Nymity News

Interview with David Loukidelis

 

November 2003

 

Terry McQuay, Nymity's President, had an opportunity to interview David Loukidelis, British Columbia's Information and Privacy Commissioner (October 24, 2003).

 

Nymity: Mr. Loukidelis, congratulations on the passage of BC's Personal Information Protection Act (PIPA). What is the process for PIPA to be deemed substantially similar and will Industry Canada be able to make the decision before January 1st, 2004?

 

Loukidelis: A few years ago the Federal Government published the process it intends to follow, but it's not clear how that process will get going or when. I suppose someone has to make the first move, whether it's the Provincial Government or the Federal Government. I'd heard a few weeks ago that there's some hope in federal circles that the process can be completed in as little as three months, but it's not at all clear whether that is feasible or when the process will start.

 

I did urge the B.C. government a few weeks ago to initiate that process as soon as possible. There'll be enough jurisdictional issues to face as it is without also having to deal with the spectre of concurrent application, within the provincially-regulated private sector, of both PIPA and the Personal Information Protection of Electronic Documents Act. I've also offered to help in any way I can in getting the ball rolling.

 

Nymity: In 2004, when a complaint against a private sector organization reaches your office, what process will you follow to decide if the organization is governed by PIPEDA or PIPA?

 

Loukidelis: We're dealing with a budget cut of 35% over three years--20% to date and 15% slated to start next April 1--which means our existing duties under the Freedom of Information and Protection of Privacy Act have us stretched to the limit. PIPA received Royal Assent on October 23, and I'm moving quickly to get the resources we need to prepare for the January 1, 2004, go-live date. This work will include getting a handle on a number of enforcement issues, including the one you've mentioned.

 

It seems to me, at this point, that the easier cases will be where the organization is subject to Federal jurisdiction, as with the banks and airlines, although there will be grey areas even there. Privacy Commissioners need to get together, I'd say, to discuss jurisdictional issues and agree on practical, commonsense protocols for deciding whether PIPEDA, and not provincial or territorial privacy legislation, applies. These discussions have already started among some Commissioners and, speaking only for myself, I believe we can come up with some solutions in the next few months.

 

Nymity: To help us better understand jurisdiction, assume a citizen of B.C. complains about an organization whose business activities extend across Canada, including offices or stores in B.C., with the head office outside of B.C. Since that organization would need to comply with PIPEDA, and/or another province's privacy legislation, under what circumstances would your office investigate the complaint?

 

Loukidelis: This is something we're starting to gear up for, as my last answer indicates. Time's short, I know, and we need to get resources quickly so we can prepare the best we can in the time left to us.

 

Nymity: If an organization has offices in B.C. with operations across Canada, under what circumstances would your office investigate complaints from citizens outside of B.C.?

 

Loukidelis: Our focus should be on addressing complaints and other concerns brought to us by B.C. residents. I'm not particularly interested in hanging my hat on a company's B.C. presence as good enough reason for us to even attempt an investigation into a complaint made by someone outside the province, especially if that complaint has to do with something that in its essence happened elsewhere. PIPA is B.C. legislation, designed to balance the rights and needs of B.C. residents and organizations, not to address the privacy practices of a corporation that has operations elsewhere in Canada but happens to have a B.C. presence of some kind.

 

Nymity: If an organization has employees in B.C., are the employees always covered under PIPA?

 

Loukidelis: Apart from organizations that are Federal works or undertakings, and are therefore subject to PIPEDA, my view at this point is that provincially-regulated employees will be covered by PIPA even if the Federal Cabinet does not declare PIPA to be substantially similar to PIPEDA. This is because the courts have held that Parliament cannot legislate in respect of the employer-employee relationship under its trade and commerce power, which is PIPEDA's underpinning in the situation I've just described. Of course, if the substantial similarity declaration is made, PIPA will through that route catch the employer-employee relationship outside federal works or undertakings.

 

Nymity: If an organization has operations in B.C., but believes that they are transferring information "for consideration" to another province and thus they comply with PIPEDA, will your office investigate the "for consideration" to ensure jurisdictional correctness?

 

Loukidelis: The fact that PIPEDA does or may apply to a transfer of personal information across borders doesn't necessarily mean we'll always decline to investigate. Our decision on whether to investigate will also depend, in each case, on the protocols or understandings that we work out with the Privacy Commissioner of Canada and other privacy commissioners.

 

Nymity: Is your office available for compliance consultation? Where would an organization go for jurisdictional questions?

 

Loukidelis: Yes, we'll be available for consultation, subject to our having the resources to assist. Even if the committee of the Legislative Assembly that deals with our budgets makes the necessary recommendation for further funding by mid-November, I'm unlikely to be able to hire the staff we need for PIPA oversight before the end of this year. So I'm afraid that any assistance we offer will be off the sides of our desks until then.

 

We'd like to help with jurisdictional questions as part of this assistance, but the final responsibility for deciding which laws to comply with rests, of course, with organizations.

 

I should mention that the Corporate Privacy and Information Access Branch (CPIAB) of the Ministry of Management Services has already received resources and organizations could seek their help now and down the road.

 

Nymity: Does the Commissioner's Office have different processes for handling reviews and complaints? What is the difference between a review and a complaint?

 

Loukidelis: Again, we're only now starting to develop the processes that we'll follow in handling complaints and reviews. With limited exceptions, we'll require individuals who come to us to complain to first go back to the organization involved and try to resolve the matter directly. I'm also keen to see if we can identify dispute resolution processes run by business groups or in business sectors that might serve, particularly when it comes to smaller businesses. We have lots of small businesses in B.C. and it'd be a good thing, it seems to me, if they could call on business associations for help in dealing with disputes.

 

As for reviews and complaints, there's some overlap between the two. Complaints can cover a broader range of things than reviews, which are limited to reviews of an organization's decisions, acts or failures to act "respecting access to or correction of personal information". At the same time, an individual can make a complaint that "a correction of personal information requested under section 24 has been refused without justification", and that clearly overlaps with the subject matter of a review.

 

Nymity: PIPA mandates that organizations retain individuals' information for at least one year if the information is used to make a decision that directly affects an individual. Do you expect this to have a major impact on how businesses retain information today? Please comment on what is considered "information used to make a decision".

 

Loukidelis: The one year retention requirement will have an impact on some businesses' records-retention practices. But there'll be many transactions that won't trigger this rule. If I give my name and telephone number to a corner dry cleaner's so they can dry clean my clothes, it seems to me that the dry cleaner can discard my name and telephone number immediately after returning my dry cleaning. They've provided a service, but haven't used my name and phone number to make a "decision" that "directly affects" me. Contrast this case with a credit union's use of my income and debt information in turning down my loan application. It's used my personal information to make a "decision that directly affects" me and must retain it for one year.

 

Nymity: PIPA requires an organization to provide access to the names of the individuals and organizations to whom personal information has been disclosed. Does this include employees who have accessed the individual's personal information?

 

Loukidelis: Section 33 of BC's Freedom of Information and Protection of Privacy Act explicitly refers to disclosure to a public body's employees as a disclosure for the purpose of that Act. I don't read PIPA the same way. My view at this point is that an organization is not required to tell individuals about each access to the individual's personal information by an employee of the organization.

But PIPA requires an organization to tell individuals what uses are being made of their personal information and that would obviously include uses by different employees within the organization for different permitted purposes.

 

Nymity: Providing access to the names of individuals and organizations to whom personal information has been disclosed would require an organization to update their IT systems to track access. Should organizations implement a tracking mechanism which audits access to individuals' information to be compliant with PIPA?

 

Loukidelis: PIPA will clearly require organizations to keep information that will enable them to comply with their duty to tell individuals about uses and disclosures of their personal information. This may take the form of updated IT systems or audit mechanisms, but that's obviously something various organizations will decide.

 

Nymity: What are your education plans for B.C. citizens?

 

Loukidelis: Once again, in the absence of any funding for PIPA roll-out, we're only now starting the early stages of our implementation planning. At the very least, I'll undertake some sort of media campaign to raise awareness, on the part of organizations and the public generally, of PIPA as it comes into force. I've also commented on an information brochure CPIAB is preparing for citizens and we're working as best we can on PIPA support tools for organizations and the general public. (We've been very lucky that my Alberta colleague, Frank Work Q.C., and the Alberta government have generously agreed to let us use their PIPA support tools to prepare our own.) These will be posted on our website before the end of November, or earlier if we can manage it. I'll also be continuing my round of speaking engagements--which are ramping up now as PIPA approaches--and will continue those into 2004 and beyond.

 

Nymity: The powers conferred on the Commissioner include the power to comment on "programs proposed by organizations", as well as on "automated systems for the protection of personal information" and "document linkage". Does this allow organizations to ask the Commissioner for advance rulings or comfort letters on proposed courses of action in relation to personal information?

 

Loukidelis: I've been saying for over a year now that, in an ideal world, I'd have both the authority and the resources to issue advance rulings or comfort letters on proposed courses of action. And while I believe the necessary authority to do these things exists under PIPA, the question remains: will we have the resources to actually use that authority? At this point, I'd have to say that, while I'm definitely keen on this approach, organizations should be aware that our ability to pursue such a pro-active approach to compliance is open to question, pending our getting the needed resources.

 

Nymity: Can you describe the approach for determining what is reasonable under the circumstances? What information can an organization provide to help determine reasonableness? Are customer statistics helpful?

 

Loukidelis: This is tough to answer, other than to suggest that the generally accepted practices of the particular business sector or activity--as well as the general expectations of individuals involved in the sector or activity as customers or consumers--may assist us in deciding whether something is reasonable. I suppose that statistical evidence as to the expectations and attitudes of customers could in some cases be useful.

 

Nymity: Under PIPA, an organization can give notice of its intention to collect, use or disclose personal information. If the individual does not respond to the notice an organization assumes consent. Understanding that section 8(3) provides additional details, please comment on why this was included in the Act.

 

Loukidelis: I can't really comment on why s. 8(3) or any other provision was included in the Act. Sections 8(1) and (3) deal with two different ways of getting consent. Section 8(1) deals with what it calls "deemed" consent--which is where an individual voluntarily provides personal information for a purpose that "would be considered to be obvious to a reasonable person" at the time the information is given. Section 8(3) contemplates a consent process where a reasonable opportunity to decline consent must be given and where the requirement to give notice of the purpose of collection clearly applies. Section 10(3) says that, by contrast, the general requirement to give individuals notice of the purpose of collection does not apply to deemed consent situations under s. 8(1).

 

The corner dry cleaner example works here also. When I give the store my name and telephone number when I hand in my dry cleaning, the purpose for doing so would, I think, be obvious to the reasonable person--to enable the dry cleaner to do the dry cleaning. I'm deemed to have consented under s. 8(1) and there's no need for notice. If, on the other hand, the dry cleaning operator actually intends to use that information for marketing purposes unconnected to the service, she can't do that unless she's given notice of that purpose and I've provided the information, as contemplated by ss. 8(3) and 10.

 

Nymity: Since PIPA grandfathers the collection of personal information prior to January 1st, 2004, how will this restrict an individual's ability to complain about information collected prior to January 1st?

 

Loukidelis: As you say, PIPA doesn't require organizations to get consent for collection, use or disclosure of personal information they've collected before January 1, 2004. But they can only use or disclose that information for the purpose for which it was originally collected and then only to the extent the use or disclosure is reasonable. And if there's a new use or disclosure, the organization has to get consent. So individuals will be able to hold organizations to the original collection purpose.

 

They'll also have the right of access to, and to request correction of, their personal information, regardless of when it was collected. And organizations will still have to take reasonable measures to safeguard all personal information, regardless of when it was collected.

 

Nymity: In closing, what compliance recommendations do you have for provincially regulated organizations with operations inside and outside of B.C.?

 

Loukidelis: As I've already mentioned, a number of Privacy Commissioners' offices are talking about how to co-ordinate our oversight activities across borders. Regardless of the outcome of those discussions, any nationally active organization that is in compliance with the ten principles underpinning PIPEDA will find itself in pretty good shape in B.C.

 

Whatever a particular privacy law says, organizations should see privacy compliance as a business opportunity. It's in many ways a customer relations issue--a question of being transparent about your practices and accountable for them. Tell people what you're going to do with their personal information and then, if they give it to you, stick to your promises. If you make a mistake, fix it quickly and in good faith. I'm far from the first person to say these things, but they bear repeating. Businesses would do well to read Ann Cavoukian's and Tyler Hamilton's book, The Privacy Payoff, for an in-depth examination of the brand-building perspective.

 

For smaller businesses and organizations, I'd say the same thing. But I'll add that if a commissioner's office comes calling about a complaint they've received about you, don't ignore them or try to stonewall them. I think you'll find that all Privacy Commissioners in Canada will try to resolve the matter through mediation, with their role being fact-finding, but also neutral. Sticking your head in the sand and risking forcing the commissioner into a more formal approach is not the way to go.

 

 

 
