Imprimer Envoyer à un collègue Augmenter la taille de la police

Publication

TITRE

New Privacy Legislation for the Private Sector in British Columbia

DATE

28 mai 2003

EXPERTISE

Protection de la vie privée et accès à l'information

B.C. Labour and Employment Law Group
Privacy and Access to Information Team

Bill 38, the Personal Information Protection Act ("Act") is to come into force in British Columbia on January 1, 2004.  Through consultation with businesses, non-profit and professional organizations, it was determined that B.C. organizations would prefer a provincial solution rather than be subject to the federal Personal Information Protection and Electronic Documents Act ("PIPEDA") which will, in general, apply to personal information collected, used or disclosed within the province on January 1, 2004.  The Act is the result of that consultation process, and all private sector businesses and organizations need to be aware of their obligations under this new legislation. At the time of writing, the Act has passed second reading and is at the committee stage in the provincial legislature.  The Act has yet to undergo analysis for substantial similarity to PIPEDA at the federal government level.  If the federal Cabinet is satisfied that the Act is "substantially similar" to PIPEDA, it may exempt the provincial organizations to which the Act applies from the application of PIPEDA.

INTRODUCTION

The purpose of the Act is to govern the collection, use, and disclosure of personal information by organizations in a way that recognizes both the rights of individuals to protect their personal information, and the fact that organizations must be able to collect, use or disclose personal information for reasonable purposes.

Personal information is defined as information about an identifiable individual, including information collected, used or disclosed for the purposes of managing an employment relationship ("employee personal information").  It does not include business contact information or information prepared or collected as part of an individual's or group's employment or business activities ("work product information").  This definition recognizes that an employee's work product is not owned by that individual and therefore should not be subject to the same restrictions as his or her personal information.

The Act applies to every organization in the province. Organization is defined to include a person (and therefore a corporation), an unincorporated association, a trade union, a trust or a not-for-profit organization.  Individuals acting in a personal capacity or as employees, public bodies, the courts and private trusts are all specifically excluded from the definition of organization.

There are some limited exceptions to the application of the Act. It does not apply to the collection, use or disclosure of personal information if PIPEDA applies. This exemption assists in resolving the issue of which law will apply to information within the scope of PIPEDA (and the growing concerns about "patchwork privacy legislation").  In addition, the Act does not apply to personal information that is subject to the Freedom of Information and Protection of Privacy Act (legislation applicable to public sector departments and agencies). It will also not apply retroactively to the collection of personal information before the Act comes into force. The Act does not affect solicitor-client privilege.

An organization is responsible for personal information that is under its control. The Act requires that all organizations implement policies and practices to ensure that their obligations under the Act are met.  Specific requirements include that an organization develop a process for responding to complaints arising under the Act, and that an organization designate a person or team to be responsible for ensuring the organization's compliance with the Act.

CONSENT

Consent is required for the collection, use or disclosure of personal information about an individual, unless the Act deems such consent to have been given or authorizes collection, use or disclosure without the individual's consent.  An individual's consent will not be valid unless the organization collecting the information discloses to the individual the purposes for the collection.

An organization may collect, use or disclose personal information about an individual for specified purposes if:

  • the individual is given notice;
  • the individual is informed of the purposes;
  • the individual is given the opportunity to decline to have his or her personal information collected, used or disclosed for those purposes;
  • the individual does not decline; and
  • the collection, use or disclosure is reasonable in the circumstances.

The federal Privacy Commissioner has stated that the provision for implicit consent makes the Act inferior to the federal law in protection of privacy, which may affect whether the federal Cabinet exempts B.C. organizations from PIPEDA.  Notwithstanding this view, we note that PIPEDA also contemplates implicit consent in appropriate circumstances.

An individual will also be deemed to consent to the collection, use or disclosure of personal information for the purpose of enrollment and coverage under an insurance, pension or benefit plan.

An individual may withdraw his or her consent to the collection, use or disclosure of his or her personal information at any time.

COLLECTION, USE OR DISCLOSURE OF PERSONAL INFORMATION

Subject to the Act, an organization may collect, use or disclose personal information only for appropriate purposes and purposes that fulfill the purposes disclosed for its collection.  Where the personal information was collected before the Act comes into force, it must be used or disclosed for purposes that fulfill the purposes for which it was collected. The federal Privacy Commissioner has expressed the opinion that this is a significant difference from the federal law, which requires organizations to obtain consent to the use or disclosure of personal information collected before the federal law came into effect.  His opinion may affect whether the federal Cabinet is satisfied that the Act is substantially similar to PIPEDA, although ultimately the decision rests with Cabinet.

The Act provides that an organization may collect, use or disclose personal information about an individual without consent in certain situations.  These include (but are not limited to) situations where the collection, use or disclosure is in the individual's interests and consent cannot be obtained in a timely way, and where the collection, use or disclosure is reasonable for an investigation and obtaining consent would compromise the availability or accuracy of the personal information.

An organization may also collect personal information from or on behalf of another organization, and use or disclose that personal information without the consent of the individual to whom it relates, in certain specified circumstances.

An organization generally may not collect, use or disclose employee personal information without the individual's consent, with some exceptions.  Where consent is not required, an organization must still notify an individual that it will be collecting, using or disclosing employee personal information about him or her, and the purposes for doing so.

An organization may be entitled to disclose personal information about its employees, customers, directors, officers or shareholders without their consent in the context of a business transaction, such as the sale of a business or assets.  It may disclose personal information to a party or prospective party to a business transaction, but conditions for the use and disclosure of such personal information will exist under the Act.

ACCESS TO PERSONAL INFORMATION

On the individual's request, an organization must grant him or her access to his or her personal information which is under the control of the organization, and must also provide information about how his or her personal information has been used and to whom it has been disclosed.  An organization will not be required to grant such access in certain circumstances, for example where the disclosure of the personal information could harm the competitive position of the organization, or where the personal information was collected for the purposes of an investigation and the investigation or any associated proceedings or appeals have not been completed.  Also, there are certain circumstances in which an organization is prohibited from providing an individual with access to his or her personal information.

On the request of an individual, an organization may be required to correct an error or omission in that individual's personal information.

An organization is obligated to make a reasonable effort to assist and to respond accurately and completely to an individual who requests access to or correction of his or her personal information, within set time limits.

CARE OF PERSONAL INFORMATION

An organization has certain obligations regarding care of personal information.  It must:

  • make a reasonable effort to ensure that personal information it has collected is accurate and complete if it is to be used or disclosed;
  • protect personal information under its control by making security arrangements to prevent unauthorized access, disclosure, modification or similar risks;
  • retain personal information about an individual that it uses to make a decision that directly affects the individual for one year; and
  • destroy documents (including electronic documents) containing personal information when retention of the personal information no longer serves the purpose for which it was collected and is no longer necessary for legal or business purposes.
OVERSIGHT BY THE COMMISSIONER

The B.C. Information and Privacy Commissioner has broad powers to ensure the purposes of the Act are achieved.  The Commissioner may initiate investigations and audits to ensure compliance with the Act if there is reason to believe an organization is not in compliance, whether or not a complaint is received.  In addition, the Commissioner may investigate and attempt to resolve complaints, including complaints that a duty under the Act has not been performed, or that personal information has been collected, used or disclosed in contravention of the Act.  The Commissioner's powers in respect of investigation include the power to enter any premises occupied by an organization, other than a personal residence, and to examine and copy any documents found on those premises.

An individual who has requested access to or correction of their personal information may seek a review by the Commissioner of the decision, act or failure to act of the organization, and any individual may make a complaint to the Commissioner.  Reviews or complaints may result in mandatory mediation or an inquiry process conducted by the Commissioner.  The Commissioner must dispose of the issues on an inquiry by making an order, which may require an organization to grant access to information at issue, or to perform a duty under the Act.  Failure to comply with an order of the Commissioner is an offence under the Act, for which an organization is liable to a fine of up to $100,000.  Other offences exist under the Act, as does a cause of action for damages for actual harm suffered by a person because of a contravention of the Act.

CONCLUSION

The B.C. government news release regarding the Act states that this legislation will further stimulate electronic commerce because of strengthened consumer confidence, and will increase opportunities for international trade where jurisdictions such as the European Union require that their trading partners have privacy protection laws.  The government has also promised to provide businesses with tools, such as privacy checklists and staff training information, to help them implement the Act.

The federal Privacy Commissioner has stated that the Act requires amendment to be considered substantially similar to PIPEDA.  Such amendment, if it occurs, is likely to be limited to a few provisions, rather than requiring a wholesale revision of the legislation.

In preparation for the coming into force of this legislation, it is essential for all businesses and organizations in British Columbia to examine their privacy practices and ensure that they will be in compliance with the Act.

Note:
Bill 44, the Personal Information Protection Act, was introduced and passed first reading in the Alberta legislature on May 14, 2003.  Stay tuned for an upcoming newsletter from the Privacy and Access to Information Team describing that legislation.

The purpose of this document is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of Ogilvy Renault or any member of the Firm on the points of law discussed.

Vancouver

Matthew Cooperwilliams
(604) 806-3852
mcooperwilliams@ogilvyrenault.com
Patrick Gilligan-Hackett
(604) 806-3860
phackett@ogilvyrenault.com
Simon Heath
(604) 806-3846
sheath@ogilvyrenault.com
Muriel Henry
(604) 806-3828
mhenry@ogilvyrenault.com
Jennifer A. Jamieson
(604) 806-3847
jjamieson@ogilvyrenault.com
Graeme M. McFarlane
(604) 806-3859
gmcfarlane@ogilvyrenault.com
Julie D. Nichols
(604) 806-3857
jnichols@ogilvyrenault.com
Thomas A. Roper, Q.C.
(604) 806-3850
troper@ogilvyrenault.com
Delayne M. Sartison
(604) 806-3851
dsartison@ogilvyrenault.com
Kim G. Thorne
(604) 806-3854
kthorne@ogilvyrenault.com
Michael A. Wagner
(604) 806-3853
mwagner@ogilvyrenault.com

Toronto

Mark S. Hayes
(416) 216-4094
mhayes@ogilvyrenault.com

Ottawa

Martha A. Healey
(613) 780-8638
mhealey@ogilvyrenault.com

Montréal

Christine A. Carron
(514) 847-4404
ccarron@ogilvyrenault.com 

©OGILVY RENAULT 2003 - All Rights Reserved

 Retour aux résultats de la recherche de publications

Christine A. Carron


ccarron@ogilvyrenault.com
Profil

Martha A. Healey


mhealey@ogilvyrenault.com
Profil



Pour recevoir nos publications