[This month’s issue of Grey Areas consists of an article that regulators and professional associations may wish to reprint for their own members. Permission is granted to adapt the article to your own audience as long as any substantive changes are approved by Richard Steinecke.]
[Grey Areas, No. 63, May 2003]
Over the past few years, there has been a lot of confusion about privacy legislation. Who does it apply to? When is it really coming? How much impact will it have? Busy practitioners need to know what privacy legislation means for them. While there remains a fair degree of uncertainty, the outlines of what is going to happen are now becoming clearer.
When Does Privacy Legislation Take Effect?
For almost all practitioners, the federal privacy act takes effect this coming January. On January 1, 2004, the Personal Information Protection and Electronic Documents Act comes fully into force. Ontario has circulated a draft Privacy of Personal Information Act, but it is highly unlikely that it will be enacted before this January. Practitioners covered by the federal privacy act need to have their policies and procedures in place by then.
Who Does Privacy Legislation Apply To?
The privacy act is intended to cover the entire private sector. With very few exceptions, the privacy act applies to anyone who carries on “commercial activities”. That will include most practitioners. Even if the government pays for the goods or services, the privacy act will likely apply. Only practitioners employed by a government body or a non-profit agency that does not sell goods or services will be exempt.
The privacy act applies to any collection, use or disclosure of personal information. “Personal information” means any information about an identifiable individual that relates to their personal characteristics (e.g., gender, age, colour, ethnic background, education, family status), their health (e.g., health history, health conditions, health services received by them) or their activities and views (e.g., dealings with the practitioner, opinions expressed by an individual, religion, political involvement, a practitioner’s view or evaluation of an individual). Personal information is to be contrasted with business information (e.g., an individual’s business address and telephone number), which is not protected by the privacy act.
What Has To Be Done?
reviewing the organization’s policies and practices for collecting, using and disclosing personal information (including conducting an audit of the current personal information practices of the organization);
implementing procedures to safeguard personal information;
ensuring individuals have the right to access and correct any personal information about themselves held by the organization;
implementing a retention and destruction of information policy;
training the organization’s staff;
acting as a contact person for inquiries from the public or clients; and
ensuring there is a process for handling complaints made about the organization’s information practices.
Practitioners must also make sure that their organization has privacy policies dealing with all of these issues. These policies must be made available to the public. This public access obligation might be met by posting the policy on the organization’s website or in its reception area. Alternatively, a copy can be provided to new clients on their first visit and to anyone else upon request. The policies have to be understandable.
What Are The Restrictions On The Collection, Use And Disclosure Of Personal Information?
As a general rule, practitioners need to obtain informed consent for the collection, use and disclosure of personal information. This consent is distinct from the consent for providing services. Like any consent, it can be obtained in writing, verbally or by implied consent. In the traditional circumstance of a practitioner collecting information directly from the client solely for the purpose of providing services to the client, consent may be implied. However, any departure from this simple approach creates some new obligations for obtaining informed consent. In real life, the simple approach is not usually enough.
Areas in which some change may be required include the following:
Where the practitioner collects information about other individuals (e.g., about the client’s family members or his or her own clients).
Where the practitioner collects information about the client from other persons (e.g., from previous practitioners for the client, from family members of the client, from the client’s business contacts).
Where the practitioner collects information to be shared with others who are also advising or providing services to the client (i.e., a team approach).
Where there is the likelihood of an ongoing relationship and the information will be used for ongoing services, especially if this is not obvious to the client (e.g., collecting a broad background of a client’s health, family or financial situation to ensure that one can provide broader services later on).
Where third parties will have access to the information (e.g., for legal, billing or financing purposes).
Where the practitioner will use the information for related purposes (e.g., for billing the client or a third party later).
Where the practitioner will use or disclose the information for secondary purposes (quality control by the organization, regulatory accountability, research).
Where the practitioner might sell the practice or business later on and will need to provide prospective purchasers with access to client information to help the purchaser conduct a due diligence review.
In any of these circumstances, the practitioner should at a minimum explain the purposes for which the information is being collected and obtain some form of consent. Often the consent process can be a brief oral discussion with the client. Giving the client a handout setting out the practitioner’s usual information practices and checking with the client that he or she understands the handout would often be sufficient. Alternatively, obtaining a written consent at a client’s first visit may work in many circumstances. While the Information and Privacy Commissioner is leery of blanket consents, it may be that, for the usual private practice, this is appropriate and sufficient.
There are some exceptions that permit practitioners to collect information without consent. The most common example is where the purpose is to investigate a breach of law or contract and obtaining consent would compromise the investigation (e.g., a fraud by a client; helping a client deal with a third party). Certain emergency situations (e.g., medical crisis) may permit the collection, use or disclosure of information without consent as well.
Practitioners are also obliged to collect the least amount of personal information that is consistent with the purposes for which it was collected. For example, collecting an individual’s Social Insurance Number is usually not necessary. One should not routinely collect a client’s home address (unless the client wants something to be sent there). Practitioners should not collect financial information about a client who pays the full account at the time of service.
What Kind Of Safeguards Are Needed?
Most practitioners are already careful to preserve their clients’ confidentiality. However, when setting out the safeguard policies in writing, practitioners may wish to review some of their practices. For example, can people see confidential files or computer screens when walking through the office or business? Is all personal information shredded before being put in the recycling box? The Information and Privacy Commissioner strongly disapproves of sending personal information through regular email over the internet.
What Are Access And Correction Rights?
A fundamental principle of the privacy act is that any individual has the right to request and see any personal information practitioners hold about them. In fact, practitioners are required to help individuals make such a request (e.g., explain the filing system so the person knows what to ask for) and to assist them in understanding the information (e.g., explain abbreviations and technical terms). There are a few exceptions where access can be restricted (e.g., where the disclosure will reveal personal information about another individual or will reveal trade secrets), but these are narrow. Practitioners will also have to tell individuals to whom the organization has disclosed the personal information about them.
If the individual believes any of the personal information is wrong, he or she can ask that it be corrected. The organization must correct any information it agrees is wrong. The organization must also notify any third parties who received the wrong information of the correction. Where the client and the organization cannot agree that an error has been made, the organization must record the disagreement and notify any third parties who received the contested information. Disagreements about corrections can be taken to the Information and Privacy Commissioner, who may review the situation.
What Should An Internal Complaint System Look Like?
Organizations must also have an internal complaints system to handle concerns about their privacy practices. The internal complaints system should have the following features:
a designated individual in the organization (perhaps the Information Officer) to receive and ensure the prompt investigation and response to all complaints;
an easily accessible and simple-to-use complaints procedure that at a minimum includes:
a process for the organization to respond appropriately to complaints that are justified, including making changes to its privacy policies; and
notifying the public of external recourses including the practitioner’s regulatory body and the federal Information and Privacy Commissioner.
Who Ensures Compliance With The Privacy Legislation?
Practitioners will be held accountable to both the federal Information and Privacy Commissioner and, to a lesser extent, their own regulatory body, in respect of their compliance with the privacy act.
The federal Information and Privacy Commissioner has oversight of the privacy act and functions as an ombudsman. The Commissioner has the following responsibilities:
investigating complaints about an organization’s personal information handling practices including entering the organization’s premises and summonsing documents and witnesses;
mediating and conciliating such complaints;
auditing the personal information handling practices of an organization;
making a public report of poor personal information practices by an organization;
seeking remedies for a breach of the privacy act in the Federal Court of Canada.
Once the Commissioner has issued a report, either the complainant or the Commissioner can then apply to the Federal Court of Canada for one or more of the following remedies:
an order for the organization to correct its personal information handling practices;
an order for the organization to publish a notice of corrective action; or
an award of damages for any humiliation of the complainant.
All indications are that the current Information and Privacy Commissioner tends to be educational rather than punitive in his enforcement style. However, it is still better to avoid a complaint than to have to deal with one.
Professional regulators may also hold the practitioner accountable for his or her privacy practices. Where the conduct involves a breach of core professional values, regulators will have an additional reason to take regulatory action. Even where core professional values are not breached, every practitioner is generally obliged to comply with the law, especially laws designed to protect the public or which reflect on the practitioner’s suitability to be a member of the profession. Many breaches of the privacy act by a practitioner may warrant some regulatory action.
Where To Start?
Richard Steinecke will be a presenter at a seminar on getting ready for the new privacy legislation on November 7, 2003. The seminar will be held in Toronto and will include a step-by-step workbook that will assist practitioners in developing and implementing privacy policies. See www.sml-law.com/privacyseminar for registration details.