
PIPEDA is the applicable privacy legislation in most Canadian provinces, but it is important to note that in some cases, other legislation may apply. For example, BC, AB, ON and Quebec all have provincial legislation that has been deemed comparable to PIPEDA or some sections of PIPEDA. In these jurisdictions, in some cases, the provincial legislation applies rather than PIPEDA. Additional context for an organization's privacy risk management program comes from the interpretation and application of relevant privacy legislation. Both regulators and courts provide impactful interpretations of legislation and should be monitored for recent decisions.
There are several interesting privacy issues on the horizon, among them changes to PIPEDA, new Covert Video Surveillance Guidelines, guidelines for dealing with the transfer of personal information outside of Canada, and developing trends related to civil action for breach of privacy. As a result of the mandatory statutory review of PIPEDA, changes are expected later this year that will include a mandatory breach notification to impacted clients and other parties, as well as notification to the Privacy Commissioner in some situations. Changes are also expected that will clarify the definition of "work product" and the issue of consent related to the personal information of minors. Newly introduced Bill C-27 also contemplates changes to PIPEDA, including a prohibition against unauthorized "trojan" collection of personal information and new discretionary capacity for the Privacy Commissioner to discontinue investigations when warranted.
The federal Privacy Commissioner is expected to release a new set of guidelines later in May that relate to the practice of covert video surveillance. These guidelines are expected to introduce a high standard for justification of covert video surveillance and include a requirement to obscure or remove any image that could identify an unrelated third party. The federal Privacy Commissioner also released a set of guidelines in late January that consider the transfer of personal information outside of Canada. Specifically, these guidelines require organizations to ensure a "comparable level of protection" for any personal information that they transfer out of country. For many organizations, this may require an enhanced due diligence process during vendor selection and vendor management.
Finally, there have been some interesting developments concerning civil liability for breaches of privacy. The BC Supreme Court awarded an individual $1.3 million in March, in part for damages associated with a breach of privacy (Neumann vs. Revenue Canada). Bill C-27 proposes a civil right of action for contravention of that act, as well as for contravention of some limited PIPEDA provisions. Four Canadian provinces, BC, SK, MB and NFLD, have existing legislation that provides for civil recourse in the event of a privacy breach. This all adds up to a good reason to give civil liability a higher profile when considering privacy risk management.
(article donated by Valerie Biggs)