In April I wrote a column in which I posed the question “Are lawyers paying enough attention to privacy?” Based on some high profile privacy breaches and extensive discussions with practitioners I have met and worked with in the past, my unfortunate conclusion was no. As I mentioned in the previous post, I believe that this state of affairs largely arises from the deep history of protection of confidentiality within the legal profession and the mistaken notion that protecting confidentiality equals protecting privacy and ensures compliance with the legal requirements that surround the protection of privacy and use of information. In my previous post I concluded with a brief list of a few important requirements that law firms must abide by, including the requirement to appoint a privacy officer and the necessity of explaining to clients how their information will be used and disclosed. In this post I will expand on these thoughts and discuss how lawyers can begin to take privacy and use of information seriously through the application of ten core privacy and use of information principles.
The legislative framework governing privacy and use of information in Canada for private sector organizations is set out by the Federal Personal Information Protection and Electronic Documents Act. This act applies to all private sector organizations in Canada unless exempted by the Act or unless they reside in a province that has established a similar legislative regime. Currently jurisdictions that have enacted such similar legislation include British Columbia (Personal Information Protection Act), Alberta (Personal Information Protection Act) and Quebec (An Act respecting the protection of personal information in the private sector).
While the exact provisions contained within each of these acts do differ somewhat, all privacy law in Canada incorporates to some extent a series of consistent principles that can be used as a foundation for the development of a strong privacy and information management system. The ten principles discussed below have been established by the Canadian Standards Association and are an expansion of a set of principles originally set down by the Organization for Economic Co-operation and Development. The principles are as follows:
- Be Accountable: Every organization must assign responsibility for privacy and designate an individual who is responsible. This individual is most often called a privacy officer; however, the privacy officer may have other duties within the organization. For example, your managing partner or office manager may be assigned the role of privacy officer in addition to their regular duties.
- Identify the Purpose: Every organization must tell the individual whose information it is collecting the purpose of the collection. Typically this takes the form of a privacy notice and/or use of information policy that is either included in the document that collects the information (such as a client intake form) or published as a general notice in a conspicuous location (such as the waiting room or firm website).
- Obtain Consent: The knowledge and consent of the individual are required for the collection, use and/or disclosure of personal information. Consent can be explicit or implicit and further details regarding the distinction can be found in all private sector privacy legislation in Canada.
- Minimize Collection: Every organization that is collecting personal information must collect only what they require and nothing more. The most common test in this regard is to collect information only for purposes that a reasonable person would consider appropriate in the circumstances.
- Limit Use, Disclosure and Retention: Organizations must ensure that they are limiting the use, disclosure and retention of personal information. When organizations are asked to share personal information they must make sure that the relevant legislation permits the disclosure and then disclose only the minimum of information necessary.
- Be Accurate: Every organization must ensure that the personal information that they are retaining is as accurate, complete and up to date as is reasonably necessary for the purposes for which it is intended to be used.
- Protect Information: Every organization must put safeguards in place to protect personal information. Safeguard measures commonly include administrative safeguards (such as policies and procedures), physical safeguards (such as locking filing cabinets) and technical safeguards (such as strong passwords and adequate file encryption).
- Be Open: Organizations must make their privacy policies available to people who request them.
- Be Prepared to Provide Access: Every organization must be prepared to, upon request, inform an individual whether or not the organization holds personal information about the individual.
- Be Prepared to Receive Complaints: An organization must have procedures in place to receive and respond to complaints or inquiries relating to the organization's handling of personal information.
The law regarding privacy and use of information is a developing and therefore shifting landscape. Indeed, the Supreme Court of Canada recently delivered its decision in Alberta (Information and Privacy Commissioner) v United Food and Commercial Workers, Local 401, which found the Alberta Personal Information Protection Act to be constitutionally invalid. This decision will mean that we will see an overhaul of the Alberta legislation within the next 12 months, as well as likely changes to the BC Personal Information Protection Act, which is very similar. Despite this shifting legislative landscape, the ten principles outlined above continue to form the foundation for privacy law in Canada for private organizations, and this is unlikely to change in any substantive way. These principles are therefore an excellent foundation for any legal services provider to consider when implementing a privacy and use of information management system within their office.