"PIPEDA" is an acronym for the "Personal Information Protection and Electronic Documents Act". It is a federal law of Canada. The following are notes on the law and a summary of its key points. The summary begins under the "PIPEDA Main Sections" section. However, the part that is most easily understood and most relevant to this project is the last part, namely, "Schedule 1". Schedule 1 addresses concretely the requirements for organizations that collect, use, and disclose personal information. The notes for Schedule 1 appear last.
Before summarizing PIPEDA itself, this section outlines our responsibility with regard to personal information (PI), and is derived from "Schedule 1, Principles of Protection of Personal Information".
Some of our projects involve the collection of user preferences. Now, it is debatable whether these preferences constitute PI that is subject to privacy. I am going to ignore that debate in what follows. If user preferences are considered private PI, then there are obligations on our organization. On the other hand, if the preferences are anonymous and privacy is not an issue, then well and good. Still, in either case, we need to develop and publish a policy regarding privacy, even if this policy is a statement to the effect that we do not deem private the preferences information we collect.
- Define a policy with respect to the collection, use, and disclosure of PI. This policy must be explicit and public – the organization is required to inform individuals what it is doing with their information. This can be a general public web page stating the policy, or can occur in situ when individuals are interacting with the application that is collecting PI, or both.
- Define a policy for handling inquiries from individuals about their PI. This also needs to be explicit and open – the organization is required to inform individuals how they can make inquiries and complaints about the PI they have entrusted to the organization.
- Designate an individual within the organization who:
  - Ensures that the policies are published.
  - Ensures that the policies are followed internally.
  - Ensures that the policies are updated or modified as required.
  - Is the contact person for inquiries and who handles the inquiries.
PIPEDA Main Sections
- Protection of Personal Information (Division 1)
- Division 2, Remedies
- Division 3, Audits
- Division 4, General
- Schedule 1: Principles of protection of personal information
The full text of the act is available on the Government of Canada web site.
- Defines rules for institutions and organizations that gather information about individuals and store that information in a digital or non-digital format.
- The rules govern how institutions may disseminate personal information while protecting the privacy of the individual.
- The rules are conservative in the sense that it is better to protect an individual's privacy than not. In general, "respect personal privacy and be very cautious about giving personal information to third parties."
- Term: "personal information"
  - "information about an identifiable individual" (PIPEDA, Part 1, Interpretation, Definitions).
  - Comment: this is why it is debatable whether user preferences should be kept private: is there a way to identify an individual based on their preferences? Is there a link from those preferences to an individual – yes there is – that can be used to identify them?
- Term: "personal health information"
  - information about physical and mental health of an individual
  - information about health services used by an individual
  - information about bodily donations (e.g., blood) by the individual
  - information collected about the individual during the course of treatment
- Term: "should"
  - take as a recommendation, not as an obligation.
- Term: "shall"
  - an obligation; equivalent to "must" in RFC 2119
- Terms: "knowledge" and "consent"
  - Knowledge: the individual is aware or made aware of X.
  - Consent: the individual agrees to X.
- Terms: "implicit" vs. "explicit"
  - Applied to "knowledge" and "consent" – the type of knowledge or consent.
  - Consent does not imply knowledge, since in some cases, consent is implied by the context.
  - An individual's explicit consent is valid only if it is reasonable to expect that the person is capable of giving consent.
    - an example where explicit consent is not valid is when the individual is underage.
- Terms: "collect" vs. "use" vs. "disclose"
  - Collect: gather PI about an individual, with or without knowledge or consent.
  - Use: use PI internally for the purposes defined by an Org, with or without knowledge or consent.
  - Disclose: share PI with a third party, with or without knowledge or consent.
- The terms "knowledge" and "consent" are orthogonal to the terms "collect", "use", and "disclose"
  - Can mix and match. For example:
    - Collect with knowledge of the individual, but not with their consent.
    - Collect with knowledge and consent; use with knowledge but without consent.
    - Collect and use with knowledge and consent, but disclose with neither.
  - the act provides rules for the different combinations.
- (a) if collection is clearly in the interest of the individual, but consent cannot be obtained in a timely manner
- (b) if seeking consent would compromise the accuracy of the PI
- when PI is contained within a witness statement for the purpose of an insurance claim
- when collection is solely for journalistic, artistic, or literary purposes (verify this)
- when the PI is publicly available
- (e) in some cases when the purpose of the collection is disclosure – see disclosure rules (f) and (g) under "Disclosure"
There are rules for when an Org can use PI without knowledge or consent:
- if it is reasonable to believe that use is useful to an investigation of a contravention of the laws of Canada.
- if the PI is useful in an emergency where an individual is at risk: life, safety, health, or security.
- if PI is contained in a witness statement and the use is necessary for an insurance claim.
- if the PI was produced by the individual as part of their job, business, or profession (E.g. ?)
- if PI is used for statistics or scholarly study, where:
  - the study cannot be successful without using the PI, AND confidentiality is ensured, OR
  - it is impractical to obtain consent and the Org informs the Privacy Commissioner of the use beforehand.
- if the PI is publicly available and regulations state that it can be used.
- if the PI was collected as per (a), (b), or (e).
- to the Org's lawyer (technically: an advocate/notary of Province of Quebec, or barrister/solicitor in other provinces).
- for purposes of collecting a debt owed by individual to Org.
- when required by subpoena or warrant.
- to a government institution when it relates to:
  - (f) national security of Canada,
  - enforcing a law (Canada, provincial, or foreign jurisdiction),
  - investigation relating to that law,
  - gathering intelligence relating to that law,
- to communicate with next of kin or authorized representative in case of injury, illness, or death of the individual.
- to the government institution mentioned in section 7 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act as required by that section.
- when initiated by the Org to a government institution, when the Org:
  - has grounds to believe the PI relates to breaking a law of Canada, province, or foreign jurisdiction,
  - (g) or suspects the PI relates to national security, defense, or the conduct of international affairs of Canada.
- by the Org to another Org regarding a breach of law, and disclosure with knowledge or consent would compromise the investigation.
- by the Org to another Org regarding fraud, and disclosure with knowledge or consent would compromise prevention, detection, or suppression of the fraud.
- by the Org to the government because:
  - there are grounds that the individual is a victim of financial abuse,
  - and disclosure is for the sole purpose of preventing or investigating said abuse,
  - and knowledge and consent of the individual would compromise prevention or investigation of the abuse.
- by the Org to the government or next of kin/authorized-representative with respect to injury, illness, or death of the individual.
- (h) BUT, if the individual is alive, Org shall inform the individual of the disclosure in writing ASAP.
- to a person who needs the PI because of an emergency that threatens the individual.
- of PI relating to an insurance claim.
- of PI produced by the individual in the normal course of their job.
- for statistics/scholarly research and it is impractical to obtain consent, BUT the Privacy Commissioner is notified of the disclosure.
- to an institution that acts as a record keeper of historic or archival importance.
- made 100 years after collecting the PI, or 20 years after the death of the individual, whichever is earlier:
- for PI that is public,
- for disclosure that is required by law.
- an individual may file a complaint in writing with the Privacy Commissioner against an Org if they feel the Org is not following Schedule 1.
- the Privacy Commissioner may initiate a complaint against an Org if there are reasonable grounds.
- if an individual makes an access request (principle 4.9 of Schedule 1), and the Org refuses the request, the individual can file a complaint. The complaint shall be filed within six months of the refusal, or any longer period that the Commissioner allows.
- the Commissioner shall notify the Org of the complaint.
- the Commissioner may discontinue the investigation if:
  - there is insufficient evidence
  - "the complaint is trivial, frivolous or vexatious or is made in bad faith"
  - the Org has made a reasonable response
  - etc. (meaning: numerous cases with wording that references other subsections/paragraphs along the lines of, "circumstances mentioned in paragraph 12(1)(a), (b) or (c)")
- Confidentiality: As a baseline, the Commissioner or delegates shall not disclose any information discovered in the course of performing their duties. However:
  - Public Interest: The Commissioner or delegates may disclose any information if they consider it in the public interest
  - Disclosure of necessary information:
    - if required to conduct an investigation
    - for establishing grounds for findings and recommendations
  - Disclosure in the course of proceedings:
    - a prosecution for an offence
    - a hearing before a Court
    - an appeal from a decision of the Court
    - a judicial review of the performance of the Commissioner
  - Various other restrictions, or lack thereof, regarding disclosure with respect to other acts
- Protection of the Commissioner: no criminal nor civil proceedings shall be taken against the Commissioner or delegates for anything they have done in good faith
- Defamation: any audit, report, or other information supplied by the Commissioner in good faith is not subject to a claim of defamation
- Provincial: The Commissioner may consult, make arrangements or agreements, and share information with his analog at the provincial level
- Foreign States: in certain cases, the Commissioner may consult, make arrangements or agreements, and share information with his analog in another country
- Promotion: The Commissioner shall develop information programs to foster public understanding of privacy and the protection of PI
- Annual Report: The Commissioner shall, with the provinces' help, submit to Parliament a report regarding the extent to which provinces have enacted legislation similar to PIPEDA. The report is due each financial year.
- Any person who believes that another person has contravened Division 1, may notify the Commissioner and request that their identity be kept confidential
- No employer shall dismiss, suspend, demote, discipline, harass or otherwise disadvantage an employee who has notified the Commissioner as above
  - "employee" includes independent contractors
- Offence: Any person who knowingly contravenes or obstructs the Commissioner or delegates with respect to a complaint or audit is guilty of:
  - a summary conviction and liable to a fine not exceeding $10,000, or
  - an indictable offence and liable to a fine not exceeding $100,000.
Schedule 1, Principles of Protection of Personal Information