On June 30, 2015, Industry Canada released new federal transparency reporting guidelinesdeveloped in consultation with the Office of the Privacy Commissioner of Canada, government departments and industry stakeholders. The guidelines are intended to assist private organizations with reporting to their customers regarding the management and sharing of their customers’ personal information with government (including law enforcement, national security agencies, and regulatory authorities).
Organizations which collect personal information already have certain transparency and accountability obligations under Canadian privacy legislation (PIPEDA and its provincial counterparts). The new transparency guidelines are voluntary but do not derogate from the already-existing obligation of organizations to provide individuals with access to personal information held about them, including details on how their personal information is used and whether it has been disclosed. Instead, the transparency guidelines represent an attempt to standardize the information provided by organizations who choose to issue public reports on their sharing of personal information with government.
Industry Canada identifies six categories of disclosure organizations may choose to report:
- Voluntary disclosures at the request of a government organization: refers to the voluntary disclosure of personal information at the request of law enforcement or other government organizations.
- Voluntary disclosures on the initiative of the organization: refers to the voluntary disclosure of personal information to government authorities, for the purpose of reporting a crime.
- Disclosures in emergency or exigent circumstances: refers to requests made to assist law enforcement agencies in situations involving serious or imminent harm to any person or property without application to a judge.
- Disclosures made in compliance with federal or provincial law: refers to compellable requests made by government agencies under the express authority of federal or provincial legislation, such as the Customs Act or Income Tax Act, for regulatory enforcement or other government service purpose.
- Court ordered (warranted) disclosures: refers to production orders, summons, subpoenas, and search warrants issued by a judge or other judicial officer.
- Other, including but not limited to, foreign agency requests (court ordered) and preservation demands and orders.
For each category, organizations may report of the following statistics: the number of requests received from government authorities; the number of requests fulfilled; the number of requests rejected or contested; and the number of persons or accounts whose information was disclosed.
The guidelines recommend organizations adopt the following restrictions on the disclosure of information “in order to protect the work of law enforcement, national security, and regulatory agencies”:
- Specific disclosures of numbers less than 100 are discouraged. Instead, figures between 0 and 100 should be represented in a band of ‘0-100′ .
- Figures should be aggregated to reflect Canada-wide statistics, and should not differentiate between law enforcement, national security, and regulatory agencies. Moreover, these figures should also be aggregated such that service type and its associated network technology are not distinguishable.
- There should be a six month delay in reporting timeframe.
Any organization providing or considering providing reporting on government requests and access to personal information ought to review the guidelines and the limitations set out therein. Further explanation of the disclosure categories and limitations is provided by the guidelines, which also include a template report.