Legislation
Canada’s public sector is regulated at the federal level by the Privacy Act. The Privacy Act safeguards individuals’ privacy by explicitly stating the individual’s right to access information about him/herself that is held by government institutions and Crown corporations. The Act also defines how these institutions can collect and use personal information.
The Privacy Act also defines “personal information”, including information about race, national or ethnic origin, religion, age, marital status, information relating to the educational, medical, criminal or employment history of the individual, information relating to financial transactions in which the individual has been involved, any identifying number, the address, fingerprints or blood type of the individual, or information regarding the views or opinions of the individual.
In addition to the Privacy Act, each province and territory has legislation governing provincial/territorial public sectors and their responsibilities in safeguarding private information. These provincial/territorial sets of legislation apply to ministries, colleges and universities, school boards, and local boards, for example. Links to the specific legislation of each province and territory can be found here.
In terms of privacy protection, Canada’s private sector is governed by the Personal Information Protection and Electronic Documents Act, commonly referred to as PIPEDA. This legislation, enacted in 2000, recognizes the increasing ability to collect and store personal information using technology, but also recognizes that corporations and organizations may need to collect some personal information in order to fulfill their mandates. As a result, PIPEDA sets out “rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances”. [1]
This private sector legislation is based on the CSA’s model code and its ten principles. These principles define the organization’s responsibilities for protecting and disclosing personal information, including the need to disclose the purposes for which information is collected, the need for obtaining consent, wherever possible, before collecting or using personal information, limiting the information only to that which is necessary for the stated purposes, and the right of the individual to access or view his or her personal information.
In 2015 PIPEDA was updated to specify that “the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.”
Furthermore, a number of corporations and associations have developed voluntary privacy codes based on the CSA model. While these codes are voluntary and thus not legally enforceable, they still function as a guide for corporations and individuals in terms of privacy and personal information.
Only three provinces, Quebec, Alberta, and British Columbia, have developed legislation pertaining to the private sector. These provincial codes take precedence over PIPEDA in these three provinces, although the content of the legislation is very similar.
In 2008, the Office of the Privacy Commissioner of Canada proposed a resolution dealing with the online privacy of children. Noting the increased frequency with which youth access and require technology to communicate with others, learn and read, and complete school assignments, Canada’s Privacy Commissioners urged websites with child-specific content to redesign their privacy policies so that youth could read and understand them, called for ensuring that corporations comply with privacy law, particularly when it comes to youth, and emphasized the need for public education programs to teach youth the value of personal information as well as their right to privacy and control of their information. [2]
In the United States, there is no single overarching legislative approach to privacy and privacy protection. Rather, the U.S. adopts a “piecemeal” approach, where standards and guidelines differ across jurisdictions and are drawn from common law, federal and state constitutions, and statutes that apply across different sectors, issues, and areas. [3] There are, however, several pieces of legislation that affect how personal information can be collected and used.
The best known of these legislative pieces is the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, or the USA PATRIOT Act. This Act was enacted by the U.S. government in October 2001, with the stated purpose of providing greater access to information in order to prevent and combat terrorism. [4] The Act reduced previous restrictions on monitoring individuals and collecting and accessing personal information, while also expanding other powers for monitoring and observing individuals and financial transactions.
The PATRIOT Act is of global concern, as it expressly allows the American government to access personal information about citizens of other countries, provided the information is physically present in the United States or accessible electronically. While, to date, the federal government has not disclosed any use of the PATRIOT Act to access personal information about Canadians [5], the provisions included in the PATRIOT Act have the potential to restrict democracy both in the United States and elsewhere.
Internationally, organizations such as the United Nations and UNICEF have explicitly stated that personal privacy is a fundamental human right. Furthermore, the European Union has developed a framework for protecting the personal information and privacy of citizens of all of its member states.
The main principles of the EU agreement state that Member States must ensure that personal data is:
- processed fairly and lawfully;
- collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
- adequate, relevant, and not excessive in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; and,
- kept in a form which permits identification of data subjects for no longer than it is necessary for the purposes for which the personal data are processed. [6]
Similar to Canadian privacy legislation, these principles ensure that individuals are informed as to the purpose for which their information is collected, that these reasons for collection are not altered or expanded without obtaining further consent, and that personal information is not to be shared or disclosed except in specific situations, such as when consent is given or in the course of a criminal investigation.
[1] Department of Justice. (2012). Personal Information Protection and Electronic Documents Act. Retrieved 14 May 2012 from http://laws-lois.justice.gc.ca/eng/acts/P-8.6/page-2.html#h-4.
[2] Office of the Privacy Commissioner of Canada. (2008). Resolution of Canada’s Privacy Commissioners and Privacy Oversight Officials. Retrieved 14 May 2012 from http://www.priv.gc.ca/media/nr-c/2008/res_080604_e.asp.
[3] Levin, A. & Nicholson, M.J. (2005). Privacy Law in the United States, the EU and Canada: The Allure of the Middle Ground. University of Ottawa Law & Technology Journal, 2(2), 357-395.
[4] Treasury Board Secretariat. (2006). Frequently Asked Questions: USA PATRIOT Act Comprehensive Assessment Results. Retrieved 14 May 2012 from http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_128/usapa/faq-eng.asp.
[5] Ibid.
[6] European Commission. (2012). Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data. Retrieved 14 May 2012 from http://ec.europa.eu/home-affairs/doc_centre/police/docs/com_2012_10_en.pdf.