The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Tuesday, January 20, 2004
You've got to hand it to ITBusiness. They've done a great job of covering the implementation of PIPEDA, with regular articles that deal with different aspects of the law. In the article entitled Life of PI, Shane Schick considers the difficulties being faced by organizations thanks to the shades of grey in the Act.
Unlike most statutes, PIPEDA has little to do with rules. It is really a collection of principles. Coming from the Canadian Standards Association Model Code for the Protection of Personal Information, it was originally drafted as voluntary best practices to be adopted by companies. Because it was drafted to be industry neutral, each company was expected to adapt it to its own particular business. Moving from best practices to law is difficult for some to handle. Most people are used to laws being relatively black and white: "You can do this and you can't do that." Instead, PIPEDA confuses people by saying things like:
The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.
The form of consent shall be commensurate with the sensitivity of the information. An example of what is "sensitive" is provided. But wait! It also says any information can be sensitive depending upon the circumstances. OK. It looks like it means the more sensitive the information is, the more certain you must be that consent is informed consent and the more certain you have to be that you've actually obtained affirmative consent. If the information is sensitive, don't infer consent and don't presume it. But in the end, the "user" is left to determine how sensitive the information is and whether the form of consent measures up.
It has been interesting to observe how people approach PIPEDA when they first read some of these provisions. They want answers and instead it is nothing but shades of grey. I have seen too many people throw up their hands, essentially saying that because they can't situate themselves in the spectrum of grey, it's futile. Others put themselves in the shoes of their more "privacy-aware" customers and think "If I were worried about my privacy, what would I want the company to do?" I prefer this approach. It is not a good idea to only try to technically comply or to do the absolute least. That's a recipe for trouble. If you can anticipate the needs/concerns/issues of the top five percent of privacy-aware customers and tailor your processes to get them onside, you should do OK. In short, err on the side of caution.
Labels: information breaches
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.