The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Thursday, August 19, 2004
Continuing the theme of cross-border data transfers, the federal Privacy Commissioner has just issued the following press-release:
News Release
Privacy Commissioner calls for further examination of transfer of personal information about Canadians across borders
Ottawa, August 18, 2004 - The Privacy Commissioner of Canada, Jennifer Stoddart, today calls for a greater dialogue between governments, the private sector and the public about cross-border exchanges of Canadians’ personal information. The Commissioner articulated this need in the Office’s submission to the Information and Privacy Commissioner of British Columbia about the privacy implications of the USA PATRIOT Act.
The Privacy Commissioner congratulates the B.C. Information and Privacy Commissioner, David Loukidelis, for leading this important inquiry.
"The growing frequency in which personal information is shared across borders in increasingly globalized interdependent economies has important privacy implications for Canadians," said Ms. Stoddart. "We have an obligation to protect the privacy rights of Canadians. We must have a balanced and reasoned approach to personal information protection."
Canadians expect that governments and the privacy sector will collaborate to protect against mismanagement of personal information. We must collectively seek a balance balance will be struck between the requirements of national security, the need for public safety and the conditions of an open and efficient economy.
In the submission, the Privacy Commissioner recommends practical measures for citizens, companies and governments to better manage the cross-border flow of personal information. Some measures include:
- Citizens can lodge a complaint with the Privacy Commissioner or provincial and territorial commissioners, depending on the organization whose conduct has raised the concern if they feel that an organization subject to privacy laws has violated their privacy rights. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), please request a copy of the Office’s Individuals Guide or visit http://www.privcom.gc.ca/information/02_05_d_08_e.asp (PDF).
- Private sector organizations can comply with their obligations under PIPEDA or similar provincial legislation to protect customers’ personal information and to adopt appropriate safeguards. Under PIPEDA, organizations can request a copy of the Office’s Business Guide, or visit www.privcom.gc.ca/information/guide_e.asp (PDF).
- Review by the federal government of PIPEDA and the Privacy Act to ensure that the highest standards of privacy protection relating to cross-border flow of personal information are met.
- Enhanced federal/provincial/territorial cooperation in privacy protection and the promotion of a multi-stakeholder dialogue (private sector, civil society and other institutional partners) on privacy issues of national significance.
Along with this release, the Commissioner has also issued a fact sheet on cross-border personal information transfers:
What Canadians Can Do to Protect Their Personal Information Transferred Across Borders
Canadians benefit from a reasonable standard of protection of their personal information. They do not want to see that protection vanish when personal information about them is transferred across borders, and they do not want to see governments or organizations in Canada transfer their information across borders if it will be put at risk of inappropriate disclosure, whether for security or for commercial purposes.
The extent to which personal information about Canadians should be made available to foreign governments is a complex issue of continuing concern. Nonetheless, Canadians can take some measures to protect their personal information from inappropriate disclosure to foreign governments:
- By bringing complaints about the handling of personal information (especially outsourcing arrangements) to the Office of the Privacy Commissioner of Canada or provincial and territorial commissioners, depending on the organization whose conduct has raised the concern;
- By relying on the "whistle blowing" provisions of PIPEDA if a US based affiliate of a Canadian organization seeks to reach into Canada to obtain personal information held in a Canadian database in order to comply with a US legal order. These provisions would protect the confidentiality of employees who notify the Privacy Commissioner of Canada that a company intends to transfer information abroad in violation of PIPEDA. The provisions also protect employees against retaliation by the employers, such as harassment, dismissal or demotion;
- By letting organizations in Canada that collect personal information about Canadians know that there is a concern about personal information being processed outside Canada;
- By taking advantage of the information rights existing under PIPEDA and provincial private sector statutes which require organizations to follow fair information practices, notably obtaining consent for information use;
- By reminding companies in Canada of their legal obligation to introduce appropriate security measures to prevent their subsidiaries or affiliates in another country from secretly obtaining access to personal information held in Canada to comply with a court order made in the foreign country;
- By raising their concerns about the potential for excessive disclosure of personal information to foreign governments or to foreign companies with their elected representatives; and
- Generally, by being more attentive to what may be happening to their personal information when it crosses borders and to the importance of clear and enforceable international standards on information sharing in democratic countries.
What Companies Do to Protect the Personal Information of Canadians Transferred Across Borders
Companies that are subject to PIPEDA or similar provincial legislation must comply with that legislation. It is important for the management of organizations subject to such laws to understand their responsibilities under the laws — for example, the obligations in PIPEDA to ensure the security of personal information. PIPEDA requires personal information to be protected by security safeguards appropriate to the sensitivity of the information.
Corporate leaders increasingly recognize that maintaining a high level of public trust in how personal information is handled is vital to achieve customer loyalty. It is also abundantly clear to corporate leaders that personal information holdings are key business assets that need to be protected against misuse.
And, finally, the Federal Commission has released a submission to the BC Privacy Commissioner in response to his request for submissions about the USA Patriot Act. (See previous blog entries: BC Responds to USA Patriot Act, Campaign in BC to Prevent Outsourciing and Labour groups raise outsourcing privacy fears.) The Commissioner's submission is available at http://www.privcom.gc.ca/media/nr-c/2004/sub_usapa_040818_e.asp
Labels: bc, british columbia, information breaches, outsourcing, patriot act, privacy
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.