Protecting personal information

Submission to the Government of Canada in response to the discussion paper “The Protection of Personal Information: Building Canada’s Information Economy and Society”

The B.C. Civil Liberties Association (BCCLA) is a non-profit, charitable, citizens-based organization that, since 1962, has worked to protect the civil liberties of British Columbians. The BCCLA considers privacy to be an important and vital civil liberty in our democratic society. Over the past decade in particular, the BCCLA has devoted significant resources to the protection and enhancement of privacy through education, research, law reform work, personal advocacy and litigation. Thus, the BCCLA applauds the federal government for its initiative to create privacy legislation that would apply to the private sector.

As an organization that promotes the importance of citizen participation in democratic decision-making, we also wish to recognize the efforts of Industry Canada and the Department of Justice to solicit the perspectives of a wide diversity of Canadians and organizations on this issue. We thank you for the opportunity to share our views. This consultation will likely result in better and more legitimate privacy legislation.

Our submission will respond to some of the specific questions raised in “The Protection of Personal Information—Building Canada’s Information Economy and Society” (the “discussion paper”). In addition, we will comment on many of the assertions and assumptions within the document.

1. Privacy as a fundamental right

Federal legislation to protect personal information of citizens should explicitly recognize privacy generally, and information privacy specifically, as a fundamental right.

Though the discussion paper makes some reference to the importance of information privacy as a right, the primary motive for protecting personal information is its instrumental importance to promote and facilitate electronic commerce. This premise is captured both in the title of the discussion paper and in the following quote:

For Canada to become the most connected country in the world by the turn of the century, all of us—consumers, business and government—need to feel confident about how our personal information is gathered, stored, and used. (at 2)

This thrust for creating legislation appears throughout the document.

Under the subtitle “Why Current Protection is No Longer Enough”, various reasons are given for the need to create a law covering the private sector. They include: to promote consumer confidence; the easy manipulation of personal information using technology; private sector organizations are as big a collector and user of personal information as governments; other government agencies are not able to adequately regulate industry; voluntary initiatives, though important, will not provide adequate protection for personal information; and Canada needs a law to avoid a non-tariff trade barrier created by the European Community’s 1995 Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (the “European Community Directive”).

All of these are legitimate factors that point to the benefits of creating privacy legislation for the private sector. Indeed, it seems a savvy strategy to win over private sector interests by arguing that privacy legislation will make their services more marketable to both Canadian consumers and overseas clients.

Yet, the BCCLA believes that the primary reason for creating a law to protect information privacy in the private sector must be that privacy is a fundamental right. Canadian courts have recognized elements of privacy as part of constitutional rights in sections 7 and 8 of our Charter of Rights and Freedoms.1 The Privacy Commissioner of Canada has also expressed the need for extending protections of privacy to the private sector2 as has David Flaherty, the Information and Privacy Commissioner for B.C.3

Why is privacy so important? Privacy is such an important value in our society because it plays a central role in many of the liberties and freedoms we enjoy in Canada. Without privacy, our rights to freedom of religion, speech and association would be seriously undermined. We can think of three important reasons for protecting privacy: to avoid harm from the disclosure and manipulation of our personal information, the importance of privacy to our democratic society and the important role privacy plays in our psychological well being.4

Therefore, any new federal or provincial legislation that purports to protect the information privacy of citizens should state explicitly that information privacy, as a subset of privacy more generally, is a fundamental right shared by all Canadians.

2. Legislation must be broad in scope and cover employees

Proposed federal legislation must protect employees as well as “consumers” and citizens more generally.

The discussion paper uses the nouns “citizens” and “consumers” interchangeably. The protection of consumer interests including the privacy of consumers is important. However, the BCCLA does not believe that privacy legislation in the private sector can or should be justified on the need to protect consumer interests alone. In our view, it is more appropriate to use the noun “citizen” when discussing a law for the private sector since many individuals’ information privacy interests do not arise in their status as consumers. Further, the use of the word “citizen” better reflects the democratic nature of our society upon which legislative protection must be justified. The use of the noun “consumer” reflects a more narrow approach that justifies protecting information privacy only as a matter of commercial transactions.

We add as a note of caution that even the word “citizen” may not be adequate since presumably the law would cover those who do not have the formal status of a citizen: e.g. visitors, landed immigrants, etc., though protection ought to be extended to non-citizens simply due to their status as individuals worthy of respect as opposed to their status as “consumers”.

It is not clear from the discussion document whether the legislation would extend privacy protections to employees of organizations covered by a law. Given the use of the word “consumer”, one might conclude that the proposed law will not cover employees. This would be a grave mistake.

The BCCLA submits that any proposed law must cover the employees of organizations as well as any other person about whom the organization collects personal information or intrudes upon their privacy.

New technologies are transforming the workplace into sites of extraordinary surveillance of individuals. Employers are now able to garner an incredible array of information about the activity of employees not only during working hours but in their own private lives as well (e.g. drug testing).5 And employers are increasingly using such technology. If the principled motive for creating a law is to protect privacy as a fundamental right, this law must also apply to the employees of organizations.

3. The CSA Model Code needs supplementation

The BCCLA supports the use of the Canadian Standards Association Model Code for the Protection of Personal Information subject to the addition of one important principle: “Justification”.

The BCCLA supports the proposal to use the principles contained in the Canadian Standards Association (CSA) Model Code as the basis for creating obligations in legislation, subject to one crucial addition discussed below. The Model Code was developed after considerable debate and discussion by a diverse group of interests. The process that was used to arrive at the principles gives the Model Code considerable credibility as a starting point. The fact that it was arrived at on the basis of consensus decision making further underscores its value as a foundation for legal principles.

However, though the Model Code is good as far as it goes, the BCCLA submits that it does not go far enough to fully protect information privacy. Privacy can only really be safeguarded when the person whose privacy is at issue has principal control over when, how, where, to what extent and with whom she will share any of her personal information. Metaphorically speaking, privacy is protected only when it is an individual’s own choice to open the window into her private life. As long as someone else can open that window, without her knowledge and consent, then she does not have true self-determination over her informational privacy.

There are many principles included in the CSA Model Code that seek to protect personal control over personal information. These include identifying purposes (principle 2), limiting collection (principle 4), and limiting use, disclosure and retention (principle 5). Perhaps the principle of consent (principle 3) is pre-eminent in safeguarding information privacy.

Yet these principles do not adequately enshrine self-determination because they effectively permit others to open the window into a person’s private life. For example, unlike consumers who usually have a choice to seek services elsewhere if they do not like a business asking for personal information (as long as the whole industry does not also follow the same invasive practice), employees who are subject to drug testing as a condition of employment have no real choice. They either “consent” to the collection of their personal information or they look elsewhere for work. Where the employment market is weak and where the practice is widespread, the protection of privacy through the principle of “consent” becomes seriously diluted by such a practice. Another example of this problem, though in the context of a public body, was the recent controversy over the B.C. government’s requirement that applicants for and recipients of social assistance “consent” to an extraordinarily wide collection and disclosure of personal information if they were to be eligible for assistance. Free choice with respect to consent in many transactions simply does not exist. Thus, the principle of “consent” is not itself adequate.

To bolster citizens’ ability to control their own personal information, we submit that the principle of “justification” be added to the list of principles in the CSA Model Code. In a word, this principle would limit organizations to collecting personal information only when there is a good and legitimate reason to do so. This principle would not only require the organization wanting to gather personal information to state why it needs the information (principle 2—purpose) but, if challenged, it would be under an obligation to justify its request for information in the first place.

Of course the next issue then becomes what is a legitimate justification for collecting personal information and what is not. This issue is difficult to address in the abstract without considering concrete cases. Likely, in many cases, an organization has a good and legitimate reason for wanting to collect personal information that would easily satisfy this obligation. At this point, the BCCLA is not able to neatly define what might count as legitimate and what might not. Certainly jurisprudence would help to flesh out the meaning of this principle though in the interests of predictability and fairness it may be useful to have some guidance in the law itself.

Adding this principle provides citizens with further ability to assert control over their own personal information by allowing them to challenge the reason for the collection of their personal information. An organization would bear the burden of justifying its practice and may be subject to independent scrutiny.

Precedent for a principle of justification can be found in other legislation protecting personal information. For example, in section 4 of Quebec’s Act Respecting the Protection of Personal Information in the Private Sector “[A]ny person carrying on an enterprise who may, for a serious and legitimate reason, establish a file on another person must, when establishing the file, enter its object.” (emphasis added) This provision requires more than an organization simply stating the purpose of the file. This provision also implies that enterprises may only collect personal information if they have a serious and legitimate reason in the first place. Thus, a person who feels aggrieved by an organization’s creation of a file may challenge the collection on the basis that there is no serious and legitimate reason to collect the information in the first place.

In addition, Article 6 of the European Community Directive states that member states shall provide that personal data must be (1)(b) “collected for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes.” (Emphasis added) Again, this provision at least implies that organizations that collect personal information must have legitimate justification for that collection.

4. Legislation must cover intrusive processes as well as records

Federal legislation must explicitly apply to the process of intruding upon privacy as well as safeguards for the protection of personal information within a record or file.

Unless federal legislation applies to the process of intrusions into privacy, then safeguards for personal information will not provide complete protection for privacy of citizens.

Two examples will help to illustrate the need for the law to apply to processes as well as records of personal information per se.

  1. The BCCLA has a longstanding concern about the policy of the B.C. Racing Commission to test licensees for the use of drugs pursuant to provisions in our provincial Horse Racing Act. At the time the BCCLA first became aware of this issue, the Racing Commission was testing not only jockeys but any and all licensees up to and including the owners of horses. The BCCLA launched a complaint against this regime of drug testing to the Information and Privacy Commissioner of B.C. In his response, David Flaherty pointed out that the legislature had explicitly enacted this authority and that the “collection of urine does not involve the creation of a “record” as that term is defined in Schedule 1 of the FOIPP Act. Therefore, my jurisdiction to challenge the propriety of urine, blood, tissue or saliva collection and procedures is limited.”6 Mr. Flaherty went on to note that records created by the testing of these samples would fall within his mandate.
  2. The second example relates to BCCLA concerns about the practice of a school board in British Columbia to require, as a condition of use, the consent of parents to permit locker searches of their children’s school lockers at any time. Again, the BCCLA complained to the Information and Privacy Commissioner that this practice unreasonably violated students’ privacy. And again, the Commissioner declined to investigate on the basis that his jurisdiction did not involve the assessment of the process of collecting personal information or intruding upon privacy interests but rather simply on the existence of a “record” that contains personal information.

These examples illustrate the need for a law that applies to the practices and processes of organizations that impinge on privacy interests of citizens whether or not they ultimately result in the creation of a “record” of personal information. Surely, the collection of an individual’s body fluids or tissue should be covered by the proposed legislation whether or not the fluid or tissue is ultimately tested to extract personal information. Actions that lead to intrusions on privacy must be of as great a concern as how personal information may be manipulated after it is collected. If legislation merely focuses on the latter, it can provide only a partial and false sense of privacy security.

5. Sectoral codes

The BCCLA supports in principle the use of codes of practice for particular industries or sectors. We recognize that, to date, various industry/sectoral associations have spent considerable resources in creating privacy codes of practice for their specific members that conform to the CSA Model Code. These industry specific codes may assist considerably in fleshing out private sector organizations’ responsibilities under any proposed legislation. There are several principled reasons for supporting the use of codes of practice under proposed legislation:

  • development of the code permits members of the “regulated” industry or sector to have considerable input into the rules that it must live by; the BCCLA perceives this as a positive form of participatory democracy.
  • rules that have been developed with the input of those who must follow the rules tend to have a better chance of securing a higher level of compliance.
  • codes would perform a salutary educative function: those regulated will likely be more familiar with their obligations (thus promoting compliance); citizens who have their privacy interests affected will also likely become more aware of those interests.
  • Codes provide greater detail in relation to legal obligations outlined in general principles thus providing better guidance for those regulated under the law to understand and meet their legal obligations.

Obligations in a code of practice must be at least as stringent, if not more, than the general obligations in a proposed law.

With respect to the issue regarding what effect these codes would have, the BCCLA prefers the Dutch model: codes of practice would assist in the interpretation of general obligations under the law but would not themselves have legally binding force. In other words, evidence of compliance with a code of conduct would assist in proving compliance with general obligations but would not itself be determinative of compliance. Conversely, evidence of non-compliance with a sectoral code would be evidence of non-compliance with general obligations but not itself determinative of the matter.

The BCCLA prefers this model because it provides greater flexibility and efficiency since a code could be generated in much less time than if the code had the full force of the law. Furthermore, this model does not take away the responsibility of our elected officials to do the job they have been given a mandate to do: to govern in the public interest. The New Zealand model seems to us to be an abdication of traditional rules of parliamentary sovereignty in that legislators are not really responsible for creating rules. Further, our preferred model preserves the discretion of oversight agencies.

If sectoral codes of practice are to be part of the overall framework of legislation, two further questions arise. Who should develop them and who, if anyone, should approve them?

Sectoral codes will have some legitimacy only if there is an inclusive process in their creation. It would not be appropriate if those regulated in a particular sector are the only parties to a process that creates a code. It is critical that the code involve the full and equal participation of those whose information privacy interests are at stake. Funding for public interest participation should be provided. Consensus based decision making should be the modus operandi of any decision making process.

With respect to “approval” of a code of practice, the BCCLA believes that it is important that a code gets some sort of official stamp of “recognition” (in contrast to “approval”) before it can play a role in assisting in interpretation of the law. This stamp would be forthcoming as long as the process for creating the code was fair and inclusive and the code does not create any conflicts with general obligations under the law. That is, it would not be up to the accrediting body to rewrite the code or disapprove of the code unless there has not been fairness in the process used to create it or if there is an obvious conflict with general obligations. Conversely, the endorsement of a code would not be proof positive that the code itself has the authority of law given our comments above about its purpose of guiding those subject to the law and oversight agencies.

The discussion document suggests that the Standards Council of Canada or internal or external auditors (whoever they are) perform the recognition function. Others suggest that the agency that has oversight control might be responsible for this task as exists in New Zealand (where codes have the force of law), Hong Kong and the Netherlands. Neither of these suggestions seems to us to be the best solution. The Standards Council of Canada, though it has expertise, has no governing function. Oversight agencies usually are already overburdened with other tasks. Furthermore, it may be awkward for an oversight body that has an adjudicative role to apply a code of practice which it has already “endorsed”. Instead, we suggest that a branch of the administrative structure of government perform this function. For example, at the federal level, officials within the Department of Justice or Industry Canada could be responsible for reviewing and “recognizing” sectoral codes.

6. Oversight: Ensuring adequate compliance and enforcement

The BCCLA believes that a law that seeks to protect information privacy must have adequate systems of accountability and oversight to ensure compliance. The benefits of a voluntary compliance regime are limited as illustrated by the CSA Model Code. We are mindful that industry will balk at expensive, unnecessarily bureaucratic and ineffective regimes for oversight, and so they should. Thus, an oversight system should strive to be:

  • efficient: by ensuring compliance with as little burden and cost as possible
  • comprehensive: by providing adequate authority to investigate, monitor, research and enforce privacy interests
  • citizen friendly: those whose personal information is at issue should be able to make complaints and have enforceable rights, and
  • fair: to those regulated by the law and to those who the law is meant to protect—citizens generally.

The BCCLA submits that a central authority should be given responsibility to oversee legislative compliance. Oversight should be divided between an agency that has a general administrative/ombudsman role and a body that has an adjudicative role. The administrative body should have adequate authority to ensure compliance. It should have the authority to receive complaints, conduct proactive audits7, undertake research and public education, conduct investigations, make public reports, etc. The adjudicative body, perhaps an independent administrative “privacy” tribunal, should have the authority to enforce obligations under the law and provide remedies for citizens whose privacy interests have been violated under the law.

The discussion document suggests that the Office of the Privacy Commissioner of Canada could provide an oversight function. The BCCLA submits that it would be premature to endorse any particular agency that presently exists. It is better to first define the scope and authority of an oversight agency and then assess whether any particular existing agency would be appropriate. In any case, it is likely that the statutory authority for the Office of the Privacy Commissioner or any other agency would need to be redefined.

However, the BCCLA strongly submits that oversight through an Ombudsman-like agency is not nearly enough to make the rights and obligations under proposed law effective. In our experience, the federal Commissioner’s limited authority to make recommendations does not go far enough. His ability to effect change is limited to moral suasion and negative publicity. These methods for securing rights are too dependent on extraneous, often variable factors such as the public commitment of the offending public body to the value of privacy (often lukewarm) and the extent and nature of exposure in the media. Government agencies not committed to the value of privacy often ignore or dismiss the Commissioner’s findings and recommendations. Furthermore, fickle media may or may not report on negative findings. Of course, the use of public condemnation to promote compliance is a tricky business: use it too often (even if it is legitimate) and you tend to become ignored. A right to privacy in a proposed law deserves more teeth rather than be left to variables outside the control of an overseeing body.

Privacy rights must be enforceable in law. Thus, the BCCLA recommends that a privacy tribunal be created to adjudicate allegations of breaches of obligations under the proposed law. In the interests of fairness and efficiency, not all allegations of violations should proceed to an adjudication if they can not be resolved earlier. An automatic right to a hearing could create undue burden on those regulated under the Act. Rather, only the more serious claims should receive standing to take their case before a tribunal. The BCCLA suggests that the tribunal be given responsibility in the law to determine which cases would have standing. This discretion could be guided by particular factors expressly articulated in the law such as the seriousness of the alleged violation, the seriousness of the alleged harm suffered, the number of citizens whose privacy interests are implicated by a complaint, etc.

An approximate example of this model can be found in the new revisions to the British Columbia Police Act with respect to a police complaints system. These amendments will create an independent officer of the Legislature, the Police Complaint Commissioner, who will have broad authority to oversee the system for police complaints regarding municipal police officers in the province. Complainants who are not satisfied with responses to their complaint at earlier stages of resolution will be able to request a public hearing into the complaint. The Police Complaint Commissioner may only grant the request if it is necessary in the “public interest”. His discretion is guided by consideration of specific factors articulated in the law. By acting as gatekeeper, it is hoped this system will ensure that truly meritorious complaints will get a full hearing while not unduly burdening the system of administrative justice and those who are accountable under the law.

With respect to a system for complaints, the BCCLA recommends that there be several stages. At the first stage, whether submitted directly to an organization or the Ombudsman, complaints should be first dealt with by the organization alleged to have contravened their obligations in the law. If the complaint has not been resolved successfully at the first stage, an aggrieved party could apply to the Ombudsman for assistance in resolving the complaint. The Ombudsman could conduct an investigation, assist the parties to mediate a resolution and issue non-binding recommendations. If the complainant is still unsatisfied, he or she could apply for standing for a hearing before the tribunal. As discussed above, the tribunal would decide on standing and adjudicate if standing was granted. Under this system, a relatively small proportion of total complaints would actually be adjudicated since complaints would either be resolved earlier in the process or would be judged not to merit a hearing. Thus, this system would not be unduly burdensome or costly. Indeed, if organizations want to avoid costly disputes they have a great incentive to resolve complaints as early as possible.

The BCCLA submits that the Ombudsman and tribunal must have statutory powers to adequately carry out their tasks. For example, the authority to investigate would require the power to search premises and seize records. The tribunal would require subpoena powers. We do not propose to identify in detail these powers except to note that precedents can be found in many administrative law contexts.

7. Miscellaneous submissions

The discussion document asks a series of questions. Many of our comments above respond directly to specific questions posed in the document. The following comments respond to other issues raised.

Privacy impact statements

The BCCLA suggests that a requirement to conduct a privacy impact statement for all new information technology would be too onerous. Given the rapid changes in information technology, organizations might forever be completing privacy impact statements. Further, it’s not clear what they should comprise, who should review them and what status they would have. Furthermore, as noted above in point 4, concerns about privacy intrusions usually concern processes as opposed to the technology itself. Finally, our proposed recommendation to add a principle of “justification” to the list of CSA Model Code principles might achieve the utility of privacy impact statements yet go much further in providing citizens a means to challenge inappropriate practices.

Public education

The BCCLA agrees that the success of any project that seeks to protect citizens’ privacy will depend to a great extent on public education. In our experience, the public is just beginning to awaken to understanding the importance of their privacy in the information age. Nevertheless, there is a keen interest in these issues and concerns about eroding privacy. A poll of British Columbians in 1995 revealed that 64% of respondents considered privacy of consumer information an “extremely important” issue. 57% believe privacy to be a fundamental right while 37% expressed fear that their privacy will erode by the year 2000.8

Education about obligations and rights in a proposed federal law must be a shared responsibility. Organizations that are subject to the law should both educate themselves about their obligations and must play a role in educating the public about their rights under the law. Government and oversight agencies have a central role in educating those subject to the law about their obligations and citizens’ rights. Finally, citizens and consumer advocacy groups have a key responsibility in educating citizens especially given the fact that compliance mechanisms will rely to a great extent on complaints about non-compliance.

Harmonization

The BCCLA urges the federal government to work with and encourage its provincial counterparts to provide analogous legislation to extend to private sector entities under provincial jurisdiction. It is likely that much information privacy falls within the constitutional jurisdiction of the provinces and thus action by the provinces is crucial. Even if plausible arguments for exclusive federal jurisdiction exist, some provinces would challenge an overarching federal law in the courts thus casting doubt on the status of legal protections for privacy. It is better that provinces legislate and avoid legal disputes. The BCCLA will take this message to the Special Legislative Committee that is presently reviewing the information and privacy legislation that regulates public bodies in B.C.

However, provincial reticence must not be a bar to the federal government from establishing legislation. In this respect, we see the federal government as a leader. Indeed, the legislation that it creates will act as a template for other provinces.

8. Conclusion

The BCCLA would again like to thank the federal government for the opportunity to comment on this initiative. We look forward to further working with all interested parties in creating effective privacy legislation in Canada for the private sector.

Notes

1. For example, see the comments of the Supreme Court of Canada in R. v. O’Connor [1995] 4 S.C.R. 411, which identifies a constitutional right to privacy (section 7 of the Charter) with respect to confidential records of records created through the provision of counselling and medical advice, and Hunter v. Southam [1984] 2 S.C.R. 145 which established that section 8 of the Charter protects a person’s reasonable expectation of privacy.

2. The Privacy Commissioner of Canada’s Annual Reports: 1994-95 (at 2-7-14,15), 1993-94 (at 6-7), 1992-93 (at 9-12).

3. Submission by David Flaherty, Information and Privacy Commissioner for B.C. to the Special Legislative Committee of the Legislative Assembly of British Columbia, February 24, 1998 (Item #10).

4. J. Westwood, et al., The Privacy Handbook (Vancouver: BCCLA, 1994)

5. Presentation by Dr. Rebecca Grant, Faculty of Business, University of Victoria, to a conference on Surveillance Technologies, Challenges to Privacy Rights, sponsored by the Office of the Information and Privacy Commissioner of B.C., October 8, 1997.

6. Letter from David Flaherty to Murray Mollard, dated December 11, 1997.

7. Many questionable uses of the personal information of citizens often occur unknown to those whose personal information is at issue. Thus, it is vital that an effective oversight agency have the authority to take proactive measures to uncover problems not known to citizens.

8. As reported by Professor Colin Bennett, Privacy Protection on British Columbia’s Electronic Highway—A Position Paper from the Advisory Council on Information Technology (1998) from a survey conducted by Harris L. & A.F. Westin, The Equifax Canada Report on Consumers and Privacy in the Information Age, (Ville d’Anjou: Equifax Canada, 1995).