Continuing the theme of cross-border data transfers, the federal Privacy Commissioner has just issued the following press-release:

News Release

Privacy Commissioner calls for further examination of transfer of personal information about Canadians across borders

Ottawa, August 18, 2004 - The Privacy Commissioner of Canada, Jennifer Stoddart, today calls for a greater dialogue between governments, the private sector and the public about cross-border exchanges of Canadians’ personal information. The Commissioner articulated this need in the Office’s submission to the Information and Privacy Commissioner of British Columbia about the privacy implications of the USA PATRIOT Act.

The Privacy Commissioner congratulates the B.C. Information and Privacy Commissioner, David Loukidelis, for leading this important inquiry.

"The growing frequency in which personal information is shared across borders in increasingly globalized interdependent economies has important privacy implications for Canadians," said Ms. Stoddart. "We have an obligation to protect the privacy rights of Canadians. We must have a balanced and reasoned approach to personal information protection."

Canadians expect that governments and the privacy sector will collaborate to protect against mismanagement of personal information. We must collectively seek a balance balance will be struck between the requirements of national security, the need for public safety and the conditions of an open and efficient economy.

In the submission, the Privacy Commissioner recommends practical measures for citizens, companies and governments to better manage the cross-border flow of personal information. Some measures include:

• Citizens can lodge a complaint with the Privacy Commissioner or provincial and territorial commissioners, depending on the organization whose conduct has raised the concern if they feel that an organization subject to privacy laws has violated their privacy rights. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), please request a copy of the Office’s Individuals Guide or visit http://www.privcom.gc.ca/information/02_05_d_08_e.asp (PDF).
• Private sector organizations can comply with their obligations under PIPEDA or similar provincial legislation to protect customers’ personal information and to adopt appropriate safeguards. Under PIPEDA, organizations can request a copy of the Office’s Business Guide, or visit www.privcom.gc.ca/information/guide_e.asp (PDF).
• Review by the federal government of PIPEDA and the Privacy Act to ensure that the highest standards of privacy protection relating to cross-border flow of personal information are met.
• Enhanced federal/provincial/territorial cooperation in privacy protection and the promotion of a multi-stakeholder dialogue (private sector, civil society and other institutional partners) on privacy issues of national significance.

Along with this release, the Commissioner has also issued a fact sheet on cross-border personal information transfers:

What Canadians Can Do to Protect Their Personal Information Transferred Across Borders

Canadians benefit from a reasonable standard of protection of their personal information. They do not want to see that protection vanish when personal information about them is transferred across borders, and they do not want to see governments or organizations in Canada transfer their information across borders if it will be put at risk of inappropriate disclosure, whether for security or for commercial purposes.

The extent to which personal information about Canadians should be made available to foreign governments is a complex issue of continuing concern. Nonetheless, Canadians can take some measures to protect their personal information from inappropriate disclosure to foreign governments:

• By bringing complaints about the handling of personal information (especially outsourcing arrangements) to the Office of the Privacy Commissioner of Canada or provincial and territorial commissioners, depending on the organization whose conduct has raised the concern;
• By relying on the "whistle blowing" provisions of PIPEDA if a US based affiliate of a Canadian organization seeks to reach into Canada to obtain personal information held in a Canadian database in order to comply with a US legal order. These provisions would protect the confidentiality of employees who notify the Privacy Commissioner of Canada that a company intends to transfer information abroad in violation of PIPEDA. The provisions also protect employees against retaliation by the employers, such as harassment, dismissal or demotion;
• By letting organizations in Canada that collect personal information about Canadians know that there is a concern about personal information being processed outside Canada;
• By taking advantage of the information rights existing under PIPEDA and provincial private sector statutes which require organizations to follow fair information practices, notably obtaining consent for information use;
• By reminding companies in Canada of their legal obligation to introduce appropriate security measures to prevent their subsidiaries or affiliates in another country from secretly obtaining access to personal information held in Canada to comply with a court order made in the foreign country;
• By raising their concerns about the potential for excessive disclosure of personal information to foreign governments or to foreign companies with their elected representatives; and
• Generally, by being more attentive to what may be happening to their personal information when it crosses borders and to the importance of clear and enforceable international standards on information sharing in democratic countries.

What Companies Do to Protect the Personal Information of Canadians Transferred Across Borders

Companies that are subject to PIPEDA or similar provincial legislation must comply with that legislation. It is important for the management of organizations subject to such laws to understand their responsibilities under the laws — for example, the obligations in PIPEDA to ensure the security of personal information. PIPEDA requires personal information to be protected by security safeguards appropriate to the sensitivity of the information.

Corporate leaders increasingly recognize that maintaining a high level of public trust in how personal information is handled is vital to achieve customer loyalty. It is also abundantly clear to corporate leaders that personal information holdings are key business assets that need to be protected against misuse.

And, finally, the Federal Commission has released a submission to the BC Privacy Commissioner in response to his request for submissions about the USA Patriot Act. (See previous blog entries: BC Responds to USA Patriot Act, Campaign in BC to Prevent Outsourciing and Labour groups raise outsourcing privacy fears.) The Commissioner's submission is available at http://www.privcom.gc.ca/media/nr-c/2004/sub_usapa_040818_e.asp

Labels: bc, british columbia, information breaches, outsourcing, patriot act, privacy