180 likes | 322 Views
Initial reflections of the privacy commissioner on Ontario’s draft privacy bill. Ann Cavoukian, Ph.D. Information and Privacy Commissioner/Ontario Toronto Board of Trade February 19, 2002. Background to the Bill. European Union Directive on Data Protection Canadian Standards Association:
E N D
Initial reflections of the privacy commissioner on Ontario’s draft privacy bill Ann Cavoukian, Ph.D. Information and Privacy Commissioner/Ontario Toronto Board of Trade February 19, 2002
Background to the Bill European Union • Directive on Data Protection Canadian Standards Association: • Model Code for the Protection of Personal Information Government of Canada • Personal Information Protection and Electronic Documents Act Government of Ontario • Privacy of Personal Information Act, 2002
Privacy of Personal Information Act, 2002 • Integrated health & private sector privacy protection • Guide to Ontario’s Consultation on Privacy Protection • www.cbs.gov.on.ca/mcbs/english/56Y2QL.htm • Privacy of Personal Information Act, 2002 • www.cbs.gov.on.ca/mcbs/english/56Y2UJ.htm • Consultation period • Ends March 8, 2002
Scope of the Draft Bill • Bill applies to: • Ontario businesses • Ontario universities • Ontario hospitals, doctors, pharmacies, clinics… • Ontario associations (incorporated or not) • Ontario partnerships • Ontario unions • Does not apply to: • Individuals acting in a personal and non-commercial capacity • Artistic, journalistic or literary exemption
Ontario Draft Bill • Things we like: • Made in Ontario response to PIPEDA • Scope of Bill extends beyond business sector • Based on CSA Fair Information Practices • Single oversight body for both public and private sector privacy • Dramatic improvements to health component from earlier Bill 159
Striking the Right Balance? • The government is working to find the appropriate privacy balance, But… • Concerns about the Bill: • Permitted uses without consent • Extensive use of Regulations • Lack of full investigation powers
Simplify the Draft Bill • Complex drafting • Inconsistencies • Redundancies • Duplication
Complex and Confusing Personal Information Personal Health Information Organizations (non-health) Health Information Custodians
Definition of Personal Information • Personal Information – covered • Personal Health Information – covered • Business Information – not covered • Professional Information – not covered
Exemptions to Consent • Exemptions should be very limited regarding the collection, use and disclosure without consent: • Minimize exemptions • Notice requirements • If exemptions exist for use or disclosure without consent, notice should be provided
Procedures for Access • Different procedures for accessing personal information vs. personal health information • Will create confusion, without adequate justification for doing so • Duplication between two access schemes completely unnecessary
Use of Regulations • Use of Regulations too broad: • Section 80(1)(g) enables specific organizations or classes of organizations, to be pulled outside of the scope of the legislation without any public consultation or accountability. • Section 80(1)(n) permits the government, without public consultation or accountability, to exempt organizations from acting in conformity with their information practices.
Commissioner’s Powers • Lack of full investigation powers • No power to compel witnesses to testify (risk of another POSO debacle) • Privacy oversight bodies in virtually every other jurisdiction with similar legislation have the power to require testimony, including: Canada (federal), Alberta, Saskatchewan, Manitoba, Quebec, Australia and New Zealand.
Other issues to consider • Consent • Express • Implied • Opt-in / Opt-out? • Notice • Sufficient? • Harmonization with PIPEDA
EU Response to PPIA? • EU Adequacy Decision • “Canada is considered as providing an adequate level of protection for personal data transferred from the Community to recipients subject to the Personal Information Protection and Electronic Documents Act.” • But… • “This Decision may be amended at any time in the light of experience with its functioning or of changes in Canadian legislation, including measures recognizing that a Canadian province has substantially similar legislation.”
The IPC & PPIA, 2002 • Cooperation and mediation, not confrontation • IPC has a long history of working collaboratively with the public and private sectors • Learn from the experience of jurisdictions with private sector privacy laws: • “We have never seen a business plan that could not be operated within the [data privacy] legislation.” Elizabeth France, UK Commissioner • Will produce guidelines for businesses and public outlining responsibilities and expectations
The Value of Privacy “Complying with privacy regulations can be considered just a business cost, but many companies understand that a reputation for guarding privacy can also be a selling point. They need to be stewards, to the extent they can gain a competitive advantage from privacy.” Ken DeJarnette, Deloitte & Touche
How to Contact Us Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario 80 Bloor St. W., Suite 1700, Toronto, M5S 2V1 Phone: (416) 326-3333 Web:www.ipc.on.ca E-mail:commissioner@ipc.on.ca