[Grey Areas, No. 59, January 2003]
Perhaps one of the most significant legal changes affecting the regulation of professions and industries is the imminent arrival of privacy of personal information legislation. It has been known for some time that a new law regulating the collection, use and disclosure of personal information would take effect on January 1, 2004. What is not known is which law it would be and what exactly it would require.
Federal or Provincial Law?
In April 2000, the Personal Information Protection and Electronic Documents Act was passed by our federal Parliament. It set up a scheme to regulate personal information. The Act comes into force in stages. The most significant date for most professions and industries is January 1, 2004, when it applies to all commercial activities. However, as most professions and industries are a provincial responsibility, the federal government made a commitment that any province that passed its own substantially similar legislation would have its provincial law apply instead. Ontario has been in the process for the past two years of developing such an Act. The Ontario approach was to be quite different from the federal one, setting out more detailed rules applying to different types of personal information. The Ontario approach would also have applied to the non-profit sector.
However, with less than a year to go, there is now serious doubt that Ontario will pass its Act in time. It was to have been introduced last September, and then before the Legislature rose in December. Now the Legislature is recessed until March 17, 2003. There has been rampant speculation that there will be an election in Ontario this year. Media reports have indicated that the Ontario Cabinet is divided on the matter and that introduction in the near future is unlikely: http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=1035776370456&call_page=TS_Columnists&call_pageid=970599109774&call_pagepath=Columnists
Time is running out for preparing for the new requirements. Regulators should now act on the assumption that the federal law will take effect this coming January.
Implications for Regulators
Below are just some of the implications of the Act for regulators.
(a) Application of the Act
The Personal Information Protection and Electronic Documents Act applies to any “commercial activity” that involves personal information (with very few exceptions). A “commercial activity” is defined to include a single transaction so long as it is of a “commercial character”. Thus, the application of the Act is not defined by the nature of the organization (e.g., private sector, non-profit sector), but rather by what the organization does. It may well be that most of what regulators do is not covered by the Act. However, many regulators do engage in the “selling, bartering or leasing of … membership … lists”. Thus, unless the regulator chooses to give up any fee for this activity, it will have to comply with the requirements of the Act.
The Act will apply to most private practices of professions and the operation of most industries which regulators oversee. Even non-profit professional operations (e.g., public hospitals, legal aid clinics) may engage in some activities covered by the Act (e.g., fund raising ventures or ancillary commercial operations).
(b) Membership Registers
Many regulators are legally obliged, under their own statute, to provide the public with access to their members’ names and addresses. Often this database is called a register or roll. Some thought will have to be given as to whether the regulator cares if the Act applies to this activity.
The Act would only apply to the regulator’s maintaining of the register if the regulator charges for access to it. However, regulators often do charge for access to the names (at least where more than a handful of names are requested) for two reasons:
- to minimize the expense to the regulator in handling such requests, and
- to provide some control on commercial access to the list.
Regulators may choose to stop charging for access to the register. The infrastructure costs of having the Act apply to the regulator for just this activity are significant. The regulator would have to establish written policies and procedures, make them publicly available, appoint and train an official to oversee the program and develop a complaints process. Unless the regulator will be complying with these requirements for other reasons, it may be too expensive for a small revenue source.
Commercial access to the register could be discouraged by other means including:
- requiring the commercial enterprise to satisfy the regulator that it is complying with the Act (e.g., proving it has consent or other legal authority for collecting the information); or
- providing the information in an inconvenient form (e.g., not electronically or on address labels).
(c) Regulator Access to Information
Even if the regulator is not covered by the Act, many of their members will be. Could the Act interfere with the ability of their members, or others, to provide information to the regulator? For example, a report that a member has engaged in misconduct or is incompetent is personal information about the member. In addition, many investigations of members involve collecting information about the members’ dealings with clients, often without the clients’ consent. Will the Act’s restrictions on the disclosure to the regulator of personal information by members or third parties without the relevant consent rules impede such access?
It would appear that if disclosure of personal information to the regulator is required by law, it is authorized by the Act. However, voluntary disclosure is only permitted in limited circumstances. Those circumstances can be expanded if the regulator is named in the federal regulations as an “investigative body”. Currently only the Crime Prevention Bureau of the Insurance Council of Canada, and the Bank Crime Prevention and Investigation Office of the Canadian Bankers Association are prescribed as investigative bodies. Regulators will wish to consider asking the federal government to be named as “investigative bodies” in order to ensure that voluntary disclosure of misconduct allegations is not restricted.
(d) Record Keeping Rules
Many regulators have rules or guidelines for their members relating to record keeping. These include what information must be collected, security measures, access to the information and the length of time that information must be retained. Those rules or guidelines should be actively reviewed during this year to ensure that they are consistent with the Act. Further, to the extent that a regulator’s directives are not formal “law” (e.g., not a formally enacted regulation, but just a guideline), they may become entirely obsolete.
For example, many regulators have directives about how long client records should be retained. However, if these directives are not formal law then the Act’s requirement that the record be destroyed after use may take precedence. (Even where a provincial regulator’s record requirement is a formal law, it may still be overridden by the federal Act. However, there is a much greater chance of the regulator’s directive applying if it is a formal law.)
(e) Voluntary Privacy & Access Code
Even if regulators are not covered by the Act, they may wish to seriously consider developing their own privacy and access codes for a number of reasons. This initiative would be a way of showing leadership to the members of the profession and industry who are covered by the Act. It is difficult for the regulator to educate their members about standards that the regulator itself does not follow. In addition, public confidence in the regulator would thereby increase. Decisions by regulators on such issues as membership access to their files could then be made on a principled basis rather than just to follow past practices. Developing a voluntary privacy and access code might even avert less sensitive government legislation in the future.
Regulators should not assume that their current practices are acceptable. For the most part, these practices have been based on rigid notions of confidentiality that are rapidly changing. Most regulators who examine the provisions of the Personal Information Protection and Electronic Documents Act will find that significant changes need to be made to become consistent with those underlying principles.
(f) Education of Members
Regulators should seriously consider making some effort to educate their members about the requirements of the Act in the coming months. With the confusion over the provincial legislation, there does not appear to be any level of government taking leadership on the issue. Whatever happens, there will be a scramble this fall. Early warning and advice by regulators can reduce the learning curve.
In the coming months, Grey Areas will be examining various aspects of the privacy legislation to help regulators and their members adjust to the new order. Educational sessions will also be identified at www.sml-law.com.
For a copy of the Personal Information Protection and Electronic Documents Act and helpful educational documents (albeit of a general nature) see: http://www.privcom.gc.ca/index_e.asp.