Legislative Assembly of New Brunswick
Legislative Committees
Home | Franšais


In July 1996, the Minister of Justice submitted to the Legislative Assembly, for review by the Law Amendments Committee, a Discussion Paper entitled A Proposed Privacy Act for New Brunswick. The Paper made recommendations for the content of legislation to protect the privacy and confidentiality of personal information in the possession of the government of New Brunswick.

The Law Amendments Committee held public hearings in October and November 1996, and reported in February 1997. Its report made two recommendations. The first gave general approval to the proposals in the Discussion Paper. Legislation based on those proposals, the Protection of Personal Information Act, was enacted in February 1998; preparations for its proclamation will begin shortly. The Act will be referred to in the remainder of this paper as the Public Sector Act.

The Law Amendments Committee's second recommendation was this:

Your Committee strongly recommends that the government prepare a discussion paper forthwith, for referral to public hearings, with regard to the extension of privacy legislation to the private sector.

Explaining this recommendation, the Committee stated:

Your Committee heard from various presenters that privacy legislation should apply not only to government bodies and agencies, but should be extended to the private sector. It was submitted that whether the body controlling personal data is within a government department or a private sector firm, personal information on private individuals must still be protected from inappropriate access.

The present Discussion Paper is prepared in response to the Law Amendments Committee's Recommendation 2.

A threshold question raised by the recommendation is whether the new Discussion Paper should adopt a broader or a narrower definition of its subject-matter. The 1996 paper was concerned with what is often known as "data protection" -- the establishment of rules to govern the handling of personal information that organizations collect in the course of their activities. On a narrow view, examining the extension of privacy legislation to the private sector would simply involve a discussion of private sector data protection legislation comparable to that in the Public Sector Act.

On a broader view, however, "privacy legislation" might go much further. A common analysis of privacy nowadays speaks of it as having three main elements: `personal privacy', which is the privacy of one's body, `spatial privacy', which is privacy in relation to one's surroundings, and `information privacy', which deals with who knows what about you and what they may do with it. Data protection falls largely within the realms of `information privacy'; it is therefore just one sub-component of "privacy" in a broad sense. Documents such as Privacy: Where Do We Draw the Line? a 1997 report of the House of Commons Standing Committee on Human Rights and the Status of Persons with Disabilities, argue that it is privacy in general, and not just data protection, that is a matter of social concern and should be the subject of legislative action.

Though it might be possible for this Paper to restrict its attention to data protection legislation, it is preferable to consider the broader context of privacy law at the same time. There is an unavoidable connection between the two in relation to the remedies that might be established under data protection legislation; what would be needed would depend in part on what already existed, or might be established, under privacy law in general. There is also an important connection in terms of the focus of any legislative measures that might be taken to promote privacy interests. Is data protection the only, or the most pressing, area of concern? Examining privacy legislation in general, as well as its data protection sub-component, enables questions like this to be opened up for public debate.

This Paper therefore examines "privacy legislation" in a broad sense. It is organized in two Parts. Part I deals with Data Protection in the Private Sector. This is the direct and narrow continuation of the 1996 discussion paper and the Public Sector Act. This Part invites comment on the question of whether data protection legislation for the private sector is desirable, and to assist in the discussion it sets out the possible content of legislation on the subject. The model used is based on the Canadian Standards Association's Model Code on the Protection of Personal Information (hereafter "the CSA Code") and on the Public Sector Act, which itself draws heavily on the CSA Code.

Part II, Privacy in General, examines existing legal remedies in New Brunswick for invasions of privacy, and asks whether further legislative measures are called for. Two main questions are considered. The first is whether New Brunswick should follow the example of several Canadian provinces (though not all) in establishing legislation which makes an invasion of privacy a specific `tort' in its own right. A `tort' is a wrongful act for which an aggrieved individual can seek remedies in the courts; the typical remedies are damages, declarations and injunctions. The second is whether remedies for infringements of privacy might be provided through agencies other than the courts. Various options are mentioned, including the possibility that the mandate of the New Brunswick Human Rights Commission might be expanded to include a role in privacy protection along with the Commission's existing anti-discrimination functions. Both the judicial and the non-judicial options considered in Part II would, if adopted, apply across the board, not only to the private sector but to the public sector as well.

This Paper does not make specific recommendations on the various topics it considers. Instead, it presents a number of propositions for discussion. Many of these are detailed and could provide the basis for legislation if the present consultation indicates that legislation along those lines is appropriate. At present, however, no decisions have been taken. Options range from enacting no legislation, through various selections or combinations of the items discussed, to legislating on all of them together. This Discussion Paper aims to assist in determining what the appropriate policy choices should be.

I. Data Protection in the Private Sector

This Part of the Paper asks two questions: "Is there a need for private sector data protection legislation?" and "If so, what should it say?" The two questions are closely connected. The more that can be said about the likely content of the legislation, the better informed the arguments for or against it will be.

Conveniently, this Discussion Paper is being prepared at a time when a single document, the CSA Code, dominates the debate in Canada about data protection in the private sector. The Code was developed for the Canadian Standards Association by a Technical Committee made up of representatives of the federal government, industry, privacy commissioners and advocacy groups. The Code was developed as a voluntary one, which private sector organizations could adopt if they chose, and which they could modify to suit their own particular requirements if they saw fit. Subsequently, however, it has attracted attention as the possible basis for legislation, rather than pure self-regulation. The federal government is promoting this position. It has stated its intention to have data protection legislation in place for the federally-regulated private sector by the year 2000, and its recently released consultation paper, The Protection of Personal Information: Building Canada's Information Economy and Society (January 1998), places the CSA Code at the centre of the discussion. Several Information and Privacy Commissioners in Canada are among those who have commented favourably on the CSA Code as a basis for legislation.

It is not yet clear, however, that any consensus about the substance of the CSA Code will convert itself into a consensus for legislation based on it. Though industries represented on the CSA's Technical Committee have, in some cases, developed their own industry codes based on the CSA Code, few of them have positively advocated the formalization of the Code into legislation. Even where there is support for legislation in principle, there is a desire to see exactly how the CSA Code would be turned into law before that support is made concrete.

This need for clarity makes it convenient that New Brunswick's Public Sector Act has been prepared at the particular time that it has. The Act, which is set out in Appendix B, is squarely based on the CSA Code. It therefore provides a specific example of how legislation inspired by the CSA Code might be constructed. It is a model, furthermore, that could easily lend itself to extension to the private sector if the present consultations determine that this is the right course to take.

That, though, is the question at the heart of Part I of this Paper: whether extending comparable legislation to the private sector is the right course to take. There is a big difference between the government adopting legal rules to govern its own conduct and imposing similar rules on everybody else. There are many Acts in New Brunswick that create special rules for the operations of the public sector. They deal with things such as hiring practices, purchasing practices, public finances and pay equity, to name just a few. Many of these Acts establish rules that do not need to be in legislative form; legislating them is, in effect, a means of giving added weight to a policy commitment. Arguably data protection rules might fall into this category. Arguably, also, there may be special factors relating to the activities of the public sector, as opposed to the private sector, that make it more important in the public sector that laws, rather than policies, govern the use of personal information. The fact that the Public Sector Act is capable of being extended to the private sector does not necessarily mean that it should be. The appropriate policy and legislative choices for the two sectors may well differ.

A. Is there a need for private sector legislation?

Data protection legislation is in large measure a response to the increasing computerization of society. As information can be more and more easily amassed and manipulated, concern is expressed that organizations may have too much information about individuals, with too few controls on what they may do with it. The concerns are expressed differently at different times and in different contexts. The recent federal consultation paper, with its focus on electronic commerce and "making Canada the most connected nation in the world" (p.1), says this:

The challenge of the electronic age is that with each transaction we leave a data trail that can be compiled to provide a detailed electronic record of our personal history and preferences. The digitization of health, education, employment and consumer records makes it possible to combine information and create an individual profile with data that most of us consider to be extremely personal. This information may be sent across provincial and national boundaries where it can be sold, reused or integrated with other databases without our knowledge or consent. (p.2)

Other descriptions might broaden the perspective to include other forms of information-gathering, not just electronic ones, and other uses to which information can be put, not just consumer profiling.

In response to this, data protection laws attempt to establish a set of `fair information practices' for organizations to follow. The rules relate to what kinds of personal information organizations can collect, how long they can keep it and what they can do with it. The rules also give individuals a right of access to, and correction of, information about themselves. The general purpose of the rules is to assert the individual's continuing interest in the information that organizations obtain about him or her, and in what they do with it. The aim is to make it clear that the information is not simply the organization's information, to do with as it will.

Data protection legislation applying to both the public sector and the private sector has been adopted in most European states. For members of the European Union such legislation is mandatory under Directive 95/46/EC (hereafter the "EU Directive").

Outside Europe, however, data protection legislation in general is less well established, and private sector data protection legislation particularly so. Legislation from Hong Kong and New Zealand, applying to both the public and the private sectors, was reviewed during the preparation of this Paper. The Department of Justice is informed that Taiwan and Israel also have such legislation in place. In other countries which have data protection legislation (e.g. Japan, Australia and the United States) the focus is on the public sector.

In Canada, Quebec is unique in having data protection legislation for both the private and the public sectors. Elsewhere (with the exception of Newfoundland and Prince Edward Island) there is public sector legislation alone, though the public sector is defined more broadly in some places than in others. In British Columbia, for example, the legislation extends to bodies such as the governing bodies of self-regulating professions. Manitoba has recently enacted legislation dealing specifically with the handling of "health information," whether in the public or the private sector.

Meanwhile the federal government has committed itself to enacting data protection legislation for the federally-regulated private sector by 2000, and it is encouraging the provinces to develop matching legislation for provincially-regulated activities. The federal government's recent consultation paper mentions that forums such as meetings of Information Highway Ministers and Consumer Affairs Ministers are being used for discussions of the subject. It also mentions that a Uniform Data Protection Act is being developed by the Uniform Law Conference of Canada, a conference at which delegations from the various jurisdictions attempt to develop model legislation on matters on which harmonization of provincial laws is desirable.

Among the incentives to the federal government's activity in this area is the EU Directive. Adopted in October 1995, the Directive requires all member states of the European Union to have data protection legislation in force by October 1998 that meets the standards set out in the Directive. One of those standards is that member states must prohibit the transfer of personal information to non-member states unless an "adequate level of protection" for the information exists there (Art.25), or unless, in the absence of that, the person transferring the information "adduces sufficient guarantees," by contractual clauses or otherwise, for the protection of the particular information transferred (Art.26). The recent federal consultation paper says that "This Directive has the potential to make protection of personal information a major non-tariff trade barrier with Canada" (p.8).

The argument in favour of extending data protection legislation to the private sector can conveniently be taken from an address by Allan Rock, then the federal Attorney General, to the International Conference of Data Protection Commissioners in Ottawa in September 1996. When the federal government had first enacted data protection legislation, he noted, it had done so for the public sector alone; at that time government was by far the main collector, storer and user of information on individuals. Subsequently the government had moved to advocating data protection in the private sector too, though by means of voluntary self-regulation. Since then, however, it had reconsidered its view that self-regulation for the private sector was sufficient:

We have done so because it is obsolete. Modern information technology has made it infinitely more feasible for businesses and other private institutions to amass and exchange data -- within and across borders. Advances in computer and networking technology have multiplied and magnified the challenges to privacy.

Meanwhile, Canada has been evolving rapidly from a resource-based economy to one based on information and knowledge. In this environment, more and more private institutions are collecting, using, and exchanging information about our consumption habits and services.

In this situation the Government of Canada takes the position that the protection of personal information can no longer depend on whether that data is held by a public or private institution. This does not mean that the rules governing the collection, use, communication and disposal of personal information need to be exactly the same for every individual and organization. It does mean that they should be based on a common set of principles. And it means that personal information held in the private sector should be protected by law.

There are, however, differing views on this. In Australia the Commonwealth (i.e. federal) Attorney General's Department issued a discussion paper in September 1996 examining the expansion of data protection legislation to the private sector. In 1997, though, it was decided not to take this step. The stated reasons were concern over the compliance costs for businesses, large and small, and the need to reduce the regulatory burden rather than to add new compulsory regimes. Since then there has been consultation in Australia on a national voluntary scheme for self-regulation, leading to the recent release by the Commonwealth Privacy Commissioner of National Principles for the Fair Handling of Personal Information (February 1998).

In the United States, too, discussions to date at the federal level have not apparently led to the conclusion that wide-ranging data protection legislation is required. In Options for Promoting Privacy on the National Information Infrastructure, a consultation paper issued in April 1997 by the Information Policy Committee of the National Information Infrastructure Task Force, legislated data protection was mentioned as an option, but only as one among several. The paper also referred to arguments that acceptable market standards and practices were evolving and should be left to do so, or that legislative solutions should be applied, in the future as they had been in the past, to particular problem areas as they arose rather than on a comprehensive basis. Wide-ranging private sector data protection legislation for the private sector does not appear to be in prospect in the United States at present.

Here, then, is the background to this first broad question of "Is there a need for private sector data protection legislation?" On the one hand there is concern that, especially with modern information technology, too much personal information is available to too many people, with too few controls over what they may do with it. There is the desire to establish at least a general framework of basic principles that reflect the individual's continuing interest in the information that organizations possess about him or her, and there is the belief that legislation is the only effective way of establishing a common framework that will be generally respected.

On the other hand there is concern about both the substance of the proposed rules and about their practical impact on the organizations that will have to observe them. As to the substance the concern is that the legislation may create obstacles to desirable activities. As to the practical impact, the complaint is that the legislation may impose excessive administrative burdens and other costs. Doubt is also expressed about whether there is really enough of a problem in relation to the handling of personal information to justify a legislative solution.

These are all issues on which input is required from the general public and from interested parties. It seems unlikely that there will be any major disagreement about the broad principles that private sector data protection legislation would be designed to promote: that personal information should not be gathered or used inappropriately, and that, subject to reasonable limits, individuals should be able to discover and correct what organizations know about them. Opinions may be more varied, however, as to whether legislation is the right way of advancing those principles, as to whether the legislation would actually achieve its objectives and as to whether, on balance, more would be gained or lost by adopting it. Expressions such as "inappropriately" and "subject to reasonable limits" are easy to use in abstract statements of principle. They can become controversial, however, when one ultimately confronts the concrete question of what, exactly, is or is not "inappropriate," or is or is not a "reasonable" limit.

Proposition #1

The general objectives of data protection initiatives are laudable. Key questions for public discussion are

(a) whether legislation is the right way of advancing those objectives,

(b) whether legislation would achieve its objectives, and

(c) whether its benefits would justify the costs and restrictions it imposed.

B. What might data protection legislation say?

The mere mention of things like the effectiveness of legislation and its costs and benefits emphasizes the importance of providing the specifics of possible legislation, at least tentative ones, in order to give respondents to this Paper something solid to react to. Fortunately, the combination of the CSA Code and the Public Sector Act provide a good framework for a detailed discussion of what private sector data protection legislation might say. In the current state of the debate in Canada, the CSA Code is the obvious starting point for the development of possible legislation.

Proposition #2

Possible data protection legislation for the private sector should take the Canadian Standards Association's Model Code for the Protection of Personal Information as its starting point.

How closely, though, should data protection legislation follow the CSA Code? Some explanation is needed here of the structure of the Code. It consists of ten Principles and six Definitions, with a Commentary on each of the Principles, and in two instances, an explanatory Note. The Notes are important. Their purpose is to explain how the key Principles on "Consent" and "Individual Access" are to be applied when competing imperatives such as the protection of public health or security are at issue. These Notes, the Code explains, are considered to form an "integral part" of the Principle to which they relate (para.3.1.2).

One approach that has been suggested to establishing data protection legislation based on the CSA Code is simply to adopt the Code in its entirety. According to a paper presented at the 1997 meeting of the Uniform Law Conference of Canada, that would be the preference of some of the people who have been involved in the consultations on the subject. The mechanism would presumably be a form of legislative cross-reference, as is done from time to time with CSA technical standards.

This does not appear to be the right approach to general legislation governing the protection of personal information. If there is to be legislation on the subject, it is because there are important social values to assert, and if there are, the Legislature should express them directly rather than by reference to a non-statutory code. This is even more the case if one of the advantages of adopting the CSA Code by cross-reference is, as some proponents of this method apparently suggest, that doing so would make it easier to update data protection standards as the CSA Code is revised and improved with the benefit of experience. The implication is that the CSA's judgments on appropriate standards of data protection over time would become authoritative. It is doubtful that this would be appropriate.

If, then, legislation should not simply adopt the CSA Code by reference, what should it do? Carrying forward the entire text of the Code into legislation does not seem possible. Much of the Commentary, in particular, is expressed in terms of explanation, description and examples, and would be out of place in a legislative text. The result is that data protection legislation that takes the CSA Code as its starting-point must at best be selective, carrying forward into the legislation those parts of the Code that belong there, and leaving other material out.

The ten Principles of the CSA Code, its basic statement of `fair information practices', are the central feature of the Code and can be adopted virtually verbatim as the basis of the legislation. This is what the Public Sector Act has done. Part of the reason for following the text of the CSA's Principles so closely is that the consensus they represent was apparently a delicate one and was not easily attained. The paper presented to the Uniform Law Conference's meeting in 1997 suggested that the consensus might evaporate if data protection legislation adopted different wording. The CSA Code has also been adopted by the Standards Council of Canada as a National Standard of Canada. Though some changes in the wording of the Principles seem to be required if the ten Principles become law, the changes are minor. The details and the explanations are given in the pages that follow.

As for the Commentary, the Notes and the Definitions, these are best viewed as source material in determining what needs to be added to the CSA Principles in data protection legislation in order to give sufficient guidance as to how the Principles are to be interpreted and applied. In the Public Sector Act, the ten Principles are placed in Schedule A as a "Statutory Code of Practice," and a Schedule B is added dealing with "Application and Interpretation of the Statutory Code of Practice." Private sector legislation could proceed in similar fashion.

Proposition #3

Data protection legislation should adopt the ten "Principles" of the CSA Code verbatim, as far as possible. The "Definitions," "Notes" and "Commentary" in the CSA Code should serve as source material for data protection legislation, with key elements being adopted as appropriate.

B.1 The scope of data protection legislation

As was noted on p.1 of the Department's 1996 discussion paper, there are two preliminary matters that together determine the scope of a data protection Act: "To whom will the Act apply?" and "What is meant by `personal information'?"

a. To whom will the Act apply?

In the 1996 discussion paper, this was a relatively straightforward issue. The discussion paper only dealt with the provincial government, so all that had to be decided was how the provincial government should be defined. A listing of "government bodies" was the approach recommended. When one moves beyond the public sector, however, the issue becomes less clear. There are many kinds of organization to which `private sector' data protection legislation could apply. Commercial enterprises are obviously one. However, non-profit organizations such as charities, churches, political parties and trades unions may also collect and use personal information. They are likely to possess at least such things as membership lists and personnel files, which are `personal information' that must be maintained in accordance with data protection principles. Even within the strictly commercial sector, there may be questions as to how or whether data protection legislation should apply to operations such as small family businesses or single person professional practices.

The CSA Code is expressed in terms of what "organizations" must do, and "organization" is defined broadly, as including "associations, businesses, charitable organizations, clubs, government bodies, institutions, professional practices, and unions" (para.2.1). In context that definition is of limited significance. The CSA Code is a voluntary one; it only applies to those organizations that choose to subject themselves to it. Nonetheless, a broad definition along these lines seems appropriate, even in a legislative context that imposes obligations on anyone who comes within the definition. Most organizations, even small ones, possess personal information, and even in small organizations some of that information may be sensitive and susceptible to misuse. Single-person professional practices such as doctors will possess individuals' medical records. Small businesses like corner stores may possess things such as records of people's video rental habits -- misuse of which led in the USA to enactment of the Video Privacy Protection Act 1988. Data protection legislation must be careful not to impose on small organizations levels of obligation that they cannot reasonably be expected to attain -- a point to which this Paper will return periodically -- but at the present stage of this discussion it seems better to proceed on the basis that organizations of all kinds and sizes may be included in the legislation.

One point that the EU Directive makes, though, and seems worth stating, is that data protection legislation does not apply to the activities of "a natural person in the course of a purely personal or household activity." A clarification along these lines seems necessary once one says that data protection legislation might apply to an individual when acting in a business capacity in his or her own right. In such a case one must differentiate the commercial activities of the individual, to which the legislation would apply, from the personal ones, to which it would not. The EU Directive makes the necessary distinction.

Proposition #4

Data protection legislation could apply to all incorporated and unincorporated organizations, and to individuals when they collect and use personal information for purposes other than personal and household ones.

The EU Directive contains the further qualification that, while data protection legislation must apply to all "automatic" (i.e. computerized) processing of personal information, it only needs to apply to "manual" processing where the personal information forms part of a "filing system" -- i.e. "any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis." Similar to this is the provision in the Quebec legislation that makes `establishing a file' on a person the triggering point at which the law will begin to apply.

The CSA Code does not differentiate manual and automatic records systems, nor does it expressly adopt a criterion of `establishing a file' on an individual. On this point the present Discussion Paper will follow the CSA Code. Given that the objective is to explore the CSA Code as the basis for private sector data protection legislation, it seems more natural to start where the Code starts, and see where that leads. If it turns out that the result is too broad, and that this could be remedied by including some concept of `establishing a file', that concept could probably be incorporated.

b. What is meant by "personal information"?

The CSA Code contains a definition, and it is a fairly conventional one. Personal information means "information about an identifiable individual that is recorded in any form" (para.2.1). S.1 of the Public Sector Act is identical in substance, and adds in s.1(3) the clarification that

An individual is identifiable for the purposes of this Act if

(a) information includes his or her name,

(b) information makes his or her identity obvious, or

(c) information does not itself include the name of the individual or make his or her identity obvious but is likely in the circumstances to be combined with other information that does.

Two features of a definition of this sort should be underlined. The first is that "personal information," does not have to be sensitive or particularly private information. It merely needs to be "information about an identifiable individual." To that extent the definition, and thus the scope of the legislation, is broad.

It is narrowed, however, by the requirement that the information be "recorded in any form." Personal information would not come within the scope of the legislation unless some form of a record of the information is made. It would be possible, of course, for legislation to be more encompassing than this. Part III of Ontario's (public sector) Freedom of Information and Protection of Personal Information Act, for example, extends data protection principles to personal information which does not exist in a recorded form. Adopting this approach would widen the scope of the legislation. On the other hand, the reference to "files" in both the EU Directive and the Quebec legislation, referred to above, appears to be a little narrower. For present purposes, however, the CSA's definition appears to be relatively standard, and this Discussion Paper will follow it.

Proposition #5

Data protection legislation could adopt the CSA Code's definition of personal information: "information about an identifiable individual that is recorded in any form."

B.2 The CSA Principles

The next several pages will analyze the CSA Principles as the possible elements of a statutory code of practice. The discussion will look at each of the Principles in turn. In a few cases minor changes of wording will be suggested, but in all cases the major question will be whether the Principle would need to be supplemented, in data protection legislation, by additional material designed to govern its interpretation and application. Once the Principles have been reviewed, other key elements of a legislative package based on the CSA Code will be examined. Enforcement of the legislation is the major element here. This is something that the CSA Code did not have to deal with, because of its voluntary nature, but which legislation must.

In considering the Principles, the broad definitions of "organization" and "personal information" must be borne in mind. The Principles are designed to apply to all organizations, whether small or large, to light users of personal information as well as heavy ones, and to all kinds of personal information, whether sensitive or not. The Principles therefore set out a broad framework for a wide variety of situations. Their application in specific cases will often require the exercise of judgment by the organization in question.

CSA Principle 1 - Accountability

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

The purpose of this principle is to state each organization's responsibility for making the legislation work, and to make sure that in every organization somebody is clearly assigned that task. There are, however, some practical issues raised by the way in which the principle is worded. One is that the Principle may leave open the possibility of there being a gap in `accountability' unless and until the organization takes the positive administrative step of `designating' somebody. Another is that the Principle applies more naturally in a large organization than a small one. In a small organization (which under Proposition #4 may be no more than a single individual) it will sometimes seem odd to speak of "the organization" as "designating an individual" to be accountable for compliance with the Code.

In the Public Sector Act the first problem was dealt with by amending the wording of CSA Principle 1 to make the "chief executive officer of a public body, and his or her designates," accountable for compliance. The second problem did not arise, because "public bodies," though some are actually surprisingly small, all have an organizational structure in which a "chief executive officer" (by whatever official title) can be readily identified.

In the private sector, where organizational forms may be more diverse, a slight variant of this approach is required. The legislation should establish a default position which should apply unless and until the "organization" takes positive steps to alter it. If the organization has an identifiable Chief Executive Officer, that person should initially be accountable for compliance with the legislation. In organizations with a less clear internal administrative structure, a comparable default position would be to place accountability for compliance with the data protection principles on the person or persons who control the activities of the organization. In most cases it should be obvious who fits this description. Occasionally, though, it may not be. An example might be a three-person partnership where the partners had equal voting rights. In a case such as this it would be the partners collectively who controlled the activities of the organization. Under the suggested default rule, therefore, the partners collectively would be accountable for compliance unless and until they made some other "designation".

Proposition #6

Unless and until a designation is made under CSA Principle 1, the person accountable for an organization's compliance with the data protection principles should be

(a) the organization's Chief Executive Officer, if it has one; or

(b) in an organization without a Chief Executive Officer, the person or persons who control the affairs of the organization.

CSA Principle 2 -- Identifying Purposes

The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

The idea that the "purposes" for which personal information is collected should be "identified" is one of the central principles of the CSA Code and of other data protection documents. The identified purposes become key to decisions under CSA Principles 4 and 5 about what pieces of information an organization should collect and what it can do with the information once collected. There are, however, both conceptual and operational challenges connected with the identifying of purposes.

A small point that can be disposed of quickly is the question of whether there are limits on the purposes for which organizations can collect personal information. The CSA Code is entirely open-ended on this. By contrast, the Public Sector Act (Sch.B, para.2.1), along with the comparable legislation of other Canadian provinces, specifies that public bodies can only collect personal information for purposes that directly relate to the activities of the public body. A similar restriction should be acceptable in the private sector too.

Proposition #7

The purposes for which an organization collects personal information must be legitimate and must directly relate to an existing or proposed activity of the organization.

More complex are some issues relating to what `identifying purposes' really involves. Studying the CSA Code suggests that there are really two aspects to this. One is a purely internal process, in which an organization identifies to itself why it wishes to obtain personal information. The other is an external process, which relates to what the individual must be told about the purposes of the collection. On the face of things, CSA Principle 2 applies more naturally to the latter. However, the Commentary complicates this. It adds that an organization "shall document" its purposes, thus emphasizing the internal aspect of the identification of purposes. It is less categorical, though, about what kind of external explanation must be given to the individual. Para. 4.2.3 says that "The identified purposes should be specified at or before the time of collection to the individual from whom the information is collected," but the use of the word "should" is both deliberate and significant. Para. 3.1.3 points out that the use of the word "should" indicates a "recommendation" as opposed to a "requirement."

In the Public Sector Act CSA Principle 2 (which is Principle 2 of the Statutory Code of Practice in Schedule A) is considered to be substantially a requirement for an `external' explanation of purposes, but not necessarily a formalistic one. In the ordinary nature of things, most collections of personal information will be accompanied by at least some indication of why the organization wants the information. Perhaps this might be as little as a brief introduction to a conversation or to a letter. A requirement to "identify purposes" in this sense does not seem over-burdensome.

Schedule B of the Public Sector Act also contains a requirement that public bodies "document, in relation to any personal records system, the purpose or purposes for which the information in the system is held" (para.2.2). A personal records system is defined as "a computerized or manual records system that contains information about individuals and is structured in such a way as to permit information about specified individuals to be easily recovered" (para.2.3). Under this definition, virtually any organized repository of information about individuals (in the plural) will be a "personal records system". Documenting the purpose for which the information in the system is held effectively attaches that purpose to the use of the information in the system.

Would a similar obligation to "document . . . purposes" be appropriate in the private sector? Its advantage is administrative clarity, especially in large organizations where it would help to establish a shared understanding of what information can be collected and of the uses to which it can be put. In small organizations, however, there is a danger that a general duty to document purposes may merely create an administrative obligation that contributes little to the privacy of the individual. Is it really worthwhile, for example, to require a formal `documentation of purposes' by an organization such as an individual businessperson when the purposes for which he or she holds personal information are obvious and he or she is the only person who will be using it? Even in large organizations, some people might argue, `documentation of purposes' will normally occur in practice without the need for a formal requirement to be imposed by the legislation.

Proposition #8

CSA Principle 2 could be supplemented by a requirement that organizations document the purposes for which they maintain personal records systems, but if it is, such a requirement should not apply where documentation would be superfluous to proper administrative controls.

One point which the CSA Code does not deal with is this. What happens if, in particular cases, the internally documented purposes do not match the explanation that is given to the individual? In such a case it would be the explanation that was given to the individual that must prevail. The use that could be made of the information would depend not on the `documented' purpose that the organization had failed to explain adequately, but on the explanation actually given, and what the individual could properly be considered to have `consented' to (in the sense described under CSA Principle 3, below) in the light of that explanation.

This would not mean that an organization that is collecting personal information must, in all cases, mechanically recite to the individual the `internal' purposes as the organization has centrally documented them. Though in some cases this might be relatively straightforward and appropriate, in others it might not. It is likely, for example, that an organization's documented version of its purpose will be expressed in general, and perhaps bureaucratic, language. If so, reciting it may have little explanatory value. In other cases doing so will be merely stating the obvious -- perhaps because the individual's approach to the organization has clearly established the context in which the information is requested and given. More often, perhaps, whatever purpose may be documented internally will be accompanied by some other explanation more directly tailored to the particular contact between the organization and the individual. Perhaps different explanations may be better at different times or for different pieces of information. It does mean, however, that the onus is on the organization to ensure that whatever it identifies internally as being its purposes must be adequately explained to the individual, by whatever means the organization chooses to do so, if it wants to be sure that its `documented' purpose will actually match what it is permitted to do in accordance with the `consent' of the individual.

Proposition #9

Where an organization's documented purposes do not match the explanation given to the individual, the latter should prevail, in accordance with CSA Principle 3 -- Consent.

CSA Principle 3 -- Consent

The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.

There are three key issues arising under this principle. The first relates to its wording. The second relates to the issue of "implied consent" as opposed to "express consent." The third relates to determining when a requirement of consent is "inappropriate".

a. Wording

CSA Principle 3 refers to "knowledge and consent" as being required not only for "collection" but also for "use and disclosure". Para.4.3.2 of the Commentary makes it clear that the expression "knowledge and consent" was used deliberately. There is, however, an inconsistency of language with CSA Principle 5, which also deals with "use and disclosure" but which only requires "consent," not "knowledge and consent."

In a legislative text, inconsistencies of this sort should be avoided. The best way of doing this is to remove the words "knowledge and" from CSA Principle 3. In relation to "collection," nothing seems to be lost by doing so, since "consent" is the broader term; it is hard to see that one can "consent" to a collection without having "knowledge" of it. In relation to "use and disclosure," by contrast, it would be problematic if both "knowledge" and "consent" were required as separate criteria. One can presumably "consent" to a use without ever "knowing" whether it actually occurs. If "knowledge" here were an additional requirement, the result would be to impose an obligation which could be difficult to meet.

Proposition #10

The essence of CSA Principle 3 is "consent." Data protection legislation should not include "knowledge" as a separate and independent criterion which must be satisfied.

b. Express and implied consent

The CSA Code makes it clear that "consent" may be express or implied (para.2.1). The paragraph continues:

Express consent is consent given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the organization seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual. (Para.2.1)

The idea of implied consent seems essential to a workable data protection statute. To require express consent for every collection, use or disclosure of personal information would be impossible. When an individual requests a service, for example, there is only an implied consent, not an express one. Consent might also often be implied when an organization took action for the benefit of the individual. Implied consent is especially important to legislation based on the CSA Code. Unusually among the data protection documents that have been reviewed in the preparation of this Paper, the CSA Code does not explicitly allow organizations the flexibility of using information for a purpose that is "consistent with" the purpose that is actually identified to the individual. In the conceptual framework of the CSA Code it is apparently the notion of "implied consent" that must cover the ground that, in other codes, is addressed through the statutory authorization to act for "consistent purposes."

The CSA Commentary suggests that it is the "reasonable expectations of the individual" (para. 4.3.5) that are the key to determining when "implied consent" exists. This seems an acceptable approach. It rightly focuses attention on what the individual should expect to be done with the information he or she provides, rather than on what the organization might consider reasonable from its own point of view.

Proposition #11

Data protection legislation must include the concept of implied consent, based on the reasonable expectations of the individual.

Is it necessary for data protection legislation to explain "implied consent" more extensively than by simply referring to the "reasonable expectations of the individual"? It would be impossible to give an exhaustive definition, but the Public Sector Act contains a provision that expands on the idea in two ways. It states that an individual must be "unlikely to disapprove of" an action if consent is to be implied, and it sets out the major factors that a public body should take into consideration. The following Proposition is taken directly from Sch.B, para.3.2 of the Public Sector Act, with a few minor changes of expression:

Proposition #12

The actions for which consent can be implied should be those that the individual should reasonably expect the organization to take, and would be unlikely to disapprove of, having regard to

(a) the nature of the personal information in question, including whether it is or is not sensitive or confidential,

(b) any benefit or detriment to the individual,

(c) any explanation that the organization has given of its intended actions,

(d) any indication that the individual has given of his or her actual wishes, and

(e) the ease or difficulty with which the actual wishes of the individual might be discovered.

c. "Except where inappropriate"

Principle 3 requires consent for collection, use or disclosure "except where inappropriate". In its Note to Principle 3 (which "forms an integral part of the principle" -- para 3.1.2) the CSA Code continues:

In certain circumstances personal information can be collected, used or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate where the individual is a minor, seriously ill, or mentally incapacitated. In addition, organizations that do not have a direct relationship with the individual may not always be able to seek consent. For example, seeking consent may be impractical for a charity or a direct marketing firm that wishes to acquire a mailing list from another organization. In such cases, the organization providing the list would be expected to obtain consent before disclosing personal information. (para.4.3)

The concept of "except where inappropriate" is one of the trickiest to set out in legislation. Canadian public sector data protection Acts bear ample witness to difficulty of the task. Over the years they have developed increasingly long lists of permitted non-consensual collections, uses and disclosures. These include some substantial and obvious provisions, such as permitting disclosure to protect the health or safety of another individual. They also sometimes include provisions that raise more questions than they answer, such as disclosure to legal counsel. It seems surprising that disclosure to one's legal counsel should need express authorization under the Act. And if it does, what does this imply about possible disclosures to other professionals or consultants that the Act does not expressly mention? The lists in the existing Acts also normally include a general provision permitting collection, use or disclosure without consent if the public interest clearly outweighs any invasion of privacy that may result.

The Public Sector Act makes an effort to shorten the list, and to rely on general statements rather than specific ones. It also adopts a two step approach, so that a public body must satisfy itself not only that it is acting for a specified purpose but also that the action it is proposing is justified in the circumstances. The following Proposition is based on the comparable provisions of the Public Sector Act (Sch.B, paras.3.4 to 3.7), with some small changes of terminology, and with the omission of para.3.5, which provides for disclosures in the interest of open government and is specific to the public sector.

Proposition #13

Consent should not be required when an organization collects, uses or discloses personal information

(a) to protect the health, safety or security of the public or of an individual,

(b) for purposes of an investigation related to the enforcement of an enactment,

(c) to protect or assert its own lawful rights, including lawful rights against the individual,

(d) to verify to a government body the individual's eligibility for a program or benefit for which the individual has applied to that body,

(e) for purposes of legitimate research in the interest of science, of learning or of public policy, or for archival purposes,

(f) as required or expressly authorized by law, or

(g) for some other substantial reason in the public interest, whether or not it is similar in nature to paragraphs (a) to (f).

Before collecting, using or disclosing personal information without consent an organization should consider the nature of the information in question and the purpose for which it is acting, and must satisfy itself that in the circumstances that purpose justifies the action proposed.

Any collection, use or disclosure of personal information without consent should be limited to the reasonable requirements of the situation.

Proposition #13 does not, on its face, differentiate between collection, use and disclosure because CSA Principle 3, to which it relates, deals with the three things together. In practice, however, the different elements of Proposition #13 would have different impacts for different organizations, depending on their activities and the particular decisions they had to reach. For example, few private sector organizations would collect information for the purposes of enforcing an enactment; this would not `directly relate to their activities' under Proposition #7. Similarly, private sector organizations might rarely have a "substantial reason in the public interest" for disclosing personal information, yet it seems important to keep the possibility open -- to ensure, for example, that they could at least disclose the information to the responsible public authority. Use of "personal" information for research purposes is also likely to be unusual, since normally the information could and should be used in an anonymous format and would therefore not be personal information within the meaning of the CSA Code.

CSA Principle 4 -- Limiting Collection

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

The Public Sector Act sets out the sources from which personal information can be collected. These are (a) from the individual, (b) from another person with the individual's consent, (c) from a source and by means available to the public at large, and (d) from any source in cases in which, under the Act's equivalent of Proposition #13, a public body can collect information without consent (Sch.B, para 4.1). In private sector legislation, too, clarity on these points seems desirable.

The Public Sector Act also includes a provision stating that an individual shall not be refused any service or benefit because he or she declines to provide information which is not in fact necessary for a legitimate purpose of the public body (Sch B, para.4.2). The provision reflects para.4.3.3 of the CSA Code.

One thing that the Act does not contain is any clarification of what "fair and lawful means" are. The "lawful" part of this is self-explanatory, but while the Act was being prepared some thought was given to whether the "fair" element could be clarified. The CSA Commentary says that "The requirement that personal information be collected by fair and lawful means is intended to prevent organizations from collecting information by misleading or deceiving individuals about the purpose for which information is being collected" (para.4.4.2). This would certainly be one example of an unfair collection method, but it is doubtful that the idea of `fairness' should be limited by the legislation to specific situations such as this. `Fairness', though a general notion, appears to be a clear enough idea that it can stand alone in the legislation without further explanation.

Proposition #14

Data protection legislation should state the sources from which personal information may be collected, and should state that an individual shall not be refused any service or benefit because he or she declines to provide personal information which is not necessary for the identified purpose of the organization.

The requirement that personal information be collected by fair and lawful means does not need further explanation in data protection legislation.

CSA Principle 5 -- Limiting Use, Disclosure, and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

a. Wording

There is one point of wording in CSA Principle 5 that seems to need addressing. The Principle refers to uses and disclosures that are "required by law." On a conventional legal reading of the word "required," this would cover uses and disclosures that an organization was legally compelled to make, but would not include situations in which there might be express legislation, or perhaps an express ruling from a court or other legally authoritative agency, which authorized, but did not require, a particular use or disclosure. This is a gap that the Public Sector Act filled by expanding the phrase "except . . . as required by law" to become "except . . . as required or expressly authorized by law" (Sch.A, Principle 5). The gap is particularly important in the public sector, where many Acts confer discretions on Ministers or other government officials. However, the same gap may exist in relation to the private sector.

Proposition #15

CSA Principle 5 should permit uses and disclosures that are "expressly authorized by law" as well as those that are "required by law."

b. Inter-relation of "purpose", "consent" and "the law"

What is the relationship between the three possible justifications for a use or disclosure that CSA Principle 5 sets out, namely, the purpose for which the information was collected, the consent of the individual, and a legal requirement or authorization? In particular, what is the result when these factors point in different directions?

In principle, the three bases set out in CSA Principle 5 should be seen as alternatives. If any one of them exists, that is sufficient. On this basis one would say, for example, that an express refusal of consent cannot bar an organization from taking an action that the law has expressly authorized the organization to take.

In practice, however, there may be cases in which the relationship between identified purposes, consent and the law may be more subtle. One might be where the individual, while voluntarily providing information, expressly requests that it not be used in one particular way that falls within an organization's documented purposes. If an organization accepted personal information on this basis, it could not then rely on its documented purpose as governing the use of the information. Others might arise where an individual's actual or likely wishes were relevant to the balancing test for non-consensual action described in Proposition #13; those wishes would then partially determine what was "expressly authorized by law." In preparing the Public Sector Act, some thought was given to whether it was possible to provide any useful statutory guidance on how the three alternative bases for the use and disclosure of personal information inter-related. The conclusion reached was that it was not. The basic idea that the three were alternatives seemed clear from CSA Principle 5, and the possible subtleties of their inter-relation in specific situations could not be captured in a form that did not cause more confusion than it resolved.

Proposition #16

Data protection legislation need not elaborate upon the relationship between "purposes," "consent" and "the law" as alternative bases for the use or disclosure of personal information.

c. Retention

CSA Principle 5 requires that personal information shall only be retained for as long as is necessary for the fulfilment of the purposes for which it was collected. In many cases compliance with this obligation may lead to the destruction of personal information that is no longer needed. Another way of ceasing to retain personal information, however, is to convert it into a form in which the individuals to whom it relates are no longer identifiable. For clarity, it may be wise for data protection legislation to spell out this second alternative.

Proposition #17

Data protection legislation should make it clear that an organization's duty not to retain personal information can be satisfied by converting the information into a form in which the individuals to whom it relates cease to be identifiable.

Another thing that should normally be clarified is how long the acceptable retention period is. This is more easily done in relation to personal information in "personal records sytems" than other personal information. So far as "personal records systems" are concerned, part of the process of establishing the system should include taking a decision on how long the information will be needed, and what will be done with it when it has served its purpose. Some kind of time-lag is likely to be necessary so that personal information is not disposed of too soon. Both for the organization and the individual there may be a need for information to be retained for some time after it has been used.

Outside "personal records systems" -- in places such as policy or product development files where "personal information" will sometimes appear incidentally -- a more flexible approach to retention and destruction seems to be appropriate. To attempt to purge all incidental "personal information" from such files would be a laborious task, and these kinds of files are, in the long run, quasi-anonymous. Once the file is closed, any personal information it contains is relatively inaccessible. Of course, if the `non-personal' file is later re-opened, any use or disclosure of the personal information that remains there would still be subject to the legislation.

Proposition #18

Organizations should not be required to purge all personal information from `non-personal' files in which the personal information appears incidentally.

CSA Principle 6 -- Accuracy

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

This Principle is self-explanatory. The main point that the CSA Commentary makes on it is that "An organization should not routinely update information, unless such a process is necessary to fulfil the purpose for which the information was collected" (para.4.6.2). The Principle should not, therefore, be mis-read as imposing a general obligation to keep personal information up-to-date: an appropriate degree of "accuracy" is only really called for when information is "used." This, though, seems clear enough from the relative terms in which CSA Principle 6 is expressed.

Proposition #19

CSA Principle 6 is self-explanatory. Data protection legislation would not need to provide additional guidance on its application and interpretation.

CSA Principle 7 -- Safeguards

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

a. Wording

The Public Sector Act removed the word "security" from CSA Principle 7. The reason was that this word seemed to under-represent the scope of the Principle. The CSA Commentary says that the safeguards must protect the personal information from "loss or theft, as well as unauthorized access, disclosure, copying, use, or modification" (para.4.7.1). It also mentions that the methods of protection should include physical, organizational and technological measures, as well as making employees aware of the importance of maintaining the confidentiality of personal information (paras.4.7.3 and 4.7.4). Though the word "security" catches some of the flavour of this, it diverts attention from the idea that one of the principal safeguards against "unauthorized . . . disclosure [or] . . . use" will be a proper appreciation of what kinds of use and disclosure are in fact "authorized". Viewed in this broad sense, what CSA Principle 7 amounts to is placing an obligation on organizations to take the necessary steps internally to make the legislation work. Including the word "security" in the Principle seems to narrow its scope.

Proposition #20

The word "security" should be removed from CSA Principle 7 so as not to narrow its scope.

b. What kinds of safeguards?

As noted above, the CSA Commentary specifically mentions various kinds of measures as being intended to be included in the broad expression "safeguards." For clarity, it seems appropriate that data protection legislation should do the same. On the further question of what kinds of safeguards will be, in the language of CSA Principle 7, "appropriate to the sensitivity of the information," consideration has been given to whether any further legislative explanation could be given of what will make a safeguard "appropriate." It seems, though, that the simple statement in the Principle is as satisfactory as a more detailed formulation is likely to be.

Proposition #21

Data protection legislation should specify that the safeguards to be implemented include training and physical, technical, administrative and other measures, as appropriate in the circumstances. It should not attempt to define what will make a safeguard "appropriate to the sensitivity of the information."

c. Transfers to third parties

An important sub-issue that arises in relation to safeguards is this: what kinds of safeguards, if any, should an organization put in place when it transfers personal information to another body?

The guiding principle here is that an organization is responsible for personal information under its control (CSA Principle 1), and that this responsibility continues to exist at least until the time when the personal information is transferred. The organization must ensure, therefore, that the transfer is authorized by law, by consent or by the purpose of the original collection (CSA Principles 3 and 5), and under the Safeguards Principle it must take appropriate steps, commensurate with its responsibility under CSA Principle 1, to protect the personal information.

What those steps will be will depend on the circumstances. In many cases compliance with CSA Principles 3 and 5 will be sufficient. This will be the case if the receiving organization is also subject to the legislation, since the receiving organization's use will be limited to the legitimate purpose for which the transferring organization is disclosing it. In other cases the receiving organization may be under a professional or contractual obligation of confidentiality which the transferring organization can rely on as making additional safeguards unnecessary. In some cases, however, there may be no such context of legal protection for the information, and the transferring organization may have to take steps to ensure that the terms of the transfer are consistent with the organization's responsibilities.

Can data protection legislation go further than this, and spell out what those steps should be? This seems doubtful. Contractual terms may sometimes be effective, particularly in the context of an ongoing relationship between the organizations in question, but it would be very difficult to identify particular situations in which a transferring organization must put contractual measures in place. Unless the legislation were prepared to identify those situations, it would effectively be leaving the decision to the organization, and this, in turn, would amount to little more than the general statement that the transferring organization must put in place `appropriate safeguards'.

Proposition #22

Data protection legislation should make it clear that "appropriate safeguards" may be required when an organization transfers personal information to another organization, but it should not require specific forms of safeguards.

CSA Principle 8 -- Openness

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Like others among the CSA Principles, Principle 8 seems to apply more naturally in large organizations, which are likely to have formalized "policies and practices," than in small ones. Even in small organizations, however, it seems possible to give the Principle an intelligible meaning. The individual can ask what the "policies and practices" are. The organization, in reply, must explain whatever the true state of affairs is. All organizations should presumably be able to do this much.

Proposition #23

CSA Principle 8 is self-explanatory. Data protection legislation need not attempt to clarify its meaning.

CSA Principle 9 -- Individual Access

Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

a. Wording

CSA Principle 9 is the second of the two Principles that are acommpanied by a Note -- which is an "integral part of the principle" (para.3.1.2). The Note explains why the right of access cannot be unqualified.

Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege. (para.4.9)

Data protection legislation elsewhere regularly includes exceptions along these lines. In the Public Sector Act, the words "except where inappropriate" were added at the end of the first sentence of CSA Principle 9 to indicate that the individual's right to information is not unqualified. The same addition would seem to be called for in private sector legislation.

Proposition #24

The words "except where inappropriate" should be added to the right to information in CSA Principle 9.

b. The nature of the right

Though CSA Principle is headed "Individual Access," it actually appears to include two elements: a right to "be informed" as well as a right to be "given access." In practice, the right to information may well be more used than the the right to access, which is in effect a right to documents. The organization's obligation under the Principle is triggered by a request from the individual. In most cases it seems likely that the individual will simply ask for information, and a straightforward reply will satisfy CSA Principle 9.

There may be cases, of course, in which an individual specifically requests access to documents. In this case, assuming that it is not unduly onerous or expensive to allow the request (see c. Exceptions to access, below), and that none of the other substantive exceptions apply, the documents should be made available. In some cases, perhaps, documents may be withheld on the basis of one of the exceptions, but information as to at least part of their contents should still be provided in order to meet the organization's obligation under this Principle.

In the Public Sector Bill there was no need to clarify this relationship between "information" and "access," since the matter is dealt with by the Right to Information Act. In private sector legislation, however, the relationship should be made clear.

Proposition #25

Data protection legislation should make it clear that, under CSA Principle 9, providing information is sufficient unless access to documents is specifically requested.

c. Exceptions to access

Under the Public Sector Act the Right to Information Act is relied upon to provide the exceptions to the individual's right to information. Most "public bodies" are subject to that Act already. Private sector legislation, however, should spell out its own list of exceptions.

Part of the list would be a counterpart of the one in Proposition #13, which describes when it is appropriate to collect, use or disclose personal information without consent. In several of the situations described, non-disclosure to the individual would be equally appropriate. There are also, however, some grounds for non-disclosure that are specific to the context of `individual access'. There is also the question of whether the list should include a general provision to deal with situations not foreseen by the specific items listed, and of whether, if information is withheld, an organization might nonetheless be expected in some cases to provide some explanation of the substance of the information.

Proposition #26

An organization should not be required to disclose personal information to the individual

(a) where disclosure would be harmful to the health, safety or security of the public or an individual, including the applicant;

(b) where disclosure would be prejudicial to an investigation related to the enforcement of an enactment;

(c) where non-disclosure is required or expressly authorized by law, or where the individual would have no right to obtain the information in legal proceedings;

(d) where the information was provided by another person in confidence, or is confidential in nature;

(e) where the information requested is inextricably linked to the personal information of another individual;

(f) where the information requested would be unduly expensive or onerous to provide.

Consideration should also be given to authorizing non-disclosure when there is some other legitimate and substantial reason for not providing the information requested.

Non-disclosure should be limited to the reasonable requirements of the situation. If it is practicable to explain the substance of the information withheld without prejudicing the reason for withholding it, the organization should do so.

c. Procedure

CSA Principle 9 says nothing about the procedure by which individuals may obtain the information, materials or corrections to which they are entitled. By inference, it leaves it up to each organization to establish its own procedures.

This appears to be acceptable. CSA Principle 9 covers many possible scenarios, ranging from entirely informal requests, which organizations may readily and easily respond to, to situations which may become adversarial. To establish a statutory procedure for all of these would not be easy; it would also risk bureaucratizing the process. If data protection was silent on the question of access procedures, it would operate on the premise that the individual has rights and the organization must respect them. Implied in this would be that the organization must deal with the individual's request within a reasonable time, and that anything less than a genuine attempt to permit the exercise of the individual's rights will be a violation of the Principle.

Proposition #27

Data protection legislation could be silent on the question of access procedures under CSA Principle 9.

d. Corrections

Broadly speaking, the idea that an individual should be able to "challenge the accuracy and completeness of the information and have it amended as appropriate" seems self-explanatory and self-operating. An organization will presumably have little interest in having inaccurate or incomplete information in its files. The problem of implementation that seems most likely to arise under this element of CSA Principle 9, therefore, is that the individual and the organization may disagree as to whether personal information is incorrect. If this occurs, the organization should not be required to alter the information it possesses, but it should note that the individual disputes its accuracy. It seems likely that this would occur in the ordinary course of events, even without legislative reinforcement, but since CSA Principle 9 is silent on the question of disagreements between the parties, legislative clarification is probably appropriate.

Proposition #28

When the individual has challenged the accuracy or completeness of personal information, but fails to convince the organization, the organization should make a note that the individual disputes the information in question.

CSA Principle 10 -- Challenging Compliance

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

This Principle, it must be noted, is concerned with an internal review of compliance by the organization itself; issues relating to external review by some other body are dealt with below, under the heading Enforcement.

In an internal review process the main issue is maintaining the credibility of the process. In all cases the organization is reviewing its own conduct, and in some cases, especially in small organizations, the person conducting the review may well be the very person whose decision is being questioned. This is unavoidable. What legislation can attempt to do, however, is emphasize that the review process must be a genuine one. No doubt this is implicit in CSA Principle 10, but for clarity, there is value in setting out in data protection legislation both the organization's obligation to investigate in good faith and its duty to take appropriate measures if it finds the complaint to be justified.

Proposition #29

An organization should be required to investigate in good faith the complaints it receives and to take appropriate measures when a complaint is found to be justified.

B.3 Other Issues Arising

In Part 2 of the federal government's 1998 consultation paper two main issues that are not dealt with in the CSA Code have been identified as requiring attention. The first is "Sectoral Codes". The second is "Enforcement".

a. Sectoral Codes

The issue here is whether data protection legislation might permit or encourage particular sectors of industry to develop their own codes, whether customized versions of the CSA Code or entirely home-grown products, and if so, what the legal effect of those codes should be. The issue arises out of a concern that the CSA Code, and data protection legislation based on it, is expressed in terms that may not be totally applicable to all organizations or that it may be too general to give useful guidance to what actually is or is not permissible in specific situations. A sectoral code would allow an industry to develop rules that were sensitive to the particular requirements of its own operations.

The critical issue here is whether the sectoral code should have legal force, and in particular whether it would prevail over the statutory Code if the two were in conflict. If so, it would be necessary for the sectoral code to receive some kind of official approval from a body that had legal authority under the Act. Otherwise, industries would effectively be being given the authority to write themselves out of the legislation. If, on the other hand, the sectoral code could not prevail over the statutory Code, there would be less need, if any, for an official approval process. Whatever the sectoral code said, the statutory Code would still provide the governing principles. The sectoral code, of course, would then be of less value from the industry's point of view, since reliance on the sectoral code could never be a guarantee that the industry was complying with the legislation.

While sectoral codes do have advantages -- as, indeed, do codes and policies internal to particular organizations -- the better approach here seems to be that codes and policies should operate within the framework set out in the legislation, and the legislation must prevail in case of conflict. Admittedly the framework is expressed in general terms, but data protection is far from the only context in which legal rules are stated in general terms, and organizations have to develop policies and practices based on their best understanding of what the rules mean. If specific kinds of organization, or specific activities, require more detailed legal rules than the general principles in the statutory Code, it would be better to establish these by regulations under the Act than by way of industry codes.

Proposition #30

Sectoral codes should not be given the force of law under data protection legislation. Data protection legislation should include regulation-making authority under which, if necessary, more detailed provision can be made in relation to particular kinds of organization or information, or particular activities.

b. Enforcement

Enforcement is an issue that the CSA Code did not need to address, since the CSA Code was a purely voluntary one, and would be entirely self-policed. In a legislative framework, however, the question of what happens when the rules are broken must be dealt with. If the legislation were silent on the subject, it would ultimately be the courts that interpreted the legislation and decided what was implied by way of remedies.

The three basic approaches to the enforcement of legislation are (a) the penal remedy, (b) the civil remedy, and (c) the administrative remedy. The penal remedy involves prohibiting unacceptable conduct and punishing offenders; government lawyers are normally the prosecutors, and fines are paid to the court. The civil remedy is a means by which individuals can go to court in their own right, seeking compensation for, or the prevention of, a wrong done to them. Any compensation is paid to the individual. The administrative remedy involves the establishment of an agency outside the courts to enforce a particular piece of legislation; this agency can be given a variety of remedial powers. The position of the individual and the role of the courts will vary depending on what those powers are.

The penal remedy

The Public Sector Act makes it an offence for a public body, or an officer, employee or agent of a public body, to collect, use or disclose personal information in wilful contravention of Principles 3 (Consent), 4 (Limiting Collection), or 5 (Limiting Use, Disclosure and Retention) of the Statutory Code of Practice. A conventional interpretation of a "wilful" violation of an Act is that it involves doing a wrongful act either knowing that it is wrong or acting with reckless disregard as to whether it is wrong or not. Legislation prohibiting the wrongful disclosure of information is more familiar in the public sector than the private sector, but an offence along these lines might be appropriate in private sector legislation, too. Private sector legislation might also establish an offence of wilful refusal to provide information, or to make a correction, to which an individual is entitled under CSA Principle 9. This is a subject that does not arise under the Public Sector Act, since enforcement of the individual's right of access takes place under the Right to Information Act.

Proposition #31

Data protection legislation could make it an offence to wilfully violate CSA Principle 3 (Consent), 4 (Limiting Collection), 5 (Limiting Use, Disclosure and Retention), and 9 (Individual Access).

The civil remedy

Is there a place for civil remedies in data protection legislation? The basic civil remedies are declarations, injunctions and damages. A declaration simply states what the law is or how it applies to a particular set of facts. Injunctions also involve a ruling on how the law applies to a particular set of facts, but add to this a mandatory element, requiring people either to take or not to take a particular course of action. Awards of damages, finally, require one party to compensate another for the harm arising out of a wrongful act.

What part might civil remedies play in the enforcement of data protection legislation? This paper will first consider these remedies in isolation. It will then revisit the question in the light of its discussion of administrative remedies. If a substantial administrative enforcement mechanism were put in place, the part to be played by civil remedies might be much reduced.

The main function of the civil remedy, as opposed to the penal remedy, is to give an individual who is the victim of a wrongful act a personal right to protect his or her own interests. It also has a more general effect. While dealing with individual cases, the civil remedy allows courts to provide authoritative and binding rulings as to what particular provisions of the legislation mean. There is then a ripple effect as the court decision sets a standard to be followed by all organizations that are subject to the Act. Court proceedings are often considered costly and inconvenient. Nonetheless, people are sometimes prepared to litigate over matters that are important to them, and the litigation can settle important points of principle. A prime example in the `personal information' field would be McInerney v Macdonald (1992) 126 NBR (2d) 271, a New Brunswick case in which the Supreme Court of Canada eventually established the right of a doctor's patient to see a consultant's report.

Generally speaking, unless there is some administrative remedy making recourse to the courts inappropriate, one would think that if a law is enacted, the courts should be able to say what it means. Declarations, therefore, would appear to be a natural part of the scheme. Injunctions would naturally follow. It would be odd to allow the courts to say what an Act means but to give them no authority to require an organization to act as the legislation says it should. The idea that organizations might be ordered to comply with the legislation is something to be borne in mind when considering the detailed wording of legislation; it would be essential that the legislation did not impose obligations that organizations could not reasonably be expected to live up to. Unless unreasonable obligations are imposed, however, injunctions should not be problematic.

Awards of damages require more careful thought. A review of data protection materials from elsewhere suggests that one may legitimately ask both (a) whether damages should be available at all for breach of the data protection principles and (b) if so, in what circumstances. Most existing public sector data protection Acts in Canada do not provide for awards of damages. In Quebec, where legislation covers the private sector as well, the basic data protection provisions are in the Civil Code, and awards of damages are available. In private sector data protection statutes from common law jurisdictions outside Canada (there are none in Canada at present), awards of damages are approached with care. New Zealand's Privacy Act 1993 expressly states that it creates no legal rights enforceable through the courts. Compensation can be ordered by the Complaints Review Tribunal, but this is discretionary, not a matter of entitlement. In the U.K., under the Data Protection Act 1984, damages can be awarded in some situations, but not where an organization has taken "such care as in all the circumstances was reasonably required" to prevent the violation from occurring. When the amount of the compensation is assessed, the "distress" suffered by the individual can be taken into account, but apparently "distress" by itself is not enough to entitle the individual to compensation. The existence of "damage," it seems, is an essential precondition to the claim. (See sections 22 and 23.)

There is good reason for caution in making awards of damages available for violation of data protection principles. The principles set standards of good practice, but it is not necessarily the case that every act that falls short of these standards, and is therefore less than `good', is necessarily so `bad' that it should give rise to a claim for compensation if damage or distress results. If "personal information" is defined as suggested in Proposition #5 -- as any information about an identifiable individual, recorded in any form -- it will cover a wide range of material, some of it sensitive, much of it not. The handling of personal information, and thus the possibility of error, will abound in the everyday operations of most organizations, and the implementation of the legislation will regularly involve decisions being made about what is "appropriate" or not, or what is "reasonable" or not. The legislation could become burdensome if every decision reached were liable to be questioned in the courts, with a potential liability to damages arising out of any error in judgment, even where the organization had made genuine and substantial efforts to comply with the legislation.

For this reason it seems wise, in relation to awards of damages, to build a margin of error into data protection legislation, so that the mere fact that an organization falls short of the standards in the Act, and damage results, would not of itself be sufficient to support a claim for compensation. This margin of error might be defined in different ways. The U.K. legislation, as noted above, uses lack of reasonable care as the test for an award. An alternative might be to look at the consequences of the non-compliance, and say that it was only where these amounted to a true `invasion of privacy' that compensation could be awarded. Preferable to either of these, perhaps, would be to provide a test of `manifest inconsistency with the Act' as the threshold that a plaintiff had to establish in an action for damages. Under such a test, reasonable but mistaken actions would not expose organizations to liability for damages.

Proposition #32

Unless data protection legislation adopts administrative remedies that make civil remedies unnecessary, declarations, injunctions and awards of damages should be available for the enforcement of the legislation. However, awards of damages should only be made where an organization's non-compliance with the Act causes loss and satisfies some additional criterion such as being manifestly inconsistent with the Act.

The administrative remedy
In the public sector the issue of administrative remedies was relatively straightforward. A statutory agency already existed -- the provincial Ombudsman -- with a mandate that naturally included information-handling issues of the type that data protection principles involve. This connection was officially recognized when the Province adopted its Personal Privacy Code in 1994; the Ombudsman was identified then as the body to oversee compliance with the Code. The Department of Justice's 1996 Discussion Paper suggested that the Ombudsman should have the same role under public sector data protection legislation. The Law Amendments Committee confirmed that role, and this is now the effect of the Public Sector Act. Under that Act, the administrative remedy through the Ombudsman is in fact the primary remedy, with judicial remedies having a much more limited scope.

In the private sector, however, things are not so simple. There is no existing agency with a mandate that naturally extends to data protection in all, or even many, of the "organizations" that Proposition #4 suggests data protection legislation might cover. There are, however, many fields of activity where there are statutory regulators whose mandates either do or could include data protection issues. Regulated bodies include insurance companies, financial institutions, collection agencies, private investigators and nursing homes, to name just a few. Self-regulating occupations like lawyers and doctors also have statutory complaints mechanisms in place that might deal with data protection matters -- and probably already do so in contexts such as client confidentiality. Non-statutory complaints mechanisms have also been put in place by voluntary standards-setting bodies such as industry associations. The recent federal consultation paper mentions all of these bodies as potentially having a part to play in the non-judicial enforcement of private sector data protection legislation (p.21).

Discussion of administrative remedies for data protection legislation tends to focus on whether a designated data protection agency should be established to oversee compliance. The expression `Privacy Commissioner' is often used to identify this agency, but the term is misleading. It suggests that the agency might be concerned with `privacy' in the broad and more natural sense of Part II of this Paper, rather than with the more limited `data protection' issues that are in fact the agency's role. This Paper will therefore use the expression `data protection agency' rather than `Privacy Commissioner'.

It must also be noted, of course, that establishing administrative remedies for data protection legislation does not necessarily require the creation of a data protection agency. There are other options.

There are two broad reasons why one might establish administrative remedies for data protection legislation. One would be to reduce the role that the courts might otherwise play in enforcing the Act. This might be done if, for example, the obligations created by the legislation did not readily lend themselves to judicial enforcement, or if there was concern that the legislation might expose organizations to too much litigation over too many issues. The other would be that judicial remedies, though appropriate to data protection legislation, could not cover enough of the ground. They might be thought to be too slow and expensive to deal with ordinary non-compliance issues, and unable to deal with things such as prevention and education, which some people would argue a data protection scheme must include.

The first of these reasons is essentially an assertion that judicial remedies are not appropriate to data protection legislation. Some people might argue, for example, that the CSA Code must be seen as an ethical statement rather than a legal one, that organizations cannot realistically be expected to maintain the standards that it sets, and that they should not be exposed to law-suits every time they fail to do so. On this basis an administrative remedy based substantially on moral suasion might be seen as more appropriate than the courts.

The strength of such an argument depends on whether the CSA Code, and data protection legislation based on it, does or does not accurately describe realistic standards of good practice. It also depends on the nature of the judicial remedies proposed -- which, on the basis of Propositions #31 and #32, would be (a) prosecutions for "wilful" violations of specific principles, (b) damages where loss is caused by an action that is "manifestly inconsistent with" the legislation, and (c) declarations and injunctions in any case of non-compliance. Whether this balance of obligations and remedies is appropriate and realistic is an important subject for public debate.

One point that is worth making, though, is that the obligations in the CSA Code are of a kind that courts do enforce in other contexts. The Code incorporates flexible ideas like "except where inappropriate" (CSA Principle 3) and the "reasonable expectations of the individual" (para.4.3.5). The courts regularly deal with flexible concepts such as these; examples include "reasonable care" in the law of negligence, and "reasonable expectations of privacy" under s.8 of the Canadian Charter of Rights and Freedoms, to mention just two. The courts are, indeed, probably more familiar than most administrative agencies with enforcing generic standards such as these, and particularly so in applying them across a broad sweep of activities. It seems unlikely, therefore, that the obligations in data protection legislation can be said not to lend themselves to interpretation and enforcement by the courts. One might, perhaps, limit the role of the courts on the ground that organizations and individuals would have a greater `comfort level' in dealing with an administrative body when a dispute under the legislation arose. This, though, is different from saying that the courts are not well suited to interpreting principles such as those in the CSA Code.

This leads to the second of the reasons identified above for establishing administrative remedies under data protection legislation -- that though judicial remedies might be appropriate to data protection legislation, administrative remedies would be preferable. There are two main aspects to this. One relates to complaints and the nature of the dispute resolution process. The other relates to issues such as prevention and education, which, if they were part of the legislative scheme, could obviously not be the function of the courts.

In relation to complaints, the argument for establishing an administrative remedy can be stated quite bluntly. It is that litigation is expensive and intimidating, and most people, in most situations, will not sue over the kinds of issues involved in data protection legislation. On this argument, unless there is administrative enforcement, there will effectively be no enforcement at all. Administrative enforcement, one might add, could operate largely by mediation and conciliation, whereas judicial remedies tend to be confrontational.

Countering this is the view that administrative remedies are the exception rather than the rule for most legal disputes. Though agencies such as rentalsmen, employment standards officers and human rights commissions exist, normally the parties to legal disputes must sort things out between themselves, or take their lumps, or sue. This is the position that the law takes on `personal information' matters such as defamation or breach of confidence. The same applies in relation to the fundamental human rights set out in the Canadian Charter of Rights and Freedoms, including the right of privacy that the courts have held it implies. It is also largely true of consumer protection statutes (under which consumers will probably use the small claims procedure if the matter eventually comes to litigation). The consumer analogy is a relevant one because much of the discussion of private sector data protection legislation, including the recent federal consultation paper, places data protection in the context of the need to protect consumer rights, especially on the information highway.

The creation of an administrative complaints procedure in data protection legislation should not, therefore, be taken for granted. A choice is involved about costs, about benefits and about priorities. On the one hand, administrative resources devoted to the enforcement of data protection legislation should presumably improve the likelihood that `fair information practices' will be observed in practice. On the other hand, there are always many claims for administrative resources, and it would not diminish the values promoted by data protection legislation if it were simply left up to individuals to pursue their remedies by legal proceedings if they so chose. Existing regulators would of course continue to be available to receive complaints within their spheres of responsibility.

If an administrative complaint process for data protection legislation appears to be, in the abstract, desirable, one must also ask what the process should involve. One possibility is that it should be a process of mediation and conciliation, with no compulsory powers attached. Arguably this would improve the prospects of reaching amicable solutions; on the other hand, it might be criticized as being weak. If one moves beyond this, however, and adds compulsory powers to the administrative remedy, a range of issues arises as to what those powers should be. If binding orders could be issued, formal powers to hold hearings would presumably be required. Along with them would probably go the power to summon witnesses and compel the production of evidence. Powers to enter premises and inspect books and records might also be called for. Enforcement mechanisms designed to ensure that the binding orders were complied with would also have to be considered.

In short, one step leads to another. The issue for public discussion at this point is just how far it is right to go in establishing an administrative complaint process. Three credible points on the scale are (1) to rely on judicial processes entirely, (2) to have an administrative process with no compulsory powers (the judicial process might still perhaps be available if mediation failed), or (3) to have an administrative process with compulsory powers that would probably be quite extensive. Which of these approaches is better suited to the goal of ensuring that organizations follow `fair information practices' in their handling of personal information?

The other issue that was raised earlier in relation to administrative remedies was whether an administrative process could provide things that judicial remedies, being strictly complaints-based, could not. One item mentioned previously was prevention; another was education.

If functions such as these enter the picture, the administrative remedy under data protection legislation begins to take on the shape of a permanent body -- not necessarily a single-purpose data protection agency, but at least a body with a continuing existence and data protection as one of its functions. By contrast, a pure complaints mechanism, as described in previous paragraphs, could be a more temporary entity, established to deal with complaints as they arose.

Nonetheless, some of the issues raised by these additional functions are comparable to those raised in relation to the complaints mechanism. Prevention, on the face of things, seems desirable. But if, in practice, prevention means that an administrative agency has the compulsory power to enter the premises of any organization and inspect its records and practices, even in the absence of a complaint, is it an appropriate power to confer in the interests of the proper handling of personal information?

Prevention in another sense might mean giving advice to organizations so that they can ensure that their practices comply with the legislation. Yet this too can be problematic, because whatever advice the agency might give, it would also have to reserve the right to re-investigate the matter with an open mind if an individual subsequently made a complaint about the action in question. The agency's advice, therefore, could not be authoritative, and unless authoritative it would be of questionable value to the organizations that sought it.

Education, in the pure sense of providing general information to the public about the legislation, and advocacy, in the sense of trying to encourage governments and organizations to pay greater attention to data protection issues in their decisions and practices are perhaps less likely to cause practical or technical difficulties. There is, however, a question of priorities and resources to be addressed. As part of the mandate of a substantially complaints-oriented agency they might well be desirable. As a mandate in themselves, however, in the absence of a substantial volume of complaints, one might wonder whether they were justified.

It may be worth noting here that the volume of complaints received by the Ombudsman under New Brunswick's public sector Personal Privacy Code in the first three years after its adoption was small -- less than 25 complaints each year. Few conclusions can be based on these figures, but they may at least indicate that policies under data protection legislation should not be based on the assumption that the volume of complaints will be large. It will be interesting to see whether the replacement of the non-statutory Personal Privacy Code in the public sector by the Protection of Personal Information Act makes a difference to these figures.

Proposition #33

Administrative remedies are not essential to data protection legislation, but are a policy option. Key issues for public discussion are

(a) whether judicial remedies alone would be appropriate and sufficient,

(b) whether an administrative complaints mechanism without compulsory powers would serve a purpose,

(c) whether an administrative complaints mechanism with compulsory powers would be over-intrusive or counter-productive,

(d) whether a non-complaints function can be identified that is substantial, viable, and a strong reason in itself for devoting resources to an administrative agency with a specific data protection mandate.

Legislative Assembly of New Brunswick
Email | Contacts |