In July 1996, the Minister of Justice submitted to the Legislative Assembly, for review by the
Law Amendments Committee, a Discussion Paper entitled A Proposed Privacy Act for New
Brunswick. The Paper made recommendations for the content of legislation to protect the
privacy and confidentiality of personal information in the possession of the government of New
The Law Amendments Committee held public hearings in October and November 1996, and
reported in February 1997. Its report made two recommendations. The first gave general
approval to the proposals in the Discussion Paper. Legislation based on those proposals, the
Protection of Personal Information Act, was enacted in February 1998; preparations for its
proclamation will begin shortly. The Act will be referred to in the remainder of this paper as the
Public Sector Act.
The Law Amendments Committee's second recommendation was this:
    RECOMMENDATION 2
    Your Committee strongly recommends that the government prepare a discussion paper forthwith,
    for referral to public hearings, with regard to the extension of privacy legislation to the private
Explaining this recommendation, the Committee stated:
    Your Committee heard from various presenters that privacy legislation should apply not only to
    government bodies and agencies, but should be extended to the private sector. It was submitted
    that whether the body controlling personal data is within a government department or a private
    sector firm, personal information on private individuals must still be protected from
The present Discussion Paper is prepared in response to the Law Amendments Committee's
A threshold question raised by the recommendation is whether the new Discussion Paper should
adopt a broader or a narrower definition of its subject-matter. The 1996 paper was concerned
with what is often known as "data protection" -- the establishment of rules to govern the handling
of personal information that organizations collect in the course of their activities. On a narrow
view, examining the extension of privacy legislation to the private sector would simply involve a
discussion of private sector data protection legislation comparable to that in the Public Sector
On a broader view, however, "privacy legislation" might go much further. A common analysis
of privacy nowadays speaks of it as having three main elements: 'personal privacy', which is
the privacy of one's body, 'spatial privacy', which is privacy in relation to one's surroundings,
and 'information privacy', which deals with who knows what about you and what they may do
with it. Data protection falls largely within the realm of 'information privacy'; it is therefore
just one sub-component of "privacy" in a broad sense. Documents such as Privacy: Where Do
We Draw the Line? a 1997 report of the House of Commons Standing Committee on Human
Rights and the Status of Persons with Disabilities, argue that it is privacy in general, and not just
data protection, that is a matter of social concern and should be the subject of legislative action.
Though it might be possible for this Paper to restrict its attention to data protection legislation, it
is preferable to consider the broader context of privacy law at the same time. There is an
unavoidable connection between the two in relation to the remedies that might be established
under data protection legislation; what would be needed would depend in part on what already
existed, or might be established, under privacy law in general. There is also an important
connection in terms of the focus of any legislative measures that might be taken to promote
privacy interests. Is data protection the only, or the most pressing, area of concern? Examining
privacy legislation in general, as well as its data protection sub-component, enables questions
like this to be opened up for public debate.
This Paper therefore examines "privacy legislation" in a broad sense. It is organized in two
Parts. Part I deals with Data Protection in the Private Sector. This is the direct and narrow
continuation of the 1996 discussion paper and the Public Sector Act. This Part invites comment
on the question of whether data protection legislation for the private sector is desirable, and to
assist in the discussion it sets out the possible content of legislation on the subject. The model
used is based on the Canadian Standards Association's Model Code on the Protection of Personal
Information (hereafter "the CSA Code") and on the Public Sector Act, which itself draws heavily
on the CSA Code.
Part II, Privacy in General, examines existing legal remedies in New Brunswick for invasions of
privacy, and asks whether further legislative measures are called for. Two main questions are
considered. The first is whether New Brunswick should follow the example of several Canadian
provinces (though not all) in establishing legislation which makes an invasion of privacy a
specific 'tort' in its own right. A 'tort' is a wrongful act for which an aggrieved individual can
seek remedies in the courts; the typical remedies are damages, declarations and injunctions. The
second is whether remedies for infringements of privacy might be provided through agencies
other than the courts. Various options are mentioned, including the possibility that the mandate
of the New Brunswick Human Rights Commission might be expanded to include a role in
privacy protection along with the Commission's existing anti-discrimination functions. Both the
judicial and the non-judicial options considered in Part II would, if adopted, apply across the
board, not only to the private sector but to the public sector as well.
This Paper does not make specific recommendations on the various topics it considers. Instead,
it presents a number of propositions for discussion. Many of these are detailed and could provide
the basis for legislation if the present consultation indicates that legislation along those lines is
appropriate. At present, however, no decisions have been taken. Options range from enacting no
legislation, through various selections or combinations of the items discussed, to legislating on
all of them together. This Discussion Paper aims to assist in determining what the appropriate
policy choices should be.
This Part of the Paper asks two questions: "Is there a need for private sector data protection
legislation?" and "If so, what should it say?" The two questions are closely connected. The
more that can be said about the likely content of the legislation, the better informed the
arguments for or against it will be.
Conveniently, this Discussion Paper is being prepared at a time when a single document, the
CSA Code, dominates the debate in Canada about data protection in the private sector. The Code
was developed for the Canadian Standards Association by a Technical Committee made up of
representatives of the federal government, industry, privacy commissioners and advocacy groups.
The Code was developed as a voluntary one, which private sector organizations could adopt if
they chose, and which they could modify to suit their own particular requirements if they saw fit.
Subsequently, however, it has attracted attention as the possible basis for legislation, rather than
pure self-regulation. The federal government is promoting this position. It has stated its
intention to have data protection legislation in place for the federally-regulated private sector by
the year 2000, and its recently released consultation paper, The Protection of Personal
Information: Building Canada's Information Economy and Society (January 1998), places the
CSA Code at the centre of the discussion. Several Information and Privacy Commissioners in
Canada are among those who have commented favourably on the CSA Code as a basis for
It is not yet clear, however, that any consensus about the substance of the CSA Code will convert
itself into a consensus for legislation based on it. Though industries represented on the CSA's
Technical Committee have, in some cases, developed their own industry codes based on the CSA
Code, few of them have positively advocated the formalization of the Code into legislation.
Even where there is support for legislation in principle, there is a desire to see exactly how the
CSA Code would be turned into law before that support is made concrete.
This need for clarity makes it convenient that New Brunswick's Public Sector Act has been
prepared at the particular time that it has. The Act, which is set out in Appendix B, is squarely
based on the CSA Code. It therefore provides a specific example of how legislation inspired by
the CSA Code might be constructed. It is a model, furthermore, that could easily lend itself to
extension to the private sector if the present consultations determine that this is the right course
That, though, is the question at the heart of Part I of this Paper: whether extending comparable
legislation to the private sector is the right course to take. There is a big difference between the
government adopting legal rules to govern its own conduct and imposing similar rules on
everybody else. There are many Acts in New Brunswick that create special rules for the
operations of the public sector. They deal with things such as hiring practices, purchasing
practices, public finances and pay equity, to name just a few. Many of these Acts establish rules
that do not need to be in legislative form; legislating them is, in effect, a means of giving added
weight to a policy commitment. Arguably data protection rules might fall into this category.
Arguably, also, there may be special factors relating to the activities of the public sector, as
opposed to the private sector, that make it more important in the public sector that laws, rather
than policies, govern the use of personal information. The fact that the Public Sector Act is
capable of being extended to the private sector does not necessarily mean that it should be. The
appropriate policy and legislative choices for the two sectors may well differ.
Data protection legislation is in large measure a response to the increasing computerization of
society. As information can be more and more easily amassed and manipulated, concern is
expressed that organizations may have too much information about individuals, with too few
controls on what they may do with it. The concerns are expressed differently at different times
and in different contexts. The recent federal consultation paper, with its focus on electronic
commerce and "making Canada the most connected nation in the world" (p.1), says this:
    The challenge of the electronic age is that with each transaction we leave a data trail that can be
    compiled to provide a detailed electronic record of our personal history and preferences. The
    digitization of health, education, employment and consumer records makes it possible to
    combine information and create an individual profile with data that most of us consider to be
    extremely personal. This information may be sent across provincial and national boundaries
    where it can be sold, reused or integrated with other databases without our knowledge or consent.
Other descriptions might broaden the perspective to include other forms of information-gathering, not just electronic ones, and other uses to which information can be put, not just
In response to this, data protection laws attempt to establish a set of 'fair information practices'
for organizations to follow. The rules relate to what kinds of personal information organizations
can collect, how long they can keep it and what they can do with it. The rules also give
individuals a right of access to, and correction of, information about themselves. The general
purpose of the rules is to assert the individual's continuing interest in the information that
organizations obtain about him or her, and in what they do with it. The aim is to make it clear
that the information is not simply the organization's information, to do with as it will.
Data protection legislation applying to both the public sector and the private sector has been
adopted in most European states. For members of the European Union such legislation is
mandatory under Directive 95/46/EC (hereafter the "EU Directive").
Outside Europe, however, data protection legislation in general is less well established, and
private sector data protection legislation particularly so. Legislation from Hong Kong and New
Zealand, applying to both the public and the private sectors, was reviewed during the preparation
of this Paper. The Department of Justice is informed that Taiwan and Israel also have such
legislation in place. In other countries which have data protection legislation (e.g. Japan,
Australia and the United States) the focus is on the public sector.
In Canada, Quebec is unique in having data protection legislation for both the private and the
public sectors. Elsewhere (with the exception of Newfoundland and Prince Edward Island) there
is public sector legislation alone, though the public sector is defined more broadly in some places
than in others. In British Columbia, for example, the legislation extends to bodies such as the
governing bodies of self-regulating professions. Manitoba has recently enacted legislation
dealing specifically with the handling of "health information," whether in the public or the
Meanwhile the federal government has committed itself to enacting data protection legislation
for the federally-regulated private sector by 2000, and it is encouraging the provinces to develop
matching legislation for provincially-regulated activities. The federal government's recent
consultation paper mentions that forums such as meetings of Information Highway Ministers and
Consumer Affairs Ministers are being used for discussions of the subject. It also mentions that a
Uniform Data Protection Act is being developed by the Uniform Law Conference of Canada, a
conference at which delegations from the various jurisdictions attempt to develop model
legislation on matters on which harmonization of provincial laws is desirable.
Among the incentives to the federal government's activity in this area is the EU Directive.
Adopted in October 1995, the Directive requires all member states of the European Union to
have data protection legislation in force by October 1998 that meets the standards set out in the
Directive. One of those standards is that member states must prohibit the transfer of personal
information to non-member states unless an "adequate level of protection" for the information
exists there (Art.25), or unless, in the absence of that, the person transferring the information
"adduces sufficient guarantees," by contractual clauses or otherwise, for the protection of the
particular information transferred (Art.26). The recent federal consultation paper says that "This
Directive has the potential to make protection of personal information a major non-tariff trade
barrier with Canada" (p.8).
The argument in favour of extending data protection legislation to the private sector can
conveniently be taken from an address by Allan Rock, then the federal Attorney General, to the
International Conference of Data Protection Commissioners in Ottawa in September 1996.
When the federal government had first enacted data protection legislation, he noted, it had done
so for the public sector alone; at that time government was by far the main collector, storer and
user of information on individuals. Subsequently the government had moved to advocating data
protection in the private sector too, though by means of voluntary self-regulation. Since then,
however, it had reconsidered its view that self-regulation for the private sector was sufficient:
We have done so because it is obsolete. Modern information technology has made it infinitely
more feasible for businesses and other private institutions to amass and exchange data -- within
and across borders. Advances in computer and networking technology have multiplied and
magnified the challenges to privacy.
Meanwhile, Canada has been evolving rapidly from a resource-based economy to one based on
information and knowledge. In this environment, more and more private institutions are
collecting, using, and exchanging information about our consumption habits and services.
In this situation the Government of Canada takes the position that the protection of personal
information can no longer depend on whether that data is held by a public or private institution.
This does not mean that the rules governing the collection, use, communication and disposal of
personal information need to be exactly the same for every individual and organization. It does
mean that they should be based on a common set of principles. And it means that personal
information held in the private sector should be protected by law.
There are, however, differing views on this. In Australia the Commonwealth (i.e. federal)
Attorney General's Department issued a discussion paper in September 1996 examining the
expansion of data protection legislation to the private sector. In 1997, though, it was decided not
to take this step. The stated reasons were concern over the compliance costs for businesses, large
and small, and the need to reduce the regulatory burden rather than to add new compulsory
regimes. Since then there has been consultation in Australia on a national voluntary scheme for
self-regulation, leading to the recent release by the Commonwealth Privacy Commissioner of
National Principles for the Fair Handling of Personal Information (February 1998).
In the United States, too, discussions to date at the federal level have not apparently led to the
conclusion that wide-ranging data protection legislation is required. In Options for Promoting
Privacy on the National Information Infrastructure, a consultation paper issued in April 1997 by
the Information Policy Committee of the National Information Infrastructure Task Force,
legislated data protection was mentioned as an option, but only as one among several. The paper
also referred to arguments that acceptable market standards and practices were evolving and
should be left to do so, or that legislative solutions should be applied, in the future as they had
been in the past, to particular problem areas as they arose rather than on a comprehensive basis.
Wide-ranging data protection legislation for the private sector does not appear to be in prospect
in the United States at present.
Here, then, is the background to this first broad question of "Is there a need for private sector data
protection legislation?" On the one hand there is concern that, especially with modern
information technology, too much personal information is available to too many people, with too
few controls over what they may do with it. There is the desire to establish at least a general
framework of basic principles that reflect the individual's continuing interest in the information
that organizations possess about him or her, and there is the belief that legislation is the only
effective way of establishing a common framework that will be generally respected.
On the other hand there is concern both about the substance of the proposed rules and about their
practical impact on the organizations that would have to observe them. As to the substance, the
concern is that the legislation may create obstacles to desirable activities. As to the practical
impact, the complaint is that the legislation may impose excessive administrative burdens and
other costs. Doubt is also expressed about whether there is really enough of a problem in relation
to the handling of personal information to justify a legislative solution.
These are all issues on which input is required from the general public and from interested
parties. It seems unlikely that there will be any major disagreement about the broad principles
that private sector data protection legislation would be designed to promote: that personal
information should not be gathered or used inappropriately, and that, subject to reasonable limits,
individuals should be able to discover and correct what organizations know about them.
Opinions may be more varied, however, as to whether legislation is the right way of advancing
those principles, as to whether the legislation would actually achieve its objectives and as to
whether, on balance, more would be gained or lost by adopting it. Expressions such as
"inappropriately" and "subject to reasonable limits" are easy to use in abstract statements of
principle. They can become controversial, however, when one ultimately confronts the concrete
question of what, exactly, is or is not "inappropriate," or is or is not a "reasonable" limit.
The general objectives of data protection initiatives are laudable. Key questions for public
(a) whether legislation is the right way of advancing those objectives,
(b) whether legislation would achieve its objectives, and
(c) whether its benefits would justify the costs and restrictions it imposed.
The mere mention of things like the effectiveness of legislation and its costs and benefits
emphasizes the importance of providing the specifics of possible legislation, at least tentative
ones, in order to give respondents to this Paper something solid to react to. Fortunately, the
combination of the CSA Code and the Public Sector Act provides a good framework for a detailed
discussion of what private sector data protection legislation might say. In the current state of the
debate in Canada, the CSA Code is the obvious starting point for the development of possible legislation.
Possible data protection legislation for the private sector should take the Canadian Standards
Association's Model Code for the Protection of Personal Information as its starting point.
How closely, though, should data protection legislation follow the CSA Code? Some
explanation is needed here of the structure of the Code. It consists of ten Principles and six
Definitions, with a Commentary on each of the Principles, and in two instances, an explanatory
Note. The Notes are important. Their purpose is to explain how the key Principles on "Consent"
and "Individual Access" are to be applied when competing imperatives such as the protection of
public health or security are at issue. These Notes, the Code explains, are considered to form an
"integral part" of the Principle to which they relate (para.3.1.2).
One approach that has been suggested to establishing data protection legislation based on the
CSA Code is simply to adopt the Code in its entirety. According to a paper presented at the 1997
meeting of the Uniform Law Conference of Canada, that would be the preference of some of the
people who have been involved in the consultations on the subject. The mechanism would
presumably be a form of legislative cross-reference, as is done from time to time with CSA
This does not appear to be the right approach to general legislation governing the protection of
personal information. If there is to be legislation on the subject, it is because there are important
social values to assert, and if there are, the Legislature should express them directly rather than
by reference to a non-statutory code. This is even more the case if one of the advantages of
adopting the CSA Code by cross-reference is, as some proponents of this method apparently
suggest, that doing so would make it easier to update data protection standards as the CSA Code
is revised and improved with the benefit of experience. The implication is that the CSA's
judgments on appropriate standards of data protection over time would become authoritative. It
is doubtful that this would be appropriate.
If, then, legislation should not simply adopt the CSA Code by reference, what should it do?
Carrying forward the entire text of the Code into legislation does not seem possible. Much of the
Commentary, in particular, is expressed in terms of explanation, description and examples, and
would be out of place in a legislative text. The result is that data protection legislation that takes
the CSA Code as its starting-point must at best be selective, carrying forward into the legislation
those parts of the Code that belong there, and leaving other material out.
The ten Principles of the CSA Code, its basic statement of 'fair information practices', are the
central feature of the Code and can be adopted virtually verbatim as the basis of the legislation.
This is what the Public Sector Act has done. Part of the reason for following the text of the
CSA's Principles so closely is that the consensus they represent was apparently a delicate one
and was not easily attained. The paper presented to the Uniform Law Conference's meeting in
1997 suggested that the consensus might evaporate if data protection legislation adopted different
wording. The CSA Code has also been adopted by the Standards Council of Canada as a
National Standard of Canada. Though some changes in the wording of the Principles seem to be
required if the ten Principles become law, the changes are minor. The details and the
explanations are given in the pages that follow.
As for the Commentary, the Notes and the Definitions, these are best viewed as source material
in determining what needs to be added to the CSA Principles in data protection legislation in
order to give sufficient guidance as to how the Principles are to be interpreted and applied. In the
Public Sector Act, the ten Principles are placed in Schedule A as a "Statutory Code of Practice,"
and a Schedule B is added dealing with "Application and Interpretation of the Statutory Code of
Practice." Private sector legislation could proceed in similar fashion.
Data protection legislation should adopt the ten "Principles" of the CSA Code verbatim, as
far as possible. The "Definitions," "Notes" and "Commentary" in the CSA Code should serve
as source material for data protection legislation, with key elements being adopted as
B.1 The scope of data protection legislation
As was noted on p.1 of the Department's 1996 discussion paper, there are two preliminary
matters that together determine the scope of a data protection Act: "To whom will the Act
apply?" and "What is meant by `personal information'?"
a. To whom will the Act apply?
In the 1996 discussion paper, this was a relatively straightforward issue. The discussion paper
only dealt with the provincial government, so all that had to be decided was how the provincial
government should be defined. A listing of "government bodies" was the approach
recommended. When one moves beyond the public sector, however, the issue becomes less
clear. There are many kinds of organization to which 'private sector' data protection legislation
could apply. Commercial enterprises are obviously one. However, non-profit organizations such
as charities, churches, political parties and trades unions may also collect and use personal
information. They are likely to possess at least such things as membership lists and personnel
files, which are 'personal information' that must be maintained in accordance with data
protection principles. Even within the strictly commercial sector, there may be questions as to
how or whether data protection legislation should apply to operations such as small family
businesses or single person professional practices.
The CSA Code is expressed in terms of what "organizations" must do, and "organization" is
defined broadly, as including "associations, businesses, charitable organizations, clubs,
government bodies, institutions, professional practices, and unions" (para.2.1). In context that
definition is of limited significance. The CSA Code is a voluntary one; it only applies to those
organizations that choose to subject themselves to it. Nonetheless, a broad definition along these
lines seems appropriate, even in a legislative context that imposes obligations on anyone who
comes within the definition. Most organizations, even small ones, possess personal information,
and even in small organizations some of that information may be sensitive and susceptible to
misuse. Single-person professional practices such as doctors will possess individuals' medical
records. Small businesses like corner stores may possess things such as records of people's
video rental habits -- misuse of which led in the USA to enactment of the Video Privacy
Protection Act 1988. Data protection legislation must be careful not to impose on small
organizations levels of obligation that they cannot reasonably be expected to attain -- a point to
which this Paper will return periodically -- but at the present stage of this discussion it seems
better to proceed on the basis that organizations of all kinds and sizes may be included in the
One point that the EU Directive makes, though, and seems worth stating, is that data protection
legislation does not apply to the activities of "a natural person in the course of a purely personal
or household activity." A clarification along these lines seems necessary once one says that data
protection legislation might apply to an individual when acting in a business capacity in his or
her own right. In such a case one must differentiate the commercial activities of the individual,
to which the legislation would apply, from the personal ones, to which it would not. The EU
Directive makes the necessary distinction.
Data protection legislation could apply to all incorporated and unincorporated organizations,
and to individuals when they collect and use personal information for purposes other than
personal and household ones.
The EU Directive contains the further qualification that, while data protection legislation must
apply to all "automatic" (i.e. computerized) processing of personal information, it only needs to
apply to "manual" processing where the personal information forms part of a "filing system" --
i.e. "any structured set of personal data which are accessible according to specific criteria,
whether centralized, decentralized or dispersed on a functional or geographical basis." Similar to
this is the provision in the Quebec legislation that makes 'establishing a file' on a person the
triggering point at which the law will begin to apply.
The CSA Code does not differentiate manual and automatic records systems, nor does it
expressly adopt a criterion of 'establishing a file' on an individual. On this point the present
Discussion Paper will follow the CSA Code. Given that the objective is to explore the CSA
Code as the basis for private sector data protection legislation, it seems more natural to start
where the Code starts, and see where that leads. If it turns out that the result is too broad, and
that this could be remedied by including some concept of 'establishing a file', that concept could
probably be incorporated.
b. What is meant by "personal information"?
The CSA Code contains a definition, and it is a fairly conventional one. Personal information
means "information about an identifiable individual that is recorded in any form" (para.2.1). S.1
of the Public Sector Act is identical in substance, and adds in s.1(3) the clarification that
    An individual is identifiable for the purposes of this Act if
    (a) information includes his or her name,
    (b) information makes his or her identity obvious, or
    (c) information does not itself include the name of the individual or make his or her identity
    obvious but is likely in the circumstances to be combined with other information that
Two features of a definition of this sort should be underlined. The first is that "personal
information" does not have to be sensitive or particularly private information. It merely needs to
be "information about an identifiable individual." To that extent the definition, and thus the
scope of the legislation, is broad.
It is narrowed, however, by the requirement that the information be "recorded in any form."
Personal information would not come within the scope of the legislation unless some form of a
record of the information is made. It would be possible, of course, for legislation to be more
encompassing than this. Part III of Ontario's (public sector) Freedom of Information and
Protection of Personal Information Act, for example, extends data protection principles to
personal information which does not exist in a recorded form. Adopting this approach would
widen the scope of the legislation. On the other hand, the reference to "files" in both the EU
Directive and the Quebec legislation, referred to above, appears to be a little narrower. For
present purposes, however, the CSA's definition appears to be relatively standard, and this
Discussion Paper will follow it.
- Data protection legislation could adopt the CSA Code's definition of personal information:
"information about an identifiable individual that is recorded in any form."
B.2 The CSA Principles
The next several pages will analyze the CSA Principles as the possible elements of a statutory
code of practice. The discussion will look at each of the Principles in turn. In a few cases minor
changes of wording will be suggested, but in all cases the major question will be whether the
Principle would need to be supplemented, in data protection legislation, by additional material
designed to govern its interpretation and application. Once the Principles have been reviewed,
other key elements of a legislative package based on the CSA Code will be examined.
Enforcement of the legislation is the major element here. This is something that the CSA Code
did not have to deal with, because of its voluntary nature, but which legislation must.
In considering the Principles, the broad definitions of "organization" and "personal information"
must be borne in mind. The Principles are designed to apply to all organizations, whether small
or large, to light users of personal information as well as heavy ones, and to all kinds of personal
information, whether sensitive or not. The Principles therefore set out a broad framework for a
wide variety of situations. Their application in specific cases will often require the exercise of
judgment by the organization in question.
CSA Principle 1 -- Accountability
- An organization is responsible for personal information under its control and shall designate an
individual or individuals who are accountable for the organization's compliance with the
The purpose of this principle is to state each organization's responsibility for making the
legislation work, and to make sure that in every organization somebody is clearly assigned that
task. There are, however, some practical issues raised by the way in which the principle is
worded. One is that the Principle may leave open the possibility of there being a gap in
`accountability' unless and until the organization takes the positive administrative step of
`designating' somebody. Another is that the Principle applies more naturally in a large
organization than a small one. In a small organization (which under Proposition #4 may be no
more than a single individual) it will sometimes seem odd to speak of "the organization" as
"designating an individual" to be accountable for compliance with the Code.
In the Public Sector Act the first problem was dealt with by amending the wording of CSA
Principle 1 to make the "chief executive officer of a public body, and his or her designates,"
accountable for compliance. The second problem did not arise, because "public bodies," though
some are actually surprisingly small, all have an organizational structure in which a "chief
executive officer" (by whatever official title) can be readily identified.
In the private sector, where organizational forms may be more diverse, a slight variant of this
approach is required. The legislation should establish a default position which should apply
unless and until the "organization" takes positive steps to alter it. If the organization has an
identifiable Chief Executive Officer, that person should initially be accountable for compliance with the legislation. In organizations with a less clear internal administrative
structure, a comparable default position would be to place accountability for compliance with the
data protection principles on the person or persons who control the activities of the organization.
In most cases it should be obvious who fits this description. Occasionally, though, it may not be.
An example might be a three-person partnership where the partners had equal voting rights. In a
case such as this it would be the partners collectively who controlled the activities of the
organization. Under the suggested default rule, therefore, the partners collectively would be
accountable for compliance unless and until they made some other "designation".
- Unless and until a designation is made under CSA Principle 1, the person accountable for an
organization's compliance with the data protection principles should be
- (a) the organization's Chief Executive Officer, if it has one; or
- (b) in an organization without a Chief Executive Officer, the person or persons who control
the affairs of the organization.
CSA Principle 2 -- Identifying Purposes
- The purposes for which personal information is collected shall be identified by the organization at
or before the time the information is collected.
The idea that the "purposes" for which personal information is collected should be "identified" is
one of the central principles of the CSA Code and of other data protection documents. The
identified purposes become key to decisions under CSA Principles 4 and 5 about what pieces of
information an organization should collect and what it can do with the information once
collected. There are, however, both conceptual and operational challenges connected with the
identifying of purposes.
A small point that can be disposed of quickly is the question of whether there are limits on the
purposes for which organizations can collect personal information. The CSA Code is entirely
open-ended on this. By contrast, the Public Sector Act (Sch.B, para.2.1), along with the
comparable legislation of other Canadian provinces, specifies that public bodies can only collect
personal information for purposes that directly relate to the activities of the public body. A
similar restriction should be acceptable in the private sector too.
- The purposes for which an organization collects personal information
must be legitimate and must directly relate to an existing or proposed activity of the organization.
More complex are some issues relating to what `identifying purposes' really involves. Studying
the CSA Code suggests that there are really two aspects to this. One is a purely internal process,
in which an organization identifies to itself why it wishes to obtain personal information. The
other is an external process, which relates to what the individual must be told about the purposes
of the collection. On the face of things, CSA Principle 2 applies more naturally to the latter.
However, the Commentary complicates this. It adds that an organization "shall document" its
purposes, thus emphasizing the internal aspect of the identification of purposes. It is less
categorical, though, about what kind of external explanation must be given to the individual.
Para. 4.2.3 says that "The identified purposes should be specified at or before the time of
collection to the individual from whom the information is collected," but the use of the word
"should" is both deliberate and significant. Para. 3.1.3 points out that the use of the word
"should" indicates a "recommendation" as opposed to a "requirement."
In the Public Sector Act CSA Principle 2 (which is Principle 2 of the Statutory Code of Practice
in Schedule A) is considered to be substantially a requirement for an `external' explanation of
purposes, but not necessarily a formalistic one. In the ordinary nature of things, most collections
of personal information will be accompanied by at least some indication of why the organization
wants the information. Perhaps this might be as little as a brief introduction to a conversation or
to a letter. A requirement to "identify purposes" in this sense does not seem over-burdensome.
Schedule B of the Public Sector Act also contains a requirement that public bodies "document,
in relation to any personal records system, the purpose or purposes for which the information in
the system is held" (para.2.2). A personal records system is defined as "a computerized or
manual records system that contains information about individuals and is structured in such a
way as to permit information about specified individuals to be easily recovered" (para.2.3).
Under this definition, virtually any organized repository of information about individuals (in the
plural) will be a "personal records system". Documenting the purpose for which the information
in the system is held effectively attaches that purpose to the use of the information in the system.
Would a similar obligation to "document . . . purposes" be appropriate in the private sector? Its
advantage is administrative clarity, especially in large organizations where it would help to
establish a shared understanding of what information can be collected and of the uses to which it
can be put. In small organizations, however, there is a danger that a general duty to document
purposes may merely create an administrative obligation that contributes little to the privacy of
the individual. Is it really worthwhile, for example, to require a formal `documentation of
purposes' by an organization such as an individual businessperson when the purposes for which
he or she holds personal information are obvious and he or she is the only person who will be
using it? Even in large organizations, some people might argue, `documentation of purposes'
will normally occur in practice without the need for a formal requirement to be imposed by the
- CSA Principle 2 could be supplemented by a requirement that organizations document the
purposes for which they maintain personal records systems, but if it is, such a requirement
should not apply where documentation would be superfluous to proper administrative
One point which the CSA Code does not deal with is this. What happens if, in particular cases,
the internally documented purposes do not match the explanation that is given to the individual?
In such a case it would be the explanation that was given to the individual that must prevail. The
use that could be made of the information would depend not on the `documented' purpose that
the organization had failed to explain adequately, but on the explanation actually given, and what
the individual could properly be considered to have `consented' to (in the sense described under
CSA Principle 3, below) in the light of that explanation.
This would not mean that an organization that is collecting personal information must, in all
cases, mechanically recite to the individual the `internal' purposes as the organization has
centrally documented them. Though in some cases this might be relatively straightforward and
appropriate, in others it might not. It is likely, for example, that an organization's documented
version of its purpose will be expressed in general, and perhaps bureaucratic, language. If so,
reciting it may have little explanatory value. In other cases doing so will be merely stating the
obvious -- perhaps because the individual's approach to the organization has clearly established
the context in which the information is requested and given. More often, perhaps, whatever
purpose may be documented internally will be accompanied by some other explanation more
directly tailored to the particular contact between the organization and the individual. Perhaps
different explanations may be better at different times or for different pieces of information. It
does mean, however, that the onus is on the organization to ensure that whatever it identifies
internally as being its purposes must be adequately explained to the individual, by whatever
means the organization chooses to do so, if it wants to be sure that its `documented' purpose will
actually match what it is permitted to do in accordance with the `consent' of the individual.
- Where an organization's documented purposes do not match the explanation given to the
individual, the latter should prevail, in accordance with CSA Principle 3 -- Consent.
CSA Principle 3 -- Consent
- The knowledge and consent of the individual are required for the collection, use or disclosure of
personal information, except where inappropriate.
There are three key issues arising under this principle. The first relates to its wording. The
second relates to the issue of "implied consent" as opposed to "express consent." The third
relates to determining when a requirement of consent is "inappropriate".
CSA Principle 3 refers to "knowledge and consent" as being required not only for "collection"
but also for "use and disclosure". Para.4.3.2 of the Commentary makes it clear that the
expression "knowledge and consent" was used deliberately. There is, however, an inconsistency
of language with CSA Principle 5, which also deals with "use and disclosure" but which only
requires "consent," not "knowledge and consent."
In a legislative text, inconsistencies of this sort should be avoided. The best way of doing this is
to remove the words "knowledge and" from CSA Principle 3. In relation to "collection," nothing
seems to be lost by doing so, since "consent" is the broader term; it is hard to see that one can
"consent" to a collection without having "knowledge" of it. In relation to "use and disclosure,"
by contrast, it would be problematic if both "knowledge" and "consent" were required as separate
criteria. One can presumably "consent" to a use without ever "knowing" whether it actually
occurs. If "knowledge" here were an additional requirement, the result would be to impose an
obligation which could be difficult to meet.
- The essence of CSA Principle 3 is "consent." Data protection legislation should not include
"knowledge" as a separate and independent criterion which must be satisfied.
b. Express and implied consent
- The CSA Code makes it clear that "consent" may be express or implied (para.2.1). The
- Express consent is consent given explicitly, either orally or in writing. Express consent is
unequivocal and does not require any inference on the part of the organization seeking consent.
Implied consent arises where consent may reasonably be inferred from the action or inaction of
the individual. (Para.2.1)
The idea of implied consent seems essential to a workable data protection statute. To require
express consent for every collection, use or disclosure of personal information would be
impossible. When an individual requests a service, for example, there is only an implied
consent, not an express one. Consent might also often be implied when an organization took
action for the benefit of the individual. Implied consent is especially important to legislation
based on the CSA Code. Unusually among the data protection documents that have been
reviewed in the preparation of this Paper, the CSA Code does not explicitly allow organizations
the flexibility of using information for a purpose that is "consistent with" the purpose that is
actually identified to the individual. In the conceptual framework of the CSA Code it is apparently the notion of "implied consent" that must cover the ground that, in other
codes, is addressed through the statutory authorization to act for "consistent purposes."
The CSA Commentary suggests that it is the "reasonable expectations of the individual" (para.
4.3.5) that are the key to determining when "implied consent" exists. This seems an acceptable
approach. It rightly focuses attention on what the individual should expect to be done with the
information he or she provides, rather than on what the organization might consider reasonable
from its own point of view.
- Proposition #11
- Data protection legislation must include the concept of implied consent, based on the
reasonable expectations of the individual.
Is it necessary for data protection legislation to explain "implied consent" more extensively than
by simply referring to the "reasonable expectations of the individual"? It would be impossible
to give an exhaustive definition, but the Public Sector Act contains a provision that expands on
the idea in two ways. It states that an individual must be "unlikely to disapprove of" an action if
consent is to be implied, and it sets out the major factors that a public body should take into
consideration. The following Proposition is taken directly from Sch.B, para.3.2 of the Public
Sector Act, with a few minor changes of expression:
- The actions for which consent can be implied should be those that the individual should
reasonably expect the organization to take, and would be unlikely to disapprove of, having
- (a) the nature of the personal information in question, including whether it is or is not
sensitive or confidential,
- (b) any benefit or detriment to the individual,
- (c) any explanation that the organization has given of its intended actions,
- (d) any indication that the individual has given of his or her actual wishes, and
- (e) the ease or difficulty with which the actual wishes of the individual might be
c. "Except where inappropriate"
Principle 3 requires consent for collection, use or disclosure "except where inappropriate". In its
Note to Principle 3 (which "forms an integral part of the principle" -- para 3.1.2) the CSA Code
- In certain circumstances personal information can be collected, used or disclosed without the
knowledge and consent of the individual. For example, legal, medical, or security reasons may
make it impossible or impractical to seek consent. When information is being collected for the
detection and prevention of fraud or for law enforcement, seeking the consent of the individual
might defeat the purpose of collecting the information. Seeking consent may be impossible or
inappropriate where the individual is a minor, seriously ill, or mentally incapacitated. In
addition, organizations that do not have a direct relationship with the individual may not always
be able to seek consent. For example, seeking consent may be impractical for a charity or a
direct marketing firm that wishes to acquire a mailing list from another organization. In such
cases, the organization providing the list would be expected to obtain consent before disclosing
personal information. (para.4.3)
The concept of "except where inappropriate" is one of the trickiest to set out in legislation.
Canadian public sector data protection Acts bear ample witness to the difficulty of the task. Over the
years they have developed increasingly long lists of permitted non-consensual collections, uses
and disclosures. These include some substantial and obvious provisions, such as permitting
disclosure to protect the health or safety of another individual. They also sometimes include
provisions that raise more questions than they answer, such as disclosure to legal counsel. It
seems surprising that disclosure to one's legal counsel should need express authorization under
the Act. And if it does, what does this imply about possible disclosures to other professionals or
consultants that the Act does not expressly mention? The lists in the existing Acts also normally
include a general provision permitting collection, use or disclosure without consent if the public
interest clearly outweighs any invasion of privacy that may result.
The Public Sector Act makes an effort to shorten the list, and to rely on general statements rather
than specific ones. It also adopts a two-step approach, so that a public body must satisfy itself
not only that it is acting for a specified purpose but also that the action it is proposing is justified
in the circumstances. The following Proposition is based on the comparable provisions
of the Public Sector Act (Sch.B, paras.3.4 to 3.7), with some small changes of terminology, and
with the omission of para.3.5, which provides for disclosures in the interest of open government
and is specific to the public sector.
- Consent should not be required when an organization collects, uses or discloses personal
- (a) to protect the health, safety or security of the public or of an individual,
- (b) for purposes of an investigation related to the enforcement of an enactment,
- (c) to protect or assert its own lawful rights, including lawful rights against the individual,
- (d) to verify to a government body the individual's eligibility for a program or benefit for
which the individual has applied to that body,
- (e) for purposes of legitimate research in the interest of science, of learning or of public
policy, or for archival purposes,
- (f) as required or expressly authorized by law, or
- (g) for some other substantial reason in the public interest, whether or not it is similar in
nature to paragraphs (a) to (f).
- Before collecting, using or disclosing personal information without consent an organization
should consider the nature of the information in question and the purpose for which it is
acting, and must satisfy itself that in the circumstances that purpose justifies the action
- Any collection, use or disclosure of personal information without consent should be limited to
the reasonable requirements of the situation.
Proposition #13 does not, on its face, differentiate between collection, use and disclosure because
CSA Principle 3, to which it relates, deals with the three things together. In practice, however,
the different elements of Proposition #13 would have different impacts for different
organizations, depending on their activities and the particular decisions they had to reach. For
example, few private sector organizations would collect information for the purposes of
enforcing an enactment; this would not `directly relate to their activities' under Proposition #7.
Similarly, private sector organizations might rarely have a "substantial reason in the public
interest" for disclosing personal information, yet it seems important to keep the possibility open -- to ensure, for example, that they could at least disclose the information to the responsible public
authority. Use of "personal" information for research purposes is also likely to be unusual, since
normally the information could and should be used in an anonymous format and would therefore
not be personal information within the meaning of the CSA Code.
CSA Principle 4 -- Limiting Collection
- The collection of personal information shall be limited to that which is necessary for the purposes
identified by the organization. Information shall be collected by fair and lawful means.
The Public Sector Act sets out the sources from which personal information can be collected.
These are (a) from the individual, (b) from another person with the individual's consent, (c) from
a source and by means available to the public at large, and (d) from any source in cases in which,
under the Act's equivalent of Proposition #13, a public body can collect information without
consent (Sch.B, para 4.1). In private sector legislation, too, clarity on these points seems
The Public Sector Act also includes a provision stating that an individual shall not be refused any
service or benefit because he or she declines to provide information which is not in fact
necessary for a legitimate purpose of the public body (Sch B, para.4.2). The provision reflects
para.4.3.3 of the CSA Code.
One thing that the Act does not contain is any clarification of what "fair and lawful means" are.
The "lawful" part of this is self-explanatory, but while the Act was being prepared some thought
was given to whether the "fair" element could be clarified. The CSA Commentary says that "The
requirement that personal information be collected by fair and lawful means is intended to
prevent organizations from collecting information by misleading or deceiving individuals about
the purpose for which information is being collected" (para.4.4.2). This would certainly be one
example of an unfair collection method, but it is doubtful that the idea of `fairness' should be
limited by the legislation to specific situations such as this. `Fairness', though a general notion,
appears to be a clear enough idea that it can stand alone in the legislation without further
- Data protection legislation should state the sources from which personal information may be
collected, and should state that an individual shall not be refused any service or benefit
because he or she declines to provide personal information which is not necessary for the
identified purpose of the organization.
- The requirement that personal information be collected by fair and lawful means does not
need further explanation in data protection legislation.
CSA Principle 5 -- Limiting Use, Disclosure, and Retention
- Personal information shall not be used or disclosed for purposes other than those for which it was
collected, except with the consent of the individual or as required by law. Personal information
shall be retained only as long as necessary for the fulfilment of those purposes.
There is one point of wording in CSA Principle 5 that seems to need addressing. The Principle
refers to uses and disclosures that are "required by law." On a conventional legal reading of the
word "required," this would cover uses and disclosures that an organization was legally
compelled to make, but would not include situations in which there might be express legislation,
or perhaps an express ruling from a court or other legally authoritative agency, which authorized,
but did not require, a particular use or disclosure. This is a gap that the Public Sector Act filled
by expanding the phrase "except . . . as required by law" to become "except . . . as required or
expressly authorized by law" (Sch.A, Principle 5). The gap is particularly important in the public
sector, where many Acts confer discretions on Ministers or other government officials.
However, the same gap may exist in relation to the private sector.
- CSA Principle 5 should permit uses and disclosures that are "expressly authorized by law"
as well as those that are "required by law."
b. Inter-relation of "purpose", "consent" and "the law"
What is the relationship between the three possible justifications for a use or disclosure that CSA
Principle 5 sets out, namely, the purpose for which the information was collected, the consent of
the individual, and a legal requirement or authorization? In particular, what is the result when
these factors point in different directions?
In principle, the three bases set out in CSA Principle 5 should be seen as alternatives. If any one
of them exists, that is sufficient. On this basis one would say, for example, that an express
refusal of consent cannot bar an organization from taking an action that the law has expressly
authorized the organization to take.
In practice, however, there may be cases in which the relationship between identified purposes,
consent and the law may be more subtle. One might be where the individual, while voluntarily
providing information, expressly requests that it not be used in one particular way that falls
within an organization's documented purposes. If an organization accepted personal information
on this basis, it could not then rely on its documented purpose as governing the use of the
information. Others might arise where an individual's actual or likely wishes were relevant to
the balancing test for non-consensual action described in Proposition #13; those wishes would
then partially determine what was "expressly authorized by law." In preparing the Public Sector
Act, some thought was given to whether it was possible to provide any useful statutory guidance
on how the three alternative bases for the use and disclosure of personal information inter-related.
The conclusion reached was that it was not. The basic idea that the three were alternatives seemed
clear from CSA Principle 5, and the possible subtleties of their inter-relation in specific situations
could not be captured in a form that did not cause more confusion than it resolved.
- Data protection legislation need not elaborate upon the relationship between "purposes,"
"consent" and "the law" as alternative bases for the use or disclosure of personal information.
CSA Principle 5 requires that personal information shall only be retained for as long as is
necessary for the fulfilment of the purposes for which it was collected. In many cases
compliance with this obligation may lead to the destruction of personal information that is no
longer needed. Another way of ceasing to retain personal information, however, is to convert it
into a form in which the individuals to whom it relates are no longer identifiable. For clarity, it
may be wise for data protection legislation to spell out this second alternative.
- Data protection legislation should make it clear that an organization's duty not to retain
personal information can be satisfied by converting the information into a form in which the
individuals to whom it relates cease to be identifiable.
Another thing that should normally be clarified is how long the acceptable retention period is.
This is more easily done in relation to personal information in "personal records systems" than
other personal information. So far as "personal records systems" are concerned, part of the
process of establishing the system should include taking a decision on how long the information
will be needed, and what will be done with it when it has served its purpose. Some kind of time-lag is likely to be necessary so that personal information is not disposed of too soon. Both for
the organization and the individual there may be a need for information to be retained for some
time after it has been used.
Outside "personal records systems" -- in places such as policy or product development files
where "personal information" will sometimes appear incidentally -- a more flexible approach to
retention and destruction seems to be appropriate. To attempt to purge all incidental "personal
information" from such files would be a laborious task, and these kinds of files are, in the long
run, quasi-anonymous. Once the file is closed, any personal information it contains is relatively
inaccessible. Of course, if the `non-personal' file is later re-opened, any use or disclosure of the
personal information that remains there would still be subject to the legislation.
- Organizations should not be required to purge all personal information from `non-personal'
files in which the personal information appears incidentally.
CSA Principle 6 -- Accuracy
- Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes
for which it is to be used.
This Principle is self-explanatory. The main point that the CSA Commentary makes on it is that
"An organization should not routinely update information, unless such a process is necessary to fulfil the purpose for which the information was collected" (para.4.6.2). The
Principle should not, therefore, be mis-read as imposing a general obligation to keep personal
information up-to-date: an appropriate degree of "accuracy" is only really called for when
information is "used." This, though, seems clear enough from the relative terms in which CSA
Principle 6 is expressed.
- CSA Principle 6 is self-explanatory. Data protection legislation would not need to provide
additional guidance on its application and interpretation.
CSA Principle 7 -- Safeguards
- Personal information shall be protected by security safeguards appropriate to the sensitivity of the
The Public Sector Act removed the word "security" from CSA Principle 7. The reason was that
this word seemed to under-represent the scope of the Principle. The CSA Commentary says that
the safeguards must protect the personal information from "loss or theft, as well as unauthorized
access, disclosure, copying, use, or modification" (para.4.7.1). It also mentions that the methods
of protection should include physical, organizational and technological measures, as well as
making employees aware of the importance of maintaining the confidentiality of personal
information (paras.4.7.3 and 4.7.4). Though the word "security" catches some of the flavour of
this, it diverts attention from the idea that one of the principal safeguards against "unauthorized ...
disclosure [or] ... use" will be a proper appreciation of what kinds of use and disclosure are in
fact "authorized". Viewed in this broad sense, what CSA Principle 7 amounts to is placing an
obligation on organizations to take the necessary steps internally to make the legislation work.
Including the word "security" in the Principle seems to narrow its scope.
- The word "security" should be removed from CSA Principle 7 so as not to narrow its
b. What kinds of safeguards?
As noted above, the CSA Commentary specifically mentions various kinds of measures as being
intended to be included in the broad expression "safeguards." For clarity, it seems appropriate
that data protection legislation should do the same. On the further question of what kinds of
safeguards will be, in the language of CSA Principle 7, "appropriate to the sensitivity of the
information," consideration has been given to whether any further legislative explanation could
be given of what will make a safeguard "appropriate." It seems, though, that the simple
statement in the Principle is as satisfactory as a more detailed formulation is likely to be.
- Data protection legislation should specify that the safeguards to be implemented include
training and physical, technical, administrative and other measures, as appropriate in the
circumstances. It should not attempt to define what will make a safeguard "appropriate to
the sensitivity of the information."
c. Transfers to third parties
An important sub-issue that arises in relation to safeguards is this: what kinds of safeguards, if
any, should an organization put in place when it transfers personal information to another body?
The guiding principle here is that an organization is responsible for personal information under
its control (CSA Principle 1), and that this responsibility continues to exist at least until the time
when the personal information is transferred. The organization must ensure, therefore, that the
transfer is authorized by law, by consent or by the purpose of the original collection (CSA
Principles 3 and 5), and under the Safeguards Principle it must take appropriate steps,
commensurate with its responsibility under CSA Principle 1, to protect the personal information.
What those steps will be will depend on the circumstances. In many cases compliance with CSA
Principles 3 and 5 will be sufficient. This will be the case if the receiving organization is also
subject to the legislation, since the receiving organization's use will be limited to the legitimate
purpose for which the transferring organization is disclosing it. In other cases the receiving
organization may be under a professional or contractual obligation of confidentiality which the
transferring organization can rely on as making additional safeguards unnecessary. In some
cases, however, there may be no such context of legal protection for the information, and the
transferring organization may have to take steps to ensure that the terms of the transfer are
consistent with the organization's responsibilities.
Can data protection legislation go further than this, and spell out what those steps should be?
This seems doubtful. Contractual terms may sometimes be effective, particularly in the context
of an ongoing relationship between the organizations in question, but it would be very difficult to
identify particular situations in which a transferring organization must put contractual measures
in place. Unless the legislation were prepared to identify those situations, it would effectively be
leaving the decision to the organization, and this, in turn, would amount to little more than the
general statement that the transferring organization must put in place `appropriate safeguards'.
- Data protection legislation should make it clear that "appropriate safeguards" may be
required when an organization transfers personal information to another organization, but
it should not require specific forms of safeguards.
CSA Principle 8 -- Openness
- An organization shall make readily available to individuals specific information about its policies
and practices relating to the management of personal information.
Like others among the CSA Principles, Principle 8 seems to apply more naturally in large
organizations, which are likely to have formalized "policies and practices," than in small ones.
Even in small organizations, however, it seems possible to give the Principle an intelligible
meaning. The individual can ask what the "policies and practices" are. The organization, in
reply, must explain whatever the true state of affairs is. All organizations should presumably be
able to do this much.
- CSA Principle 8 is self-explanatory. Data protection legislation need not attempt to clarify its
CSA Principle 9 -- Individual Access
- Upon request, an individual shall be informed of the existence, use and disclosure of his or her
personal information and shall be given access to that information. An individual shall be able to
challenge the accuracy and completeness of the information and have it amended as appropriate.
a. Wording
CSA Principle 9 is the second of the two Principles that are accompanied by a Note -- which is
an "integral part of the principle" (para.3.1.2). The Note explains why the right of access cannot
- Exceptions may include information that is prohibitively costly to provide, information that
contains references to other individuals, information that cannot be disclosed for legal, security,
or commercial proprietary reasons, and information that is subject to solicitor-client or litigation
Data protection legislation elsewhere regularly includes exceptions along these lines. In the
Public Sector Act, the words "except where inappropriate" were added at the end of the first
sentence of CSA Principle 9 to indicate that the individual's right to information is not
unqualified. The same addition would seem to be called for in private sector legislation.
- The words "except where inappropriate" should be added to the right to information in CSA
b. The nature of the right
Though CSA Principle 9 is headed "Individual Access," it actually appears to include two
elements: a right to "be informed" as well as a right to be "given access." In practice, the right
to information may well be more used than the right to access, which is in effect a right to
documents. The organization's obligation under the Principle is triggered by a request from the
individual. In most cases it seems likely that the individual will simply ask for information, and
a straightforward reply will satisfy CSA Principle 9.
There may be cases, of course, in which an individual specifically requests access to documents.
In this case, assuming that it is not unduly onerous or expensive to allow the request (see c.
Exceptions to access, below), and that none of the other substantive exceptions apply, the
documents should be made available. In some cases, perhaps, documents may be withheld on
the basis of one of the exceptions, but information as to at least part of their contents should still
be provided in order to meet the organization's obligation under this Principle.
In the Public Sector Bill there was no need to clarify this relationship between "information"
and "access," since the matter is dealt with by the Right to Information Act. In private sector
legislation, however, the relationship should be made clear.
- Data protection legislation should make it clear that, under CSA Principle 9, providing
information is sufficient unless access to documents is specifically requested.
c. Exceptions to access
Under the Public Sector Act the Right to Information Act is relied upon to provide the exceptions
to the individual's right to information. Most "public bodies" are subject to that Act already.
Private sector legislation, however, should spell out its own list of exceptions.
Part of the list would be a counterpart of the one in Proposition #13, which describes when it is
appropriate to collect, use or disclose personal information without consent. In several of the
situations described, non-disclosure to the individual would be equally appropriate. There are
also, however, some grounds for non-disclosure that are specific to the context of `individual
access'. There is also the question of whether the list should include a general provision to deal
with situations not foreseen by the specific items listed, and of whether, if information is
withheld, an organization might nonetheless be expected in some cases to provide some
explanation of the substance of the information.
- An organization should not be required to disclose personal information to the individual
(a) where disclosure would be harmful to the health, safety or security of the public or an
individual, including the applicant;
(b) where disclosure would be prejudicial to an investigation related to the enforcement of
(c) where non-disclosure is required or expressly authorized by law, or where the
individual would have no right to obtain the information in legal proceedings;
(d) where the information was provided by another person in confidence, or is confidential
(e) where the information requested is inextricably linked to the personal information of
(f) where the information requested would be unduly expensive or onerous to provide.
Consideration should also be given to authorizing non-disclosure when there is some other
legitimate and substantial reason for not providing the information requested.
Non-disclosure should be limited to the reasonable requirements of the situation. If it is
practicable to explain the substance of the information withheld without prejudicing the
reason for withholding it, the organization should do so.
CSA Principle 9 says nothing about the procedure by which individuals may obtain the
information, materials or corrections to which they are entitled. By inference, it leaves it up to
each organization to establish its own procedures.
This appears to be acceptable. CSA Principle 9 covers many possible scenarios, ranging from
entirely informal requests, which organizations may readily and easily respond to, to situations
which may become adversarial. To establish a statutory procedure for all of these would not be
easy; it would also risk bureaucratizing the process. If data protection legislation were silent on
the question of access procedures, it would operate on the premise that the individual has rights and the
organization must respect them. Implied in this would be that the organization must deal with
the individual's request within a reasonable time, and that anything less than a genuine attempt to
permit the exercise of the individual's rights will be a violation of the Principle.
- Data protection legislation could be silent on the question of access procedures under CSA
Broadly speaking, the idea that an individual should be able to "challenge the accuracy and
completeness of the information and have it amended as appropriate" seems self-explanatory and
self-operating. An organization will presumably have little interest in having inaccurate or
incomplete information in its files. The problem of implementation that seems most likely to
arise under this element of CSA Principle 9, therefore, is that the individual and the organization
may disagree as to whether personal information is incorrect. If this occurs, the organization
should not be required to alter the information it possesses, but it should note that the individual
disputes its accuracy. It seems likely that this would occur in the ordinary course of events, even
without legislative reinforcement, but since CSA Principle 9 is silent on the question of
disagreements between the parties, legislative clarification is probably appropriate.
- When the individual has challenged the accuracy or completeness of personal information, but
fails to convince the organization, the organization should make a note that the individual
disputes the information in question.
CSA Principle 10 -- Challenging Compliance
- An individual shall be able to address a challenge concerning compliance with the above principles
to the designated individual or individuals accountable for the organization's compliance.
This Principle, it must be noted, is concerned with an internal review of compliance by the
organization itself; issues relating to external review by some other body are dealt with below,
under the heading Enforcement.
In an internal review process the main issue is maintaining the credibility of the process. In all
cases the organization is reviewing its own conduct, and in some cases, especially in small
organizations, the person conducting the review may well be the very person whose decision is
being questioned. This is unavoidable. What legislation can attempt to do, however, is
emphasize that the review process must be a genuine one. No doubt this is implicit in CSA
Principle 10, but for clarity, there is value in setting out in data protection legislation both the
organization's obligation to investigate in good faith and its duty to take appropriate measures if
it finds the complaint to be justified.
- An organization should be required to investigate in good faith the complaints it receives and
to take appropriate measures when a complaint is found to be justified.
B.3 Other Issues Arising
In Part 2 of the federal government's 1998 consultation paper two main issues that are not dealt
with in the CSA Code have been identified as requiring attention. The first is "Sectoral Codes".
The second is "Enforcement".
a. Sectoral Codes
The issue here is whether data protection legislation might permit or encourage particular sectors
of industry to develop their own codes, whether customized versions of the CSA Code or entirely
home-grown products, and if so, what the legal effect of those codes should be. The issue arises
out of a concern that the CSA Code, and data protection legislation based on it, is expressed in
terms that may not be totally applicable to all organizations or that it may be too general to give
useful guidance to what actually is or is not permissible in specific situations. A sectoral code
would allow an industry to develop rules that were sensitive to the particular requirements of its
The critical issue here is whether the sectoral code should have legal force, and in particular
whether it would prevail over the statutory Code if the two were in conflict. If so, it would be
necessary for the sectoral code to receive some kind of official approval from a body that had
legal authority under the Act. Otherwise, industries would effectively be being given the
authority to write themselves out of the legislation. If, on the other hand, the sectoral code could
not prevail over the statutory Code, there would be less need, if any, for an official approval
process. Whatever the sectoral code said, the statutory Code would still provide the governing
principles. The sectoral code, of course, would then be of less value from the industry's point of
view, since reliance on the sectoral code could never be a guarantee that the industry was
complying with the legislation.
While sectoral codes do have advantages -- as, indeed, do codes and policies internal to particular
organizations -- the better approach here seems to be that codes and policies should operate
within the framework set out in the legislation, and the legislation must prevail in case of
conflict. Admittedly the framework is expressed in general terms, but data protection is far from
the only context in which legal rules are stated in general terms, and organizations have to
develop policies and practices based on their best understanding of what the rules mean. If
specific kinds of organization, or specific activities, require more detailed legal rules than the
general principles in the statutory Code, it would be better to establish these by regulations under
the Act than by way of industry codes.
- Sectoral codes should not be given the force of law under data protection legislation. Data
protection legislation should include regulation-making authority under which, if necessary,
more detailed provision can be made in relation to particular kinds of organization or
information, or particular activities.
b. Enforcement
Enforcement is an issue that the CSA Code did not need to address, since the CSA Code was a
purely voluntary one, and would be entirely self-policed. In a legislative framework, however,
the question of what happens when the rules are broken must be dealt with. If the legislation
were silent on the subject, it would ultimately be the courts that interpreted the legislation and
decided what was implied by way of remedies.
The three basic approaches to the enforcement of legislation are (a) the penal remedy, (b) the
civil remedy, and (c) the administrative remedy. The penal remedy involves prohibiting
unacceptable conduct and punishing offenders; government lawyers are normally the
prosecutors, and fines are paid to the court. The civil remedy is a means by which individuals
can go to court in their own right, seeking compensation for, or the prevention of, a wrong done
to them. Any compensation is paid to the individual. The administrative remedy involves the
establishment of an agency outside the courts to enforce a particular piece of legislation; this
agency can be given a variety of remedial powers. The position of the individual and the role of
the courts will vary depending on what those powers are.
The penal remedy
The Public Sector Act makes it an offence for a public body, or an officer, employee or agent of a
public body, to collect, use or disclose personal information in wilful contravention of Principles
3 (Consent), 4 (Limiting Collection), or 5 (Limiting Use, Disclosure and Retention) of the
Statutory Code of Practice. A conventional interpretation of a "wilful" violation of an Act is that
it involves doing a wrongful act either knowing that it is wrong or acting with reckless disregard
as to whether it is wrong or not. Legislation prohibiting the wrongful disclosure of information
is more familiar in the public sector than the private sector, but an offence along these lines
might be appropriate in private sector legislation, too. Private sector legislation might also
establish an offence of wilful refusal to provide information, or to make a correction, to which an
individual is entitled under CSA Principle 9. This is a subject that does not arise under the
Public Sector Act, since enforcement of the individual's right of access takes place under the
Right to Information Act.
- Data protection legislation could make it an offence to wilfully violate CSA Principle 3
(Consent), 4 (Limiting Collection), 5 (Limiting Use, Disclosure and Retention), and 9
The civil remedy
Is there a place for civil remedies in data protection legislation? The basic civil remedies are
declarations, injunctions and damages. A declaration simply states what the law is or how it
applies to a particular set of facts. Injunctions also involve a ruling on how the law applies to a
particular set of facts, but add to this a mandatory element, requiring people either to take or not
to take a particular course of action. Awards of damages, finally, require one party to
compensate another for the harm arising out of a wrongful act.
What part might civil remedies play in the enforcement of data protection legislation? This
paper will first consider these remedies in isolation. It will then revisit the question in the light
of its discussion of administrative remedies. If a substantial administrative enforcement
mechanism were put in place, the part to be played by civil remedies might be much reduced.
The main function of the civil remedy, as opposed to the penal remedy, is to give an individual
who is the victim of a wrongful act a personal right to protect his or her own interests. It also has
a more general effect. While dealing with individual cases, the civil remedy allows courts to
provide authoritative and binding rulings as to what particular provisions of the legislation mean.
There is then a ripple effect as the court decision sets a standard to be followed by all
organizations that are subject to the Act. Court proceedings are often considered costly and
inconvenient. Nonetheless, people are sometimes prepared to litigate over matters that are
important to them, and the litigation can settle important points of principle. A prime example in
the `personal information' field would be McInerney v Macdonald (1992) 126 NBR (2d) 271, a
New Brunswick case in which the Supreme Court of Canada eventually established the right of a
doctor's patient to see a consultant's report.
Generally speaking, unless there is some administrative remedy making recourse to the courts
inappropriate, one would think that if a law is enacted, the courts should be able to say what it
means. Declarations, therefore, would appear to be a natural part of the scheme. Injunctions
would naturally follow. It would be odd to allow the courts to say what an Act means but to give
them no authority to require an organization to act as the legislation says it should. The idea that
organizations might be ordered to comply with the legislation is something to be borne in mind
when considering the detailed wording of legislation; it would be essential that the legislation
did not impose obligations that organizations could not reasonably be expected to live up to.
Unless unreasonable obligations are imposed, however, injunctions should not be problematic.
Awards of damages require more careful thought. A review of data protection materials from
elsewhere suggests that one may legitimately ask both (a) whether damages should be available
at all for breach of the data protection principles and (b) if so, in what circumstances. Most
existing public sector data protection Acts in Canada do not provide for awards of damages. In
Quebec, where legislation covers the private sector as well, the basic data protection provisions
are in the Civil Code, and awards of damages are available. In private sector data protection
statutes from common law jurisdictions outside Canada (there are none in Canada at present), awards of damages are approached with care. New Zealand's
Privacy Act 1993 expressly states that it creates no legal rights enforceable through the courts.
Compensation can be ordered by the Complaints Review Tribunal, but this is discretionary, not a
matter of entitlement. In the U.K., under the Data Protection Act 1984, damages can be awarded
in some situations, but not where an organization has taken "such care as in all the
circumstances was reasonably required" to prevent the violation from occurring. When the
amount of the compensation is assessed, the "distress" suffered by the individual can be taken
into account, but apparently "distress" by itself is not enough to entitle the individual to
compensation. The existence of "damage," it seems, is an essential precondition to the claim.
(See sections 22 and 23.)
There is good reason for caution in making awards of damages available for violation of data
protection principles. The principles set standards of good practice, but it is not necessarily the
case that every act that falls short of these standards, and is therefore less than `good', is
necessarily so `bad' that it should give rise to a claim for compensation if damage or distress
results. If "personal information" is defined as suggested in Proposition #5 -- as any information
about an identifiable individual, recorded in any form -- it will cover a wide range of material,
some of it sensitive, much of it not. The handling of personal information, and thus the
possibility of error, will abound in the everyday operations of most organizations, and the
implementation of the legislation will regularly involve decisions being made about what is
"appropriate" or not, or what is "reasonable" or not. The legislation could become burdensome if
every decision reached were liable to be questioned in the courts, with a potential liability to
damages arising out of any error in judgment, even where the organization had made genuine and
substantial efforts to comply with the legislation.
For this reason it seems wise, in relation to awards of damages, to build a margin of error into
data protection legislation, so that the mere fact that an organization falls short of the standards in
the Act, and damage results, would not of itself be sufficient to support a claim for
compensation. This margin of error might be defined in different ways. The U.K. legislation, as
noted above, uses lack of reasonable care as the test for an award. An alternative might be to
look at the consequences of the non-compliance, and say that it was only where these amounted
to a true `invasion of privacy' that compensation could be awarded. Preferable to either of these,
perhaps, would be to provide a test of `manifest inconsistency with the Act' as the threshold that
a plaintiff had to establish in an action for damages. Under such a test, reasonable but mistaken
actions would not expose organizations to liability for damages.
- Unless data protection legislation adopts administrative remedies that make civil remedies
unnecessary, declarations, injunctions and awards of damages should be available for the
enforcement of the legislation. However, awards of damages should only be made where an
organization's non-compliance with the Act causes loss and satisfies some additional criterion
such as being manifestly inconsistent with the Act.
The administrative remedy
In the public sector the issue of administrative remedies was relatively straightforward. A
statutory agency already existed -- the provincial Ombudsman -- with a mandate that naturally
included information-handling issues of the type that data protection principles involve. This
connection was officially recognized when the Province adopted its Personal Privacy Code in
1994; the Ombudsman was identified then as the body to oversee compliance with the Code.
The Department of Justice's 1996 Discussion Paper suggested that the Ombudsman should have
the same role under public sector data protection legislation. The Law Amendments Committee
confirmed that role, and this is now the effect of the Public Sector Act. Under that Act, the
administrative remedy through the Ombudsman is in fact the primary remedy, with judicial
remedies having a much more limited scope.
In the private sector, however, things are not so simple. There is no existing agency with a
mandate that naturally extends to data protection in all, or even many, of the "organizations" that
Proposition #4 suggests data protection legislation might cover. There are, however, many fields
of activity where there are statutory regulators whose mandates either do or could include data
protection issues. Regulated bodies include insurance companies, financial institutions,
collection agencies, private investigators and nursing homes, to name just a few. Self-regulating
occupations like lawyers and doctors also have statutory complaints mechanisms in place that
might deal with data protection matters -- and probably already do so in contexts such as client
confidentiality. Non-statutory complaints mechanisms have also been put in place by voluntary
standards-setting bodies such as industry associations. The recent federal consultation paper
mentions all of these bodies as potentially having a part to play in the non-judicial enforcement
of private sector data protection legislation (p.21).
Discussion of administrative remedies for data protection legislation tends to focus on whether a
designated data protection agency should be established to oversee compliance. The expression
`Privacy Commissioner' is often used to identify this agency, but the term is misleading. It
suggests that the agency might be concerned with `privacy' in the broad and more natural sense
of Part II of this Paper, rather than with the more limited `data protection' issues that are in fact
the agency's role. This Paper will therefore use the expression `data protection agency' rather
than `Privacy Commissioner'.
It must also be noted, of course, that establishing administrative remedies for data protection
legislation does not necessarily require the creation of a data protection agency. There are other
There are two broad reasons why one might establish administrative remedies for data protection
legislation. One would be to reduce the role that the courts might otherwise play in enforcing the
Act. This might be done if, for example, the obligations created by the legislation did not readily
lend themselves to judicial enforcement, or if there was concern that the legislation might expose
organizations to too much litigation over too many issues. The other would be that judicial
remedies, though appropriate to data protection legislation, could not cover enough of the
ground. They might be thought to be too slow and expensive to deal with ordinary non-compliance issues, and unable to deal with things such as prevention and education, which some
people would argue a data protection scheme must include.
The first of these reasons is essentially an assertion that judicial remedies are not appropriate to
data protection legislation. Some people might argue, for example, that the CSA Code must be
seen as an ethical statement rather than a legal one, that organizations cannot realistically be
expected to maintain the standards that it sets, and that they should not be exposed to law-suits
every time they fail to do so. On this basis an administrative remedy based substantially on
moral suasion might be seen as more appropriate than the courts.
The strength of such an argument depends on whether the CSA Code, and data protection
legislation based on it, does or does not accurately describe realistic standards of good practice.
It also depends on the nature of the judicial remedies proposed -- which, on the basis of
Propositions #31 and #32, would be (a) prosecutions for "wilful" violations of specific principles,
(b) damages where loss is caused by an action that is "manifestly inconsistent with" the
legislation, and (c) declarations and injunctions in any case of non-compliance. Whether this
balance of obligations and remedies is appropriate and realistic is an important subject for public
One point that is worth making, though, is that the obligations in the CSA Code are of a kind
that courts do enforce in other contexts. The Code incorporates flexible ideas like "except where
inappropriate" (CSA Principle 3) and the "reasonable expectations of the individual" (para.4.3.5).
The courts regularly deal with flexible concepts such as these; examples include "reasonable
care" in the law of negligence, and "reasonable expectations of privacy" under s.8 of the
Canadian Charter of Rights and Freedoms, to mention just two. The courts are, indeed,
probably more familiar than most administrative agencies with enforcing generic standards such
as these, and particularly so in applying them across a broad sweep of activities. It seems
unlikely, therefore, that the obligations in data protection legislation can be said not to lend
themselves to interpretation and enforcement by the courts. One might, perhaps, limit the role of
the courts on the ground that organizations and individuals would have a greater `comfort level'
in dealing with an administrative body when a dispute under the legislation arose. This, though,
is different from saying that the courts are not well suited to interpreting principles such as those
in the CSA Code.
This leads to the second of the reasons identified above for establishing administrative remedies
under data protection legislation -- that though judicial remedies might be appropriate to data
protection legislation, administrative remedies would be preferable. There are two main aspects
to this. One relates to complaints and the nature of the dispute resolution process. The other
relates to issues such as prevention and education, which, if they were part of the legislative
scheme, could obviously not be the function of the courts.
In relation to complaints, the argument for establishing an administrative remedy can be stated
quite bluntly. It is that litigation is expensive and intimidating, and most people, in most
situations, will not sue over the kinds of issues involved in data protection legislation. On this
argument, unless there is administrative enforcement, there will effectively be no enforcement at
all. Administrative enforcement, one might add, could operate largely by mediation and
conciliation, whereas judicial remedies tend to be confrontational.
Countering this is the view that administrative remedies are the exception rather than the rule for
most legal disputes. Though agencies such as rentalsmen, employment standards officers and
human rights commissions exist, normally the parties to legal disputes must sort things out
between themselves, or take their lumps, or sue. This is the position that the law takes on
'personal information' matters such as defamation or breach of confidence. The same applies in
relation to the fundamental human rights set out in the Canadian Charter of Rights and
Freedoms, including the right of privacy that the courts have held it implies. It is also largely
true of consumer protection statutes (under which consumers will probably use the small claims
procedure if the matter eventually comes to litigation). The consumer analogy is a relevant one
because much of the discussion of private sector data protection legislation, including the recent
federal consultation paper, places data protection in the context of the need to protect consumer
rights, especially on the information highway.
The creation of an administrative complaints procedure in data protection legislation should not,
therefore, be taken for granted. A choice is involved about costs, about benefits and about
priorities. On the one hand, administrative resources devoted to the enforcement of data
protection legislation should presumably improve the likelihood that 'fair information practices'
will be observed in practice. On the other hand, there are always many claims for administrative
resources, and it would not diminish the values promoted by data protection legislation if it were
simply left up to individuals to pursue their remedies by legal proceedings if they so chose.
Existing regulators would of course continue to be available to receive complaints within their
spheres of responsibility.
If an administrative complaint process for data protection legislation appears to be, in the
abstract, desirable, one must also ask what the process should involve. One possibility is that it
should be a process of mediation and conciliation, with no compulsory powers attached.
Arguably this would improve the prospects of reaching amicable solutions; on the other hand, it
might be criticized as being weak. If one moves beyond this, however, and adds compulsory
powers to the administrative remedy, a range of issues arises as to what those powers should be.
If binding orders could be issued, formal powers to hold hearings would presumably be
required. Along with them would probably go the power to summon witnesses and compel the
production of evidence. Powers to enter premises and inspect books and records might also be
called for. Enforcement mechanisms designed to ensure that the binding orders were complied
with would also have to be considered.
In short, one step leads to another. The issue for public discussion at this point is just
how far it is right to go in establishing an administrative complaint process. Three credible
points on the scale are (1) to rely on judicial processes entirely, (2) to have an administrative
process with no compulsory powers (the judicial process might still perhaps be available if
mediation failed), or (3) to have an administrative process with compulsory powers that would
probably be quite extensive. Which of these approaches is better suited to the goal of ensuring
that organizations follow 'fair information practices' in their handling of personal information?
The other issue that was raised earlier in relation to administrative remedies was whether
an administrative process could provide things that judicial remedies, being strictly
complaints-based, could not. One item mentioned previously was prevention; another was education.
If functions such as these enter the picture, the administrative remedy under data protection
legislation begins to take on the shape of a permanent body -- not necessarily a single-purpose
data protection agency, but at least a body with a continuing existence and data protection as one
of its functions. By contrast, a pure complaints mechanism, as described in previous paragraphs,
could be a more temporary entity, established to deal with complaints as they arose.
Nonetheless, some of the issues raised by these additional functions are comparable to those
raised in relation to the complaints mechanism. Prevention, on the face of things, seems
desirable. But if, in practice, prevention means that an administrative agency has the compulsory
power to enter the premises of any organization and inspect its records and practices, even in the
absence of a complaint, is it an appropriate power to confer in the interests of the proper handling
of personal information?
Prevention in another sense might mean giving advice to organizations so that they can ensure
that their practices comply with the legislation. Yet this too can be problematic, because
whatever advice the agency might give, it would also have to reserve the right to re-investigate
the matter with an open mind if an individual subsequently made a complaint about the action in
question. The agency's advice, therefore, could not be authoritative, and unless authoritative it
would be of questionable value to the organizations that sought it.
Education, in the pure sense of providing general information to the public about the legislation,
and advocacy, in the sense of trying to encourage governments and organizations to pay greater
attention to data protection issues in their decisions and practices, are perhaps less likely to cause
practical or technical difficulties. There is, however, a question of priorities and resources to be
addressed. As part of the mandate of a substantially complaints-oriented agency they might well
be desirable. As a mandate in themselves, however, in the absence of a substantial volume of
complaints, one might wonder whether they were justified.
It may be worth noting here that the volume of complaints received by the Ombudsman under
New Brunswick's public sector Personal Privacy Code in the first three years after its adoption
was small -- less than 25 complaints each year. Few conclusions can be based on these figures,
but they may at least indicate that policies under data protection legislation should not be based
on the assumption that the volume of complaints will be large. It will be interesting to see
whether the replacement of the non-statutory Personal Privacy Code in the public sector by the
Protection of Personal Information Act makes a difference to these figures.
- Administrative remedies are not essential to data protection legislation, but are a policy option.
Key issues for public discussion are
(a) whether judicial remedies alone would be appropriate and sufficient,
(b) whether an administrative complaints mechanism without compulsory powers would
serve a purpose,
(c) whether an administrative complaints mechanism with compulsory powers would be
over-intrusive or counter-productive,
(d) whether a non-complaints function can be identified that is substantial, viable, and a
strong reason in itself for devoting resources to an administrative agency with a specific
data protection mandate.