This is the second Discussion Paper on privacy that the Department of Justice has prepared recently. The first one, in July 1996, contained proposals for legislation to protect personal information in the possession of the government of New Brunswick. The Paper was referred to the Law Amendments Committee for public hearings. After those hearings, the Committee approved the proposals in the Paper, but also recommended that a second Discussion Paper should be prepared examining the extension of privacy legislation to the private sector.

This Paper is the result of that recommendation. Its purpose is to help establish whether the privacy of New Brunswickers requires greater protection than the law now provides, and if so, by what means. The Paper consists of "Propositions" for discussion rather than "Recommendations." Like its predecessor, it is to be referred to the Law Amendments Committee for review, so that the public may have a clear opportunity to contribute to the development of policy on this issue.

The Paper is in two Parts. Part I focuses on Data Protection in the Private Sector. "Data protection" deals with the establishment of rules to govern the handling of personal information that organizations collect and use in the course of their activities. New Brunswick's recently enacted Protection of Personal Information Act is a data protection Act for the public sector. The Paper asks whether data protection legislation is also needed in the private sector, and if so, what it should say.

Part II extends the discussion to Privacy in General. Data protection is just one part of the broader law of privacy; questions relating to the need for data protection legislation and what it might say depend in part on what already exists, or what might be established, under privacy law in general. There is also an important connection in terms of the focus of any legislative measures that might be taken to promote privacy interests. Is data protection the only, or the most pressing, area of concern? Examining privacy legislation in general, as well as its data protection sub-component, enables questions like this to be opened up for public debate.

In relation to data protection the Paper suggests that, as things now stand in Canada, the obvious starting point for private sector legislation would be the Canadian Standards Association's Model Code for the Protection of Personal Information ("the CSA Code"). The CSA Code is already the basis of New Brunswick's recently enacted Protection of Personal Information Act.

The Paper explains what the likely scope and content of legislation based on the CSA Code would be. The scope could be broad. The CSA Code is designed to apply to all commercial or non-commercial organizations, and this includes individuals when they collect and use personal information for commercial or other non-domestic purposes. "Personal information," under the CSA Code, means any "information about an identifiable individual that is recorded in any form." This includes sensitive information as well as non-sensitive information. Every "organization" will almost certainly "collect" and "use" personal information, even if it does no more than maintain membership lists, customer or client information or employee records.

The Paper suggests that the key elements of the CSA Code for legislative purposes would be the Code's ten Principles. The Principles are broadly expressed, as is appropriate to the very wide range of situations to which they would apply.

Principle 1 -- Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

Principle 2 -- Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

Principle 3 -- Consent
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.

Principle 4 -- Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

Principle 5 -- Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

Principle 6 -- Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Principle 7 -- Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Principle 8 -- Openness
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Principle 9 -- Individual Access
Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Principle 10 -- Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

The Paper discusses these Principles. In a few cases it suggests that small changes of wording would be required for legislative purposes, but the most important parts of the discussion relate to what Principle 2 means when it talks about "identifying purposes," what Principle 3 means by "consent" and "except where inappropriate," and what Principle 9 requires in terms of an individual's right to information. These are all things that the CSA Code describes in the Commentary that it attaches to its Principles. This Paper suggests that legislation, too, would need to deal with some of these things.

A recurring theme of the discussion is whether these Principles are as readily applicable in small organizations as in large ones. The CSA Code is stated as being intended to be applicable across the board, but several of its Principles are expressed in language that is more appropriate to large organizations than to small ones. For purposes of discussion, the Paper starts from the CSA Code's premise that it should be all-encompassing, and considers the areas which seem problematic from the point of view of small organizations. An important point for consideration is whether private sector data protection legislation, if adopted, should be as wide-ranging as the CSA Code aims to be, or whether a more focused approach is called for.

The Paper also deals with the enforcement of possible data protection legislation based on the CSA Code. It discusses whether penal remedies (prosecutions and fines), civil remedies (damages, declarations and injunctions) or administrative remedies (which could be of various natures, but would be available from an administrative entity rather than a court) might be appropriate. Contrary to what is often said in relation to data protection legislation, the Paper suggests that administrative remedies are not essential to a data protection Act. However, they are a policy option. Key issues in relation to possible administrative remedies are these. What powers of compulsion, if any, should be given to an administrative entity for data protection purposes? Should the resolution of complaints be the entity's only function?

Part II of the Paper, Privacy in General, focuses on the two central legislative options that are available to the Province if it wishes to reinforce existing legal protections for privacy in New Brunswick at a general level. One is to establish a "tort" of invasion of privacy. (A tort is a wrongful act which would entitle the person whose privacy had been invaded to go to court seeking the ordinary remedies of damages, declarations and injunctions.) The other is to create non-judicial remedies for infringements of privacy -- remedies that would be available from an agency other than the courts.

As to the tort option, the Paper describes briefly the existing legal remedies by which privacy interests may be protected, and then focuses attention on the Uniform Privacy Act prepared by the Uniform Law Conference of Canada. The Paper suggests that legislation establishing a tort of invasion of privacy in New Brunswick would be likely to be substantially similar to the Uniform Act. Several provinces have similar legislation already. The Paper discusses the Act as a possible model for legislation, and suggests that there are three key issues for public discussion. Should an invasion of privacy be a tort at all? Would legislation based on the Uniform Privacy Act adequately describe an invasion of privacy and pose no threat to desirable activities? Does caution dictate that any development of a tort of invasion of privacy should be left to the courts rather than undertaken by legislation?

Finally, the Paper examines the possibility of establishing non-judicial remedies for infringements of privacy. The Paper starts by pointing out that there is a difference between the kinds of conduct that might amount to a tort, a wrongful act for which damages, declarations and injunctions could be available, and less extreme infringements of privacy. It mentions things such as video surveillance, workplace testing and workplace monitoring as examples of practices which, in some people's view, are symptoms of a progressive loss of individual privacy in today's society. The question is whether non-judicial avenues might be established as a means of addressing some of these privacy issues.

There may be different views on this. Privacy, though a thing that everybody values, is in some people's view best left to be dealt with as an issue in the purely social sphere. On this view, appropriate standards of respect for privacy emerge organically from social interaction; at any given point in time there will be some activities that raise questions about what the appropriate standards are, but in the long run the only true measure of what is acceptable is what persists. Some people may also feel that there is an incongruity in even considering administrative remedies -- a bureaucracy, they might call it -- for the purpose of protecting and promoting privacy.

There are, however, existing models of agencies with a privacy mandate. The Paper mentions examples, and notes that an agency with a broad privacy mandate could include data protection as one of its functions. The Paper suggests that the key issues for public discussion in relation to non-judicial remedies for infringements of privacy in general are much the same as they are in the specific case of data protection. Is a non-judicial avenue needed at all? Should its functions be exclusively complaints-oriented? Should it, or should it not, have compulsory powers? Of course, the answers to these questions might be different in the particular context of data protection as opposed to the broader context of privacy in general.

The items discussed in this Paper are both independent and potentially inter-dependent. Any one, or any two, or even all three of the approaches reviewed might form the basis for legislation designed to promote the privacy of New Brunswickers. On the other hand, some people may feel that there is no need for legislation at all.

The purpose of this Paper is to allow a full public debate on what the appropriate legislative choices should be.

