[Administrative Law and Practice Points, No. 7, February 2004]
On January 1, 2004, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the federal privacy legislation for the collection, use, and disclosure of personal information, became law in all of the provinces across Canada including Ontario (with the exception of Quebec which is largely exempted from PIPEDA as Quebec’s private sector privacy law was deemed substantially similar to PIPEDA). Given the complexity of the legislation, PIPEDA has become a significant legal challenge for regulators, associations, and practitioners. For example, regulators have been faced with a number of challenging questions such as: Does PIPEDA apply to some or all of the activities of regulators? If PIPEDA does apply to regulators, what are the responsibilities of regulators to ensure compliance with PIPEDA? If PIPEDA does apply to regulators, what should be contained in a regulator’s Privacy Policy to balance the protection of personal information with a regulator’s mandate to protect the public interest? If PIPEDA does not apply to regulators, should regulators develop a Voluntary Privacy and Access Code and, if so, what should it contain?
Until recently, there has not been much guidance for regulators in addressing these questions. In October 2003, the Government of Alberta produced a very helpful document entitled “Guidelines for Developing a Personal Information Code for Professional Regulatory Organizations”. This document was developed to help professional regulatory organizations (“professional regulators”) in Alberta prepare for the Personal Information Protection Act, the new Alberta privacy legislation which also became law on January 1, 2004. This document provides a great deal of useful guidance that would be relevant to regulators outside Alberta because the Personal Information Protection Act, just like PIPEDA, is based on the 10 principles of fair information practices in the Canadian Standards Association’s Model Code for the Protection of Personal Information.
The document sets out the advantages and disadvantages of developing a personal information code (“code”). Many of these advantages and disadvantages would apply to regulators outside Alberta and would apply regardless of whether a regulator is developing a Privacy Policy or a Voluntary Privacy and Access Code.
For example, some of the applicable advantages include the following:
- A code may serve to put privacy principles into context for the particular profession or occupation.
- A code may send a positive statement to the public that the professional regulator is responsive to the privacy concerns of individuals and is active in protecting their privacy rights.
- A code may enable a professional regulator to develop a code in a manner that allows it to harmonize the code with other elements of its governing legislation as well as bylaws and rules of conduct.
- A code may help change the culture of a professional regulator by raising the awareness of privacy and by introducing a compliance regime.
- A code may enable a professional regulator to develop a simplified version of the privacy principles that would be directly relevant and meaningful to the profession, its members, and the public.
By contrast, there is a much smaller number of applicable disadvantages, which include the following:
- A code must be developed, implemented, and kept up to date. Developing and administering the code requires a professional regulator to have sufficient resources to carry out this function.
- A code may not be appropriate if the professional regulator does not need to promote cultural change through the introduction of a privacy code.
The document also sets out a process for developing, approving, and reviewing a code. A summary of some of the process guidelines which would apply on a general basis to regulators outside Alberta includes the following:
- Draft a code to a professional standard using language that is clear and easy to understand.
  - A code must not be established in a regulation or in a bylaw, rule of conduct, or policy of the professional regulator. It should be a free-standing document.
  - It should be written to a professional standard, using language that is clear, unambiguous, and easy for individuals to understand their rights and obligations.
  - Try not to use professional jargon that some individuals may not understand and, if the code uses profession-specific language, include a list of definitions to explain the terms.
  - Each paragraph should be numbered or lettered to help with communication, application, and compliance.
  - If the professional regulator does not have expertise in drafting codes, it may be useful to obtain outside help from legal and plain language experts.
- Consult with members of the professional regulator on drafts of the code.
  - It should use a consultation process similar to what it would use to consult with members on draft new or amended regulations.
  - As a best practice, the professional regulator may wish to consult with relevant stakeholders, including members of the public, on drafts of the code to ensure that the code adequately meets the needs and expectations of those stakeholders and the public. The credibility and integrity of a code depends in part on it gaining support and acceptance from both stakeholders and members of the public.
- Have the code approved by the governing council or governing body of the professional regulator.
- Promote the code and make it available on request.
  - A professional regulator must make a copy of the code and any relevant explanatory material available to any person on request.
  - If a code includes a complaint handling procedure, the professional regulator should promote the code more widely in the media or on its website.
- Commit sufficient resources to properly administer the code.
- Include a process for review of the code.
  - A code should include a process for reviewing its operation at regular intervals (e.g., every three years). The review process could be similar to the process that enabled the code to be approved by the governing body of the professional regulator.
  - The professional regulator must allocate sufficient resources to the review of the code.
The most useful part of the document for regulators is a sample code with provisions setting out: relevant definitions (e.g., definitions of the words “collection”, “use”, and “disclosure”), the scope and application of the code, detailed privacy principles, a procedure for handling complaints, and monitoring/reviewing the operation of the code. The sample provisions are often followed by commentary, alternative wording, or examples, making the sample code an excellent starting point for regulators.
For example, the following is an excerpt from the sample code:
3.3 Collecting Personal Information
3.3.1 We will only collect personal information for purposes that are reasonable and we will only collect the information that is reasonable for carrying out those purposes.
3.3.2 We will collect personal information only for the following purposes (referred to in this Code as “identified purposes”):
A PRO should review its own professional statute, regulations, bylaws and rules to determine what personal information it collects and for what purposes and include those purposes here. Some examples of purposes follow by way of illustration only:
- creating and maintaining records about applications for and obtaining registration as a member;
- creating and maintaining records about applications for and obtaining a practice permit and for keeping records about suspended, cancelled or reinstated practice permits;
- creating and maintaining records about members fulfilling their continuing education or continuing competence requirements;
- lodging, investigating and conducting hearings and appeals concerning complaints against members;
- meeting other legal and regulatory requirements.
The only caveat is that regulators should be careful about adopting the provisions verbatim as set out in the sample code, because they were developed from the Personal Information Protection Act, which has not yet been determined to be substantially similar to PIPEDA.
If you are interested in obtaining a copy of the entire document, it can be found on the internet at: http://www.psp.gov.ab.ca/pdf/PICGuidelines.pdf.
As a final thought, the Privacy Commissioner of Canada has begun to provide regulators with some guidance about the application of PIPEDA in its new fact sheet entitled “The Application of the Personal Information Protection and Electronic Documents Act to Charitable and Non-Profit Organizations”. For example, the fact sheet indicates that collecting membership fees, organizing activities, compiling a list of members’ names and addresses, and mailing out newsletters are not considered commercial activities. The fact sheet also indicates that a clear, simple, and easy-to-execute opt-out process could be used to obtain consent for selling, bartering, or leasing a membership list.