Privacy 101 for Engineers and Geoscientists
© McInnes Cooper, 2020
David Fraser / [email protected] / @privacylawyer
APEGNB Annual General Meeting, February 2020
In English only


What is privacy?

• Privacy means different things to different people.
• In this context, it usually means giving people control over their personal information:
  – What information they have to share
  – With whom they share it
  – Where it goes
• People also DO NOT LIKE being surprised.
• Any intrusion without consent has to be justified.

Question 1: What law applies?

• For a service provider like an engineer, it often depends on the client, and it’s complicated …
• PIPEDA applies to all collection, use and disclosure of personal information in the course of “commercial activities”.
• Provincial FOIPOP/RTIPPA/ATIPPA applies to all provincial “public bodies”.
• The federal Privacy Act applies to all federal “government institutions”.
• Personal information collected by engineers for their own business is subject to PIPEDA.

What law applies?

• If it’s personal information from your client, then the law that governs your client will apply.
  – When you handle personal information for your client, they are ultimately accountable.
• If it’s personal information about your clients and prospects, then PIPEDA will apply.
  – When you handle personal information on your own behalf, you are accountable.
• No statute regulates your employee information in New Brunswick.

What is “personal information”?

• Addresses “personal information” – information about an identifiable individual:
  – NOT business contact information when used to contact someone in their business role.
  – Would include name, address, income, health information, demographics, preferences, birth date, SIN, customer numbers, unique identifiers, surveillance video.
  – Information about a client’s property can be personal information.

What is personal information?

• Also includes information that may be traced back to an individual.
• The same information may be personal information about more than one individual.
• Doesn’t matter if the information is public or well known; not talking “private information” but “personal information”.

CSA Model Code

• Ten principles from the code now baked into law
• Fundamentally about:
  – Reasonable purposes
  – Notice
  – Consent (and then only using the information for those purposes).

1. Accountability
2. Identifying purposes
3. Consent
4. Limiting collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance

Principle 1 - Accountability

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the principles contained in the Canadian Standards Association model code for the protection of personal information.

– Must appoint a privacy officer
– Organization remains accountable even if info has been transferred to another organization for processing or using a contractor.
– Must implement practices and procedures to implement the standards

Principle 2 – Identifying Purposes

The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

– Must document (internally) why you collect personal information;
– Must identify the purposes to the individual at or before the time personal information is collected (may be oral or in writing);

Principle 3 - Consent

The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.

– Requires informed consent – organizations must make a reasonable effort to advise the individual (in an intelligible way) of the purposes for which the information is being collected;
– Form of consent is dependent upon the sensitivity of the information;
– Cannot require consent for collection, use or disclosure of personal information beyond that required to fulfil the explicitly stated and legitimate purposes;
– Consent may be withdrawn.

Principle 4 – Limiting Collection

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

– Organization needs to identify the purposes (Principle 2) and then limit their collection to that which is necessary for those purposes;
– Must be honest – no collection by misleading means;

Principle 5 – Limiting use, disclosure and retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required [or permitted] by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

– Limited to using and disclosing personal information for the purposes for which it was collected, unless you get further consent and document the new purpose;
– Need to have a document retention plan – must keep information used to make a decision about someone long enough for them to have access to the information;
– Information no longer needed can be destroyed or made anonymous;

Principle 6 - Accuracy

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

– Only really an issue when personal information is used to make a decision about someone;

Principle 7 - Safeguards

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

– CRITICAL PRINCIPLE;
– Must protect from many threats:
  “The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.”
– Must use secure disposal methods;

Principle 8 - Openness

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

– Means that an organization must have a privacy policy;
– “The information made available shall include
  (a) contact info for the privacy officer;
  (b) how to exercise access rights;
  (c) a description of the type of personal information held by the organization, including a general account of its use;
  (d) what personal information is made available to related organizations (e.g., subsidiaries).”

Principle 9 – Individual Access

Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

– Subject to some exceptions;
– Must respond within 30 days;
– Need to let the individual know to whom the information has been disclosed, so must keep a record of how your data is used.
– Should be at “minimal or no charge”;
– Must be comprehensible to the individual;

Principle 10 – Challenging compliance

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

– Have to have a method to receive complaints and address them properly;
– Need to let individual know they have a right to complain to the appropriate authority.

Consequences - PIPEDA

• Individual (not just customer!) can make a written complaint to the Privacy Commissioner (s. 11).
  – Commissioner may initiate a complaint of his own accord.
  – Commissioner investigates the complaint.
  – Powers in s. 12(1): Compel evidence, administer oaths, accept any evidence whether ordinarily admissible (or not), enter any premises other than a dwelling, review documents, etc.
• Commissioner’s Report
  – To contain findings and recommendations, whether there was a settlement
  – Commissioner can decline to issue a report if the complainant has other recourse available

Consequences - PIPEDA

• Court hearing
  – A complainant (not the organization), after receiving the Commissioner’s report, may apply to the Federal Court – Trial Division for a hearing.
• Court’s remedies include:
  – Order the organization to correct its practices in order to comply with ss. 5-10 of the Act;
  – Order the organization to publish a notice of actions taken to correct its practices; and
  – Award damages, including damages for humiliation the complainant may have suffered.

Power of Publicity

• Commissioner has the power to “make public any information relating to the personal information management practices of an organization if the Commissioner considers that it is in the public interest to do so.” s. 20(2).
• Commissioner can publicize information handling practices, even before the Court has been given the opportunity to consider the matter.
• Commissioner’s pronouncements are privileged for the purposes of any law related to libel or slander, so long as they are made in good faith.

Getting sued for breaches of privacy

Intrusion upon seclusion

One who intentionally [or recklessly] intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.

Intrusion upon seclusion

• Damages are presumed by the act of the offensive intrusion – plaintiff does not have to prove any harm.
• Intentional or “reckless”
• Court of Appeal set a range for general damages, which compensate for non-financial harm: nominal damages to $20,000
• Generally not viable for individual claims, but class actions are a different matter

Public disclosure of private facts

Publicity given to private life: One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized, or the act of publication, is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public.

Breach of confidence

(i) Confidential Information - Did Plaintiff supply Defendant with information having a quality of confidence about it?
(ii) Communication in Confidence - Did Plaintiff communicate this information to Defendant in circumstances in which an obligation of confidence arises?
(iii) Misuse of Information - Did Defendant misuse or make an unauthorized use of the information?

Contract claims

• Traditional claims for breach of contract if there’s a confidentiality agreement or confidentiality provisions in your engagement letter.

New Data Breach Reporting Requirements

Breach notification requirements

• Amendments to PIPEDA (Bill S-4: Digital Privacy Act) mandated breach response (reporting, notification and record-keeping) – in force on November 1, 2018
• There may be a common law duty to notify if the individual would be able to take steps to mitigate the effect of the breach
• Will spawn many, many more privacy class actions

Breach notification

• Be very careful about the definition of a “breach” – From the Digital Privacy Act amendments to PIPEDA:

“breach of security safeguards” means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards.

Notification obligations

Report to Commissioner
10.1 (1) An organization shall report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.

Report requirements
(2) The report shall contain the prescribed information and shall be made in the prescribed form and manner as soon as feasible after the organization determines that the breach has occurred.

Notification to individual
(3) Unless otherwise prohibited by law, an organization shall notify an individual of any breach of security safeguards involving the individual’s personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.

Safeguarding obligations

4.7 Principle 7 – Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

4.7.1 The security safeguards shall protect personal information against
  – loss or theft, as well as
  – unauthorized access,
  – disclosure,
  – copying,
  – use, or
  – modification.
Organizations shall protect personal information regardless of the format in which it is held.

Safeguarding - sensitivity

4.7.2 The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection.

• Not defined in PIPEDA, but some examples are given:

“Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.”

Safeguarding - sensitivity

• Use common sense and “risk management” concepts and possible harm.
• Think about the context:
  – Your name on a list of people who went to a hockey game (probably not sensitive)
  – Your name on a list of people who are being treated by a psychiatrist (sensitive)

Safeguarding – what’s the standard?

• Has to be reasonable and appropriate
• What does that mean?
• Think of the “standard of care” that has developed in the industry. Adopt that and go one better
• Also, imagine being cross-examined and asked “why didn’t you do this”?

“Real Risk”

• “Real risk” depends on the sensitivity of the personal information involved in the breach and the probability that the personal information has been, is being or will be misused. May be other prescribed factors.
• Compare Condon v Canada to Ashley Madison: a lost hard drive versus intentional data theft. Where the info was targeted, you can more readily assume malevolent intent or likelihood of misuse.

“Significant Harm”

• “Significant harm” includes
  – bodily harm,
  – humiliation,
  – damage to reputation or relationships,
  – loss of employment, business or professional opportunities,
  – financial loss,
  – identity theft,
  – negative effects on the credit record and damage to or loss of property.
• Ties pretty closely to the sensitivity concept.

Report to Commissioner

Report — content, form and manner
2 A report of a breach of security safeguards referred to in subsection 10.1(2) of the Act must be in writing and must contain
(a) a description of the circumstances of the breach and, if known, the cause;
(b) the day on which, or the period during which, the breach occurred;
(c) a description of the personal information that is the subject of the breach;
(d) an estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm;
(e) a description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm;
(f) a description of the steps that the organization has taken or intends to take to notify each affected individual of the breach in accordance with subsection 10.1(3) of the Act; and
(g) the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.

Notice to individuals

From the Act:
10.1(4) The notification shall contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm. It shall also contain any other prescribed information.

Notice to individuals

Contents of notification
3 The notification provided by an organization, in accordance with subsection 10.1(4) of the Act, to an individual affected by a breach of security safeguards must contain, in addition to the information set out in that subsection,
(a) a description of the circumstances of the breach;
(b) the day on which, or period during which, the breach occurred;
(c) a description of the personal information that is the subject of the breach;
(d) a description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
(e) a description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;
(f) a toll-free number or email address that the affected individual can use to obtain further information about the breach; and
(g) information about the organization’s internal complaint process and about the affected individual’s right, under the Act, to file a complaint with the Commissioner.

Record keeping requirements

• Companies will have to document every single breach, regardless of how trivial:

Records
10.3 (1) An organization shall, in accordance with any prescribed requirements, keep and maintain a record of every breach of security safeguards involving personal information under its control.

Provision to Commissioner
(2) An organization shall, on request, provide the Commissioner with access to, or a copy of, a record.

• Creating a discoverable paper trail for future litigation.

Record keeping requirements

• Recall the definition of a “breach”:

“breach of security safeguards” means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards.

• A few scenarios:
  – An employee violates the “clean desk policy” and a customer record is seen by an employee from another department who had no need to know the information;
  – An employee lets their kid use their smart phone that contains customer information;
  – An employee works on a report in a plane, where the screen can be seen by the person behind them;

Record keeping requirements

• Every such breach has to be documented in the prescribed manner and must be provided to the Commissioner on request.
• It is an offense to not keep records and an offense to not provide the records to the Commissioner.

Preparing for data breaches

• Develop policies for responding to all kinds of breaches
• Make sure that definitions align with the law.
• Internal reporting is essential – someone has to know what’s going on and be able to notice trends
• Soon, all trivial breaches will have to be documented
• Develop a culture that allows breaches to be reported without unreasonable fear of reprisals or discipline
• Carry out regular vulnerability assessments – be aware that most breaches are caused internally: accidental and malevolent
• Have a documented plan and practice it
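As an added example, not part of the presentation, the following breach register logs every incident as s. 10.3 requires, triages whether the s. 10.1(1) report and s. 10.1(3) notification are triggered, and checks a report against the s. 2(a)-(g) content list quoted above. The 1-5 sensitivity and misuse-probability scales, the threshold, and the two scenarios are assumptions constructed for illustration; the statutory “real risk of significant harm” test remains a judgement call that such scoring can only support.

```python
"""Breach register and triage modelled on PIPEDA ss. 10.1 and 10.3 and the
Breach of Security Safeguards Regulations s. 2 as quoted in the slides.

Added example, not from the presentation. The 1-5 scales and the threshold
below are assumptions; the statutory test is a judgement call, not a formula.
"""
from dataclasses import dataclass, field
from datetime import date

# Report content required by Regulations s. 2(a)-(g), keyed by record attribute.
REPORT_FIELDS = {
    "circumstances": "(a) circumstances of the breach and, if known, the cause",
    "occurred": "(b) day or period during which the breach occurred",
    "info_description": "(c) personal information that is the subject of the breach",
    "estimated_individuals": "(d) estimate of individuals facing a real risk of significant harm",
    "mitigation_steps": "(e) steps taken to reduce or mitigate harm to each affected individual",
    "notification_steps": "(f) steps taken or intended to notify each affected individual",
    "contact": "(g) person who can answer the Commissioner's questions",
}

# Assumed threshold on sensitivity x misuse probability (each on a 1-5 scale).
RROSH_THRESHOLD = 8


@dataclass
class BreachRecord:
    """One s. 10.3 register entry. Every breach is logged, however trivial."""
    circumstances: str
    occurred: str
    info_description: str
    sensitivity: int            # 1 = hockey-game attendee list .. 5 = medical/financial
    misuse_probability: int     # 1 = glimpsed by a colleague .. 5 = targeted theft
    estimated_individuals: int = 0
    mitigation_steps: str = ""
    notification_steps: str = ""
    contact: str = ""
    logged_on: date = field(default_factory=date.today)


def real_risk_of_significant_harm(rec: BreachRecord) -> bool:
    """Assumed scoring of the s. 10.1(1) test: sensitivity of the information
    times the probability it has been, is being or will be misused."""
    for value in (rec.sensitivity, rec.misuse_probability):
        if not 1 <= value <= 5:
            raise ValueError("sensitivity and misuse_probability must be 1..5")
    return rec.sensitivity * rec.misuse_probability >= RROSH_THRESHOLD


def missing_report_fields(rec: BreachRecord) -> list:
    """Regulation s. 2 items a Commissioner report would still lack."""
    return [label for attr, label in REPORT_FIELDS.items()
            if getattr(rec, attr) in ("", 0)]


def triage(rec: BreachRecord) -> dict:
    """Decide the obligations for one record: the register entry is always
    required; the report and notification only on a real risk of significant harm."""
    rrosh = real_risk_of_significant_harm(rec)
    return {
        "record_under_10_3": True,
        "report_to_commissioner_10_1_1": rrosh,
        "notify_individuals_10_1_3": rrosh,
        "report_gaps": missing_report_fields(rec) if rrosh else [],
    }


class BreachRegister:
    """Append-only register that can be produced to the Commissioner on request (s. 10.3(2))."""
    def __init__(self):
        self._entries = []

    def log(self, rec: BreachRecord) -> dict:
        decision = triage(rec)
        self._entries.append((rec, decision))
        return decision

    def export(self) -> list:
        return [(r.circumstances, d) for r, d in self._entries]


# Constructed scenarios: the clean-desk incident from the deck, and a targeted theft.
CLEAN_DESK = BreachRecord(
    circumstances="Customer record left on a desk, read by an employee from another department",
    occurred="2020-02-10",
    info_description="One customer's name and address",
    sensitivity=1,
    misuse_probability=1,
)

STOLEN_LAPTOP = BreachRecord(
    circumstances="Unencrypted laptop stolen from a parked car (constructed example)",
    occurred="2020-02-12 to 2020-02-13",
    info_description="Client contact details and SINs",
    sensitivity=5,
    misuse_probability=4,
    estimated_individuals=340,
    mitigation_steps="Remote wipe issued; credit monitoring offered",
    # notification_steps and contact left blank on purpose to show the gap check
)

if __name__ == "__main__":
    register = BreachRegister()
    for rec in (CLEAN_DESK, STOLEN_LAPTOP):
        print(register.log(rec))
```

Running the block logs both incidents; only the laptop theft triggers the report and notification, and the gap check lists the two s. 2 items (f) and (g) still missing from its report.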

Canada’s Anti-Spam Law

How did we get here?

• Canada’s Anti-spam task force
• Established in May 2004
• Reported in May 2005
• This law addresses spam as it existed almost 10 years ago
• CASL in effect in 2014

The Act covers …

• Spam (commercial electronic messages)
• Installation of software (Spyware)
• Alteration of transmission data

“Commercial Electronic Message”

…a commercial electronic message is an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that
(a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;
(b) offers to provide a business, investment or gaming opportunity;
(c) advertises or promotes anything referred to in paragraph (a) or (b); or
(d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.

Page 48: Anti-spam Rules

• Rules apply to “electronic messages” (no minimum number), when sent:
– by telecommunication
– to an “electronic address” – email, IM, phone or similar account
– for the purpose of encouraging participation in a commercial activity
– if a computer system located in Canada is used to send or access the message

Page 49: The “consent rule”

6. (1) No person shall send or cause or permit to be sent to an electronic address a commercial electronic message unless
(a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and
(b) the message complies with subsection (2). [regarding the form of message]

Page 50: The “content rule”

(2) The message must be in a form that conforms to the prescribed requirements and must
(a) set out prescribed information that identifies the person who sent the message and the person — if different — on whose behalf it is sent;
(b) set out information enabling the person to whom the message is sent to readily contact one of the persons referred to in paragraph (a); and
(c) set out an unsubscribe mechanism in accordance with subsection 11(1).

Page 51: Limited exceptions to consent rule, but not content rule

• Providing a quote or estimate
• Facilitates, completes or confirms a transaction
• Warranty, recall, etc.
• Factual information about a transaction, membership, etc.

Page 52: Some exclusions from consent and content rules

• Employee-to-employee within same organization, about the organization’s activities
• Employee-to-employee in other organizations, if (i) orgs have a “relationship” and (ii) about the org’s activities
• In response to a request, inquiry, complaint, etc.
• Some messages in closed messaging systems
• Registered charity or political party fund-raising

Page 53: Consent

• Need express or implied consent to send CEM
• Onus is on YOU to prove consent
• Consent is implied only if:
– There is an existing business relationship (EBR) or existing non-business relationship (ENBR) between sender and recipient; or
– Recipient has published or disclosed the electronic address without indicating that they do not want to receive unsolicited CEMs, and the CEM is relevant to the person’s business role.

Page 54: “Existing business relationship”

• Transaction within past two years
• Acceptance of opportunity within past two years
• Bartering transaction within past two years
• Written contract in force or expired within past two years
• Inquiry or application in past six months
• EBR passes to purchaser of business

Page 55: “Existing non-business relationship”

• Donation to sender, if registered charity, in last two years
• Donation to sender if registered political party or candidate, in last two years
• Past volunteer to registered charity, political party or candidate, in last two years
• Member of club, association, etc. in last two years – definitions in regulations

Page 56: Seeking Consent

• Disclosure requirements for consent:
– Purpose
– May be requested orally or in writing
– Identity and contact information
– Consent withdrawal statement
• A request for consent is considered a CEM

Page 57: Form of CEMs

• Information required in any CEM (from CRTC regs)
– Name of sender or person on whose behalf the CEM is sent
– Mailing address and telephone number, email address or website address of sender or person on whose behalf the CEM is sent
• Unsubscribe mechanism - must be capable of being readily performed.
• Mandatory information and unsubscribe mechanism must be set out clearly and prominently

Page 58: Unsubscribe Mechanism

• Unsubscribe mechanism must:
– Allow recipient to indicate, at no cost to them, desire not to receive CEMs from sender
▪ Using same electronic means by which original CEM was sent or other electronic means if not practical
– Specify an electronic address or web page where the recipient can unsubscribe
• Electronic address or web page for unsubscribing must be valid for 60 days
• Must give effect to unsubscribe request “without delay” but no later than 10 days
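Added example, not from the deck: a Python sketch of how a mailing system could encode the consent rule, the content rule, the EBR/ENBR windows and the unsubscribe timing from the preceding slides. The Recipient/Message fields, the day counts used for “two years” and “six months”, and the sample values are assumptions; the exceptions and exclusions on the earlier slides are not modelled.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple
# Windows stated on the slides: two years for a transaction, contract, donation or
# membership (EBR/ENBR), six months for an inquiry. Day counts are an assumption.
TWO_YEARS = timedelta(days=730)
SIX_MONTHS = timedelta(days=183)
UNSUBSCRIBE_LINK_VALIDITY = timedelta(days=60)  # link must keep working for 60 days
UNSUBSCRIBE_GRACE = timedelta(days=10)          # request honoured no later than 10 days
@dataclass
class Recipient:
    express_consent: bool = False
    last_transaction: Optional[date] = None  # purchase, contract, donation, membership
    last_inquiry: Optional[date] = None      # inquiry or application
    unsubscribed_on: Optional[date] = None

@dataclass
class Message:
    sender_name: str
    mailing_address: str
    contact: str             # telephone number, email address or website address
    unsubscribe_url: str
    sent_on: date

def has_consent(r: Recipient, on: date) -> bool:
    """Consent rule, s.6(1)(a): express consent, or implied consent inside an EBR/ENBR window."""
    if r.unsubscribed_on is not None and on >= r.unsubscribed_on:
        return False  # an unsubscribe request ends express and implied consent alike
    if r.express_consent:
        return True
    if r.last_transaction is not None and on - r.last_transaction <= TWO_YEARS:
        return True
    return r.last_inquiry is not None and on - r.last_inquiry <= SIX_MONTHS

def content_problems(m: Message) -> List[str]:
    """Content rule, s.6(2): sender identity, contact details and an unsubscribe mechanism."""
    required = {"sender name": m.sender_name, "mailing address": m.mailing_address,
                "contact info": m.contact, "unsubscribe mechanism": m.unsubscribe_url}
    return [f"missing {k}" for k, v in required.items() if not v.strip()]

def may_send(m: Message, r: Recipient) -> Tuple[bool, List[str]]:
    """Both rules must pass; the onus to prove consent is on the sender, so keep the record."""
    problems = content_problems(m)
    if not has_consent(r, m.sent_on):
        problems.append("no express or implied consent on record")
    return (not problems, problems)

def unsubscribe_deadlines(m: Message, requested_on: date) -> Tuple[date, date]:
    """(last day the unsubscribe link must still work, last day to act on the request)."""
    return (m.sent_on + UNSUBSCRIBE_LINK_VALIDITY, requested_on + UNSUBSCRIBE_GRACE)
```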

Page 59: Violations and penalties

• CRTC is main regulatory body responsible for enforcement
• Contravention involves “administrative monetary penalties” - not a “punishment” but intended to ensure compliance
• Max penalties - individual: $1M; corporation: $10M
• Factors to be considered in determining amount of penalty
• Offender can give an “undertaking” that halts enforcement
• Officers and directors of companies may be personally liable
• CRTC can name and shame violators
• Due diligence defence

Page 60: Private right of action

• Was supposed to kick in on July 1, 2017
• Individual can sue for actual damages and maximum of $200 per contravention, not exceeding $1,000,000 per day for unsolicited CEMs
• Lists factors for court to consider in assessing statutory damages
• No private right of action if sender served with notice of violation or entered into undertaking with CRTC.
• Thankfully put on hold.

Page 61: Subscribe

Get Legal Alerts & Updates: mcinnescooper.com/subscribe/

Page 62: Legal Notes

McInnes Cooper has prepared this document for information only; it is not intended to be legal advice. You should consult McInnes Cooper about your unique circumstances before acting on this information. McInnes Cooper excludes all liability for anything contained in this document and any use you make of it.

© McInnes Cooper, 2019. All rights reserved. McInnes Cooper owns the copyright in this document. You may reproduce and distribute this document in its entirety as long as you do not alter the form or the content and you give McInnes Cooper credit for it. You must obtain McInnes Cooper’s consent for any other form of reproduction or distribution. Email us at [email protected] to request our consent.
