Canadian Privacy Law History

Questions and Answers

In Canada, privacy has historically been recognized as a separate right under common law.

False (B)

British Columbia and Alberta passed privacy legislation in the 1990s to cover personal information held by their provincial governments.

True (A)

BC's Freedom of Information and Protection of Privacy Act (FIPPA) was enacted in 2002.

False (B)

The federal law that covers personal information held by organizations in the private sector is called the Fair Information Practices Act (FIPA).

False (B)

The Personal Information Protection Act (PIPA) in BC and Alberta are similar to the federal PIPEDA and were enacted in 2004.

True (A)

Ontario courts were the first to recognize a common law privacy tort that may affect employers in that province.

True (A)

BC courts recognize a common law privacy tort.

False (B)

FIPPA of BC applies to local governments, universities and colleges, and school boards.

True (A)

FIPPA in both BC and Alberta is intended to make public bodies more transparent and less accountable.

False (B)

FIPPA was amended in February 2023 in BC to include new requirements for public bodies, including reporting privacy breaches.

True (A)

PIPEDA directly affects personal employee information held by provincially regulated employers.

False (B)

PIPEDA applies to organizations that collect personal information in the course of both commercial activities and non-profit endeavours, unless provincial legislation exists.

False (B)

An individual can make a complaint to the Office of the Privacy Commissioner of Canada if they believe an organization mishandled their personal information.

True (A)

Personal information is narrowly defined and only includes recorded data such as age and address.

False (B)

According to the Office of the Privacy Commissioner, personal information does not include video or audio recordings.

False (B)

According to BC's PIPA, personal information includes contact information and work product information.

False (B)

Bill S-4, also known as the New Digital Information Act, amended PIPA in June 2015.

False (B)

PIPEDA states that organizations can collect, use, or disclose personal information without an individual's knowledge or consent if the information is publicly available.

True (A)

The principle of 'limit collection' means an organization should collect all available information to ensure accuracy.

False (B)

The fair information principles are explicitly stated in the BC PIPA and Alberta PIPA.

False (B)

When personal information is transferred to a third party for processing, organizations do not need to ensure the information receives a comparable level of protection.

False (B)

Providing consent must always be compulsory for supplying a product or service.

False (B)

If use or disclosure of out-of-date or incomplete information wouldn't necessarily cause harm to the individual, the employer should ensure that the information is accurate and current.

False (B)

In both BC and Alberta, OIPC stands for Ontario Information and Privacy Commissioner.

False (B)

A privacy commissioner has the power to issue binding orders against an organization.

False (B)

The Alberta OIPC was established in 1995 and ensures that both statutes are administered so as to effectively serve their objectives.

True (A)

Personal information related to health is excluded from the 'employee personal information' definition under BC's PIPA.

False (B)

According to both BC and Alberta's PIPAs, employers would never be able to collect, use, or disclose any personal information unless they received express employee consent.

False (B)

The law on video survelliance must only consider privacy rights, and not safety concerns or other factors that contributed to its implementation.

False (B)

The BC privacy commissioner indicated that, in the 2015 Atwell report, the information that municipality managers had been collecting by spying on staff was of value for IT security.

False (B)

A major challenge faced by data protection legislation is successfully adapting the guidelines and policies of said data regulation act while maintaining the culture of permissiveness previously established.

False (B)

When an employer allows a employee to use a computer for personal reasons, without limitations, and raises a reasonable expectation of privacy.

True (A)

Flashcards

Right to Privacy in Canada

The right to privacy has not historically been recognized as a separate right under common law in Canada, but is now safeguarded by legislation.

PIPEDA

The federal law that covers personal information held by organizations in the private sector in Canada.

FIPPA

Privacy legislation passed by British Columbia and Alberta that covers personal information held by the provincial government and other public bodies.

Fair Information Principles

The principles that underlie the collection, use, protection, and disclosure of personal information, as outlined in Schedule 1 of PIPEDA.

personal information

Any factual or subjective information about an identifiable individual, whether recorded or not.

Solicitor-Client Privilege

Rule of evidence that protects a client from having to divulge confidential communications with their lawyer.

Privacy Commissioner

The commissioner appointed to investigate complaints of failure to comply with the requirements of privacy legislation.

Employee Personal Information (BC Definition)

Personal information about an individual that is collected, used, or disclosed solely for the purposes reasonably required to establish, manage, or terminate an employment relationship.

Personal Employee Information (Alberta Definition)

In respect of an individual who is a potential, current, or former employee of an organization, personal information reasonably required by the organization for employment or volunteer work relationships, but not unrelated info.

BYOD (Bring Your Own Device)

The trend of employees using their own personal devices for work-related as well as personal purposes.

Freedom of Information

BC's Freedom of Information and Protection of Privacy Act allows individuals to request access to records held by public bodies.

BC's Privacy Act

BC's Privacy Act can influence IT-monitoring cases and reinforces privacy violations can become issues in lawsuits.

Employers in Election

When electing whether or not to monitor the personal information of employees by video surveillance, email, keystroke monitoring, or biometric data, employers would be wise to keep foremost in their minds the underlying principles of PIPEDA and their reflections in the BC and Alberta statutes.

Study Notes

• Historically, privacy wasn't legally recognized in Canada due to the difficulty of compiling records
• Digital age necessitates privacy laws as personal information is easily compiled and transferred
• Current legislation and legal decisions reflect the need to protect personal information
• Canada's initial privacy laws focused on information held by the government itself

Privacy Legislation in BC and Alberta in the 1990s

• British Columbia and Alberta enacted legislation covering personal data held by their governments and public entities
• BC's Freedom of Information and Protection of Privacy Act (FIPPA), enacted in 1992, allowed individuals to request information
• Alberta passed a similar statute in 1994 which functions in the same manner
• All provinces and territories now possess privacy legislation governing the collection, use, and disclosure of personal data managed by government bodies

Federal Legislation in 2000

• In 2000, the federal government, followed by BC and Alberta, introduced laws for personal information held by the private sector
• The federal law is known as the Personal Information Protection and Electronic Documents Act (PIPEDA)
• In BC and Alberta, the statute is called the Personal Information Protection Act (PIPA)
• The provincial Acts are equivalent to the federal PIPEDA, all enacted in 2004

Amendments to Alberta’s PIPA

• In November 2013, the Supreme Court of Canada struck down Alberta's PIPA
• Reason for the ruling was a violation of the Canadian Charter of Rights and Freedoms
• It gave the province a year to align with the Charter due to overly broad restrictions on union communication during legal strikes
• Alberta's legislation was subsequently revised; amendments came into effect on December 17, 2014
• Changes focused on the collection, use, and disclosure of personal data by unions involved in lawful labor disputes

Tort of Invasion of Privacy

• Employers and employees should be aware of potential liability for the tort of invasion of privacy
• Ontario courts were the first to recognize a common law privacy tort for employers
• An Alberta court case, ES v Shillington recognized a common law privacy tort in 2021
• BC courts do not recognize a common law privacy tort
• The BC Privacy Act, enacted in 1968, establishes a statutory tort for privacy violations
• Employers may be held liable for privacy breaches committed by their employees
• BC’s and Alberta’s privacy statutes, federal PIPEDA, and their information/privacy offices are outlined below

Freedom of Information and Protection of Privacy Act (British Columbia and Alberta)

• BC's FIPPA applies to provincial government ministries, Crown corporations, local governments, universities, colleges, school boards, municipal police forces, health boards and hospitals, and the self-governing professions
• Alberta's version of this FIPPA applies to public entities listed in section 1(p) of the Act
• Section 2 of the BC Act serves to increase public body accountability and safeguard personal privacy, granting public access to records
• The underlying principle in both provinces ensures governmental fairness, transparency, and credibility through citizen access
• FIPPA limits the amount and type of information that provincial government and other public institutions can gather from people
• Citizens have access to a lot of the information that is held by government agencies and other organizations
• Amendment of BC’s FIPPA was done in February 2023 to enforce rules for public bodies regulated by the Act
• Privacy breaches which includes unauthorized access, theft, loss, collection, or use, must be reported
• A privacy management program must be developed, that includes appointing a privacy officer, conducting privacy impact assessments etc.
• provincial private sector legislation or PIPA, is more likely to be involved in privacy disputes regarding employment

PIPEDA vs PIPA

• PIPEDA applies to all federally regulated organizations and their collection, use, disclosure, and retention of personal data from employees, customers, patients, and suppliers
• The PIPAs of BC and Alberta have stricter regulations
• Employees in these provinces should handle personal information following the rules of PIPEDA

Federal PIPEDA key features

• Its purpose is to balance the individual's right to have personal data kept private with the organization's need to collect, use, and disclose it where necessary
• PIPEDA applies to all organizations—both federally & provincially regulated—in Canada that collect use, or disclose personal information in the course of commercial activities unless the province in which the organization is based has passed comparable legislation, such as Alberta and BC PIPAs
• It also applies to interprovincial and international transactions involving personal information
• PIPEDA does not apply directly to personal employee information in provincially regulated workplaces as federal legislation
• Broadly defined, "personal information" includes any factual or subjective information about "an identifiable individual"
• Consent must be obtained before personal data is collected used, or disclosed, with information used only for the purpose for which consent was obtained
• Organizations must take precautions to safeguard personal data in their possession
• Individuals have a right to gain access to their personal data as well as the right to challenge an employer’s treatment of that data and or accuracy
• A complaint may be filed regarding the organization, potentially ordering the organization to change its practices

What qualifies as personal information?

• Section 2 of PIPEDA gives a broad definition
• It means any factual or subjective information about an identifiable individual, “recorded or not.”
• Examples; age, home address, and identification numbers (including social insurance number); residential telephone numbers and personal email address, sex, religion, ethnicity, social status, and marital status, employee files, photographs, opinions, and income, relevant dates, credit records, loan records, and purchasing and spending habits, and blood type, genetic information, and medical records
• According to the Office of the Privacy Commissioner, include pay and benefit records, video and audiotapes, and records of web browsing, emails, and keystrokes
• Stored on paper, electronically, a recording, or on a fax machine

Definition of Personal Information according to British Columbia's and Alberta's PIPA

• BC’s PIPA, "personal information" is defined as information about an identifiable individual and includes employee personal information excluding contact information or work product information
• Alberta’s PIPA, "personal information" means information about “an identifiable individual,” although no exceptions are articulated for “work product information” or for “contact information,” while “business contact information” arises as a specific exception
• Following the ten PIPEDA principles is essential for collection, use, protection, and disclosure

PIPEDA Amendments

• June 18, 2015, Bill S-4, the new Digital Privacy Act, was proclaimed, amending PIPEDA
• Important changes to PIPEDA, like what must occur if security has been breached
• Name, title, business address, or telephone number of an employee are now included in the definition of "personal information" exception
• PIPEDA now includes covers job applicants as well as employees and business contact information is exempt where it is collected, used, and disclosed solely for communicating with the individual for purposes related to their business or profession.

Restrictions to PIPEDA Amendments

• In cases of breaches of agreements, fraud, and financial abuse, information may be disclosed without individual’s consent to third-party organization’s
• The privacy commissioner can create compliance agreements that include conditions necessary for statutory compliance
• Federal government introduced Bill C-27 in the House of Commons (June 16, 2022): the Digital Charter Implementation Act, 2022, including substantial changes to PIPEDA
• Included; enacting the Consumer Privacy Protection Act, which would replace part 1 of PIPEDA, enacting the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act

PIPEDA Ten Fair Information Principles

• Individuals have the right to stay private about their personal data, organizations have a need to collect, use, and disclose personal data for purposes
• Under Schedule 1, here are 10 PIPEDA principles to underline collection, use, protection, and disclosure, Section 5(3) states that it can be done only "for legitimate purposes"
• Be accountable
• Identify the purpose of the collection
• Obtain valid, informed consent
• Limit collection
• Limit use, disclosure, and retention
• Be accurate
• Provide safeguards
• Be open
• Give individuals access
• Provide recourse

The Privacy Commissioner

• To report or complain to the privacy commissioner requires one to do the following
• A refusal to provide information or denial of its existence and broad powers to investigate complaints
• Inability to have an order created against an organization through a federal court in order to force changes to their data related routines
• Knowingly disposing of personal data and retaliation are seen as an offense

The Federal Privacy Commissioner Role

• To oversee the operation of PIPEDA, The Office of the Privacy Commissioner of Canada, reports directly to the House of Commons and Senate
• Can also, conduct audits and investigations into data practices summon witnesses, compel evidence under oath, and mandate the production of records
• Conducting the investigation, allows the OPC to make recommendations with regards to resolution methods
• It can also make public the information it obtains about an organization that it has investigated and have matters referred further to the Federal Court.
• In both BC and Alberta, the OIPC monitors and enforces legislation that relates to the collection of data and privacy
• In BC, established in 1993, it monitors citizen's rights over 2,900 agencies and 380,000 businesses