Provinces push privacy

Some privacy gurus are recommending that companies start ramping up their internal privacy policies in order to make sure they exceed the minimal requirements of both the federal law and the most recent provincial privacy bills.

Canada already has a federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), which protects individuals from having their personal information disclosed without their consent. Federally regulated companies have had to comply since Jan. 1, 2001, and by Jan. 1, 2004, all private-sector organizations must also comply.

Some provinces are also getting in on the privacy game with their own private-sector laws. In May, Alberta introduced Bill 44, the Personal Information Protection Act (PIPA). If passed, it will take effect on Jan. 1, 2004.

In a statement, the Government of Alberta said the proposed law will limit the kind of personal information businesses can collect to only what is necessary for conducting transactions with customers and employees. Albertans will also have to be told how their personal information will be used.

If a business intends to disclose that information to another party for sales or marketing purposes, individual consent must first be obtained.

The deadline for compliance with both provincial and federal privacy laws is fast approaching and IT departments are “going to have to move on it,” said Frank Work, Alberta’s privacy commissioner. “In terms of IT issues, whoever holds the information is responsible for its security – they know that now, and they have probably known it all along.”

There is a question, however, about what a company is to do if it has offices scattered across the country. In this case, with which law does it comply: provincial, federal or both? Legally, if a company has many branches across the country and is exchanging information across provincial borders, it is bound by federal law.

Personal information that flows across provincial or national borders will be subject to PIPEDA, which will apply within the province to the activities of federal works, undertakings and businesses that are under federal jurisdiction – for example, banking, broadcasting, telecommunications and transportation.

But Peter Cullen, chief privacy officer for the Royal Bank of Canada (who has since moved to Microsoft Corp.), said his organization has a lot more to worry about than just keeping track of provincial and federal rules. As a financial services organization, the Royal Bank must juggle compliance with the regulations of various associations, such as the Investment Dealers Association of Canada, which has its own privacy rules for the bank’s securities business. It also has to keep track of how well it complies with U.S. regulations.

“There are a couple of ways you can manage this situation,” Cullen said. Companies can either take a “hopscotch regulatory approach,” where they ensure compliance jurisdiction by jurisdiction, or they can take the customer-focused approach, where they “meet or exceed the customer’s standards – that way you don’t have to spend a whole bunch of time worrying about specific parts of the legislation.”

One example of this principle in action is the way the Royal Bank deals with PIPEDA’s requirements for an organization to protect personal information in its own control or in the hands of a third party. Instead of just asking its suppliers to meet the non-disclosure requirements outlined in a contract, Royal Bank requires its third-party providers to do a self assessment and report back on their information-handling practices.

Ann Cavoukian, Ontario’s privacy commissioner, says the customer-focused approach is ideal.

“Companies should treat privacy as a business issue, not as a compliance issue,” she said. “Businesses that think that privacy will attract opportunity and serve as a key business differentiator will go farther than if they just follow the letter of law.”

IT managers also have to start thinking about the concept of “privacy by design,” where privacy is “built into the very architecture of the system,” Cavoukian said. “Think of [non-compliance] as a bug that has to be resolved before a product gets out the door. You have to ensure that all privacy issues are factored in at the code level – policy is much softer than software.”

Work said the provinces are “very conscious of the need for a harmonized situation for businesses and have already had discussions about how to make it so, and continue to do so, overall.”

If a business came to him asking about what laws it should follow, Work said he would refer them to the Fair Information Practices found in the Canadian Standards Association (CSA) code, upon which all of the privacy laws are based, and which are incorporated into PIPEDA. “For the most part, if you comply with one [law], you should have complied with all – generally. I’m not aware of any radical wrinkles that change the level of the field.”