Latest Developments on Personal Information (Bill C-6)

March 19, 2002

Access to Information and Protection of Personal Information Team

The Personal Information Protection and Electronic Documents Act (known as Bill C-6) was adopted by the House of Commons on April 4, 2000 and it is expected that it will come into force on January 1, 2001. The Act establishes a regime governing the collection, use, retention and disclosure of personal information.

Its adoption raises a series of fundamental questions pertaining to its constitutionality and to its unique wording and structure, and it will pose practical and legal problems for businesses in their day-to-day activities.

The purpose of this newsletter is to provide you with an overview of what you, as operators of federal undertakings, should know with regard to privacy. If you are operating a provincially regulated undertaking, even in the Province of Quebec, we urge you not to disregard this note, as the Act will most likely affect your practices.

To Whom Does the Act Apply?

The Act applies to all organizations that are federally regulated (such as banks, railways, airlines) and to all organizations which are normally subject to provincial legislative jurisdiction, in the course of commercial activities conducted in more than one province (including Quebec organizations). The Act regulates the collection, use and disclosure of personal information, which is defined as any information about an identifiable individual with the exception of the name, title or business address or telephone number of an employee of an organization.

While the Act provides that the Governor in Council may exempt, by decree, an organization or activity from its application where there is legislation in a province substantially similar to the privacy legislation of the Act, such an exemption would only apply to the collection, use and disclosure of personal information which takes place solely within that province. Consequently, the exemption is quite limited and businesses will remain subject to both the provincial legislation and the federal Act when conducting commercial activities in more than one province.

Key Principles

The Act applies to a broad range of employee and client information including: home address/phone; age, marital status; educational or employment history; performance appraisals; references; income and assets, debts; benefit utilization, medical information, discipline records, investigation material; and surveillance records. The Act also contains a separate definition of personal health information.

The Act establishes a number of key principles governing the collection, use and disclosure of personal information, which can be summarized as follows:

  • Subject only to specified exceptions, information shall not be collected, used or disclosed without the knowledge and consent of the individual to whom it pertains.
  • The form of the consent may vary depending on the circumstances.
  • Generally, organizations will be required to collect personal information solely from the individual to whom the information pertains and only after disclosing to the individual how the information will be used and disclosed.
  • The information may only be used or disclosed in the manner identified at the time of collection unless further consent is obtained from the individual. An individual may withdraw a previously given consent.
  • The individual to whom the information pertains may, by written request, obtain information regarding the existence, use and disclosure of his or her personal information and, subject to certain exceptions, obtain access to the information. An individual may also challenge the accuracy of the information and have the information corrected where appropriate.
  • Personal information is to be retained only as long as is necessary to fulfill the purpose for which it was collected, or to permit an individual to access his or her information pursuant to a request for access.
  • Organizations are required to protect information from unauthorized use or disclosure.

The above principles will, subject to very limited exceptions, require organizations to obtain the individual's consent (implicitly or explicitly) to the collection, proposed use and disclosure of the personal information.

To avoid indiscriminate collection of unnecessary personal information, organizations will need to consider whether the information being collected is truly necessary and responsive to the purpose for which it is being collected.

The right of an individual to obtain particulars regarding the existence, use and disclosure of his/her personal information, and, with limited exception, obtain access to the actual information, will require organizations to track the use and disclosure of personal information and establish systems to retrieve requested information.

Protecting personal information from unauthorized use or disclosure will require organizations to establish rules governing both internal and external access to personal information. Such safeguards could include:

  • limiting the information to be retained on individuals according to the type of files;
  • limiting the categories of personal information or the type of files which may be accessed by various employees or groups of employees;
  • creating security systems to restrict access to authorized personnel;
  • creating systems to track access to and disclosure of personal information;
  • establishing protocols to approve and record "non-routine access" and external requests for information;
  • establishing security measures to protect personal information when it is copied, transmitted electronically or by facsimile; and
  • developing standards for maintaining the accuracy of information and deleting information which is no longer required.

Today, most organizations recognize that they have a moral, if not legal, duty to protect and limit the collection and use of personal information pertaining to their employees and individuals with whom they have dealings. Notwithstanding this fact, the Act requires even the most sophisticated organizations to alter the manner in which they handle personal information. Along with establishing clear policies that are responsive to the legislation, organizations will be required to monitor on an ongoing basis the collection, use and disclosure of personal information to reduce the risk of complaints and investigations under the Act.

The purpose of this document is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of Ogilvy Renault or any member of the Firm on the points of law discussed.

If you wish to correct or change your mailing information, please contact Client Services by telephone at (514) 847-4859 or by fax at (514) 286-5474.

© OGILVY RENAULT 2002 - All Rights Reserved
