McCague Borlack LLP - Litigation Boutique, GLOBAL Litigation Law Firm

 

 

 

Articles and Publications

January 2014

Overview of PIPEDA

Hot Topics in Privacy Law - Topic 2 of 5

 

First presented at MB's Privacy and Investigations Seminar on December 17, 2013

a. Application of PIPEDA

The key concept of PIPEDA is that it applies to "commercial activities". What constitutes a commercial activity can be open to interpretation. Section 2(1) defines "commercial activity" as "any transaction, act or conduct or any regular course of conduct that is of a commercial character." This definition has been subject to debate, particularly in the context of deciding whether or not entities such as non-profits would be considered as engaging in commercial activity for the purposes of the act. To err on the side of caution, if there is any confusion as to whether an organization is engaged in "commercial activities," it is advisable that the organization obtain an individual's consent prior to the collection, use and disclosure of the individual's personal information.

b. What is "personal information"?

"Personal information" is defined in s. 2 as "information about an identifiable individual." An individual is "identifiable" where there is a possibility that the person could be identified through the use of that information.

Personal information is considered to include, but is not limited to:

  • age, name, ID numbers such as a SIN, income, or ethnic origin;
  • opinions, evaluations, comments, social status;
  • employee files, credit records, loan records; and
  • medical and health information.

Personal information does not include publicly available information, nor does it include the name, title or business address or telephone number of an employee of an organization. This is referred to as the "business card exception."

c. 10 Privacy Principles of PIPEDA

PIPEDA requires that organizations, including law firms, collect, use and disclose personal information in accordance with the following legal principles:

  1. Accountability - Organizations like law firms are responsible for personal information under their control and shall designate an individual (or individuals) such as a chief privacy officer, who is accountable for the organization's compliance with PIPEDA's principles.

  2. Identifying Purpose - The purposes for which personal information is collected shall be identified by the organization, at or before the time of collection.

  3. Consent - Knowledge and consent of the individual are required for the collection, use or disclosure of the personal information, except where certain exceptions apply.

    Exceptions to consent are enumerated in s. 7 of PIPEDA. For example, organizations may collect personal information without the individual's knowledge or consent if obtaining knowledge or consent would compromise the availability or accuracy of the information, and collection is required to investigate a breach of an agreement or contravention of a federal or provincial law.

  4. Limiting Collection - The collection of personal information shall be limited to that which is necessary for the purposes previously identified by the organization.

  5. Limiting Use, Disclosure and Retention - Personal information shall not be used or disclosed for purposes other than those for which it was collected. The only exceptions are when the individual consents, or as required by law. The information shall be retained only as long as necessary for the fulfillment of those purposes.

  6. Accuracy - The personal information shall be accurate, complete, and up to date.

  7. Safeguards - Personal information shall be protected by administrative, technical, and physical safeguards.

  8. Openness - Organizations shall make information about their policies and practices with respect to the collection, use, disclosure and retention of personal information readily available to persons.

  9. Individual Access - Organizations shall provide individuals with the opportunity to access and make corrections to their personal information.

  10. Challenging Compliance - Individuals must have a mechanism through which they can challenge an organization's compliance with PIPEDA's privacy principles.

d. Privacy issues in the context of litigation

  1. Collection, use, and disclosure of personal information - The collection, use, and disclosure of clients' and potential clients' personal information occurs at the earliest stages of litigation. For instance, if the potential client is an individual (not an insurance company or other business entity), the retained lawyer may request that the individual provide a copy of his or her driver's license for the purpose of confirming the individual's identity. Clients should understand why collection of this information is necessary, and be given the opportunity to provide consent to the collection.

    Use refers to the handling of personal information within an organization.

    Disclosure means making the personal information that has been collected available to others outside the organization.

  2. Knowledge and consent - As part of the file opening process, potential clients must have knowledge of the information required for clearing conflicts and opening a file. They must also be given the opportunity to provide their consent to such collection.

    Law firms and other organizations subject to PIPEDA must obtain an individual's consent for the collection and subsequent use and disclosure of personal information. Consent can be either express or implied. Consent can be provided orally or in writing. Express consent is unequivocal and does not require any inference on the part of the organization seeking consent. Implied consent may be reasonably inferred from the individual's reasonable expectations.

    In instances where the personal information collected is to be used for a purpose other than that for which the personal information was originally collected, the lawyer must obtain the individual's consent to this secondary purpose.

  3. Drafting pleadings - While it is accepted that certain personal information will be contained in pleadings, and be disclosed without obtaining the consent of those persons to whom that information pertains, it is considered to be a best practice to keep the amount of personal information revealed in a pleading to a minimum. Consider whether the personal information is material to the claim; if it is not, then it should not be disclosed in the pleading.

  4. Deemed undertaking rule - The 'deemed undertaking rule' comes from the SCC decision of Juman v Doucette, 2008 SCC 8, and provides that "whatever is disclosed in the discovery room stays in the discovery room unless eventually revealed in the courtroom or disclosed by judicial order." (para 25)

    This rule runs parallel to the principles of PIPEDA, whereby organizations, such as law firms, are able to collect, use, or disclose personal information, but only for purposes that a reasonable person would deem acceptable; further, the information gathered must not be disclosed for any purpose other than those for which it was gathered.

  5. Credit checks and surveillance - Both of these are tools commonly used by law firms in the beginning stages of litigation. Credit checks are usually done to ensure that a prospective client has sufficient assets to pay for litigation, while surveillance is done to scope out the true nature of the claim and to what extent the allegations are truthful.

    Being aware of s. 7 of PIPEDA will help law firms avoid running afoul of privacy legislation. Personal information obtained surreptitiously through surveillance or the use of private investigators will breach privacy laws unless it either falls under one of the exceptions contained in s 7.1 of PIPEDA, or the subject's consent and knowledge of the surveillance has been obtained.

    Similarly, a credit check that is done in the course of business activities without the knowledge and consent of the individual will breach PIPEDA unless it falls within a s. 7 exception. As always, so long as a client has given consent to perform the conflict check, then there will be no issue with the relevant privacy statutes.

  6. Responding to access requests during active litigation - Ongoing litigation is not an excuse for failing to comply with legitimate access to information requests under PIPEDA. It must be remembered that an individual's right to access is considered to be fundamental and is thus not affected by the individual's motive for seeking access.

    Solicitor-client privilege, encompassing both legal advice and litigation privilege, is a legitimate ground for refusing access to documentation. Lawyers should be careful not to extend blanket 'litigation privilege' over documents; serious consideration should be given to whether the documentation was created with the dominant purpose of actual or reasonably anticipated litigation, just as it is with documentary discovery under the Rules of Civil Procedure. Furthermore, lawyers would do well to consider whether or not litigation privilege has expired over the requested documents or information.

    While it remains open to an individual to file a complaint with the Privacy Commissioner created by PIPEDA, the Commissioner has the ability to decline to investigate. If the complaint is best dealt with by the court/litigation system (for example, whether or not litigation privilege is properly asserted over a document), then the Commissioner can direct the individual to pursue their complaint in the proper channel.

  7. Privacy and electronic discovery - Electronic discovery is primarily dealt with in the Sedona Canada Principles, and, as those principles highlight, PIPEDA must be a primary concern for lawyers and clients alike when dealing with information stored electronically. Computers, smart phones, and other personal electronic devices contain highly personal information, most of which will be irrelevant to any litigation that compels their production. The Courts have either refused to compel people to produce these devices, or appointed third party experts to review their contents and produce only what is relevant. When producing personal information stored electronically, lawyers must be vigilant to ensure that no more information than is necessary is inadvertently produced.

e. Employee personal information

While PIPEDA is inapplicable to employee personal information (excluding federally-regulated organizations and any organization operating in one of the three Territories), lawyers and law firms may be subject to Provincial privacy legislation. Even if there are no Provincial statutes governing, lawyers and law firms would be well-advised to protect their employees' personal information.

Surveilling employees to determine whether or not they have been acting contrary to their terms of employment, or whether they have broken the relationship of trust with their employer, should not be done before there is evidence that something to this effect is happening; merely suspecting that an employee has done so will not suffice.

f. International issues and using foreign service providers

PIPEDA provides to the Commissioner jurisdiction to look into complaints that stem from the cross-border flow of information. The test for determining whether or not PIPEDA will govern the transmission of information is whether there is a 'real and substantial connection' to Canada [1]; therefore, a Canadian company transmitting information abroad, or a foreign company transmitting information into Canada that discloses personal information about Canadians might both lead to a complaint to the Commissioner.

Further, the increased use of foreign corporations and service-providers raises important privacy concerns, especially as these suppliers are often dealing with personal information provided in the context of litigation. Lawyers and law firms should consider implementing strict contractual obligations regarding the handling of personal information; they should also consider informing clients of these practices, as they may ultimately bear the burden of responding to a PIPEDA complaint from the people whose information was transmitted.

Another consideration to keep in mind is information that is taken across borders during travel — security measures at airports are such that documents or personal electronic devices may be searched by authorities. Devices and documentation should be properly secured prior to braving airport security.


1 Lawson v Accusearch Inc, 2007 FC 125.

 

