The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Privacy Calendar

Links

RSS FEED for this site

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Wednesday, November 03, 2004

Privacy and Public Libraries

Last week, I gave a presentation to a group of directors of public libraries in Nova Scotia. Library staff are regularly called upon to consider privacy issues, particularly in connection with public use internet stations. Police regularly ask for information related to who was using a particular terminal at a particular time, often in connection with threats made or other allegedely illegal conduct. In addition, some libraries are contemplating offering reading suggestions based on reader preferences, a form of "data mining".

PIPEDA applies in Nova Scotia and public libraries are not, by and large, engaged in commercial activities. While they were interested in PIPEDA, most of the discussion related to privacy best practices they can adopt to meet the growing expectation of their users. The presentation is available here: Privacy and Public Libraries

Labels: information breaches, libraries, presentations, privacy

11/03/2004 07:09:00 AM :: (2 comments) :: Backlinks

Comments:

Thanks so much for posting your presentation. Do I read it correctly to say that Canadian library users do not have legal protection for their records unless a public library formally adopts the Model Code (or a similar policy)? Are there any provincial laws that protect library user records?
Mary Minow, LibraryLaw Blog

# posted by

Anonymous : November 10, 2004 2:37 AM

We don't have consistent protection of library patron records in Canada. Our federal system divides jurisdiction between the federal government and the provinces. For example, the provinces have jurisdiction over property and civil rights in a province while the feds have jurisdiction over trade and commerce. The federal government came up with a federal privacy law in 2001, but have to rely on their trade and commerce power to implement it. This means that the Personal Information Protection and Electronic Documents Act (PIPEDA) only applies to "commercial activities", something that public libraries are usually not engaged in. (If they sell their member list, it is deemed to be a commercial activity and PIPEDA applies to the sale.)

Because the provinces have jurisdiction over civil rights, there is concurrent jurisdiction that means that provinces can legislate in the privacy area as well, and put in place laws with wider application. Here in Nova Scotia, the provincial government has not done so, meaning that PIPEDA applies in the province, but again only to commercial activities.

But all provinces have public sector privacy and access laws. Nova Scotia's is called the Freedom of Information and Protection of Privacy Act (FOIPOP), which governs records held by public bodies. I do not believe that public libraries are public bodies under FOIPOP, so there is no privacy protection under that law. (This may not be the case in other provinces. For example, public libraries are under the Ontario Municipal Freedom of Information and Protection of Privacy Act and under the Alberta Freedom of Information and Protection of Privacy Act.)

This leaves library users records unprotected in Nova Scotia, by either federal or provincial law. What I recommend is that libraries still follow the good information practices set out in the Canadian Standards Association Model Code for the Protection of Personal Information, which is the mandatory standard under PIPEDA. It requires (i) appointing a privacy officer, (ii) developing a privacy policy and a statement of purposes for which personal information is collected, used and disclosed, (iii) getting consent for the use of personal information, (iv) only using and disclosing personal info for the purposes for which it was collected and for which consent has been obtained, (v) only retaining information for as long as is reasonably necessary, (vi) safeguarding the info against all threats, and (vi) having a complaint mechanism. If you have a privacy statement that becomes part of the user agreement, it should be binding upon the library and give the users specific rights vis-à-vis their information. In my experience, users expect that their privacy will be respected and libraries should live up to that expectation.