
Interview with Jeffrey A. Kaufman

 

June 2003

 

Learn more about Fasken, Martineau, DuMoulin LLP

 

Terry McQuay, Nymity's President, recently spoke with Mr. Kaufman, the National Co-director of the Privacy and Information Protection Practice Group of Fasken, Martineau, DuMoulin LLP, a national law firm. Mr. Kaufman is also the Co-chair and a founder of the Privacy Section of the Ontario Bar Association and a member of the Executive of the new Privacy Section of the Canadian Bar Association. Over the past few years, he has spoken at numerous seminars and to various groups regarding privacy legislation. He has authored and co-authored numerous papers on privacy and is currently working as a co-contributor to the newest edition of Privacy Law in the Private Sector: An Annotation of the Legislation in Canada.


Nymity: Are companies ready for privacy compliance?


Kaufman: The vast majority of organizations are now aware that privacy and compliance are issues but are not yet willing to expend the time and resources necessary to be fully compliant by the legislative deadline at year end. In fact, some organizations try to equate this with Y2K and hope that this issue will pass away in a similar manner. Unlike the hype that surrounded the Y2K "date of reckoning", privacy legislation isn't going to go away. Compliance will have to be integrated into an organization's day-to-day business. As I say to everyone I advise, "treat this as Y2K that is not going away".


Nymity: In January 2004 will Canadian companies have to comply with both the federal and provincial legislation?


Kaufman: The federal legislation, the Personal Information and Protection of Electronic Documents Act ("PIPEDA") will govern privacy compliance for companies in Canada subject to provinces enacting legislation that the Governor-in-Council declares is substantially similar. Quebec has had this type of provincial legislation for 10 years. Although Industry Canada has taken the view that the Quebec legislation is substantially similar, no exemption order has yet been made. Most recently, B.C. and Alberta have introduced privacy legislation but neither province will be able to pass it until the fall legislative assembly at the earliest. The Commissioners have raised concerns about substantial similarity. Ontario introduced an extensive consultation paper and received over 600 submissions from the community but has not yet committed to introduce privacy legislation this fall. Accordingly, businesses operating in various jurisdictions may be subject to various regimes until governments are able to work out a more harmonized approach to privacy.

 

Nymity: In light of this ever-changing landscape, how do businesses get ready for compliance this year?


Kaufman: The best practice we can recommend is that any business operating in more than one jurisdiction should meet the highest standard that doesn't materially impair their business operations. In order to do this properly, organizations should perform a comparison of the various privacy regimes that will impact them and then apply the highest standard on a national basis.


Nymity: In your presentations and discussions with business people across Canada, have you reached any conclusions as to what issues are of particular concern to business?


Kaufman: There are several issues of concern. The PIPEDA does not have a grandfathering provision for information collected prior to January 1, 2004. So organizations with existing banks of personal information should be aware that they may be unable to continue to use or disclose that information after January 1, 2004 unless they obtain the individual's consent.

A second area of concern is business transactions. The necessity to disclose personal information in the course of a business transaction is not dealt with by the PIPEDA. Therefore it appears that organizations subject to PIPEDA may be required to obtain the individual's consent prior to disclosing personal information to another party to a transaction for due diligence purposes. It also appears that the purpose requirement in the Act may limit the uses that a purchaser may make of data. Organizations planning a merger or acquisition should consider the impact of the PIPEDA on the transaction.

Employee personal information is another area that organizations should be concerned with. The PIPEDA does not apply to organizations in respect of the information they collect, use and disclose about their own employees for purposes that are reasonably related to employment. But use for other purposes, such as using employee information for marketing purposes, will be caught by the Act. Or, if they disclose the information to a third party, that third party may be required to comply with PIPEDA. This may have an impact on pension funds, EAP companies, personnel consultants, payroll service providers and others that deal with the personal information of other companies' employees.

Consumer preference data used for marketing purposes and CRM tools are another key concern to businesses.


Nymity: Does this mean that companies don't have to worry about employee privacy?


Kaufman: Not at all. The restriction in PIPEDA is based on the Constitution. There's no question that provinces will fill that gap and will make employee privacy a key component of any provincial legislation. In any event, an organization cannot be privacy-compliant without the buy-in of all of its employees. From experience, I can tell you that unless employees believe that their privacy is being respected, they will not make the effort to live up to these obligations for others.


Nymity: In your experience, what are the difficulties organizations are presently facing when getting ready for immediate compliance?


Kaufman: Unfortunately, because privacy legislation is so all-encompassing and so new, there is little guidance or direction that is currently available about how to comply. For example, Air Canada attempted to draft a proper consent for its Aeroplan program but was unable to get the Federal Privacy Commissioner to give guidance on what an appropriate consent would be. The result was not just a polite slap on the wrist but front-page headlines prompted by the Commissioner's use of the media, and millions of dollars in remediation costs to Air Canada.


Nymity: How do complaints arise that catch the Privacy Commissioner's attention?


Kaufman: Complaints can be made anonymously and can come from any source: an unhappy customer, disgruntled employee or vicious competitor. After any complaints are made, the Privacy Commissioner of Canada must investigate. All complaints must be investigated; the Commissioner has no discretion in this regard. Like the Boy Scouts say: be prepared.


Nymity: What are the potential consequences for a business arising out of a complaint to the Federal Privacy Commissioner of Canada?


Kaufman: All privacy practitioners will tell you that privacy is more than a legal obligation. It is good business. Failure to adhere to good privacy practices may impact not just your customer base, but also your business-to-business relationships and ultimately your competitive edge. Compliance is more than simply cobbling together a privacy code and policy. Those organizations that take the time and effort to be fully compliant will come out on top. As Peter Cullen, Chief Privacy Officer of the Royal Bank, has explained, privacy adds 9% to the bank's asset base, which translates into almost 900 million dollars for the bank. Now that is thinking ahead.

 
