom of Information and Protection of Privacy Act; Private: Personal Information Protection Act; Electronic Health Information: e-Health (Personal Health Information Access and Protection of Privacy) Act
- Yukon/NWT/Nunavut: Private: Personal Information Protection and Electronic Documents Act
- Manitoba: Public: Freedom of Information and Protection of Privacy Act; Public/Private: Personal Health Information Act; Private: Personal Information Protection and Electronic Documents Act
- Saskatchewan: Public: Freedom of Information and Protection of Privacy Act; Public/Private: Health Information Protection Act; Private: Personal Information Protection and Electronic Documents Act
- Ontario: Public: FIPPA; Public/Private: Personal Health Information Protection Act, 2004; Private: Personal Information Protection and Electronic Documents Act
- P.E.I.: Public: Freedom of Information and Protection of Privacy Act; Private: Personal Information Protection and Electronic Documents Act
- Quebec: Public: An Act respecting Access to Documents held by Public Bodies and the Protection of Personal Information; Private: An Act respecting the protection of personal information in the private sector
- New Brunswick: Public: Protection of Personal Information Act / Right to Information Act; Private: Personal Information Protection and Electronic Documents Act; Public/Private: Personal Health Information Privacy and Access Act (not yet in force)
- Nova Scotia: Public: Freedom of Information and Protection of Privacy Act; Private: Personal Information Protection and Electronic Documents Act
- Newfoundland: Public: Freedom of Information and Protection of Privacy Act (not yet in force); Private: Personal Information Protection and Electronic Documents Act; Public/Private: Personal Health Information Act (not yet in force)
Thank Ruth for the opportunity to speak with you today
We have a very ambitious agenda – won’t do all the slides in detail but want them to have reference materials. When you heard the topic for today’s class – groans re: boring – me too. So my objective today is to enable you to see how relevant this is to your daily lives, as well as to those organizations with which you interact.
If you read the papers at all you’ll know that privacy has been in the news a lot lately – who would have thought there was a connection between smart meters, models, patient records and Facebook? But there is and the common link as the stories describe is privacy issues
Facebook has been one of the biggest privacy issues in the news lately – demonstrating the leadership coming from Canada in privacy matters.
Before we discuss the question of the week and your responses, I have some questions of you regarding your use of Facebook:
- How many of you are on Facebook?
- How many of your children are on Facebook?
- Before the Commissioner’s report came out did you, or anyone you know, ever read their Privacy Policy? Manage your privacy settings? Ask them a question about their policy?
Now to your responses to the question:
- Were you aware of the report before I included it in the question?
- Do you care about your privacy on Facebook? On other social media sites? On the internet generally? Or do you think that given the nature of social media and its objective of communication, people should be responsible for their own information?
Importance of Facebook report – first time public report on the application of privacy law to social media; law lags behind technology; Canada’s leadership – comments of Australian Commissioner and Facebook’s response that it will follow the recommendations for its entire global user base, not just Canada. If you thought that the Commissioner’s report resolved any concerns about your control over your info when you set your privacy settings – think again!
Before we begin our discussion of regulatory regimes would like to review the core concepts that Ruth addressed last week
Regardless of whether we think the yeas or the nays were the winners, the reality is that most countries around the world regulate privacy in some way shape or form or are in the process of developing it. Also second generation privacy laws.
And now to the regulatory regimes
While we take our trip around the world think about the different objectives and perspectives that different countries have on privacy rights
It may appear a bit strange to begin with the EEA – the European Economic Area – but there’s a reason for this. The EEA represents the union of the European Union and the European Free Trade Association. The genesis for privacy legislation around the world comes from the OECD and the various privacy laws in many European countries and states. The objective was the protection of human rights. I’ve always thought that it’s a bit ironic as the legislation applied to the private sector but it was the public sector, state governments, that were responsible for the abuses based on information, but in any event… There is a difference in terminology over there as they use the term “data protection” as opposed to privacy
As time went on more and more European countries and states developed their own legislation. This led to a desire for harmonization of legislation among the countries, and the Directive was the result. A couple of critical points about the Directive that have a direct impact on other privacy laws – “adequate”, definition of personal data.
As per the Directive, the countries “transposed” or implemented the Directive by passing their own legislation – regimes are called “data protection". It is so important in the EU that countries applying for admission often pass very strict legislation using it as a “demonstration” of its commitment to the values of the EU. An example of the very politicized nature of privacy legislation
I’d like to move on closer to home to Canada. This slide is one that I call “The Big Map” This may be a bit of a geography lesson as well – the 10 Canadian provinces and the 2 territories. I have set out both the public sector privacy laws – those applying to government bodies – and the private sector laws, as well as you’ll see that in certain provinces there is also health information specific privacy legislation, or in the case of B.C. legislation dealing specifically with electronic health information. Note that the map only contains privacy specific legislation – we’ll deal with other laws, professional codes etc later on. Also in the health context, professional Codes of Ethics, College by-laws We sometimes call it a ‘patchwork’ but it is not nearly as complicated as the US approach and we’ll see why when we discuss their privacy environment. You’ll see that all provinces have public sector access and privacy legislation that applies to government “institutions” – ministries and agencies. One aspect of that is access – for open government. That is how, for example, the Ontario PC caucus was able to get all of the information you’ve seen on TV and in the news on the eHealth Agency over the summer. This public sector legislation also sets out the rules for how governments must deal with the personal information it maintains on its citizens. So for example when you go to the doctor in Ontario and the doctor submits an OHIP claim, the fact that you were treated for x on a certain date by doctor y is information in the hands of the Ontario Ministry of Health as the insurer to pay OHIP. The challenge with much of the public sector laws is that they are very old and don’t address the current realities of government use of legislation, let alone new technologies (the law is always behind anyway as we saw in the case of Facebook). E.g. The Federal Privacy Act was enacted in ??? And the Commissioner has been lobbying for years for change. 
I don’t want to spend time on the public sector legislation – in the limited time we have, want to focus on the private sector laws because they are generally more relevant to everyone’s daily lives and work.
Why does the map look the way it does? The reason lies in the way the Canadian constitution affords certain powers to the federal government and others to the provinces.
Let’s begin our examination of Canadian laws with PIPEDA, the Federal private sector privacy law. It was the Canadian government’s response to the potential of the non-tariff trade barriers that could result from the EU laws restricting transfers of personal data out of the country. The US response was Safe Harbor – we’ll look at the EU laws and Safe Harbor later. Because of the different areas of powers and jurisdiction between the federal government and the provinces that I set out previously, PIPEDA is limited to the application of personal information collected, used and disclosed in the course of commercial activities. In addition it applies when personal information crosses inter-provincial or international (e.g. to the US) borders. The final ‘division of powers’ restriction is that it applies to the employee personal information of only federally regulated industries or organizations – banks, telcos, airlines, railways. Regulation of employment is a provincial matter so there are privacy rules applying to employee information only in those provinces that have enacted ‘substantially similar’ legislation – a designation made by the federal government. If you look at how PIPEDA came into force in 3 stages – you see that the feds gave the provinces a 3-year opportunity to enact their own legislation but few got it done.
The scope of application is limited to “personal information” and as you see there are certain exclusions for what type of information falls into that category. One is that of work product information, a term that came from a 2001 finding of the federal Privacy Commissioner that IMS physician prescribing information is not “personal information” and is thus not subject to PIPEDA. The Commissioner is the oversight body for PIPEDA. As we saw in the Facebook report, the federal Commissioner can only make recommendations – they are not binding on the company. We will see if Facebook follows the recommendations and, if not, whether the Commissioner will take the matter to court as that is the only option available to her. Another point of comparison between the Canadian approach and that of the U.S., which has more “teeth” – the Commissioner relies on persuasion and corporate concerns of adverse publicity.
There are 3 provinces – Quebec, Alberta and B.C. – that have general privacy legislation. It’s a bit of a misnomer in the case of Alberta which, as we’ll see, also has health information specific legislation, but in B.C. and Quebec the provincial laws cover all personal information, including personal health information. The fact that all 3 provinces’ laws have a ‘substantially similar’ designation means that they, and not PIPEDA, apply to personal information collected, used and disclosed in the course of commercial activities within those provinces. In other provinces without substantially similar provincial laws, PIPEDA has ‘dropped in’ and applies. There are also provincial privacy commissioners in each province that provide oversight.
So Alberta and BC were the only 2 provinces that took advantage of the Fed’s 3-year window under PIPEDA and got their act together to enact legislation before the Jan. 1, 2004 deadline (Quebec’s was in place before). In provinces without substantially similar laws, such as Ontario, PIPEDA has ‘dropped in’ and applies.
In addition, there are the 4 provinces indicated that have specific health information privacy legislation – it covers health information generally in the public and private sectors. Newfoundland’s and New Brunswick’s are not yet in force. Only Ontario’s is substantially similar, meaning that technically it is that law that applies when personal health information is collected, used and disclosed in that province in the course of commercial activities. However the practical reality is that even without the designation the other provinces have assumed their health information legislation applies instead of PIPEDA.
These are only a very few of the other privacy frameworks in existence in Canada. Some, like the ISO, are international. Some are voluntary; others are mandatory such as those of the CMA and the Marketing Association where, in order to be a member in good standing of the association, you must follow the Code. The point is that when you are working on any project involving personal information, the data protection framework is not necessarily limited to privacy legislation – other rules may apply as well.
So what does all of this mean to you in the real world? From the practical perspective the point is that the analysis of what rules you need to follow requires asking yourself a number of questions about the personal information, its use etc. and the organization before you can even decide on the framework that applies. In certain cases an organization may be subject to both provincial and federal legislation. These are the series of questions that form the basis of what may be called the decision tree to determine what privacy law applies in a particular scenario involving personal information in Canada.
The US approach to privacy legislation is very different from that in Canada – approach is sector-specific – though to some extent Canada’s is as well when it comes to legislation regulating personal health information. Talk about HITECH and the stimulus bill – for health technology. Tell the story of the Bork confirmation hearings.
This barely scratches the surface of the state laws in effect – numerous states have legislation protecting personal health information as well. Compliance with U.S. law represents even more of a challenge than the Canadian law for a number of reasons. One is simply a numbers game – 50 states plus DC, Puerto Rico, Guam and the VI vs. 10 provinces and 2 territories. So assuming you’re a business that operates nationally – more legislation that will apply. Like Canada, where the legislation addresses the same subject matter, e.g. data breach, there are numerous critical differences amongst the state laws: e.g. the data covered; timing of reporting; method of reporting; consequences of data breach. Also there is no “federal pre-emption”, which means that if a federal law deals with a certain matter, as well as a state law, the organization has to comply with both.
You’ll recall that I mentioned that the Federal Privacy Commissioner can only make recommendations, so if Facebook doesn’t comply she will have to launch a court action. Even where Commissioners have order-making power in Canada (provinces) – they still have to go to court if the organization doesn’t comply, publicity etc. But where the Canadian privacy regime is vastly different from that in the U.S. is in the consequences of non-compliance. Data chain – tell the story of the security auditor being sued.
I’d like to do a quick high level comparison: Like in many things in this world, Canadian privacy laws fall somewhere in the middle of the road between the US and European approaches Caveat re: “publicly available information”
Not only does PIPEDA differ from the EU approach but also from the US as well. It is an ‘omnibus’ approach as it covers all types of personal information and is not confined to e.g. health, financial, video rental records etc. as in the US.
While there are other privacy regulatory regimes in existence around the world – e.g. APEC – and legislation in many other countries including Hong Kong and Russia – let’s take a glimpse at how the different regimes interact in The Wired World
I’d like to touch briefly on an issue that continues to be in the news and the subject of a lot of misconceptions in the public and the media. Have any of you heard about the controversy surrounding the US Patriot Act and the issue of storage of Canadian data in the US? What have you heard? What is the concern?
Now that we’ve had our privacy around the world in 80 minutes, let’s consider the practical impact of such regimes.
Obviously the first thing that probably comes to mind is compliance
But there are said to be other “business drivers” that incent organizations to follow the privacy rules. The Ontario Privacy Commissioner Ann Cavoukian often says in her presentations that “privacy is good for business”. The reverse would appear to be that an organization that abuses its customers’ personal information will suffer from a business perspective. But even those organizations in the B2B space are not immune from privacy issues.
Most organizations will look at privacy compliance from a risk management perspective.
Let’s take a look at Canadian futures re legislation
Industry Canada has been consulting with the privacy commissioners of the other provinces on their PIPEDA data breach proposal – the objective is to try as much as possible to ensure that any amendments to the provincial legislation are the same as or as close as possible to those in PIPEDA to avoid the situation like you have in the US with some 40 different state notification laws, with differences and no federal law with preemption. While it may seem a bit out of place I mention Bill C-51 as it is certainly relevant to pharma and healthcare products industries in Canada – proposal to monitor the safety and effectiveness throughout the product’s lifecycle under a progressive licensing regime. Will be interesting how the government addresses the privacy issues that will inevitably arise from PIPEDA and other provincial privacy legislation in the context of some of the industry reporting requirements.
And as we know privacy is nothing without security!