Privacy law continues to expand and develop at an amazing pace. Most organizations that control or possess personal information know that they are required to have privacy policies and provide access rights, and understand their obligation to safeguard personal information. However, privacy compliance also involves meeting a “reasonableness” standard, which evolves over time. Recent decisions by the various Privacy Commissioners in Canada and case law developments have imposed upon organizations the need to periodically review their privacy compliance in order to verify whether they meet current standards.
The following is a list of some “hot button” issues that should be considered by organizations when reviewing their privacy compliance:
- Security and Personal Information Breaches – Loss of personal information by an organization requires a quick and informed response. The various Privacy Commissioners have created detailed guidelines on how to assess the severity of the breach and determine what steps should be taken following the breach. Depending on the nature of the personal information in its custody or control, an organization should consider implementing a breach response procedure that engages appropriate levels of management, IT personnel and legal counsel, immediately and as required. In addition, while notifying affected individuals is not mandatory, the Commissioners’ guidelines do require notification when warranted by the circumstances.
- Laptops and Other Mobile Computing Devices – Much personal information can be carried on laptops and other mobile computing devices. Recent decisions indicate that not only are certain technical security requirements necessary, but so are policies which stipulate how employees will safeguard laptops and other mobile computing devices when carrying such devices outside the office, in order to help prevent their theft or loss.
- Employee and Customer Surveillance – An evolving body of decisions from the Commissioners is defining the circumstances where surveillance may or may not be acceptable. Organizations which conduct surveillance of their employees or customers should verify whether their practices are reasonable under current standards.
- Identification Document Collection – A number of decisions have developed specific rules with respect to the collection and photocopying of identification documents, such as social insurance numbers and driver’s licenses, and the circumstances where this is permissible. It is important to ensure that an organization’s practices are in compliance with these new directives.
- Reasonableness of Technical Safeguards – As technology changes, so do threats to the safety of personal information. An organization should periodically review its IT safeguards to ensure that they are reasonable, current and up to date. In addition, organizations should assess their risk of loss of personal information not only from external threats but also from misuse by insiders, whether accidental or otherwise.
- Cross-Border Transfers of Personal Information – Case law and recent federal decisions have clarified that the Federal Privacy Commissioner’s jurisdiction follows Canadians’ information as it is transferred abroad. Any time an organization controls or possesses personal information that crosses a provincial or national boundary, it should be aware that its obligations continue beyond such borders. Various Privacy Commissioners have issued specific guidance with respect to cross-border and international flows of personal information, which includes notification requirements.
- Foreign Organizations – U.S. and other foreign organizations need not be located in Canada in order to be subject to Canadian privacy legislation. If a foreign organization has a real and substantial connection to Canada, and possesses Canadians’ personal information, it may be subject to Canadian privacy legislation.
- Electronic Communications and Business – Canada has an anti-spam bill, the Electronic Commerce Protection Act, currently before Parliament. If this becomes law, there will be specific rules regarding business communication by electronic means. Consumers will have a right of action for violation of these rules, and there will be an enforcement mechanism. These rules will apply to all electronic communication, not just email. In addition, there are provisions for the cancellation of the National Do Not Call list. Please see BLG’s bulletin on Bill C-27.
- Social Networking and Alternative Forms of Communication – This is an emerging area which has caught the interest of the Federal Privacy Commissioner with respect to individuals’ personal information. If an organization utilizes social networking as part of its public relations or other processes, it needs to consider the application of privacy legislation to the gathering and handling of personal information.