PERSONAL INFORMATION PROTECTION ACT REVIEW QUESTIONNAIRE


The personal information on this questionnaire, including your opinions, is collected under the authority of section 33(c) of the Freedom of Information and Protection of Privacy (FOIP) Act for consideration in the deliberations of the Select Special PIPA Review Committee and for preparing its Report. The Report will include the names of respondents and all respondents will receive a copy of the published Report. The submissions will be available to the public in the Legislature Library. If you have any questions about the collection, use and disclosure of personal information, please contact the FOIP Coordinator of the Legislative Assembly Office, 9th Floor, Legislature Annex, 9718-107 Street, Edmonton, Alberta, T5K 1E4, Tel: (780) 427-1566.

Name: ALLAN ROBERT BUTEAU
Address: BOX 1205, REDWATER, ALBERTA, T0A 2W0
Phone: (780) 942-3370
Fax: (780) 942-3370
E-mail: ajabuteau@shaw.ca
Signature: A. R. Buteau

Question 1: Is the process for providing access to records containing an individual's own personal information appropriate? If not, please explain why and provide any suggestions for improvement.

Access

Relevant Legislation:

24(1) Subject to subsections (2) to (4), on the request of an individual for access to personal information about the individual and taking into consideration what is reasonable, an organization must provide the individual with access to the following:
  (a) the individual's personal information where that information is contained in a record that is in the custody or under the control of the organization;
  (b) the purposes for which the personal information referred to in clause (a) has been and is being used by the organization;
  (c) the names of the persons to whom and circumstances in which the personal information referred to in clause (a) has been and is being disclosed.

Duty to assist

27(1) An organization must
  (a) make every reasonable effort
    (i) to assist applicants, and
    (ii) to respond to each applicant as accurately and completely as reasonably possible,
  and
  (b) at the request of an applicant provide, if it is reasonable to do so, an explanation of any term, code or abbreviation used in any record provided to the applicant or that is referred to.

(2) An organization must, with respect to an applicant's personal information, create a record for the applicant if
  (a) the record can be created from a record that is in electronic form and that is under the control of the organization, using its normal computer hardware and software and technical expertise, and
  (b) creating the record would not unreasonably interfere with the operations of the organization.

The Act further provides that an individual may make a request for access to an organization that he / she believes might have collected and used their personal information. Access requests are to be made in writing and the applicant must provide sufficient detail about the information he or she is seeking.

CONCERNS:

The wording of these portions is extremely weak and places the burden upon the individual seeking access to their PERSONAL INFORMATION.

Firstly, the Applicant must become aware that an Organization has collected and used their Personal Information. Then the Applicant must specify the nature of the information he or she suspects was collected or used.

An Organization may request numerous clarifications and without full disclosure simply supply access to specific records that the applicant might be able to identify. Thus, denying access to the Applicant's Personal Information on the basis that the Applicant does not know the Organization's terminology when attempting to identify records by name or category.

The Organization can and usually does provide vague general statements regarding the use and purpose of collection of Personal Information. Personal Information collected and distributed can also be explained with general statements. These general statements tend to lead the Applicant to believe that the Organization is hiding something.

Under section 27(2)(b) an Organization can deny access on the basis that they are too busy to respond.

PIPA does not provide for ongoing disclosure or updated requests where Organizations continue to collect and distribute Personal Information.

Examples:

In responding to a request for access the Law Society of Alberta will write: "We have collected and used your personal information to determine the conduct of our members. Your Personal Information was shared with our members so that they might participate in our process." Thus leaving it up to the Applicant to determine the exact nature of his or her Personal Information collected, and the Applicant must then attempt to determine who received his or her personal information along with the exact nature of what was disclosed. It is impossible for the Applicant to confirm the completeness and/or the accuracy of the disclosed personal information.

When an applicant requested updates to his personal Information, Organizations such as the Law Society of Alberta will deem the update request as a repeated request and refuse any further disclosure.

Suggestions:

a. Personal Information must be regarded and treated as the Personal Property of the individual original Owner.

b. Organizations wishing to use or disclose Personal Information Must in good faith advise the public that they are collecting, using and disclosing a person's information prior to the fact and not only after the Applicant suspects collection and use.

c. Organizations must create data base or indexes of records for all personal information collected and must be prepared upon request to provide the applicant with either a printout from their data base or their index of records.

d. The Applicant would then be disposed to make specific requests for access to records from the list. In default, an Organization must be prepared to disclose to an Applicant all of the Applicant's Personal Information.

e. Organizations must be made to copy to individuals duplicate copies of each and every record disclosed to others that contain their Personal Information. Where the record contains information which is not the Information of the Applicant, it would be the Organization's reasonable responsibility to seek exemption permission from the Commissioner.

f. Organizations must make every effort to provide the applicant with access to his or her personal information and must make every effort to refrain from disclosing the Applicant's Personal Information.

g. Better wording is required under section 24(1)(c) so that it is clear that Organizations track and are able to disclose all releases and access to a person's information, and these accesses would document who accessed the Information and why. This provision is especially pertinent to electronic files which after accessing ultimately form a permanent part of the hard drive used to gain access. Organizations such as the Law Society of Alberta frequently allow Benchers and other agents to access personal information from remote locations and their in-house security policies fail to ensure Protection outside of their immediate premises.

h. The Organization must ultimately be held responsible for the actions of any other person, agent, or Organization who have been provided with a person's information.

i. Organizations must ensure that they retain in their files (possession) only the exact amount of Personal Information required to complete the specific purposes for which it was collected, with all irrelevant information being returned to the Person (Owner) or shredded.

j. Section 27(1) re: duty to assist; should include a provision requiring the Organization to Transcribe Illegible Handwritten Notes. Without this provision it is impossible to suggest that individual interpretations could be regarded as complete or accurate.

k. Section 27(2)(b) should be abolished on the premise that the Applicant has little to no control over the Organization's business practices, which in the interest of the public should be tailored to be consistent with the law and the Commissioner's recommendation to limit liability by limiting collection, retention and ultimate disclosure. Furthermore, as Organizations may only collect what is reasonable for business purposes, it is only fair to require that an Organization be able to prove reasonable collection throughout the request for access process.

l. Section 24 (Access) requires a provision for ongoing or periodic updates of one's Personal Information and this provision must take into account all of the aforementioned.

Question 2: Are the provisions for refusing access to an individual's own personal information appropriate? If not, please explain why and provide any suggestions for improvement.

Relevant Legislation:

24(2) An organization may refuse to provide access to personal information under subsection (1) if

  (a) the information is protected by any legal privilege;
  (b) the disclosure of the information would reveal confidential information that is of a commercial nature and it is not unreasonable to withhold that information;
  (c) the information was collected for an investigation or legal proceeding;
  (d) the disclosure of the information might result in that type of information no longer being provided to the organization when it is reasonable that that type of information would be provided;
  (e) the information was collected by a mediator or arbitrator or was created in the conduct of a mediation or arbitration for which the mediator or arbitrator was appointed to act
    (i) under an agreement,
    (ii) under an enactment, or
    (iii) by a court;
  (f) the information relates to or may be used in the exercise of prosecutorial discretion.

(3) An organization shall not provide access to personal information under subsection (1) if
  (a) the disclosure of the information could reasonably be expected to threaten the life or security of another individual;
  (b) the information would reveal personal information about another individual;
  (c) the information would reveal the identity of an individual who has in confidence provided an opinion about another individual and the individual providing the opinion does not consent to disclosure of his or her identity.

(4) If, in respect of a record, an organization is reasonably able to sever the information referred to in subsection (2)(b) or (3)(a), (b) or (c) from a copy of the record that contains personal information about the individual who requested it, the organization must provide the individual with access to the record after the information referred to in subsection (2)(b) or (3)(a), (b) or (c) has been severed.

CONCERNS:

Personal Information by definition is Personal to the Individual (owner) and the Owner should not be exempted from access to his or her personal information excepting for extraordinary circumstances.

Discretionary exemptions are particularly damaging and under the Act, the Commissioner is limited in his power to Order disclosure of these so-called Discretionary Exemptions.

At the same time that an Organization might use its Discretion to withhold Personal Information from the Owner, the Organization may without exemption possibly use, abuse, and wrongfully distribute incomplete or inaccurate information.

As grade school students we were taught to treat secrets as bad manners and lies; as Adults we are made to succumb to both Organizations and Government keeping secrets about us and these provisions go to further instill these Lies and Bad Manners. This treatment is especially evident in dealings with Self-regulatory Organizations who claim a mandate to Preserve Public Interest. Secrets being Lies and Bad Manners do nothing towards serving Public Interest.

I have cogent evidence that Self-regulatory Organizations can manipulate the Act and use their discretionary provisions to delay access to Personal Information for more than 2 years and in doing so cause the Applicant and Tax Payers to expend virtually thousands of dollars.

PIPA is the only Privacy Act in Canada that does not clearly acknowledge a Person of Interest's right to disclosure. And, in fact, the Law Society of Alberta is attempting to use Section 4 to deny access to Personal Information on the basis that they are acting as a person who is acting in a judicial, quasi-judicial or adjudicative capacity.

Organizations are further permitted under the Act to use their discretionary powers to punish or penalize individuals who seek reviews by the Commissioner under section 50 of the Act.

Example:

In May 2005 the Law Society of Alberta provided the Applicant with access to more than 3000 pages containing the Applicant's Personal Information and the Law Society of Alberta used their discretionary power to exempt the Applicant from viewing almost 1000 pages which contained his Personal Information. Pursuant to Section 50 of the Act, the Commissioner commenced an Inquiry under the Act. The Law Society of Alberta responded by upgrading its discretionary power to now exempt the Applicant from viewing any and all of his Personal Information. The Law Society of Alberta has further refused to allow the Applicant to withdraw or vary his Consent. (SEE ALSO: Question #4.)
The Law Society of Alberta has further placed a formal complaint filed against its director in abeyance pending the completion of the Commissioner's Inquiry.

Suggestions:

a. All mandatory exemptions must be reviewed by the Commissioner or his designate and at the same time that information might be deemed threatening to another individual any Organization must readily disclose any evidence of threatening information that might harm the Applicant and this should be done with no consideration to alleged privilege.

b. The Organization must refrain from disclosing or using harmful information about the Applicant in dealing with others including the employees, agents and partners attached to the organization.

c. Organizations Must refrain from collecting or retaining any form of threatening information about any individual as human error often leads to inappropriate release.

d. With regards to (section 24(3)) Organizations should be made to treat with skepticism any information that is provided in confidence. The Organization prior to relying on or distributing personal information obtained in confidence must make every effort to seek consent of its release and be prepared to accept full liability for inaccurate reporting or collecting any personal misinformation.

e. With regards to the withholding of information protected by any proclaimed privilege; Personal Information by definition belongs to the Person not the Organization and no Organization should be allowed to hold Privileged the personal property of any individual.

f. With regards to the withholding of Personal information that was collected for an investigation or legal proceeding; virtually every other Privacy Act in Canada provides that no information may be withheld from a party of interest. Notwithstanding the fact that private individuals may not be investigated by non-government officers, it is clearly not in the Public's Best Interest for Self-regulatory Organizations such as The Law Society of Alberta to withhold from a complainant his personal information including legal opinions and/or any other pertinent information that might affect the Applicant's Case.

g. The ONLY allowable discretionary exemption would be in the event that disclosure would inadvertently affect an Investigation and in such extraordinary circumstances, the withheld information must be provided immediately following the Investigation. (This Clause is consistent with FOIP and other Privacy Laws.)

h. All Personal Information presumably withheld pursuant to Prosecutorial discretion must be reviewed and accepted as such by a Crown Prosecutor. However, as a party of interest to the use of Personal Information it is highly unlikely that a Court would not require appropriate disclosure to the Applicant (Owner).

i. Once the Privacy Commissioner has accepted and commenced an Inquiry under section 50 of the Act: It should be further accepted that the Organization must place into abeyance all matters requiring the use of the Applicant's Personal Information which is subject to the Privacy Commissioner's Inquiry and until such time as the Commissioner accepts that the Organization has acted appropriately. Failing; the Privacy Commissioner might be held jointly liable for any Privacy Breaches which occur during the Inquiry Process and more so when Inquiries are not completed within the timelines set out in Section 50 of the Act.

Question 3: Are the provisions relating to fees appropriate? If not, explain why and make suggestions for improvement.

Relevant Legislation:

Fees

32(1) An organization may charge an applicant who makes a request under section 24 a reasonable fee for access to the applicant's personal information or a record relating to the information.

(2) Subject to the regulations, a fee is not payable by an applicant in respect of a request made under section 25.

(3) If an organization is intending to charge an applicant a fee for a service, the organization
  (a) must give the applicant a written estimate of the total fee before providing the service, and
  (b) may require the applicant to pay a deposit in the amount determined by the organization.

Under sections 46 and 50 the Act further provides for a review of a fee estimate and while a fee estimate is being considered, and/or reviewed, the access to personal information is placed on hold.

CONCERNS:

This Provision in the Act should be abolished as it costs the Tax Payers and the Organizations more to adjudicate than an organization can ever hope to recover.

Charging a Person a fee for access to their Personal Information is extortion and amounts to an Organization being able to hold as hostage your Personal Information.

Under FOIP the government or government Organizations may not charge for access to Personal Information.

An Organization's right to collect or use Personal Information is not an absolute and fees will only serve to discourage an applicant from his absolute right to access to his or her own Personal Information.

Generally speaking the Applicant has little to no influence over the amount of records generated by an Organization and when an access request is made, photocopying charges should be done at the Organization's Expense and not at the expense of the Applicant because the need to create a copy is done to protect the Organization and not the Applicant.

The Applicant has no control over the number of persons accessing his personal information while it is in the Organization's Care and Control.

The Applicant has no control over competency of the Organization's representatives and no control over the amount of time spent responding to a request for information.

Organizations use the fee provision to attempt to get the Applicant to narrow the scope of his or her request, thus limiting the scope of a request to the point that it might be impossible for the applicant to assess the completeness and/or accuracy of his Personal Information as collected and used by the Organization.

The Collection of fees turns the Access process into a money-making scheme and deters from its intent which is to ensure accountability and transparency.

Organizations use the fee provision to secure funds for disclosure which outside of PIPA must be granted freely or as a necessary integral part of their normal business operations.

Organizations now incorporate into fees their disclosure requirements under Section 6 (Policies) and time spent exercising and applying discretionary exemptions to the Applicant's Personal Information.

In his speeches the Commissioner warned Organizations to limit their Liabilities by Limiting Collection and retention of Personal Information. Again, the Applicant has no control over the sheer amount of information collected or retained.

Examples:

The Law Society of Alberta now charges a fee for access to complaint files when the request comes from a private citizen yet they offer full disclosure to their members for free.

At one point the Law Society of Alberta attempted to charge me for completing Appeal Binders which they provided to the Members and Panels for free.

Wawanesa Insurance charges Fees to Applicants from Alberta while under FOIP in other provinces they are not permitted by law to charge fees to an Individual seeking access to their own Personal Information and this Personal Information may include information that should be voluntarily supplied, such as Insurance and billing calculations.

Suggestions:

a. Organizations should be forbidden from charging fees for access to Personal Information excepting for charging for a second copy of the Applicant's personal information when the first copy was supplied under PIPA and the Applicant requests a second or duplicate copy.

b. Under the Federal Act, the Federal Privacy Commissioner has issued several Orders recommending that Organizations consider charging an administration fee of $5 to $25 and discourages any form of fee estimates.

c. The only other fee provision should be considered in the event that the Applicant requests access to his Personal Information which was collected prior to PIPA coming into effect and these records are stored and archived in a remote location.

d. Self-regulatory organizations such as the Law Society of Alberta that require Personal Information to complete their mandate of Protecting Public Interest Must Not be permitted to charge fees for access to Personal Information collected to determine the conduct of its members.

e. Any and all Organizations, including Self-regulatory organizations such as the Law Society of Alberta, that as part of the business arrangement, proclaim to provide a service to any individual or general public MUST be prepared to without cost to the applicant substantiate or prove the value of the service. (NOTE: prior to PIPA coming into effect, these Organizations, including Self-regulatory organizations such as the Law Society of Alberta, were generally required and provided access to information to the applicant at no cost to the applicant.)

Question 4: Are the provisions dealing with forms of consent and the conditions attached to their use appropriate? If not, please explain why and make suggestions for improvement.

Relevant Legislation:

Consent required

7(1) Except where this Act provides otherwise, an organization shall not, with respect to personal information about an individual,
  (a) collect that information unless the individual consents to the collection of that information,
  (b) collect that information from a source other than the individual unless the individual consents to the collection of that information from the other source, or
  (c) use that information unless the individual consents to the use of that information,
  (d) disclose that information unless the individual consents to the disclosure of that information.

(2) An organization shall not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal information about an individual beyond what is necessary to provide the product or service.

(3) An individual may give a consent subject to any reasonable terms, conditions or qualifications established, set, approved by or otherwise acceptable to the individual.

Form of consent

8(1) An individual may give his or her consent in writing or orally to the collection, use or disclosure of personal information about the individual.

(2) An individual is deemed to consent to the collection, use or disclosure of personal information about the individual by an organization for a particular purpose if

(a) the individual, without actually giving a consent referred to in subsection (1), voluntarily provides the information to the organization for that purpose, and (b) it is reasonable that a person would voluntarily provide that information. (3) Notwithstanding section 7(1), an organization may collect, use or disclose personal information about an individual for particular purposes if (a) the organization (i) provides the individual with a notice, in a form that the individual can reasonably be expected to understand, that the organization intends to collect, use or disclose personal information about the individual for those purposes, and (ii) with respect to that notice, gives the individual a reasonable opportunity to decline or object to having his or her personal information collected, used or disclosed for those purposes, (b) the individual does not, within a reasonable time, give to the organization a response to that notice declining or objecting to the proposed collection, use or disclosure, and (c) having regard to the level of the sensitivity, if any, of the information in the circumstances, it is reasonable to collect, use or disclose the information as permitted under clauses (a) and (b). (4) Subsections (2) and (3) are not to be construed so as to authorize an organization to collect, use or disclose personal information for any purpose other than the particular purposes for which the information was collected. (5) Consent in writing may be given or otherwise transmitted by electronic means to an organization if the organization receiving that transmittal produces or is able at any time to produce a printed copy or image or a reproduction of the consent in paper form. Withdrawal or variation of consent 9(1) Subject to subsection (5), on giving reasonable notice to an organization, an individual may at any time withdraw or vary consent to the collection, use or disclosure by the organization of personal information about the individual. 
(2) On receipt of notice referred to in subsection (1), an organization must, subject to subsection (3), inform the individual of the likely consequences to the individual of withdrawing or varying the consent.
(3) An organization is not required to inform an individual under subsection (2) if the likely consequences of withdrawing or varying the consent would be reasonably obvious to the individual.
(4) Except where the collection, use or disclosure of personal information without consent of the individual is permitted under this Act, if an individual withdraws or varies a consent to the collection, use or disclosure of personal information about the individual by an organization, the organization must,
(a) in the case of the withdrawal of a consent, stop collecting, using or disclosing the information, and
(b) in the case of a variation of a consent, abide by the consent as varied.
(5) If withdrawing or varying a consent would frustrate the performance of a legal obligation, any withdrawal or variation of the consent does not, unless otherwise agreed to by the parties who are subject to the legal obligation, operate to the extent that the withdrawal or variation would frustrate the performance of the legal obligation owed between those parties.
(6) A withdrawal or variation of a consent by an individual may be given to an organization in the same manner as a consent may be given.
(7) An individual may, subject to this section, withdraw or vary a consent subject to any reasonable terms, conditions or qualifications established, set, approved by or otherwise acceptable to the individual.
(8) Nothing in this section is to be construed so as to empower
(a) an individual, as part of the withdrawal or variation of a consent, to impose an obligation or a liability on an organization unless the organization agrees otherwise, or
(b) an organization, as part of the withdrawal or variation of a consent, to impose an obligation or liability on an individual unless the individual agrees otherwise.

CONCERNS:
(i). The Provisions regarding consent do not affect Personal Information collected prior to January 2004. Organizations are free to use and distribute Personal Information collected prior to January 2004 without notice to an individual. In most cases the Individual is not even aware that their Information was collected, by whom, for what purpose, nor the names of persons who have or have had access to their personal information.
Example (i): Self-regulatory Organizations such as the Law Society of Alberta invite and encourage private citizens to bring forth concerns regarding its members.
The Law Society of Alberta then creates a personal profile and complainant history on that individual which it discloses to its members without the knowledge and/or consent of the Private Individual.
(ii). Organizations are not always forthright with all the circumstances regarding the collection and use of Personal Information. Nor are Individuals kept up-to-date regarding the possibilities of changes regarding their Personal Information and the Individual's right to withdraw consent.
Example (ii): Self-regulatory Organizations such as the Law Society of Alberta will not allow individuals to withdraw or vary consent for use and disclosure of personal information when they determine that the Personal Information of the Private Individual is or was collected to determine the conduct of its members. The Act does not require that Self-regulatory Organizations such as the Law Society of Alberta disclose and advise Private Individuals that, upon bringing forth a complaint, Consent for usage of that person's Personal Information may not be withdrawn or varied by the Private Individual except at the sole discretion of the Self-regulatory Organizations such as the Law Society of Alberta.
(iii). Organizations are permitted under Section 24 to use their discretionary powers to deny the applicant access to his or her personal information, thus ignoring and disregarding all the provisions regarding consent. Organizations are not required to declare their intentions regarding discretionary provision at the time Consent for use of Personal Information is sought.
Example (iii): When Organizations declare their discretionary powers, it is impossible for an individual to assess the appropriateness, completeness or accuracy regarding the usage and distribution of his or her Personal Information. Thus, all provisions regarding Consent and Consent Variation might become Moot and Devoid of Merit.
(iv). Despite the commencement of a review under section 46 and/or Inquiry under section 50 of the Act, Organizations are permitted to continue using and disclosing Personal Information without any form of consent, and the review / Inquiry Process takes over 2 years to complete. Furthermore, with regards to the discretionary powers provided to Organizations under the Act, the timelines might be extended for additional years pending reconsideration by the Organization and additional review by the Commissioner.
Example (iv): In May 2005 the Law Society of Alberta provided the Applicant with access to more than 3000 pages containing the Applicant's Personal Information, and the Law Society of Alberta used its discretionary power to exempt the Applicant from viewing almost 1000 pages which contained his Personal Information. Pursuant to Section 50 of the Act, the Commissioner commenced an Inquiry under the Act. The Law Society of Alberta responded by upgrading its discretionary power to now exempt the Applicant from viewing any and all of his Personal Information. The Law Society of Alberta has further refused to allow the Applicant to withdraw or vary his Consent. (SEE ALSO: Question #2.) The Law Society of Alberta has further placed a formal complaint filed against its Executive Director in abeyance pending the completion of the Commissioner's Inquiry and forbidden the Applicant / Complainant from accessing his personal information, being the Executive Director's complete answer and supporting materials to the Applicant's Complaint.
(v) Organizations that choose to ignore a written request for Withdrawal or Variation of Consent are not required under the Act to forward or advise all parties who have received the Applicant's Personal Information Directly from the Original Organization of the existence of the Applicant's written request for Withdrawal or Variation of Consent. This concern can lead to multiple Inquiries affecting several Organizations and other third parties.
Example (v): In April 2005 the Applicant served a written request for Withdrawal and Variation of Consent upon the Executive Director of the Law Society of Alberta, which the Executive Director of the Law Society of Alberta chose to ignore. This issue became an Issue subject to review and Inquiry by the Privacy Commissioner of Alberta. The Executive Director of the Law Society of Alberta further chose to not advise all parties of the existence of either the Notice of Inquiry and/or the written request for Withdrawal and Variation of Consent. The Applicant, by way of a Facsimile, contacted all the Business Contacts who might be in receipt of his Personal Information and provided a copy of his written notice. The Executive Director of the Law Society of Alberta responded by contacting all those receiving the Applicant's written request for Withdrawal and Variation of Consent, advising them to disregard the Applicant's Notice. Due to the advice of the Executive Director of the Law Society of Alberta, the Applicant has found and filed two separate complaints with the OIPC against two other Law Firms that have inadvertently failed to protect the Applicant's Personal Information. All of which MUST be Investigated and pursued by the Privacy Commissioner at the Taxpayers' expense.

Suggestions:
a. Organizations requiring the use and distribution of Personal Information Collected Prior to January 2004 MUST obtain and/or confirm ongoing consent from the Individual to whom the Information relates.
b. With respect to Personal Information obtained or collected prior to January 2004, an Organization MUST not use or disclose Personal Information without compliance with Section 7 and Section 8 of the Act.
c. Regardless of how Personal Information is Collected or Obtained, Organizations Must clearly advise the Individual of the Organization's intentions and practices regarding providing Access, Access Fees, Discretionary Exemptions, and the Individual's ability to withdraw or vary Consent. NOTE: Notice must be given in a manner that is clearly understood by the Individual and it is not sufficient to quote certain sections or clauses from the Act.
d. Upon acceptance by the OIPC of a Review under Section 46 or Notice of Inquiry under Section 50 of the Act that affects consent or variation provisions, Organizations MUST refrain from using or disclosing to others the Applicant's Personal Information without specific written consent from the Applicant or Order from the Court. IN ALL CASES THE PRIVACY AND RIGHTS OF THE INDIVIDUAL MUST TAKE PRECEDENCE OVER ANY OTHER PART OF THE ACT.
e. An Individual's right to withdraw and/or vary consent to collection and use must be regarded as absolute, and any intention by an Organization to ignore any such provision Must be reviewed and accepted by the Commissioner, and this Clause should affect Personal Information which was collected prior to January 2004.
f. Upon Receipt of a written request for Withdrawal or Variation of Consent, the Organization MUST advise all Persons, Agents, Organizations and Business Contacts who have been provided with the Applicant's Personal Information of the existence of the written request for Withdrawal or Variation of Consent, and this Clause MUST be followed regardless of the Organization's intent to comply with the Applicant's written request for Withdrawal or Variation of Consent. THIS IS A NECESSARY REQUIREMENT AND SERVES TO LIMIT POSSIBLE FUTURE LIABILITY TO ANY THIRD PARTY SHOULD THE COMMISSIONER FIND THE ORIGINAL ORGANIZATION IN VIOLATION OF THE ACT.
g. Organizations receiving a written request for Withdrawal or Variation of Consent may not require that the Applicant serve his or her written request for Withdrawal or Variation of Consent directly upon any third party or individual that the Organization has or may have provided the Applicant's Personal Information to.
SEE ALSO: Section 5 Compliance and Accountability and Section 60 Damages for Breach.

Question 5: Are the provisions dealing with the exemptions to consent for the collection, use, and disclosure of personal information appropriate? If not, please explain why and make suggestions for improvement.
Relevant Legislation:

Collection without consent
14 An organization may collect personal information about an individual without the consent of that individual but only if one or more of the following are applicable:
(a) a reasonable person would consider that the collection of the information is clearly in the interests of the individual and consent of the individual cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;
(b) the collection of the information is pursuant to a statute or regulation of Alberta or Canada that authorizes or requires the collection;
(c) the collection of the information is from a public body and that public body is authorized or required by an enactment of Alberta or Canada to disclose the information to the organization;
(d) the collection of the information is reasonable for the purposes of an investigation or a legal proceeding;
(e) the information is publicly available;
(f) the collection of the information is necessary to determine the individual's suitability to receive an honour, award or similar benefit, including an honorary degree, scholarship or bursary;
(g) the information is collected by a credit reporting organization to create a credit report where the individual consented to the disclosure to the credit reporting organization by the organization that originally collected the information;
(h) the information may be disclosed to the organization without the consent of the individual under section 20;
(i) the collection of the information is necessary in order to collect a debt owed to the organization or for the organization to repay to the individual money owed by the organization;
(j) the organization collecting the information is an archival institution and the collection of the information is reasonable for archival purposes or research;
(k) the collection of the information meets the requirements respecting archival purposes or research set out in the regulations and it is not reasonable to obtain the consent of the individual whom the information is about.

Use without consent
17 An organization may use personal information about an individual without the consent of the individual but only if one or more of the following are applicable:
(a) a reasonable person would consider that the use of the information is clearly in the interests of the individual and consent of the individual cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;
(b) the use of the information is pursuant to a statute or regulation of Alberta or Canada that authorizes or requires the use;
(c) the information was collected by the organization from a public body and that public body is authorized or required by an enactment of Alberta or Canada to disclose the information to the organization;
(d) the use of the information is reasonable for the purposes of an investigation or a legal proceeding;
(e) the information is publicly available;
(f) the use of the information is necessary to determine the individual's suitability to receive an honour, award or similar benefit, including an honorary degree, scholarship or bursary;
(g) a credit reporting organization was permitted to collect the information under section 14(g) and the information is not used by the credit reporting organization for any purpose other than to create a credit report;
(h) the information may be disclosed by an organization without the consent of the individual under section 20;
(i) the use of the information is necessary to respond to an emergency that threatens the life, health or security of an individual or the public;
(j) the use of the information is necessary in order to collect a debt owed to the organization or for the organization to repay to the individual money owed by the organization;
(k) the organization using the information is an archival institution and the use of the information is reasonable for archival purposes or research;
(l) the use of the information meets the requirements respecting archival purposes or research set out in the regulations and it is not reasonable to obtain the consent of the individual whom the information is about.

Disclosure without consent
20 An organization may disclose personal information about an individual without the consent of the individual but only if one or more of the following are applicable:
(a) a reasonable person would consider that the disclosure of the information is clearly in the interests of the individual and consent of the individual cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;
(b) the disclosure of the information is pursuant to a statute or regulation of Alberta or Canada that authorizes or requires the disclosure;
(c) the disclosure of the information is to a public body and that public body is authorized or required by an enactment of Alberta or Canada to collect the information from the organization;
(d) the disclosure of the information is in accordance with a provision of a treaty that
(i) authorizes or requires its disclosure, and
(ii) is made under an enactment of Alberta or Canada;
(e) the disclosure of the information is for the purpose of complying with a subpoena, warrant or order issued or made by a court, person or body having jurisdiction to compel the production of information or with a rule of court that relates to the production of information;
(f) the disclosure of the information is to a public body or a law enforcement agency in Canada to assist in an investigation
(i) undertaken with a view to a law enforcement proceeding, or
(ii) from which a law enforcement proceeding is likely to result;
(g) the disclosure of the information is necessary to respond to an emergency that threatens the life, health or security of an individual or the public;
(h) the disclosure of the information is for the purposes of contacting the next of kin or a friend of an injured, ill or deceased individual;
(i) the disclosure of the information is necessary in order to collect a debt owed to the organization or for the organization to repay to the individual money owed by the organization;
(j) the information is publicly available;
(k) the disclosure of the information is to the surviving spouse or adult interdependent partner or to a relative of a deceased individual if, in the opinion of the organization, the disclosure is reasonable;
(l) the disclosure of the information is necessary to determine the individual's suitability to receive an honour, award or similar benefit, including an honorary degree, scholarship or bursary;
(m) the disclosure of the information is reasonable for the purposes of an investigation or a legal proceeding;
(n) the disclosure of the information is for the purposes of protecting against, or for the prevention, detection or suppression of, fraud, market manipulation or unfair trading practices and the organization that is disclosing the information or to which the information is being disclosed is permitted or otherwise empowered or recognized under an enactment of Alberta or Canada or of another province of Canada to carry out any of those purposes;
(o) the organization is a credit reporting organization and is permitted to disclose the information under Part 5 of the Fair Trading Act;
(p) the organization disclosing the information is an archival institution and the disclosure of the information is reasonable for archival purposes or research;
(q) the disclosure of the information meets the requirements respecting archival purposes or research set out in the regulations and it is not reasonable to obtain the consent of the individual whom the information is about.

CONCERNS:
Sections 14, 17, & 20 of the Personal Information and Protection Act (PIPA) allow for far too many discretionary provisions and there are not sufficient provisions allowing for Protection of and accuracy of the Information which is clearly the property of the owner (Private Individual). The Commissioner's powers under Sections 36, 52, & 59 are not sufficient or adequate deterrents to keep Organizations from using their discretionary powers, and the review process takes years to access and complete. The Act further provides that any Personal Information Collected, Used, and Distributed Without Consent be done solely to the extent that it is reasonably necessary to meet the purpose for which it is / was collected. This Provision is impossible to Police, as "Without Consent" presumes an assumption of "without notice" to the Individual.

EXAMPLES:
(i) Self-regulatory Organizations such as the Law Society of Alberta can use the multiple discretionary provisions to collect, use, and disclose Personal Information of an individual who brings forth a concern regarding one of its members without any assurance to the Private Citizen that the Information is complete and/or accurate. Self-regulatory Organizations have sole discretion over which part, if any, of the Private Individual's information is maintained, disclosed and applied to a complaint file or files (where the complainant requests a conduct review of more than one member).
(ii) Self-regulatory Organizations such as the Law Society of Alberta can, without notice to the Private Citizen, use and distribute any part of that Individual's Personal Information collected under a particular Complaint File and apply it to various other Complaint files. This Collection, Use, and Distribution, while contrary to the Act, may include Confidential and privileged Personal Information that the Applicant / Complainant considers damaging, and the Private Individual is left with absolutely no means of confirmation or redress.

Suggestions:
a. Excepting for matters requiring Collection, Use and Distribution by or for a Police or Law Enforcement Agency, Personal Information MUST remain the Property of the Private Individual and any unauthorized Collection, Use, and Distribution must be clearly done to the benefit of that Private Individual. Consent MUST be sought and obtained as soon as reasonably possible without exception. (NOTE: Personal Information Collected for or by a Police or Law Enforcement Agency is governed by FOIP.)
b. Prior to any unauthorized Use or Disclosure of Personal Information the Person MUST be notified and provided with an opportunity to object to the Use and Disclosure of his Personal Information.
c. The Organization MUST, except as provided for by Law, supply the Private Individual with duplicate copies of the exact Personal Information Collected, Used, and Disclosed as well as the Name(s) and contact Information of any other individual or Organization who might have access to the Individual's Personal Information. (See also: the Canadian Charter of Rights and Freedoms Act)
d. Notwithstanding any part of these Sections: As Bailee to an individual's Personal Information, an Organization MUST ensure that those receiving access to and use of any Person's Personal Information are in full compliance with Section 5 (Accountability) & Section 6 (Policies and Practices) of the Act (PIPA). And, as Bailee to an individual's Personal Information, an Organization MUST provide without cost copies of all outsourcing agreements, policies and applicable procedures to the Person to whom the Personal Information applies.
e. Self-regulatory Organizations such as the Law Society of Alberta require and solicit Personal Information to govern their membership pursuant to Professional Codes and have a mandate to preserve public Interest. Out of Public Interest, these Conduct Review Processes require Transparency and as such, no part of these sections should be regarded as means to disallow the Complainant or Member from unobstructed access to the complainant's files.

Question 6: Are the provisions dealing with the personal information of employees appropriate? If not, please explain why and make suggestions for improvement.

CONCERNS:
Without completely dissecting the appropriate Sections of the Act that pertain to Employee Information, it should be accepted that amendments to other provisions and sections of the Act will necessitate appropriate amendments to these parts as well. Most but not all Employers seek consent to Collect, Use and Disclose Personal Employee Information.

Suggestions:
a. In all cases where an employer or prospective employer requires collection, use and/or distribution of Personal Information, consent from the Employee or Prospective Employee MUST be sought.
b. This Clause must be expanded so as to include Personal Information Collected prior to PIPA (January 2004) coming into effect.

Question 7: Is the application of the Act to non-profit organizations appropriate? If not, please explain why and make suggestions for improvement.

Relevant Legislation:

Non-profit organizations
56(1) In this section,
(a) commercial activity means
(i) any transaction, act or conduct, or
(ii) any regular course of conduct,
that is of a commercial character and, without restricting the generality of the foregoing, includes the following:
(iii) the selling, bartering or leasing of membership lists or of donor or other fund-raising lists;
(iv) the operation of a private school or an early childhood services program as defined in the School Act;
(v) the operation of a private college as defined in the Post-secondary Learning Act;
(b) non-profit organization means an organization
(i) that is incorporated under the Societies Act or the Agricultural Societies Act or that is registered under Part 9 of the Companies Act, or
(ii) that meets the criteria established under the regulations to qualify as a non-profit organization.
(2) Subject to subsection (3), this Act does not apply to a non-profit organization or any personal information that is in the custody of or under the control of a non-profit organization.
(3) This Act applies to a non-profit organization in the case of personal information that is collected, used or disclosed by the non-profit organization in connection with any commercial activity carried out by the non-profit organization.
(4) The Lieutenant Governor in Council may make regulations
(a) establishing, for the purposes of subsection (1)(b)(ii), the criteria to be met by an organization to qualify as a non-profit organization;
(b) establishing the criteria to be met by non-profit organizations to qualify as non-profit organizations that are restricted or otherwise limited in the scope of their operations and exempting those non-profit organizations from the operation of subsection (3);
(c) governing the coming into force of this Act or any provision of this Act with respect to a non-profit organization;
(d) providing that this Act or any provision of this Act commences to apply to a non-profit organization at a date that is later than January 1, 2004;
(e) providing for and governing any transitional matter relating to the application of this Act to a non-profit organization.
(5) Any regulation made under this section may be general or specific in its application.

CONCERNS: