Bill C-54: The Government Moves to Protect Privacy in the Private Sector

Article for “Community Law Matters”
by Philippa Lawson, Counsel, Public Interest Advocacy Centre, Ottawa
It may have taken a desire to position Canada in the forefront of global electronic commerce, but the federal government should nevertheless be congratulated for finally moving to protect Canadians’ personal information from unauthorized commercial use. Bill C-54, the Personal Information Protection and Electronic Documents Act, was introduced on October 1st, 1998, to coincide with Ottawa’s hosting of an OECD Ministerial conference on electronic commerce. The Bill has passed second reading, and is now being debated in Committee.
First, some background: for some time now, Canadians have been protected from government misuse of their personal information through federal and provincial legislation applicable to public bodies (e.g., the B.C. Freedom of Information and Protection of Privacy Act). However, with the exception of Quebec,(1) no jurisdiction in Canada has legislated protections against misuse of personal information by private sector actors.(2)
Yet, public concern over unauthorized collection, use and disclosure of personal information by commercial entities has been growing, as Canadians find themselves bombarded by direct marketing, discover that their confidential information has been published, and, in the case of low income consumers, find themselves subjected to invasive and degrading practices (e.g., thumbprinting) in order to transact business.
As new abuses are uncovered daily, people are demanding more control over their personal information. At the same time, the federal government recognizes that electronic commerce will not succeed without the trust and confidence of consumers. Such trust requires legislative intervention; market forces have proven themselves incapable of addressing privacy concerns to the satisfaction of consumers.
Enter Bill C-54, “An Act to support and promote electronic commerce by protecting personal information this is collected, used or disclosed in certain circumstances…” Part I of the Bill sets out privacy rights, and is based on a voluntary code of practice which was developed by a multi-stakeholder group under the aegis of the Canadian Standards Association (CSA), and adopted two years ago by the Standards Council of Canada. In fact, the CSA Model Privacy Code is simply replicated, word for word in a Schedule to the Bill. Compliance with this Schedule is mandatory.
The CSA Code’s ten principles contain the core rights and obligations of the legislation. Most importantly, they require the individual’s knowledge and consent to any collection, use or disclosure of his or her personal information. “Personal information” is defined as “information about an identifiable individual that is recorded in any form”. Consent need not always be express, at least with respect to non-sensitive information. (What constitutes “sensitive” information, however, is left to a case-by-case analysis.) Exceptions to the rule of informed consent are specified in the body of the statute, and include collection, use and disclosure for purely domestic purposes, as well as for journalistic, artistic or literary purposes.
Individuals have the right to access their personal information in the possession of organizations at minimal or no cost, and to do so in alternative formats where necessary.
Complaints regarding non-compliance with the Act are made to the federal Privacy Commissioner, who has broad investigatory and audit powers. The Commissioner is provided with powers to publicize and coerce, but not to make binding orders. Instead, complainants (or the Commissioner himself) must go to the Federal Court for binding remedies, which include corrective practice orders, publication orders, and damages (including damages for humiliation).
The Bill is limited in application to “organizations” (defined broadly as associations, partnerships, persons and trade unions) which collect, use or disclose personal information “in the course of commercial activities”, and to federal employers in respect of employee information. While the term “commercial” is not defined, there will clearly be many non-commercial uses of personal information which do not fall into the scope of this legislation.
Perhaps the most controversial aspect of this Bill is its jurisdictional scope: while limited initially to inter-provincial data flows, it automatically extends to intra-provincial data flows after three years. At the same time, however, Cabinet can issue an exemption order where satisfied that substantially similar provincial legislation will apply. In other words, the federal government is giving the provinces three years to enact their own legislation, but will use the federal trade and commerce power to extend protections to all commercial activities after that time. Some provinces have expressed serious opposition to this perceived intrusion on their jurisdiction.
The Bill has received support from many quarters, including the B.C. and federal Privacy Commissioners. It is viewed by privacy advocates as a significant but incomplete step forward. Criticisms focus on deficiencies in the CSA Code (e.g., no limit on the purposes for which information can be collected); some overly broad exceptions to the rule of informed consent; and lack of an accessible regime for enforcement and remedies. It has been pointed out that organizations can choose not to comply, knowing that only the most determined and financially able individuals will pursue them in court. Hence, some parties advocate the establishment of a more accessible tribunal, instead of relying on the Federal Court for binding orders.
This legislation promises to help Canadians recover control over the use of their personal information in the private sector. It is an important development, that will hopefully spawn similar initiatives in B.C. and other provinces. The Bill, and proceedings of the Industry Committee, can be accessed from the Parliamentary website at http://www.parl.gc.ca. PIAC’s commentary on the Bill can be accessed from the PIAC website at http://www.piac.ca
1. Bill 68: An Act respecting the protection of personal information in the private sector, passed and assented to June 15, 1993.
2. B.C.’s Privacy Act does create a statutory tort of privacy invasion, but this legal tool seems to have been rarely invoked: see Ian Lawson, Privacy and Free Enterprise, 2nd ed. (PIAC, 1997), pp.72-78.
 

Protection of Personal Health Information

PROTECTION OF PERSONAL HEALTH INFORMATION:BILL C-6 AND THE HEALTH CARE SYSTEM

Philippa Lawson
Counsel, Public Interest Advocacy Centre, Ottawa, Ontario
There has been a great deal of polemic surrounding the federal government’s Bill C-6 and its application to the health care system. Let’s get a few things straight.
First, the Bill applies only to “information about an identifiable individual”. Thus, irreversibly anonymized information is not covered. Second, it applies only in the context of commercial activities, and explicitly permits the disclosure to governments of personal information where “requested for the purpose of administering any law of Canada or a province”. Third, it applies initially only to the federally regulated sphere of activity, and allows provinces three years within which to legislate “substantially similar” standards in the health care sector.
A number of concerns have been raised about the Bill’s impact on health care. Some have argued that the Bill “would require the express, informed consent to the collection, use and/or disclosure of personal health information at each step in the delivery of integrated health services”. This is not true. The Bill would not require explicit consent where the individual would reasonably expect such collection, use or disclosure as part of the transaction. Thus, for example, pharmacists can assume implicit consent to the disclosure of patient information to the prescribing physician, or to the patient’s insurance company, for the purpose of delivering the service requested. But they must obtain explicit consent of patients to any secondary uses of their personal information, such as its sale to drug manufacturers for marketing purposes.
It has also been argued that the Bill requires the unrealistic separation of commercial and non-commercial health activities, and that it will lead to a “two-tiered” system under which privacy is better protected in the private sector than in the public sector. While it is true that the Bill applies only to commercial activities, and that health care activities cannot be neatly divided into commercial and non-commercial categories, this does not mean that the two need to be separated, or that non-commercial activities will be subject to a lower standard.
First, Bill C-6 sets out a set of reasonable principles of fair information practice, which should be adopted by all health care organizations, public and private, in any case. Second, the Bill requires that organizations subject to it use contractual or other means to ensure that third parties with whom they share personal information provide a comparable level of protection. Thus, health care organizations not subject to the Bill will be required to comply with it whenever they collaborate with organizations subject to the Bill in the delivery of health care.
The real debate over Bill C-6 and health care is about the appropriateness of informed consent as the principle upon which to base rules for the sharing of personal health information. With some notable exceptions (physicians, dentists, and nurses), many of those involved in health research and administration, as well as primary care, seem to oppose this principle, preferring a regime based upon “consistent use”, or the “best interests of the patient”, as determined by someone other than the patient. This is the heart of the controversy now playing out before the Senate.
According to the Health Minister’s Advisory Council on Health Infostructure, “informed consent should be the basis for sharing [personal health] information” (p.11), and “patients should be able to exercise control over what portion of their electronic record is seen by other professionals and providers” (p.3-6). This reflects the position taken by citizens’ groups, who are calling for quick passage of Bill C-6 and no exemption for health information. As the groups point out, “Canadians deserve to know and to control who has access to their personal health records and for what purposes such access is granted”. If patients fear that their personal information may be shared with others without their consent, they will be reluctant to seek care and will withhold critical information from their doctors. The quality of care will decline, and health costs will rise.
Bill C-6 represents a challenge to all those involved in the delivery of health care in Canada. It sets a new standard for the sharing of personal health information now that we have entered a new age of information technology with all the opportunities it presents for misuse of personal health information. It’s a standard that gives control back to the patient, recognizing that times have changed and that the paternalistic model of “provider knows best” is no longer appropriate when it comes to the sharing of medical records. Let’s get on with it, before abusive information practices become any further entrenched.
For more information, see http://www.piac.ca . See also http://www.nationalcpr.org