Legislative Assembly of New Brunswick

APPENDIX A

SUMMARY OF PROPOSITIONS

I. Data Protection in the Private Sector

A. Is there a need for private sector legislation?

Proposition #1

The general objectives of data protection initiatives are laudable. Key questions for public discussion are

(a) whether legislation is the right way of advancing those objectives,

(b) whether legislation would achieve its objectives, and

(c) whether its benefits would justify the costs and restrictions it imposed.

B. What might data protection legislation say?

Proposition #2

Possible data protection legislation for the private sector should take the Canadian Standards Association's Model Code for the Protection of Personal Information as its starting point.

Proposition #3

Data protection legislation should adopt the ten "Principles" of the CSA Code verbatim, as far as possible. The "Definitions," "Notes" and "Commentary" in the CSA Code should serve as source material for data protection legislation, with key elements being adopted as appropriate.

B.1 The scope of data protection legislation

a. To whom will the Act apply?

Proposition #4

Data protection legislation could apply to all incorporated and unincorporated organizations, and to individuals when they collect and use personal information for purposes other than personal and household ones.

b. What is meant by "personal information"?

Proposition #5

Data protection legislation could adopt the CSA Code's definition of personal information: "information about an identifiable individual that is recorded in any form."

B.2 The CSA Principles

CSA Principle 1 -- Accountability

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

Proposition #6


Unless and until a designation is made under CSA Principle 1, the person accountable for an organization's compliance with the data protection principles should be

(a) the organization's Chief Executive Officer, if it has one; or

(b) in an organization without a Chief Executive Officer, the person or persons who control the affairs of the organization.

CSA Principle 2 -- Identifying Purposes

The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

Proposition #7

The purposes for which an organization collects personal information must be legitimate and must directly relate to an existing or proposed activity of the organization.

Proposition #8

CSA Principle 2 could be supplemented by a requirement that organizations document the purposes for which they maintain personal records systems, but if it is, such a requirement should not apply where documentation would be superfluous to proper administrative controls.

Proposition #9

Where an organization's documented purposes do not match the explanation given to the individual, the latter should prevail, in accordance with CSA Principle 3 -- Consent.

CSA Principle 3 -- Consent

The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.

a. Wording

Proposition #10

The essence of CSA Principle 3 is "consent." Data protection legislation should not include "knowledge" as a separate and independent criterion which must be satisfied.

b. Express and implied consent


Proposition #11

Data protection legislation must include the concept of implied consent, based on the reasonable expectations of the individual.

Proposition #12

The actions for which consent can be implied should be those that the individual should reasonably expect the organization to take, and would be unlikely to disapprove of, having regard to

(a) the nature of the personal information in question, including whether it is or is not sensitive or confidential,

(b) any benefit or detriment to the individual,

(c) any explanation that the organization has given of its intended actions,

(d) any indication that the individual has given of his or her actual wishes, and

(e) the ease or difficulty with which the actual wishes of the individual might be discovered.

c. "Except where inappropriate"

Proposition #13

Consent should not be required when an organization collects, uses or discloses personal information

(a) to protect the health, safety or security of the public or of an individual,

(b) for purposes of an investigation related to the enforcement of an enactment,

(c) to protect or assert its own lawful rights, including lawful rights against the individual,

(d) to verify to a government body the individual's eligibility for a program or benefit for which the individual has applied to that body,

(e) for purposes of legitimate research in the interest of science, of learning or of public policy, or for archival purposes,

(f) as required or expressly authorized by law, or

(g) for some other substantial reason in the public interest, whether or not it is similar in nature to paragraphs (a) to (f).

Before collecting, using or disclosing personal information without consent an organization should consider the nature of the information in question and the purpose for which it is acting, and must satisfy itself that in the circumstances that purpose justifies the action proposed.

Any collection, use or disclosure of personal information without consent should be limited to the reasonable requirements of the situation.

CSA Principle 4 -- Limiting Collection

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

Proposition #14

Data protection legislation should state the sources from which personal information may be collected, and should state that an individual shall not be refused any service or benefit because he or she declines to provide personal information which is not necessary for the identified purpose of the organization.

The requirement that personal information be collected by fair and lawful means does not need further explanation in data protection legislation.

CSA Principle 5 -- Limiting Use, Disclosure, and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

a. Wording

Proposition #15

CSA Principle 5 should permit uses and disclosures that are "expressly authorized by law" as well as those that are "required by law."

b. Inter-relation of "purpose", "consent" and "the law"

Proposition #16

Data protection legislation need not elaborate upon the relationship between "purposes," "consent" and "the law" as alternative bases for the use or disclosure of personal information.

c. Retention

Proposition #17

Data protection legislation should make it clear that an organization's duty not to retain personal information can be satisfied by converting the information into a form in which the individuals to whom it relates cease to be identifiable.

Proposition #18


Organizations should not be required to purge all personal information from 'non-personal' files in which the personal information appears incidentally.

CSA Principle 6 -- Accuracy

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Proposition #19

CSA Principle 6 is self-explanatory. Data protection legislation would not need to provide additional guidance on its application and interpretation.

CSA Principle 7 -- Safeguards

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

a. Wording

Proposition #20

The word "security" should be removed from CSA Principle 7 so as not to narrow its scope.

b. What kinds of safeguards?

Proposition #21


Data protection legislation should specify that the safeguards to be implemented include training and physical, technical, administrative and other measures, as appropriate in the circumstances. It should not attempt to define what will make a safeguard "appropriate to the sensitivity of the information."

c. Transfers to third parties

Proposition #22

Data protection legislation should make it clear that "appropriate safeguards" may be required when an organization transfers personal information to another organization, but it should not require specific forms of safeguards.

CSA Principle 8 -- Openness

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Proposition #23

CSA Principle 8 is self-explanatory. Data protection legislation need not attempt to clarify its meaning.


CSA Principle 9 -- Individual Access

Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

a. Wording

Proposition #24


The words "except where inappropriate" should be added to the right to information in CSA Principle 9.

b. The nature of the right

Proposition #25

Data protection legislation should make it clear that, under CSA Principle 9, providing information is sufficient unless access to documents is specifically requested.

c. Exceptions to access

Proposition #26

An organization should not be required to disclose personal information to the individual

(a) where disclosure would be harmful to the health, safety or security of the public or an individual, including the applicant;

(b) where disclosure would be prejudicial to an investigation related to the enforcement of an enactment;

(c) where non-disclosure is required or expressly authorized by law, or where the individual would have no right to obtain the information in legal proceedings;

(d) where the information was provided by another person in confidence, or is confidential in nature;

(e) where the information requested is inextricably linked to the personal information of another individual;

(f) where the information requested would be unduly expensive or onerous to provide.

Consideration should also be given to authorizing non-disclosure when there is some other legitimate and substantial reason for not providing the information requested.

Non-disclosure should be limited to the reasonable requirements of the situation. If it is practicable to explain the substance of the information withheld without prejudicing the reason for withholding it, the organization should do so.

d. Procedure

Proposition #27


Data protection legislation could be silent on the question of access procedures under CSA Principle 9.

e. Corrections

Proposition #28


When the individual has challenged the accuracy or completeness of personal information, but fails to convince the organization, the organization should make a note that the individual disputes the information in question.

CSA Principle 10 -- Challenging Compliance

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

Proposition #29


An organization should be required to investigate in good faith the complaints it receives and to take appropriate measures when a complaint is found to be justified.

B.3 Other Issues Arising

a. Sectoral Codes

Proposition #30


Sectoral codes should not be given the force of law under data protection legislation. Data protection legislation should include regulation-making authority under which, if necessary, more detailed provision can be made in relation to particular kinds of organization or information, or particular activities.

b. Enforcement

The penal remedy

Proposition #31


Data protection legislation could make it an offence to wilfully violate CSA Principle 3 (Consent), 4 (Limiting Collection), 5 (Limiting Use, Disclosure and Retention), and 9 (Individual Access).

The civil remedy

Proposition #32

Unless data protection legislation adopts administrative remedies that make civil remedies unnecessary, declarations, injunctions and awards of damages should be available for the enforcement of the legislation. However, awards of damages should only be made where an organization's non-compliance with the Act causes loss and satisfies some additional criterion such as being manifestly inconsistent with the Act.

The administrative remedy

Proposition #33

Administrative remedies are not essential to data protection legislation, but are a policy option. Key issues for public discussion are

(a) whether judicial remedies alone would be appropriate and sufficient,

(b) whether an administrative complaints mechanism without compulsory powers would serve a purpose,

(c) whether an administrative complaints mechanism with compulsory powers would be over-intrusive or counter-productive,

(d) whether a non-complaints function can be identified that is substantial, viable, and a strong reason in itself for devoting resources to an administrative agency with a specific data protection mandate.

II. Privacy in General

A. Judicial Remedies for Invasion of Privacy

Proposition #34

Discussion of a statutory tort of invasion of privacy should be based on the Uniform Privacy Act prepared by the Uniform Law Conference of Canada, set against the background of existing judicial remedies that may protect privacy interests.

A.1 Existing Remedies

[No Proposition is presented on this subject.]

A.2 A Tort of Invasion of Privacy?

a. "Invasion of privacy"

Proposition #35

An invasion of privacy might be defined as follows:

An act is an invasion of privacy

(a) if it unduly intrudes into the personal affairs of an individual, or into his or her activities, whether in a public or a private place, or

(b) if it gives undue publicity to personal information concerning an individual.

Proposition #36

If a definition along the lines of Proposition #35 would be too limiting, invasion of privacy legislation should at least contain an 'unreasonableness' threshold before conduct would be considered to amount to an invasion of privacy.

Proposition #37

A decision on whether 'wrongful dissemination of information about an individual' might amount to a tort of invasion of privacy should await the outcome of the consultation on private sector data protection legislation.

b. Defences

Proposition #38

In substance, the defences listed in s.4 of the Uniform Act are appropriate.

c. Remedies

Proposition #39


The remedies described in s.5 of the Uniform Act should be available for an invasion of privacy, though they may not need to be expressly stated in legislation.

Proposition #40

The rules on calculation of damages for a tort of invasion of privacy could satisfactorily be left to be developed by the courts.

d. Technical matters

Proposition #41


Technical questions on matters such as limitation periods, binding the Crown, precedence of Acts and admissibility of evidence should be decided on the basis that the tort of invasion of privacy, if established by statute, would be established as a tort like any other. There should be no right of action for an invasion of the privacy of a person who is deceased.

A.3 To Legislate or Not?

Proposition #42

Key issues for public discussion are

(a) whether an invasion of privacy should be a tort at all,

(b) whether legislation based on the Uniform Act would adequately describe an 'invasion of privacy' and pose no threat to desirable activities,

(c) whether caution dictates that the development of the tort should be left to the courts rather than undertaken by legislation.

B. Non-Judicial Remedies for Infringements of Privacy

B.1 "Infringements of Privacy"

Proposition #43

There are many actual and potential privacy issues that would fall outside the scope of either a judicial remedy for invasion of privacy or a non-judicial remedy under data protection legislation.

B.2 Beyond a Social Sanction?

Proposition #44

The key issue for public discussion is whether infringements of privacy should be left as issues within the social sphere, or whether the involvement of an administrative agency would be beneficial in ensuring proper respect for individual privacy.

B.3 Possible Models

Proposition #45

Models exist on which non-judicial remedies for infringements of privacy could be based. Key issues for public discussion, here as they were in relation to data protection remedies, are

(a) whether non-judicial remedies should include compulsory powers;

(b) whether dealing with complaints should be the full extent of the role.






APPENDIX B

THE PUBLIC SECTOR ACT







APPENDIX C

UNIFORM PRIVACY ACT


Definition
1. In this Act, "court" means [The Court of Queen's Bench of New Brunswick].

Tort
2. Violation of the privacy of an individual by a person is a tort that is actionable without proof of damage.

Proof in absence of contrary evidence
3. Without limiting the generality of section 2, proof of any of the following, in the absence of evidence to the contrary, is proof of a violation of the privacy of an individual:

(a) auditory or visual surveillance of the individual or the individual's residence or vehicle by any means, including eavesdropping, watching, spying, besetting and following, whether the surveillance is accomplished by trespass or not;

(b) listening to or recording a conversation in which the individual participates, or listening to or recording a message to or from the individual that passes by means of telecommunications, by a person who is not a lawful party to the conversation or message;

(c) publication of letters, diaries or other personal documents of the individual;

(d) dissemination of information concerning the individual that has been gathered for commercial or governmental purposes if

(i) the dissemination is contrary to a statute or regulation, or

(ii) the information was provided by the individual in confidence, and the dissemination is made for a purpose other than the purpose for which the information was provided.

Defences
4.(1) An act, conduct or publication does not constitute a violation of the privacy of an individual if

(a) it is specifically consented to, expressly or impliedly, by the individual, the individual is entitled to consent to it, and the court is satisfied that the consent is freely given;

(b) it is reasonably incidental to the exercise of a lawful right of defence of person or property;

(c) subject to subsection (2), it is authorized or required

(i) under a statute or regulation,

(ii) by a court or by a person, tribunal or agency, other than a commissioner for oaths or a notary public, that is authorized by law to administer an oath for the purposes for which the person, tribunal or agency is authorized to take evidence, or

(iii) by any process of a court, person, tribunal or agency mentioned in subclause (ii);

(d) it is an act, conduct or publication of a peace officer or a public officer engaged in an investigation who is acting in the course and within the scope of his or her duty, it is not disproportionate to the gravity of the matter that is the subject of the investigation and it is not committed in the course of trespass or other unlawful act;

(e) it is reasonable, having regard to any relationship, domestic or otherwise, between the parties to the action; or

(f) the defendant neither knew nor reasonably should have known that the act, conduct or publication would violate the privacy of any individual.

(2) No authorization or requirement under a statute or regulation provides a defence to an action for violation of privacy unless the statute or regulation specifically authorizes or requires the act, conduct or publication for the purpose for which it is undertaken.

(3) A publication of a matter is not a violation of the privacy of an individual if

(a) there are reasonable grounds for belief that the publication is in the public interest; or

(b) the publication is privileged under the law relating to defamation.

(4) Subsection (3) does not apply to any act or conduct by which the matter published is obtained if that act or conduct constitutes a violation of privacy.


Remedies
5. In an action for violation of privacy, the court may do one or more of the following:

(a) award damages;

(b) grant an injunction;

(c) order the defendant to account to the plaintiff for any profits that have accrued or may accrue to the defendant as a result of the violation of privacy;

(d) order the defendant to deliver up to the plaintiff all articles or documents that have come into the defendant's possession as a result of the violation of privacy;

(e) grant any other relief to the plaintiff that the court considers necessary in the circumstances.

Damages
6.(1) In awarding damages in an action for violation of privacy, the court shall consider all the circumstances of the case, including

(a) the nature of the act, conduct or publication and the context in which it occurs;

(b) the effect of the act, conduct or publication on the health and welfare or on the social, business or financial position of the plaintiff or relatives of the plaintiff; and

(c) the conduct of the plaintiff and of the defendant before and after the act, conduct or publication, including any apology or offer of amends made by the defendant.

(2) In an action for violation of privacy, the court may award punitive damages, taking into account the flagrancy of the violation of privacy and the conduct of the defendant.

Right of action in addition to other rights
7.(1) The right of action for violation of privacy conferred by this Act and the remedies available under this Act are in addition to, and not in derogation of, any other right or remedy available under any other law.

(2) Subsection (1) does not require damages awarded in an action for violation of privacy to be disregarded in assessing damages in any other proceedings arising out of the same act, conduct or publication that constitutes the violation of privacy.

Crown bound
8. The Crown is bound by this Act.




APPENDIX D

ALTERNATIVE APPROACH (SUMMARY)


1 An invasion of the privacy of an individual is a tort that is actionable without proof of damage.

2 An act is an invasion of privacy

(a) if it unduly intrudes into the personal affairs of an individual, or into his or her activities, whether in a public or a private place, or

(b) if it gives undue publicity to personal information concerning an individual.

3 Without limiting sections 1 and 2, an invasion of privacy may arise from

(a) surveillance of the individual,

(b) eavesdropping or intercepting an individual's communications, or

(c) publication of the personal documents of an individual.

4 The defences to an action for invasion of privacy are

(a) that the individual consented to the action complained of,

(b) that the action complained of was done in the exercise of a lawful right of defence of person or property,

(c) that the action complained of was authorized or required by law,

(d) that the action complained of was done by a peace officer when acting in good faith and in the course of his or her duty,

(e) that the action complained of was reasonable in all of the circumstances, and having regard to any relationship, domestic or otherwise, between the parties to the action,

(f) that the defendant neither knew nor reasonably should have known that the act, conduct or publication would violate the privacy of any individual, and

(g) that the action complained of was a publication that

(a) the defendant reasonably believed to be in the public interest; or

(b) was privileged under the law of defamation.

[No provisions on remedies are included.]