There is little doubt that privacy is a hot topic these days in Canada. Recent news stories include the loss of student loan recipient personal information by Human Resources and Skills Development Canada in January of 2013 and the loss of a data stick containing the personal information of approximately 5000 Canadians by a federal government lawyer working on their Employment Insurance appeals in November of 2012.
These news stories, as well as experiences I have had with lawyers through my practice, have caused me to ask the question posed by the title of this post, and to come to the unfortunate answer, in many cases, of no. At the heart of my concerns are not the actions of one lawyer losing one data stick, but more of a pervasive attitude that I have witnessed among certain members of the profession. The attitude is characterized by a mistaken belief that maintaining a client’s confidentiality, as is the professional duty of every lawyer, is equivalent to complying with the laws surrounding privacy and protection of information. The underlying theory is that a lawyer’s duty to maintain confidentiality is somehow a stricter standard of information control and therefore if one is complying with this standard then one needn’t worry about the lesser regulations surrounding privacy and protection of information. This is a mistaken viewpoint. The laws regarding privacy and protection of information in Canada do at times overlap with a lawyer’s duty regarding client confidentiality; however, there are many circumstances in which a lawyer may be in compliance with confidentiality rules but offside of privacy and protection of information laws.
Before I identify a few of these circumstances, I should note that there are of course many lawyers and law firms that do an excellent job of complying with the laws regarding privacy and protection of information and that most mid to large firms in the country have a strong handle on this topic. I have found a lack of understanding in this area to be most prevalent with solo practitioners and those in small firms who may lack the resources to deal with this issue and therefore resort to the mistaken assumption outlined above. Even so, this is a concerning development in that a significant number of lawyers in Canada practice in a solo or small firm environment (in British Columbia 51.2% of all lawyers in the province practice in firms of 5 or fewer lawyers). It is therefore essential that these lawyers familiarize themselves with the laws regarding privacy and protection of information in their jurisdiction.
The law in this area is set out by either the federal Personal Information Protection and Electronic Documents Act or by a similar provincial act in some jurisdictions such as British Columbia, Alberta and Quebec. A detailed discussion of the legislative scheme surrounding privacy and protection of information in Canada is outside the scope of this post; however, there are a number of requirements that lawyers should be aware of where compliance with the duty of confidentiality will not satisfy the applicable laws regarding privacy and protection of information. These include:
- The requirement to appoint a designated privacy officer who is responsible for compliance with the applicable legislation;
- The necessity to provide an explanation to clients regarding the purposes of the collection and use of all personal information;
- The need for disclosure and consent if any personal information is used for a secondary purpose. For instance, if a client’s information was collected in order to facilitate the provision of legal advice and the lawyer subsequently uses the information to further market their services to the client, this is a secondary use and would require consent and disclosure;
- The requirement to provide access to a client’s personal information upon written request within a reasonable time and at little or no cost to the client.
In addition to the above, there are various particular issues that lawyers should be aware of in regards to privacy in a civil litigation context. These include the fact that the federal act differs from the acts in force in British Columbia and Alberta in its treatment of personal information available by law in a legal proceeding.
Privacy and protection of information is a complex and rapidly developing legal field and the above post is meant as a discussion point and is not in any way a complete statement of the myriad issues that lawyers must be aware of in order to discharge their responsibilities in regards to privacy and protection of information. It is recommended that all lawyers review and familiarize themselves with the appropriate law in their jurisdiction. Through continued research, education and discussion surrounding this topic, it is my hope that all lawyers, no matter the size of their practice, can put in place policies and procedures to ensure compliance with the applicable laws and provide their clients with the highest levels of privacy and protection of information.