Privacy Law for Network Administrators Steven Penney Faculty of Law University of New Brunswick.

Date post: 11-Jan-2016

Privacy Law for Network Administrators

Steven Penney

Faculty of Law

University of New Brunswick

Overview

• Criminal Code

• Public sector privacy legislation

• Private sector privacy legislation

• Sector-specific legislation

Criminal Code

Interception and seizure of private communications

• Prohibitions

– Wire-to-wire communications

– Wireless (radio-based) communications

– Systems manager exception (quality control, unauthorized use, mischief)

• Interception (wiretap) warrants

– Content

– Routing (“envelope”) data

• Search and seizure warrants

• 3d party production orders

Public sector privacy legislation

• Privacy Act

– “Personal information” under control of a “government institution”

• Provincial legislation

Private sector privacy legislation

PIPEDA

Personal Information Protection and Electronic Documents Act

History

• EU Directive (1995)

– “adequate level of protection”

• CSA Model Code (1996)

• Phased implementation

– Full effect January 1, 2004

Jurisdiction

• Commercial activities (federal & provincial)

• Employee information (federal only)

• Exemptions

– Privacy Act

– Personal or domestic purposes

– “substantially similar” provincial statutes (intra-provincial information only)

Overview

• Personal information

• Privacy principles

• Oversight and enforcement

Personal Information

• Definition

– “information about an identifiable individual . . . [except] the name, title or business address or telephone number of an employee of an organization”

• Intimacy not required

• Collection v. generation irrelevant

• Anonymity and aggregation

Privacy Principles

Interpretive tools

• Schedule (“shall” v. “should”) (s. 5(2))

• Reasonableness (s. 5(3))

– “An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.”

The Schedule

Accountability

• Designated person

• 3d party transfers

– Mere processing (contractual protections)

– Disclosure (must comply with Act)

Notice of purposes

• New purposes

Informed consent

• No conditions for non-essential information

– e.g. “no SIN, no connection”

• Form of consent

– Sensitivity of information

– Express v. implied

– “Opt-in” v. “opt-out”

• Withdrawal of consent

– Subject to legal and contractual restrictions

Exceptions to consent

• Collection

– Interests of person and consent can’t be obtained

– Investigation of breach of contract or law

– Journalistic, artistic, or literary purpose

– Publicly available and in regulations

• Use

– Investigation of breach of law

– Health or security emergency

– Statistical or scholarly research (restrictions)

– Publicly available and in regulations

– Collected under ss. 7(1)(a) or (b)

Exceptions to consent (cont’d)

• Disclosure

– Organization’s lawyer

– Debt collection

– Court order

– Law enforcement and national security (where legal entitlement)

– Investigation of breach of contract or law (to or by investigative body)

– Health or security emergency

– Statistical or scholarly research (restrictions)

– Archives

– 100 years or 20 years after death

– Publicly available and in regulations

– Compliance with law

Limiting collection

• Only for identified purposes

Limiting use, disclosure and retention

• No additional purposes without consent

• Retain only for as long as necessary to fulfill purpose for which information collected

• Retain long enough to enable access to information used for decision

• Guidelines and procedures encouraged, including minimum and maximum retention periods

Accuracy

• Accurate, complete, and up-to-date

Safeguards

• Loss or theft, unauthorized access, etc.

• Measures vary with sensitivity of information

• Technological measures (e.g. encryption)

• Employee training

Openness

• Policies in readily accessible form

• Contact information

• Means for access to information

• General description of types of information held

Access

• Confirmation of existence

• Right of review

• Disclosure of information to third parties (list)

• Minimal or no cost

• Due diligence and time limits

• Amendment and corrections

Exceptions to Access

• 3d party information

• Solicitor-client privilege

• Confidential commercial information

• Health or security of 3d party

• Compromise legal investigation

• Information generated from formal dispute resolution process

• Notification of access request to government for law enforcement (government veto)

Challenging compliance

• Procedures and notification

• Duty to investigate

• Appropriate remedies

Oversight and Enforcement

Privacy Commissioner

• Complaints

• PC’s power to initiate

• Investigative powers and mediation

• Reports (confidentiality and shaming)

• Audits

• Education, research, and compliance assistance

Federal Court

• Complainant

• Privacy Commissioner

• Remedies

Provincial Legislation

• Non-commercial

• Employees in provincial sector

• Commissioners’ order-making powers

• Jurisdictional issues

