Initial reflections of the privacy commissioner on Ontario’s draft privacy bill
Ann Cavoukian, Ph.D.
Information and Privacy Commissioner/Ontario
Toronto Board of Trade
February 19, 2002
Background to the Bill
European Union: Directive on Data Protection
Canadian Standards Association: Model Code for the Protection of Personal Information
Government of Canada: Personal Information Protection and Electronic Documents Act
Government of Ontario: Privacy of Personal Information Act, 2002
Privacy of Personal Information Act, 2002
Integrated health & private sector privacy protection
Guide to Ontario’s Consultation on Privacy Protection: www.cbs.gov.on.ca/mcbs/english/56Y2QL.htm
Privacy of Personal Information Act, 2002: www.cbs.gov.on.ca/mcbs/english/56Y2UJ.htm
Consultation period ends March 8, 2002
Scope of the Draft Bill
Bill applies to:
Ontario businesses
Ontario universities
Ontario hospitals, doctors, pharmacies, clinics…
Ontario associations (incorporated or not)
Ontario partnerships
Ontario unions
Does not apply to:
Individuals acting in a personal and non-commercial capacity
Artistic, journalistic or literary exemption
Ontario Draft Bill
Things we like:
Made in Ontario response to PIPEDA
Scope of Bill extends beyond business sector
Based on CSA Fair Information Practices
Single oversight body for both public and private sector privacy
Dramatic improvements to health component from earlier Bill 159
Striking the Right Balance?
The government is working to find the appropriate privacy balance,
But…
Concerns about the Bill:
Permitted uses without consent
Extensive use of Regulations
Lack of full investigation powers
Simplify the Draft Bill
Complex drafting
Inconsistencies
Redundancies
Duplication
Complex and Confusing
Personal Information
Personal Health Information
Organizations (non-health)
Health Information Custodians
Definition of Personal Information
Personal Information – covered
Personal Health Information – covered
Business Information – not covered
Professional Information – not covered
Exemptions to Consent
Exemptions should be very limited regarding the collection, use and disclosure without consent:
Minimize exemptions
Notice requirements: if exemptions exist for use or disclosure without consent, notice should be provided
Procedures for Access
Different procedures for accessing personal information vs. personal health information
Will create confusion, without adequate justification for doing so
Duplication between two access schemes completely unnecessary
Use of Regulations
Use of Regulations too broad:
Section 80(1)(g) enables specific organizations or classes of organizations to be pulled outside of the scope of the legislation without any public consultation or accountability.
Section 80(1)(n) permits the government, without public consultation or accountability, to exempt organizations from acting in conformity with their information practices.
Commissioner’s Powers
Lack of full investigation powers
No power to compel witnesses to testify (risk of another POSO debacle)
Privacy oversight bodies in virtually every other jurisdiction with similar legislation have the power to require testimony, including: Canada (federal), Alberta, Saskatchewan, Manitoba, Quebec, Australia and New Zealand.
Other issues to consider
Consent
Express
Implied
Opt-in / Opt-out?
Notice
Sufficient?
Harmonization with PIPEDA
EU Response to PPIA?
EU Adequacy Decision: “Canada is considered as providing an adequate level of protection for personal data transferred from the Community to recipients subject to the Personal Information Protection and Electronic Documents Act.”
But… “This Decision may be amended at any time in the light of experience with its functioning or of changes in Canadian legislation, including measures recognizing that a Canadian province has substantially similar legislation.”
The IPC & PPIA, 2002
Cooperation and mediation, not confrontation
IPC has a long history of working collaboratively with the public and private sectors
Learn from the experience of jurisdictions with private sector privacy laws: “We have never seen a business plan that could not be operated within the [data privacy] legislation.”
Elizabeth France, UK Commissioner
Will produce guidelines for businesses and public outlining responsibilities and expectations
The Value of Privacy
“Complying with privacy regulations can be considered just a business cost, but many companies understand that a reputation for guarding privacy can also be a selling point. They need to be stewards, to the extent they can gain a competitive advantage from privacy.”
Ken DeJarnette, Deloitte & Touche
How to Contact Us
Ann Cavoukian, Ph.D.
Information & Privacy Commissioner/Ontario
80 Bloor St. W., Suite 1700, Toronto, M5S 2V1
Phone: (416) 326-3333
Web: www.ipc.on.ca
E-mail: [email protected]