© McInnes Cooper, 2020
Privacy 101 for Engineers
and Geoscientists
David Fraser / [email protected] / @privacylawyer
APEGNB Annual General Meeting
February 2020
In English only
What is privacy?
• Privacy means different things to different people.
• In this context, it usually means giving people control over their personal information:
– What information they have to share
– With whom they share it
– Where it goes
• People also DO NOT LIKE being surprised.
• Any intrusion without consent has to be justified.
Question 1: What law applies?
• For a service provider like an engineer, it often depends on the client, and it’s complicated …
• PIPEDA applies to all collection, use and disclosure of personal information in the course of “commercial activities”.
• Provincial FOIPOP/RTIPPA/ATIPPA applies to all provincial “public bodies”.
• The federal Privacy Act applies to all federal “government institutions”.
• Personal information collected by engineers for their own business is subject to PIPEDA.
What law applies?
• If it’s personal information from your client, then the law that governs your client will apply.
– When you handle personal information for your client, they are ultimately accountable.
• If it’s personal information about your clients and prospects, then PIPEDA will apply.
– When you handle personal information on your own behalf, you are accountable.
• No statute regulates your employee information in New Brunswick.
What is “personal information”?
• Addresses “personal information” – information about an identifiable individual:
– NOT business contact information when used to contact someone in their business role.
– Would include name, address, income, health information, demographics, preferences, birth date, SIN, customer numbers, unique identifiers, surveillance video.
– Information about a client’s property can be personal information.
What is personal information?
• Also includes information that may be traced back to an individual.
• The same information may be personal information about more than one individual.
• It doesn’t matter if the information is public or well known; we are not talking about “private information” but “personal information”.
CSA Model Code
• Ten principles from the code now baked into law
• Fundamentally about:
– Reasonable purposes
– Notice
– Consent (and then only using the information for those purposes).
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance
Principle 1 – Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the principles contained in the Canadian Standards Association model code for the protection of personal information.
– Must appoint a privacy officer
– Organization remains accountable even if info has been transferred to another organization for processing or using a contractor.
– Must implement practices and procedures to implement the standards
Principle 2 – Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
– Must document (internally) why you collect personal information;
– Must identify the purposes to the individual at or before the time personal information is collected (may be oral or in writing);
Principle 3 – Consent
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
– Requires informed consent – organizations must make a reasonable effort to advise the individual (in an intelligible way) of the purposes for which the information is being collected;
– Form of consent is dependent upon the sensitivity of the information;
– Cannot require consent for collection, use or disclosure of personal information beyond that required to fulfil the explicitly stated and legitimate purposes;
– Consent may be withdrawn.
Principle 4 – Limiting Collection
The collection of personal information shall be limited by that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
– Organization needs to identify the purposes (Principle 2) and then limit their collection to that which is necessary for those purposes;
– Must be honest – no collection by misleading means;
Principle 5 – Limiting use, disclosure and retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required [or permitted] by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.
– Limited to using and disclosing personal information for the purposes for which it was collected, unless you get further consent and document the new purpose;
– Need to have a document retention plan – must keep information used to make a decision about someone long enough for them to have access to the information;
– Information no longer needed can be destroyed or made anonymous;
Principle 6 – Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
– Only really an issue when personal information is used to make a decision about someone;
Principle 7 – Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
– CRITICAL PRINCIPLE;
– Must protect from many threats:
“The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.”
– Must use secure disposal methods;
Principle 8 – Openness
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
– Means that an organization must have a privacy policy;
– “The information made available shall include
(a) contact info for the privacy officer;
(b) how to exercise access rights;
(c) a description of the type of personal information held by the organization, including a general account of its use;
(d) what personal information is made available to related organizations (e.g., subsidiaries).”
Principle 9 – Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
– Subject to some exceptions;
– Must respond within 30 days;
– Need to let the individual know to whom the information has been disclosed, so must keep a record of how your data is used;
– Should be at “minimal or no charge”;
– Must be comprehensible to the individual;
Principle 10 – Challenging compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.
– Have to have a method to receive complaints and address them properly;
– Need to let the individual know they have a right to complain to the appropriate authority.
Consequences – PIPEDA
• An individual (not just a customer!) can make a written complaint to the Privacy Commissioner (s. 11).
– Commissioner may initiate a complaint of his own accord.
– Commissioner investigates the complaint.
– Powers in s. 12(1): compel evidence, administer oaths, accept any evidence whether ordinarily admissible (or not), enter any premises other than a dwelling, review documents, etc.
• Commissioner’s Report
– To contain findings and recommendations, and whether there was a settlement.
– Commissioner can decline to issue a report if the complainant has other recourse available.
Consequences – PIPEDA
• Court hearing
– A complainant (not the organization), after receiving the Commissioner’s report, may apply to the Federal Court – Trial Division for a hearing.
• Court’s remedies include:
– Order the organization to correct its practices in order to comply with ss. 5-10 of the Act;
– Order the organization to publish a notice of actions taken to correct its practices; and
– Award damages, including damages for humiliation the complainant may have suffered.
Power of Publicity
• Commissioner has the power to “make public any information relating to the personal information management practices of an organization if the Commissioner considers that it is in the public interest to do so.” s. 20(2).
• Commissioner can publicize information handling practices, even before the Court has been given the opportunity to consider the matter.
• Commissioner’s pronouncements are privileged for the purposes of any law related to libel or slander, so long as it is said in good faith.
Getting sued for breaches of privacy
Intrusion upon seclusion
One who intentionally [or recklessly] intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.
Intrusion upon seclusion
• Damages are presumed by the act of the offensive intrusion – the plaintiff does not have to prove any harm.
• Intentional or “reckless”
• The Court of Appeal set a range for general damages, which compensate for non-financial harm: nominal damages to $20,000
• Generally not viable for individual claims, but class actions are a different matter
Public disclosure of private facts
Publicity given to private life: One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized, or the act of publication, is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public.
Breach of confidence
(i) Confidential Information – Did the Plaintiff supply the Defendant with information having a quality of confidence about it?
(ii) Communication in Confidence – Did the Plaintiff communicate this information to the Defendant in circumstances in which an obligation of confidence arises?
(iii) Misuse of Information – Did the Defendant misuse or make an unauthorized use of the information?
Contract claims
• Traditional claims for breach of contract if there’s a confidentiality agreement or confidentiality provisions in your engagement letter.
New Data Breach Reporting Requirements
Breach notification requirements
• Amendments to PIPEDA (Bill S-4: Digital Privacy Act) mandated breach response (reporting, notification and record-keeping) – in force on November 1, 2018
• There may be a common law duty to notify if the individual would be able to take steps to mitigate the effect of the breach
• Will spawn many, many more privacy class actions
Breach notification
• Be very careful about the definition of a “breach” – from the Digital Privacy Act amendments to PIPEDA:
“breach of security safeguards” means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards.
Notification obligations
Report to Commissioner
10.1 (1) An organization shall report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.
Report requirements
(2) The report shall contain the prescribed information and shall be made in the prescribed form and manner as soon as feasible after the organization determines that the breach has occurred.
Notification to individual
(3) Unless otherwise prohibited by law, an organization shall notify an individual of any breach of security safeguards involving the individual’s personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.
Safeguarding obligations
4.7 Principle 7 – Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
4.7.1 The security safeguards shall protect personal information against
– loss or theft, as well as
– unauthorized access,
– disclosure,
– copying,
– use, or
– modification.
Organizations shall protect personal information regardless of the format in which it is held.
Safeguarding – sensitivity
4.7.2 The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection.
• Not defined in PIPEDA, but some examples are given:
“Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.”
Safeguarding – sensitivity
• Use common sense and “risk management” concepts, and think about possible harm.
• Think about the context:
– Your name on a list of people who went to a hockey game (probably not sensitive)
– Your name on a list of people who are being treated by a psychiatrist (sensitive)
Safeguarding – what’s the standard?
• Has to be reasonable and appropriate
• What does that mean?
• Think of the “standard of care” that has developed in the industry. Adopt that and go one better.
• Also, imagine being cross-examined and asked “why didn’t you do this?”
“Real Risk”
• “Real risk” depends on the sensitivity of the personal information involved in the breach and the probability that the personal information has been, is being or will be misused. There may be other prescribed factors.
• Compare Condon v Canada (a lost hard drive) to Ashley Madison (intentional data theft). Where the information was targeted, you can more readily assume malevolent intent or a likelihood of misuse.
“Significant Harm”
• “Significant harm” includes
– bodily harm,
– humiliation,
– damage to reputation or relationships,
– loss of employment, business or professional opportunities,
– financial loss,
– identity theft,
– negative effects on the credit record and damage to or loss of property.
• Ties pretty closely to the sensitivity concept.
Report to Commissioner
Report — content, form and manner
2 A report of a breach of security safeguards referred to in subsection 10.1(2) of the Act must be in writing and must contain
(a) a description of the circumstances of the breach and, if known, the cause;
(b) the day on which, or the period during which, the breach occurred;
(c) a description of the personal information that is the subject of the breach;
(d) an estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm;
(e) a description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm;
(f) a description of the steps that the organization has taken or intends to take to notify each affected individual of the breach in accordance with subsection 10.1(3) of the Act; and
(g) the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.
Notice to individuals
From the Act:
10.1(4) The notification shall contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm. It shall also contain any other prescribed information.
Notice to individuals
Contents of notification
3 The notification provided by an organization, in accordance with subsection 10.1(4) of the Act, to an individual affected by a breach of security safeguards must contain, in addition to the information set out in that subsection,
(a) a description of the circumstances of the breach;
(b) the day on which, or period during which, the breach occurred;
(c) a description of the personal information that is the subject of the breach;
(d) a description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
(e) a description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;
(f) a toll-free number or email address that the affected individual can use to obtain further information about the breach; and
(g) information about the organization’s internal complaint process and about the affected individual’s right, under the Act, to file a complaint with the Commissioner.
Record keeping requirements
• Companies will have to document every single breach, regardless of how trivial:
Records
10.3 (1) An organization shall, in accordance with any prescribed requirements, keep and maintain a record of every breach of security safeguards involving personal information under its control.
Provision to Commissioner
(2) An organization shall, on request, provide the Commissioner with access to, or a copy of, a record.
• This creates a discoverable paper trail for future litigation.
Record keeping requirements
• Recall the definition of a “breach”:
“breach of security safeguards” means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards.
• A few scenarios:
– An employee violates the “clean desk policy” and a customer record is seen by an employee from another department who had no need to know the information;
– An employee lets their kid use their smartphone, which contains customer information;
– An employee works on a report on a plane, where the screen can be seen by the person behind them;
Record keeping requirements
• Every such breach has to be documented in the prescribed manner and must be provided to the Commissioner on request.
• It is an offence to not keep records and an offence to not provide the records to the Commissioner.
Preparing for data breaches
• Develop policies for responding to all kinds of breaches.
• Make sure that definitions align with the law.
• Internal reporting is essential – someone has to know what’s going on and be able to notice trends.
• Soon, all trivial breaches will have to be documented.
• Develop a culture that allows breaches to be reported without unreasonable fear of reprisals or discipline.
• Carry out regular vulnerability assessments – be aware that most breaches are caused internally, both accidental and malevolent.
• Have a documented plan and practice it.
Canada’s Anti-Spam Law
How did we get here?
• Canada’s Anti-spam task force
• Established in May 2004
• Reported in May 2005
• This law addresses spam as it existed almost 10 years ago
• CASL in effect in 2014
The Act covers …
• Spam (commercial electronic messages)
• Installation of software (spyware)
• Alteration of transmission data
“Commercial Electronic Message”
…a commercial electronic message is an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that
(a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;
(b) offers to provide a business, investment or gaming opportunity;
(c) advertises or promotes anything referred to in paragraph (a) or (b); or
(d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.
Anti-spam Rules
• Rules apply to “electronic messages” (no minimum number), when sent:
– by telecommunication
– to an “electronic address” – email, IM, phone or similar account
– for the purpose of encouraging participation in a commercial activity
– if a computer system located in Canada is used to send or access the message
The “consent rule”
6. (1) No person shall send or cause or permit to be sent to an electronic address a commercial electronic message unless
(a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and
(b) the message complies with subsection (2).
[regarding the form of message]
The “content rule”
(2) The message must be in a form that conforms to the prescribed requirements and must
(a) set out prescribed information that identifies the person who sent the message and the person — if different — on whose behalf it is sent;
(b) set out information enabling the person to whom the message is sent to readily contact one of the persons referred to in paragraph (a); and
(c) set out an unsubscribe mechanism in accordance with subsection 11(1).
Limited exceptions to consent rule, but not content rule
• Providing a quote or estimate
• Facilitates, completes or confirms a transaction
• Warranty, recall, etc.
• Factual information about a transaction, membership, etc.
Some exclusions from consent and content rules
• Employee-to-employee within the same organization, about the organization’s activities
• Employee-to-employee in other organizations, if (i) the orgs have a “relationship” and (ii) the message is about the org’s activities
• In response to a request, inquiry, complaint, etc.
• Some messages in closed messaging systems
• Registered charity or political party fund-raising
Consent
• Need express or implied consent to send a CEM
• Onus is on YOU to prove consent
• Consent is implied only if:
– There is an existing business relationship (EBR) or existing non-business relationship (ENBR) between sender and recipient; or
– The recipient has published or disclosed the electronic address without indicating that they do not want to receive unsolicited CEMs, and the CEM is relevant to the person’s business role.
“Existing business relationship”
• Transaction within past two years
• Acceptance of opportunity within past two years
• Bartering transaction within past two years
• Written contract in force or expired within past two years
• Inquiry or application in past six months
• EBR passes to purchaser of business
“Existing non-business relationship”
• Donation to sender, if registered charity, in last two years
• Donation to sender if registered political party or candidate, in last two years
• Past volunteer to registered charity, political party or candidate, in last two years
• Member of club, association, etc. in last two years – definitions in regulations
Seeking Consent
• Disclosure requirements for consent:
– Purpose
– May be requested orally or in writing
– Identity and contact information
– Consent withdrawal statement
• A request for consent is itself considered a CEM
Form of CEMs
• Information required in any CEM (from CRTC regs)
– Name of sender or person on whose behalf the CEM is sent
– Mailing address and telephone number, email address or website address of sender or person on whose behalf the CEM is sent
• Unsubscribe mechanism – must be capable of being readily performed.
• Mandatory information and unsubscribe mechanism must be set out clearly and prominently
Unsubscribe Mechanism
• Unsubscribe mechanism must:
– Allow recipient to indicate, at no cost to them, desire not to receive CEMs from sender
▪ Using same electronic means by which original CEM was sent, or other electronic means if not practical
– Specify an electronic address or web page where the recipient can unsubscribe
• Electronic address or web page for unsubscribing must be valid for 60 days
• Must give effect to unsubscribe request “without delay” but no later than 10 days
Violations and penalties
• CRTC is main regulatory body responsible for enforcement
• Contravention involves “administrative monetary penalties” - not a “punishment” but intended to ensure compliance
• Max penalties - individual: $1M; corporation: $10M
• Factors to be considered in determining amount of penalty
• Offender can give an “undertaking” that halts enforcement
• Officers and directors of companies may be personally liable
• CRTC can name and shame violators
• Due diligence defence
Private right of action
• Was supposed to kick in on July 1, 2017
• Individual can sue for actual damages and a maximum of $200 per contravention, not exceeding $1,000,000 per day for unsolicited CEMs
• Lists factors for court to consider in assessing statutory damages
• No private right of action if sender served with notice of violation or entered into undertaking with CRTC.
• Thankfully put on hold.
Subscribe
Get Legal Alerts & Updates:
mcinnescooper.com/subscribe/
Legal Notes
McInnes Cooper has prepared this document for information only; it is not intended to be legal advice. You should consult McInnes Cooper about your unique circumstances before acting on this information. McInnes Cooper excludes all liability for anything contained in this document and any use you make of it.
© McInnes Cooper, 2019. All rights reserved. McInnes Cooper owns the copyright in this document. You may reproduce and distribute this document in its entirety as long as you do not alter the form or the content and you give McInnes Cooper credit for it. You must obtain McInnes Cooper’s consent for any other form of reproduction or distribution. Email us at [email protected] to request our consent.