As of January 1, 2004 every private sector organization in British Columbia will be subject to privacy legislation. If your organization doesn’t have a plan in place for dealing with privacy legislation, you should consult with us soon – 2004 is just around the corner. We can assist your organization with:
- compliance with legal requirements and the development of policies and practices;
- reducing exposure to complaints, legal liability and negative publicity; and
- ongoing practical advice regarding privacy practices, complaints, liability and enforcement issues.
Some practical steps that your organization can take now to be properly prepared on January 1, 2004 are:
- Designate responsible individuals. Appoint a Privacy Officer or individual who will bear the responsibility of dealing with privacy matters for the organization, and lead a team to ensure compliance throughout your organization.
- Take an Information Inventory. The designated privacy team should take an inventory of all personal information collected, used, and disclosed, as well as information handling, retention and security practices.
- Develop Policies and Procedures. Your organization should develop and implement readily available and transparent privacy policies and practices, dealing with:
  - principles of information practices;
  - obtaining consent for the collection, use and disclosure of personal information;
  - how, when and why personal information is collected, used and disclosed;
  - limiting use and disclosure;
  - dealing with appropriate retention and destruction;
  - dealing with requests for access to personal information;
  - accountability;
  - maintaining accuracy and correcting personal information; and
  - implementing safeguards.
- Get the Message Out. Develop appropriate documents for disseminating information on privacy policies and obtaining consent, such as customer brochures, a public customer policy, an employee policy, and forms for responding to enquiries and complaints.
- Develop a Training Strategy. Train your staff to manage and protect the privacy of personal information.
- Follow up. Regularly monitor and review the privacy compliance system to ensure that it is working effectively to secure privacy of personal information and reduce risks to the organization.
If your organization does not properly address concerns about the protection of personal information, it may suffer as a result of lack of consumer confidence, complaints to privacy commissioners, litigation and fines or damages for failing to comply with the legislation.

Privacy compliance does not end with the introduction of policies and procedures into your organization. We can assist you by providing ongoing practical advice regarding privacy issues such as best practices, complaints, liability and enforcement issues.

For more information on how your organization will be affected by privacy legislation, whether private-sector or public-sector, federal or provincial, please contact us.
Private Sector Privacy Briefing
BC’s Personal Information Protection Act (Bill 38)
— as of December 3, 2003 —
The Personal Information Protection Act (“PIPA” or the “Act”) has recently received Royal Assent and will come into force on January 1, 2004. PIPA governs the collection, use and disclosure of personal information by nearly all private-sector organizations in British Columbia.
Summary

PIPA will require nearly all private-sector organizations in British Columbia to, among other things:
(a) designate an individual to be responsible for protecting personal information in the possession or control of the organization;
(b) define the purposes for which the organization collects, uses and discloses personal information;
(c) obtain consent to collect, use or disclose personal information for those defined purposes, except in certain specified circumstances;
(d) give individuals, including employees, access to their personal information; and
(e) create a policy that sets out the manner in which the organization intends to comply with the Act.

Damages and criminal sanctions are available as remedies against organizations that fail to comply with the obligations under the Act.
Relationship with other privacy legislation

PIPA is intended to supplant the application of the federal Personal Information Protection and Electronic Documents Act (the “Federal Act”) for provincial organizations, to the extent they are collecting, using or disclosing personal information within a province. The Federal Act will apply to all organizations across Canada on January 1, 2004 unless replaced by provincial legislation such as PIPA. The Federal Act already applies—and will continue to apply—to the collection, use and disclosure of personal information by federal works and undertakings, including banks, telecommunication companies, etc. Notably, after January 1, 2004, the Federal Act will also apply to provincial organizations to the extent that they transfer information across provincial (or international) boundaries.

The provincial Freedom of Information and Protection of Privacy Act (“FOIPPA”) continues to govern the collection, use and disclosure of personal information by provincial public bodies.

The provincial Privacy Act maintains the tort of invasion of privacy, which remains independent from the obligations under PIPA.
General Rules

PIPA applies to nearly every collection, use or disclosure of “personal information” within the provincial private sector. Personal information is defined broadly and includes nearly any information about an identifiable individual.

An organization is responsible for personal information under its control. It must designate an individual to be responsible for compliance with the Act, and it must make that individual’s contact information available to the public. An organization must develop and follow a privacy policy that includes a complaint process, among other procedures.

An organization must have a reasonable purpose for the collection, use or disclosure of personal information. That purpose must be defined and explained up front. The organization must obtain consent to collect, use or disclose information for each purpose, except in limited circumstances set out in the Act.

An organization may not collect, use or disclose personal information unless: (a) the individual expressly consents; (b) the Act deems that consent has been given implicitly; or (c) the Act authorizes the collection without consent.

In every case, an organization may only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
Collection, Use and Disclosure with Consent

Express Consent

Ordinarily, an organization must obtain express consent. To do so, an organization must state the purposes for which it is collecting, using or disclosing the information, and obtain the individual’s consent beforehand. The collection, use or disclosure must be for the stated purposes.

When collecting information, it is critical for an organization to carefully consider the purposes for which it may need to use or disclose the information, and to state those purposes up front. An organization will need to obtain the individual’s consent to use or disclose the information for a new purpose.
Implied Consent

An individual is deemed to consent to the collection, use or disclosure of personal information for a purpose if that purpose is obvious and the individual voluntarily provides the personal information to the organization.

Where the purpose is not obvious, an organization may still collect, use or disclose personal information for specified purposes if:
(a) the organization provides notice of its intention to collect, use or disclose for those purposes;
(b) the individual has a reasonable opportunity to decline or opt out;
(c) the individual does not decline or opt out within the reasonable time provided; and
(d) the collection, use or disclosure is reasonable having regard to the sensitivity of the personal information in the circumstances.
Withdrawal of Consent

An individual may withdraw consent at any time unless it would frustrate a legal obligation. If an individual withdraws consent, an organization must inform the individual of the likely consequences.

Collection, Use and Disclosure without Consent

In certain limited circumstances, personal information may be collected, used or disclosed without consent. Further details on this point can be provided on request.
Employees

Work product information is defined to mean information prepared or collected by an individual or group of individuals as part of the individual’s or group’s responsibilities or activities related to their employment or business. It does not include personal information about an individual who did not prepare or collect the personal information. Work product information is completely exempted from the Act.

Information about employees, including volunteers, is treated differently. An organization may collect, use or disclose employee personal information without consent, provided:
(a) the collection, use or disclosure is reasonably required to establish, manage or terminate an employment relationship; and
(b) the organization notifies the individual beforehand.

In every other case, the employee’s personal information is subject to the ordinary provisions of the Act.
Miscellaneous

Access and Correction

An organization must provide an individual, including employees, with the individual’s personal information in its control, as well as the ways it has been used and to whom it has been disclosed. An organization must also provide an individual with the ability to reasonably correct their personal information.

Some exceptions to the general rule of access include:
(a) the information is protected by solicitor-client privilege;
(b) disclosure would reveal confidential information that would reasonably harm the organization’s competitive position;
(c) the personal information was collected without consent for an investigation and the investigation and associated proceedings have not been completed;
(d) circumstances that would result in harm to another individual or reveal personal information about another individual without consent (including the identity of an individual who provided personal information about the individual seeking access).

If one of the exceptions applies, the personal information must still be disclosed if the excepted information can be redacted.

A request for access must be in writing. An organization must respond within 30 days in most circumstances. An organization may require payment of a minimal processing fee for all requests except requests for employee personal information, which are free.
Care and Retention

An organization must take reasonable care to ensure that information it collects is accurate and complete if the information is likely to be used to make a decision that affects the individual, or is likely to be disclosed. An organization must protect personal information in its custody or control by making reasonable security arrangements.

An organization must keep information that it has used to make a decision that directly affects the individual for at least one year after using it. Otherwise, an organization must destroy the personal information or make it anonymous as soon as retention is no longer necessary for legal or business purposes or the purpose for which it was collected.
Remedies

The Privacy and Information Commissioner of British Columbia has the power to order an organization to give an individual access to his or her personal information, disclose the ways in which the information has been used and to whom it has been disclosed, and require an organization to change its practices and destroy information collected unlawfully. The Commissioner’s orders are subject to judicial review by the Supreme Court of British Columbia if either party wishes to seek a review.

If the Commissioner makes an order resulting from a breach of the Act, an individual is entitled to damages for actual harm suffered as a result of the breach.

Criminal sanctions, including fines of up to $100,000, are available for organizations that retaliate against whistle-blowers, use deception or coercion to collect personal information, dispose of personal information with intent to evade a request for access, or obstruct the commissioner in an investigation.