John Higgins
Office of the Information and Privacy Commissioner/Ontario
National Association of Major Mail Users
April 22, 2002
Ontario Privacy Legislation
- Public Sector: Freedom of Information and Protection of Privacy Act (1988) and Municipal Freedom of Information and Protection of Privacy Act (1991)
- Private Sector: Proposed Privacy of Personal Information Act, 2002 (“PPIA”)
Roles of the IPC
- Resolve appeals from access decisions by government organizations
- Investigate privacy complaints about government-held information
- Conduct research on access and privacy issues and advise on proposed government legislation and programs
- Educate the public about access and privacy
The Invisible Data Trail
- ATM withdrawals, credit or debit card use
- Car or video rentals
- Insurance claims
- Internet cookies and web bugs
- Global positioning technology in cars, cell phones, and PDAs
- Video surveillance
What is Privacy?
- In 1890, U.S. Supreme Court Justices Brandeis and Warren publish an essay called “The Right to Privacy”
- They define privacy as “the right to be let alone”
Voluntary Privacy Codes
- OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980)
- Canadian Standards Association Model Code (1996)
EU Data Protection Directive
- Adopted by European Union in 1995
- Restricts flow of personal information outside member states to countries that have adequate privacy protection in place
- Legislative action by Canada (PIPEDA) and proposed Ontario bill are designed in part to facilitate business with EU firms
Personal Information Protection and Electronic Documents Act (PIPEDA)
- Canada’s federal private sector privacy law
- Incorporates CSA Code as a schedule
- Has applied to commercial activities as of January 1, 2001
- Until January 1, 2004, applies only to federally regulated undertakings (banks, airlines, etc.) and to sales of personal information across provincial borders
- As of January 1, 2004, applies within any province that has not passed a “substantially similar” law
Ontario’s Draft Privacy of Personal Information Act, 2002
- Consultation paper published in 2000
- Consultation Draft released by Ministry of Consumer and Business Services on February 4, 2002
- Available on websites of the IPC and the Ministry of Consumer and Business Services
PPIA - Background
- Joins provisions formerly planned for two separate Acts – one for health and one for rest of private sector
- Replaces former Bill 159, the Personal Health Information Privacy Act, which never became law
- Some other provinces have health privacy acts, but only Quebec has a private sector privacy law
PPIA - Application and Scope
- Applies to organizations, not including individuals “acting in a personal and non-commercial capacity”
- Broader than PIPEDA – applies to voluntary/charitable sector
- Includes not-for-profit groups, universities and hospitals
- Covers personal information of employees
PPIA - Purposes
- Recognizes the “… privacy right of individuals to control the collection, use and disclosure of their personal information by organizations and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.” (s. 1(c))
Consent under PPIA – s. 19(1)
An organization shall not collect, use or disclose personal information about an individual unless it has obtained the individual’s consent under this Act or this Act permits the collection, use or disclosure, as the case may be.
Consent under PPIA – s. 8(1)
If this Act requires the consent of an individual to the collection, use or disclosure of personal information, the consent may be express or implied, except that the following consents must be express:
- A consent to the collection of personal health information by an organization that is not a health information custodian.
- A consent to the collection, use or disclosure of genetic information.
- A consent that this Act provides must be express, and not implied.
Consent under PPIA – s. 8(2)
If an organization is in doubt as to whether or not it has consent to the collection, use or disclosure of personal information, it shall obtain express consent to the collection, use or disclosure.
Implied Consent – PPIA s. 8(5)
The consent of an individual … may be implied only if,
- in all the circumstances, the purpose of the collection, use or disclosure as the case may be, is reasonably obvious to the individual … ;
- it is reasonable to expect that the individual … would consent to the collection, use or disclosure; and
- the organization uses or discloses the information for no purpose other than that for which it was collected.
IPC Submissions on PPIA
- Clarify reasonable application of express and implied consent
- Including use of opt-in and opt-out for marketing purposes and relation to express and implied consent
- Questions any prohibition of opt-out as creating possible harmonization problems with PIPEDA
Proposed IPC Approach
- Co-operative, non-confrontational approach to businesses while ready to enforce the law
- Published orders
- Clear directions to organizations subject to the law
How to Contact the IPC
Information & Privacy Commission, Ontario
80 Bloor St. W., Suite 1700, Toronto, M5S 2V1
Phone: (416) 326-3333
Web: www.ipc.on.ca
E-mail: info@ipc.on.ca