INTRODUCTION

privacy rights and trade

the 2001 federal legislation

four dimensions of privacy

Introductory Provisions: Key Definitions in the Personal Information Protection Act:
Sections 1 to 3

eleven exceptions within the BC private sector

General Rules Respecting Protection of Personal Information By Organizations:
Sections 4 and 5

Consent: Sections 6 to 9

withdrawal of consent

Collection of Personal Information: Sections 10 to 13

Use of the Personal Information: Sections 14 to 16

Disclosure of Personal Information: Sections 17 to 22

Access to and Correction of Personal Information: Sections 23 to 24

Administration: Sections 25 to 32

Care of Personal Information: Sections 33 to 35

Role of the Commissioner: Sections 36 to 44

Review and Orders: Sections 45 to 53

General Provisions: Sections 54 to 60

REMEDIES

powers of the Commissioner

criminal charge

statutory right of action

class action

arbitration

CONCLUSIONS

APPENDICES

Until recently, it seems that many of us in this country knew surprisingly little about the concept of privacy. Indeed, if we were to pause and reflect about what privacy meant to us, I would suspect that we might proceed no further in our exploration than thinking in terms of the location of a hedge on the border of our property to provide us with visual privacy while enjoying our home; or the video surveillance notice by the local bank’s ATM machine. Those of us practicing commercial law, in which confidential information may be worth millions, might worry about the privacy of our telephone conversations or our e-mail exchanges.

I have adopted four objectives in writing this paper. They are:

• assisting you in understanding the British Columbia Personal Information Protection Act;
• identifying the rights and obligations relating to privacy issues in the workplace;
• assisting clients in navigating the different areas where consent is required for obtaining and using information; and
• identifying areas of the legislation that may require revision.

Whatever the source of our original understanding of the meaning of privacy may have been, we owe much of our current privacy literacy in this country to the fact that some years ago, the European Community decided to attach a vital human right – the right to privacy - to instruments that, at first glance, really only involved international trade.

The grafting of a human right, or for that matter an environmental right, or a labour right, onto an international trade agreement, or trade law has long been resisted, based on the rather simple proposition that these rights had no place in international trade agreements. That argument is best captured by the following statement by an officer of the Canadian Exporters’ Association, who opined:

"…. freer trade should not be held ransom for environmental or labour reasons."

Thus, these rights are typically left off the trade agenda for negotiations.

The Personal Information and Electronic Documents Act, S.C. 2000, c. 5 ("PIPEDA"), which provided the genesis for the British Columbia Personal Information Protection Act, S.B.C. 2003, c. 63 ("PIPA"), was in fact made necessary by an eight-year old directive from the European Union, Directive on Data Protection of Personal Data and on the Free Movement of Such Data. The directive requires any jurisdiction engaging in trade with the European Union to have a system of privacy protection that complies with the directive.

The rapid and complete acceptance of statutory privacy rights across this country is dramatic evidence of the effect of combining of trade rights with highly valued human rights protections.

the 2001 federal legislation

Federally regulated companies, engaged in such fields as telecommunications, interprovincial transportation, navigation and shipping, aeronautics, banking, as well as federal crown corporations, and any organization that discloses personal information for consideration outside a province or the country, have been covered by PIPEDA for some time. PIPEDA’s first stage took effect January 1, 2001. It was the first Canadian legislation to respond to the trade directive.

A great deal has been written and spoken on that particular piece of legislation. Those of you here today whose clients are regulated by the federal legislation will be familiar with its terms. Its website, listed in Appendix 2 to this paper, is a very sophisticated and complete source of information about that statute and its application. Little more will be said about that statute in this paper, for that reason.

four dimensions of privacy

Whatever our conventional notions of privacy might be, it is generally considered that in our society it is a complex concept involving a number of rights, interests and values, all of which are interconnected in one fashion or another to each other. Most consider that there are four dimensions to our notion of privacy:

(a) privacy of the person

This refers to the integrity of an individual’s body, and covers issues such as compulsory immunization, blood transfusion, or sampling of body fluids or tissues.

(b) privacy of personal behaviour

This dimension refers to the right of privacy relating to such matters as sexual preferences and habits, political activities, and religious practices.

(c) privacy of personal communications

This includes the right to communicate with others without routine monitoring, or being overheard by others.

1.  
2. privacy of personal data

This is referred to often as information privacy, and refers to the right to determine when, how, and to what extent we will share personal information about ourselves.

All of these dimensions are captured in PIPA, the new BC legislation which received royal assent on October 23, 2003. It takes effect January 1, 2004 (section 60).

It is estimated that the BC legislation will cover 1,272,300 employees and 389,400 self-employed. As far as the breakdown of organizations covered by the legislation, there are approximately 382,811. The numbers are:

Businesses 355,200

Religious organizations 1,908

Trade unions 207

Independent schools (Independent School Act) 346

Cooperatives (Cooperative Association Act) 650

Societies (Society Act) 24,500

This paper will take the reader through all aspects of the BC legislation. I have attached as Appendix 1 a list of the various provincial and federal websites, should you wish additional information. The PIPA and other provincial and federal legislation is easily accessible through those websites. I have also attached as Appendix 2 a compliance checklist adopted with substantial changes for provincial purposes from the federal website. It is written from the perspective of an organization, but uses language that will enable an individual/employee to readily ascertain his or her rights.

I also recommend to you the Government’s Ministry of Management Services training document, available at www.mser.gov.bc.ca/FOI_POP/Privacy/psp_training.htm. The material is generally very helpful, although there is at least one statement that is simply wrong in law. At page 16, the material attempts to explain the diminished privacy rights employees have with respect to consent, by asserting that the statute "….recognises [the] true nature of employee relationship – [that it is] not consent based". That reflects a rather feudal notion of the employment relationship.

There are others, such as the treatment of the different categories of circumstances in which consent is not required, that do not do justice to the extraordinary number of situations in which that is so. See Appendix 2 for details of the numerous exceptions to the requirement for consent.

Finally, I strongly recommend the text that I found most helpful in the preparation of my paper. It is The Law of Privacy in Canada by B. McIsaac, Q.C., R. Shields, and K. Kline (published by Carswell in 2000, as updated). Another helpful source of law is the 93-page book by J.C. O’Reilly, An Employer’s Guide to Surveillance, Searches and Medical Examinations: A CLV Special Report (Toronto: Thompson/Carswell, 2003).

It may assist in navigating through the legislation to begin by addressing a few of the key definitions.

The first of these is a definition of the term organization.

In addition to its ordinary meaning, the term includes a person, an unincorporated association, a trade union, a trust, and a not-for-profit organization. Expressly excluded from coverage of the legislation are the following:

1. an individual acting in a personal or domestic capacity, or acting as an employee;
2. a public body;
3. any court in the province;
4. the Nisga’a Government; and
5. a private trust of which the beneficiaries are friends or members of the settler's family.

Of these five exceptions, the most significant is the exclusion of any public body from the application of the legislation.

The term public body is defined in PIPA as including a ministry of the provincial government, as well as any agency or board covered by Schedule 2 of the Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165 ("FOIPPA") - British Columbia’s 1996 statute providing for both freedom of information, as well as the protection of privacy with respect to the public sector. There are approximately 250 boards or agencies excluded from PIPA under this definition. These range from the tiny and obscure (for example, the BC Raspberry Development Council) to the larger and better known (for example, BC Hydro and Power Authority).

A local public body, as defined in FOIPPA is also excluded. This is defined in Schedule 1 of FOIPPA as including, perhaps not surprisingly, a local government body such as the City of Vancouver; a health care body (which is also defined in Schedule 1 of FOIPPA to include most major hospitals), and an educational body (similarly defined in FOIPPA to include universities, colleges; and most other post-secondary institutions, as well as a school boards). It is only the provincially-regulated private sector within the province that is covered by PIPA.

Personal information is defined under the legislation as meaning information about an identifiable individual, including employee personal information. The following matters are not expressly referred to in the definition, but they are typically covered by that term:

1. race, national or ethnic origin
2. colour
3. religion
4. age
5. sex
6. sexual orientation
7. marital or family status

Personal information may also cover:

8. educational attainment
9. the individual’s history relating to medical, psychiatric, psychological, criminal or employment matters, or any financial transaction in which the individual has been involved
10. views or opinions of the individual
11. fingerprints or blood type

The two main exceptions under the legislated definition relate to contact information, including name, work position, business title, and so on; or work product information – i.e. information prepared or collected by an individual or group of individuals as part of their activities related to their employment or business.

Employee personal information is also the subject of a definition that assumes considerable importance under the legislation. The definition reads:

"…means personal information about an individual that is collected, used or disclosed solely for the purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual, but does not include personal information that is not about an individual’s employment."

Section 3(2) and (3) sets out eleven exceptions to the general application of the Act:

1. documents used for personal or domestic purposes only;
2. documents used for journalistic, artistic or literary purposes, and no other purpose;
3. documents to which the federal Act applies;
4. documents to which FOIPPA applies;
5. court documents, and other related documents;
6. personal information in a document of a decision-maker in an administrative proceeding;
7. personal information of a member of the Legislative Assembly that relates to his or her work;
8. prosecution documents where the prosecution is incomplete;
9. personal information collected prior to the Act coming into force;
10. solicitor-client privilege documents (subsection (3)).

Section 3(5) of the Act provides:

"If a provision of this Act is inconsistent or in conflict with the provision of another enactment, the provision of this Act prevails unless another Act expressly provides that the other enactment, or a provision of it, applies despite this Act."

This language, requiring an express override of privacy interests in the conflicting legislation, is unusual. The more common rule is found, for example, in section 2(1) of the Interpretation Act, R.S.B.C. 1996, c. 238, in which that Act applies unless a contrary intention appears in another Act.

Another illustration of how the legislators deal with apparently conflicting Acts comes from the Public Service Labour Relations Act, R.S.B.C. 1996, c. 388, section 23. That Act applies where it is contrary to, or in conflict with, or inconsistent with, the Labour Relations Code.

It should also be emphasized here that on several occasions courts in this country have acknowledged that the privacy legislation, along with the access to information legislation, holds a quasi-constitutional status. The authorities for this proposition are catalogued in an excellent text entitled Federal Access to Information and Privacy Legislation Annotated 2003, by M.W. Drapeau & M.A. Racicot (Toronto: Carswell, 2002) (pages vi, 264-265, 300, and 1029-1030). This issue will be returned to when I deal with remedies.

These two relatively simple and straightforward sections impose some important duties on organizations. Section 4 requires an organization to consider the test of reasonableness in meeting its responsibilities under the Act. It assigns a responsibility to an organization for information under its control, as well as information not in the custody of the organization. This would appear to have important implications for organizations. It appears to expand their responsibility significantly beyond data under their immediate control.

It also requires the designation of a specific individual to ensure compliance with the legislation, although that may be delegated. This individual’s contact information must also be made available to the public.

The decision in R. v. Plant, [1993] 3 S.C.R. 281 provides some assistance in assessing the issue of reasonableness, but at the same time demonstrates some of the difficulties in finding agreement amongst parties. In the Plant case the basic formulation of the test was shared by all members of the quorum.  The majority wrote at paragraph 16 that:

"The limits on such state action are determined by balancing the rights of citizens to have respected a reasonable expectation of privacy as against the state interest in law enforcement." 

McLachlin J., in a separate judgment concurring with the result, stated that she agreed with her colleagues that the question of whether records are protected centres on a person’s reasonable expectation of privacy.  She went on to say at paragraph 41:

"The question in each case is whether the evidence discloses a reasonable expectation that the information will be kept in confidence and restricted to the purposes for which it is given." (paragraph 41)

Where the two judgments diverge is with respect to the contextual factors applied to flesh out the reasonable expectation of privacy test.  For the majority, Sopinka J. listed these factors as:

1. the nature of the information itself;
2. the nature of the relationship between the party releasing the information and the party claiming confidentiality;
3. the place where the information was obtained;
4. the manner in which it was obtained; and
5. the seriousness of the crime being investigated.

McLachlin J. rejected the fifth criteria at the end of her reasons, stating at paragraph 46:

"My colleague finally argues that the seriousness of the offence outweighs any privacy interest in the records.  I confess to reservations about a case-by-case balancing approach to whether a warrant is required or not to obtain information…such a regime would provide little comfort to the person whose privacy interest is at stake and would breed uncertainty and litigation."

She also diverged from the majority’s interpretation of the second factor to apply.  Sopinka J. for the majority focused on whether the relationship between the Accused and the record holder was a "relationship of confidence."  In contrast, McLachlin J. wrote at paragraph 43:

"It seems to me that the question is not so much whether the relationship is one of confidence, so much as whether the particular records disclose a reasonable expectation of confidence."

The other three criteria, McLachlin J. seems to accept.  However, when applying them to the evidence, she reaches different conclusions than Sopinka J.

In summary, both the majority judgment of Sopinka J. and the concurring reasons of McLachlin J. agree that the basic test to be applied in relation to s. 8 is whether the applicant’s right to a "reasonable expectation of privacy" has been violated.  However, they diverge on the factors to be applied in analyzing whether the test has been met.  McLachlin J. rejected the seriousness of the offence as a factor to consider.  She also applied a lower threshold in relation to the "nature of the relationship" factor, requiring only a "reasonable expectation of confidence" rather than an actual relationship characterized by confidence.

Finally, in section 5, an organization is required to develop and follow policies and practices in order to meet its obligations under the Act. It also must develop a process to respond to complaints and to make information available on request about both its policies and practices, as well as the complaint process.

Surprisingly, given the role that consent plays in the BC legislation, one would have thought that the statute would include a short, precise definition of consent.

There is much to be said for the simplicity of the approach adopted in FOIPPA (the B.C. public sector statute referred to at page 7 above). That statute is, in many significant respects, in pari materia with PIPA. The objects of the two statutes are similar insofar as, for example, section 2(1) of FOIPPA provides that one of the two purposes of the Act is:

1. "….to protect personal privacy …."; and

2. ….preventing the unauthorized collection, use or disclosure of personal information …."

Section 2 of PIPA states:

"The purpose of this Act is to govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances."

The definition of consent in FOIPPA is found in section 6 of the Freedom of Information and Protection of Privacy Regulations:

"The consent of an individual to a public body disclosing any of the individual’s personal information under Section 33(b) of the Act must

1. be in writing, and
2. specify to whom the personal information may be disclosed and how the personal information may be used."

As we shall see shortly, PIPA adopts a much more complex and unfortunate system of express, statutory, deemed, and ‘default’ consent.

The provisions of our legislation dealing with consent are extensive. They are set out in four rather lengthy sections (sections 6, 7, 8 and 9).

Section 6 begins with a very clear statement prohibiting an organization from collecting, using or disclosing personal information about an individual. Subsection 2 of section 6 then immediately proceeds to provide three exceptions:

1. where the individual consents;
2. where the Act provides the necessary authorization, or makes consent unnecessary; and
3. where the Act deems consent

Jumping ahead for a moment, the section heading to section 8 then refers to ‘implicit’ consent. In fact, the section deals with deemed consent, the same consent covered by section 6(3).

Section 7 then sets out what does not constitute consent. There is no valid consent under the Act unless the purpose for their collection of the information is communicated to the person, as set out in section 10, along with a number of other requirements; and the consent is otherwise in accordance with the Act. An organization cannot require a person to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service.

If, on the other hand, an organization does attempt to obtain consent for collecting, using or disclosing that personal information by providing false information, or using misleading practices, the consent is void.

Under section 8(1), an individual is deemed to consent to the collection, use or disclosure if at the time the consent is deemed to be given the purpose would be considered to be obvious to a reasonable person and the individual voluntarily provides the personal information to the organization for that purpose.

Under subsection (2) a person is deemed to consent for the purposes of enrolment and coverage under an insurance, pension, benefit, or similar plan if he or she is a beneficiary of or has an interest as an insured under the plan.

Section 8 continues in its elaboration of implicit or deemed consent by providing in subsection (3) for what appears to be a form of default consent. Subsection (3) allows an organization to collect information for a specified purpose if certain events occur, all of which are judged by a standard of reasonableness. Thus an organization can collect, use or disclose personal information if:

1. it provides the person with a notice in a form that person can reasonably be considered to understand. The notice must indicate that it intends to collect, use or disclose the personal information for those purposes,
2. and the organization gives that person a reasonable opportunity to decline within a reasonable time, and
3. the individual does not decline, and the collection, use or disclosure of that information is reasonable, having regard to the sensitivity of the personal information in the circumstances.

Section 8, subsection (4), provides that there may be no deemed consent under subsection (1) for a purpose different than the purpose to which that subsection applies. One must ask why that restriction applies only to the deemed consent in subsection (1), and not also to subsections (2) and (3). The logic making it applicable to subsections (2) and (3) seems rather compelling, but the omission of those two subsections from the specific reference in subsection (4) leaves it open to organizations to argue for a broader utilization if the consent is deemed under subsection (2) or is a default consent under subsection (3).

Let’s pause here to summarize where we are on the issue of consent.

Despite the government’s claims, and the claims of some of the advocates of the legislation, of simplicity, the conceptualization of consent appears to be unnecessarily complex, and at the same time somewhat ambiguous. It is interesting to note that the general rule stipulated in the European Community Directive provides that the person has:

"…. unambiguously given his consent …."

It is an interesting question as to whether or not our legislation complies with that requirement (see section II, Article 7).

There appear to be four kinds of consent under the legislation:

• express consent: section 6(2)(a)
• statutory consent: section 6(2)(b)
• deemed consent: sections 6(2)(c) and 8(1) and (2)
• default consent: section 6(3)

Subject to two exceptions, consent may be withdrawn at any time on reasonable notice (section 9(1)). Once an organization receives notice, it must advise the person of the likely consequences of withdrawal of the consent (subsection (2)). The organization must not prohibit an individual from withdrawing his or her consent (subsection (3)).

The organization must then stop collecting, using or disclosing that personal information. The only real exception is section 35. That section allows or requires the organization to retain the information for at least one year after using it, so the individual has a reasonable opportunity to obtain access to it.

In addition, an individual may not withdraw consent if by doing so he or she would frustrate the performance of a legal obligation. It is not clear, but one would assume the performance of a legal obligation by the organization, as well as by the individual, is covered.

Finally, there may be no withdrawal of a consent to a credit reporting agency in certain limited circumstances (section 9(6)).

The three major activities covered by the legislation include:

• the collection of personal information;
• the use of personal information; and
• the disclosure of personal information.

I will consider each of these in turn.

Either before or at the time of the collection of personal information from the individual, an organization must disclose to the individual, either verbally or in writing, the purposes for the collection and, if requested, the name and contact information for an employee of the organization able to answer the person’s questions about the collection (section 10(1)). Similarly, where one organization is seeking information about an individual from another organization without the consent of the individual, the first organization must provide the other with sufficient information regarding the purpose of the collection to allow the latter to determine whether the disclosure would be in accordance with the Act (section 10(2)).

Neither of these conditions apply, however, in the case of deemed consent: section 10(3). It would appear, therefore, that they apply in the case of an express consent under section 6(2)(a), or a default consent under section 6(3). It would make no sense for these to be a requirement in the case of a statutory consent under section 6(2)(b), although the matter is not entirely clear.

Section 11 limits the collection of personal information to purposes that a reasonable person would consider appropriate in the circumstances, and that achieve the purposes disclosed under section 10(1), or for purposes otherwise permitted under the Act.

Section 12 then sets out eleven circumstances in which consent is not required. They are, generally, where:

1. the collection is in the interests of the individual, and consent cannot be obtained in a timely way;
2. the information is necessary for medical treatment of the person, and the person is unable to give consent;
3. seeking consent would compromise the availability or accuracy of the information, and the collection is reasonable for an investigation or a proceeding;

(Both investigation and proceeding are defined under section 1, and generally in very broad terms. Investigation means an investigation relating to the breach of an agreement, the violation of a federal or provincial statute, circumstances or conduct that may result in a remedy being available under an enactment or the common law or an equity, the prevention of fraud, or the trading in a security.)


A proceeding means a civil, criminal or administrative proceeding relating to an allegation involving a breach of an agreement, a contravention of a federal or provincial statute, or a wrong or breach of a duty for which a remedy is claimed under an enactment under the common law or in equity.

Thus, it is clear under section 12(1)(c) that an employer, a union, or an employee is free to collect personal information in reasonable circumstances for the purposes of an arbitration, or a labour board hearing, or litigation.

4. consent is not required where the information is to be collected by observation at a performance or a sports meet that is open to the public;
5. the personal information is available to the public from any of the other sources set out in section 12;
6. the collection necessary to determine the individual’s suitability for an honour, or the selection for an athletic or artistic purpose;
7. where the organization is a credit reporting agency collecting the information to create a credit report, and at the time of the original collection the individual had consented;
8. the collection is required or authorized by law;
9. the information was disclosed to the organization under sections 18 to 22 of the legislation (which will be dealt with shortly);
10. the personal information is necessary to collect or pay a debt owed to or by the organization; and
11. an organization can collect personal information from or on behalf of another organization without consent if the individual had previously consented to its collection by that other organization, and the collection or disclosure is for the purposes for which it was previously collected and being used to assist the organization to carry out work on behalf of the other organization (subsection (2)).

We next come to the collection of what is referred to as "employee personal information by an employer" for which special rules apply.

First, employee personal information is defined as personal information about that employee that is collected, used or disclosed solely for the purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual. It does not include personal information that is not about an individual’s employment. That appears to be a sub-set of the broader definition of personal information also in section 1, and referred to above.

The general rule is that an employer may collect employee personal information without consent where it is available to it without consent under the terms of section 12 above, or where:

"the collection is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual." (section 13(2))

In such circumstances, the employer must provide notice to the employee that it will be collecting personal information, and the purposes for which it will be doing so. No notice is required if section 12 permits the collection without the consent of the individual.

Section 14 begins by limiting the use of the personal information "only for purposes that a reasonable person would consider appropriate in the circumstances". In addition, the purpose must fulfill the purpose disclosed under section 10(1), or be otherwise permitted under the Act. With respect to the collection of information that predates the Act, the use must fulfill the purpose for which it was collected.

Part 5 then proceeds, in section 15, to provide for a series of thirteen usages which largely parallel the eleven collections in section 12 without consent. Subsections (k) and (l) have no parallel in section 12.

With respect to employment information – employee personal information that is subject to section 16 – section 16 parallels the collection of personal information requirements in section 13.

Section 17 follows the pattern set in section 14 for the use of personal information. The former permits an organization to disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances, and that fulfill the purposes that the organization discloses under section 10(1), or that are otherwise permitted under the Act. With respect to the disclosure of information collected prior to the Act coming into force, the disclosure must fulfill the purpose for which it was collected.

Section 18 provides for a series of circumstances in which disclosure is permitted without consent. The circumstances generally parallel those provided for in section 15 involving the use of personal information without consent, with a number of significant additions. The additions include disclosure pursuant to a treaty (section 18(1)(h)); compliance with a subpoena, warrant or order (section 18(1)(i)); the disclosure to a public body or law enforcement agency in Canada concerning an offence under the laws of Canada to assist in the investigation, or the making of a decision to undertake an investigation (section 18(1)(j)); regarding compelling circumstances affecting the health and safety of any individual (section 18(1)(k)); the disclosure for the purposes of contacting the next-of-kin, or the friend of an injured, ill or deceased individual (section 18(1)(l); disclosure to a lawyer representing the organization (section 18(1)(m)); and disclosure to an archival institution in some certain circumstances (section 18(1)(n)).

Disclosure may be made to another organization in circumstances similar to those set out for the use of information in section 15(2).

Section 19 parallels section 13 in the former’s treatment of the disclosure of employee personal information.

The balance of this part then deals with three purposes for which personal information may be transferred.

Section 20 deals with the sale of an organization or its business assets. This issue was of considerable concern to both businesses and unions during the drafting stages of the legislation. In my view, the provisions deal adequately with most of those concerns. The scheme of section 20 provides for the disclosure of the information relating to employees, customers, directors, officers or shareholders without consent to a prospective party as long as certain conditions are met.

First, the information must be necessary for the prospective party to determine whether to proceed with the transaction. Second, the organization and the prospective party must have entered into an agreement limiting the use of that personal information solely for purposes relating to the prospective business transaction.

If the prospective party proceeds with the purchase, the disclosure may be made without consent, as long as material is used only for the same purpose for which it was collected, used or disclosed; the personal information relates only to the part of the business covered by the transaction; and the employees, customers, directors, officers and shareholders whose information is disclosed are notified of the transaction and the disclosure. If the transaction does not proceed or is not completed, the prospective party must either destroy the information or return it to the organization.

There are additional safeguards, including one that the disclosure may proceed only if the transaction involves "substantial assets" of the organization, other than the personal information: subsection (7).

Section 21 authorizes the disclosure in certain narrow circumstances for research or statistical purposes. The purposes do not include "market research purposes" (section 21(2)). The other conditions that must be met are:

1. the research purpose cannot be accomplished without that personal information;
2. the persons not be contacted to ask them to participate in the research;
3. linkage of the personal information to other information is not harmful to the individuals, and the benefits to be deprived from any linkage are clearly in the public interest ;
4. the organization to which the information is to be disclosed has signed an agreement with respect to five specified conditions.

Subject to a substantial number of exceptions, an organization is obliged to provide a person with three kinds of information (section 23(1)):

1. that individual’s personal information controlled by the organization;
2. information about the manner in which that information has been and is being used;
3. the names of the individuals and organizations to whom that information has been disclosed.

There are special provisions requiring a credit reporting agency to also provide the individual with the names of the sources in most circumstances (subsection (2)).

Under section 23(3), there is no obligation to disclose the following:

1. information protected by solicitor-client privilege;
2. certain confidential commercial information;
3. certain information gathered for the purposes of an investigation;
4. where the organization is a credit reporting agency and there was disclosure within the preceding 12 months;
5. information collected or created by an arbitrator or by a court.

There is an absolute prohibition on disclosure under section 23(4) of the following:

1. where the disclosure would threaten the physical or mental safety or health of someone other than the individual making the request;
2. where the disclosure could reasonably be expected to cause immediate or grave harm to the safety or to the physical or mental health of the person making the request;
3. where the disclosure would reveal personal information about another individual;
4. where the disclosure would reveal the identity of an individual who has provided personal information in certain circumstances.

That prohibition is then qualified under subsection (5) under the provision that if the information that is not to be disclosed can be deleted from the document, then the document can be disclosed with that information deleted, in certain circumstances, and the organization must make those required changes.

We have reviewed the federal legislation, including the Privacy Act, R.S.C. 1985, c. P-21; the Access to Information Act, R.S.C. 1985, c. A-1; and the Personal Information, Protection and Electronic Document Act, S.C. 2000, c. 5. We have also reviewed the provincial legislation, including FOIPPA (referred to above), and the Privacy Act, R.S.B.C. 1996, c. 373. That phrase is not found in any of these statutes.

These sections set out the procedure for an individual making a request of an organization for information under sections 23 or 24. The organization is required to assist the applicant, and to respond as accurately and completely as is reasonably possible. The initial time limit is 30 days and there is a provision for certain extensions.

Similarly, if information is refused, the reasons for the refusal must be provided along with the name of an individual representing the organization to answer questions about the refusal.

These provisions set out the requirement that an organization take reasonable care to ensure that the information is accurate and complete. It must also protect that information in its custody.

Until early in this month, privacy advocates were very concerned that the Privacy Commissioner would receive no additional funding from the provincial government for his hugely onerous additional responsibilities. The Information and Privacy Office, which he administers, had its budget cut by 20% over the past two years and was scheduled for another 15% cut in April. On November 4, 2003, an announcement was made by the government that most of the $313,000 request for setup costs and extra staff to deal with the new Act until the end of the year will be found. The estimate for the next fiscal is approximately $500,000, although no formal request has been submitted by the Commissioner.

Many of these sections are of the standard variety that one finds in legislation creating an administrative tribunal of one form or another. I do not propose to refer to these in this paper.

With respect to the Commissioner’s powers and duties, these are set out in section 36. The Commissioner is Mr. David Loukidelis, an experienced senior legal counsel who is highly regarded in the legal community, and in the FOI and privacy community in British Columbia. He has the power to initiate investigations and audits to ensure compliance, irrespective of whether or not a complaint has been received. He has extensive powers to comment on and research into matters involving privacy. He also has the power to investigate complaints, deal with extension of time requests, fee issues, correction of personal information, and so on.

He may also authorize an organization to disregard requests under sections 23 and 24 that are frivolous or vexatious, or interfere unreasonably with the organization because they are repetitious or systematic.

When he conducts an inquiry, he has the power to summons witnesses, as well as documents. He also has the power to punish for contempt as though he were a judge of the Supreme Court.

An individual who has asked an organization for access to or the correction of their personal information may seek a review of the decision from the Commissioner. There is a 30-day time limit, with the possibility of extensions permitted (section 47).

Section 50 provides that the Commissioner has the power to conduct an inquiry and decide all questions of fact and law arising in the course of the inquiry. It may be conducted in private. He also has the jurisdiction to decide whether representations are to be made verbally or in writing, and whether a person is to be entitled to be present.

Section 51 provides that generally the burden of proof is on the organization to prove that the individual has no right of access to his or her information, or to the information requested.

Section 52 sets out the orders that the Commissioner may make for the individual to be given access to documents; or provided with the other information sought; or details as to the way in which that personal information has been used; or the names of the individuals or organizations to whom that information has been disclosed. The Commissioner has a series of other rather modest powers that one would expect to find in connection with these types of inquiries.

Section 53 is indeed a strange provision. It requires the organization to comply with the Commissioner’s order no later than 30 days after being given a copy. If the organization files an application for judicial review before that 30-day period, the Commissioner’s order is stayed until the court orders otherwise.

It appears there is none of the usual provisions enabling the Commissioner to file his order in court, so that it is in force as though it were a Supreme Court order. There appears to be no ability on the part of the Commissioner to directly enforce his order. Nor does there appear to be any ability to an applicant to obtain specific compliance through a court order.

Such provisions are routinely included in the governing statues of various administrative bodies. For example, section 135 of the Labour Relations Code, R.S.B.C. 1996, c. 244 provides:

135 (1) The board must on request by any party or may on its own motion file in a Supreme Court registry at any time a copy of a decision or order made by the board under this Code, a collective agreement or the regulations.

(2) The decision or order must be filed as if it were an order of the court, and on being filed it is deemed for all purposes except appeal from it to be an order of the Supreme Court and enforceable as such. …

A similar clause exists in the Human Rights Code, R.S.B.C. 1996, c. 210, s. 30:

30 (1) If there has been a breach of the terms of a settlement agreement, a party to the settlement agreement may apply to the Supreme Court to enforce the settlement agreement to the extent that the terms of the settlement agreement could have been ordered by the tribunal.

Section 54 sets out a protection clause prohibiting an organization from dismissing or disciplining, or in any way disadvantaging, an employee because that employee has acted pursuant to rights set out in the Act.

There is a companion provision enabling the Commissioner to keep an applicant’s or informant’s name confidential (section 55).

Then there are the rather surprising provisions set out in section 56 which make it a quasi-criminal offence to do any of the following:

(a) use deception or coercion to collect personal information in contravention of the Act;

(b) dispose of personal information with an intent to evade a request for access to the personal information;

(c) obstruct the Commissioner or an authorized delegate of the Commissioner in the performance of his or her duties or powers under the Act;

(d) knowingly make a false statement to the Commissioner, or knowingly misleads or attempts to mislead the Commissioner, in the course of the Commissioner's performance of his or her duties or powers under the Act,

(e) contravene section 54, or

(f) fail to comply with an order made by the Commissioner under the Act.

Finally, section 57 provides that an individual may sue for damages for "actual harm". It would appear, however, that an applicant covered by a collective agreement may not be subject to the same adjudicative and remedial constraints as one proceeding to the Commissioner or to the courts. A recent decision of the Supreme Court of Canada has made it clear, for example, that notwithstanding a management rights clause contained in a collective agreement, the substantive rights and obligations of the Human Rights Code are incorporated into each collective agreement. The Court stated:

"Under a collective agreement, the broad rights of the employer to manage the enterprise and to direct the work force are subject not only to the express provision of the collective agreement, but also to statutory provisions of the Human Rights Code and of employment related statutes."

District of Parry Sound, Ontario Public Service Employees’ Union, Local 324, and Ontario Human Rights Commission, [2003] S.C.C. 42 at paragraph 23

In that case, an alleged violation of the Human Rights Code was found to have constituted an alleged violation of the collective agreement, and fell squarely within the Board’s jurisdiction (paragraph 55).

There can be no question that PIPA is an employment-related statute, in the sense that the human rights legislation is, and in the sense in which the Supreme Court of Canada referred to it.

Having reviewed the relevant provisions of the legislation on a section-by-section basis, it may assist to now focus on an assessment of the remedial options available to a person seeking to exercise a right under the legislation. We will consider here the powers of the Commissioner; the possibility of laying a criminal charge; the statutory right of action; a class action; and, finally, arbitration.

powers of the Commissioner

The Commissioner’s primary enforcement mechanism appears to be his or her ability to investigate and deal with "requests" made by aggrieved individuals. The definition of "request" refers to either a complaint under section 36(2) or a review. A "review" is a:

…review of a decision, act or failure to act of an organization

A complaint under section 36(2), in turn, is one that:

1. a duty imposed by this Act or the regulations has not been performed,
2. an extension of time for responding to a request is not in accordance with section 29,
3. a fee required by an organization under this Act is not reasonable,
4. a correction of personal information requested under section 24 has been refused without justification, and
5. personal information has been collected, used or disclosed by an organization in contravention of this Act.

The procedure of making such a request is detailed in sections 47 and 48 of the Act. Typically, an individual has 30 days to deliver a written request to the Commissioner. Once that request is received, the Commissioner must give notice by providing a copy of the request to the organization concerned and "any other person that the Commissioner considers appropriate".

It appears from the Act that recourse to mediation and other informal dispute resolution techniques will be the Commissioner’s initial response to a request. Section 49 authorizes the Commissioner to appoint a mediator "to investigate and to try to settle the matter on which a request is based". Section 36(2) permits the Commissioner to "investigate and attempt to resolve complaints…"

If the request is not referred to a mediator or settled under section 49, then section 50 authorizes the Commissioner to hold an inquiry, possibly in private. The Commissioner determines whether submissions, referred to as "representations", are to be made verbally or in writing and also who is entitled to be present or to have access to representations to the Commissioner under section 50(4). The Commissioner must complete the inquiry within 30 days of receipt of a request regarding a complaint under section 50(6) or within 90 days of receipt of a request regarding a review under section 50(8).

At the end of the inquiry, the Commissioner must make an order under section 52. Possible orders include:

• requiring an organization under section 52(2)(a) to

1. to give the individual access to all or part of his or her personal information under the control of the organization,
2. to disclose to the individual the ways in which the personal information has been used, or
3. to disclose to the individual names of the individuals and organizations to whom the personal information has been disclosed by the organization;

• requiring an organization to stop collecting, using or disclosing personal information in contravention of this Act (section 52(3)(e)); or

• requiring an organization to destroy personal information collected in contravention of this Act (section 52(3)(f)).

In the face of an adverse ruling by the Commissioner, the organization must comply within 30 days after being given a copy of an order by the Commissioner unless it brings an application for judicial review during that period. Once a judicial review application has been brought, then the Commissioner’s order is stayed from that point "until a court orders otherwise" under section 53(2).

In addition to the Commissioner’s request and inquiry powers, he or she also possesses general powers. For example, section 36(2)(a) allows the Commissioner to investigate and resolve complaints. Section 36(1)(b) permits the Commissioner to make the orders described in section 52(3), such as requiring an organization to destroy personal information collected improperly, even if a review is not requested. The Commissioner is also empowered under section 36(1)(j) to "bring to the attention of any organization any failure of the organization to meet the obligations established by this Act." Finally, the Commissioner may initiate investigations and audits to ensure compliance with the Act. Audit is not defined. However, an investigation:

means an investigation related to

(b) contravention of an enactment of Canada or a province,

(c) a circumstance or conduct that may result in a remedy or relief being available under an enactment, under the common law or in equity,

(d) the prevention of fraud, or

(e) trading in a security as defined in section 1 of the Securities Act if the investigation is conducted by or on behalf of an organization recognized by the British Columbia Securities Commission to be appropriate for carrying out investigations of trading in securities,

if it is reasonable to believe that the breach, contravention, circumstance, conduct, fraud or improper trading practice in question may occur or may have occurred.

criminal charge

The Act also contains a quasi-criminal enforcement provision. Section 56 provides for fines up to $10,000 against an individual or $100,000 against "a person other than an individual" for willful breaches of the statute, such as where the organization or person:

1. uses deception or coercion to collect personal information in contravention of this Act,
2. disposes of personal information with an intent to evade a request for access to the personal information,
3. obstructs the commissioner or an authorized delegate of the commissioner in the performance of his or her duties or powers under the Act,
4. knowingly makes a false statement to the commissioner, or knowingly misleads or attempts to mislead the commissioner, in the course of the commissioner’s performance of his or her duties or powers under this Act,
5. contravenes section 54 (which protects employees from retaliation), or
6. fails to comply with an order made by the commissioner under this Act.

In reality, the protection offered by section 56 is largely illusory. A similar offence section exists in the companion Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165, section 74. No fine has ever been levied under the provision.

As well, successful prosecution requires proof beyond a reasonable doubt. Examples of the application of this demanding onus include the cases of R. v. White, 2000 BCSC 1080 and R. v. Taylor, 2002 BCPC, 321. White, supra, involved prosecution of offences under the Securities Act, R.S.B.C. 1985, c. 83. Taylor, supra, involved a prosecution under the Wildlife Act, R.S.B.C. 1996, c. 488.

The higher standard of proof involved in the prosecution of quasi-criminal offences makes them less attractive to those wishing to enforce compliance with the statutory scheme. The onus has contributed to the offence provisions in the FOIPPA have been largely ignored. The offence section in PIPA is also likely to suffer the same fate.

For some time now, the consensus has been that the use of criminal or quasi-criminal sanctions to enforce compliance with or punish for violation of the kinds of statutes providing for rights such as PIPA is ineffective. Rather than legislate what are really illusory quasi-criminal sanctions, it would have been far preferable for the Legislature to implement a truly effective enforcement mechanism, such as we find in the Labour Relations Code, the Human Rights Code, and the Commercial Arbitration Act – the filing of the Commission’s order in Court.

Before leaving this point, it should be emphasized that, in addition to the other problems referred to earlier, it is a longstanding policy of the Attorney General in this province not to permit utilization of these kinds of offence sections when dealing with what is largely an administrative scheme. It should also be pointed out that the Ministry has a general rule of not permitting private prosecutions to proceed.

Given the significance of privacy legislation, the inclusion of a largely ineffective enforcement mechanism in PIPA seems inconsistent with the goals of the new Act.

statutory right of action

Section 57 provides another enforcement mechanism. It states that if the Commissioner has made a final order against an organization, then the individual affected by the order has a cause of action against the organization for "damages for actual harm". This statutory right of action also applies when an organization has been convicted of an offence under the Act. "Actual harm", however, is not defined.

"Actual harm" is used in tort claims for the intentional infliction of mental suffering, where courts have equated the phrase with a "visible and provable illness": Rahemtulla v. Vanfed Credit Union, [1984] B.C.J. No. 2790 (S.C.) (Q.L.).

It is unclear how the concept of "actual harm" will work with respect to privacy violations.  For example, will the courts require proof of actual economic loss? Non-economic loss? Compensation for mental distress? Or the humiliation of the disclosure of true facts that never need to have been disclosed? There were surely simpler, clearer formulations available to the Legislature.

Interestingly, British Columbia’s Privacy Act, R.S.B.C. 1996, c. 373, states in section 1(1) that tort actions under that Act are "actionable without proof of damage".

class action

Another remedial possibility, although not referred to in the Act is the use of class actions. In the U.S., for example, two class actions have been brought alleging that two of the largest American information brokers, ChoicePoint Inc. and Reed Elsevier, invaded the privacy of millions of Florida drivers by obtaining sensitive personal information from Florida’s Department of Highway Safety and Motor Vehicles and then reselling it.

Class actions in British Columbia are permitted under the Class Proceedings Act, R.S.B.C. 1996, c. 50. Thus, a suit similar to those launched in Florida is possible in this province. Indeed, the British Columbia legislation would appear to offer more protection than its Florida counterpart, since the British Columbia Act permits class actions against the province. In the two Florida privacy class actions, the state was not named as defendant, even though a state agency sold the driver records. The federal Driver’s Privacy Protection Act, 18 U.S.C. § 2721 et. seq., does not allow individuals to sue states for violations.

arbitration

The final enforcement mechanism is arbitration, also not referred to in the Act. The Supreme Court of Canada held in Parry Sound (Ontario) Social Services Administration Board v. O.P.S.E.U., Local 324, 2003 SCC 42, that human rights statutes and other employment-related statutes are, by implication, incorporated into collective agreements. In consequence, labour arbitrators have an obligation to consider and to apply those statutes in resolving disputes.

The Supreme Court, in an earlier line of cases, affirmed the special status of human rights legislation. In Winnipeg School Division No. 1 v. Craton, [1985] 2 S.C.R. 150, McIntyre J. wrote at paragraph 8: "Human rights legislation is of a special nature and declares public policy regarding matters of general concern."

The Supreme Court of Canada has also recognized the constitutional significance of the right to privacy in several decisions. For example, Wilson J. suggested that the liberty right of section 7 of the Canadian Charter of Rights and Freedoms encompasses a privacy component in R. v. Morgentaler, [1988] 1 S.C.R. 30 at paragraph 245. McLachlin J. in her dissenting reasons in Rodriguez v. British Columbia (Attorney General), [1993] 3 S.C.R. 519 at paragraph 200 found that the section 7 right of security of the person "has an element of personal autonomy, protecting the dignity and privacy of individuals with respect to decisions concerning their own body." L’Heureux-Dubé held in her majority judgment in R. v. O’Connor, [1995] 4 S.C.R. 411 at paragraph 113 that privacy interests were protected by both the liberty right and the security of the person right in section 7. She reiterated that point in her dissenting reasons in A.M. v. Ryan, [1997] 1 S.C.R. 157 at paragraph 80.

In Lavigne v. Canada (Office of the Commissioner of Official Languages), 2002 S.C.C. 53, Gonthier J. for the Court explained that as the federal Privacy Act, R.S.C. 1985, c. P-21 was closely linked to Canada’s constitution, the Court recognized it as having "quasi-constitutional status".

As courts have accepted federal privacy laws as quasi-constitutional documents, provincial privacy laws, too, must enjoy this special status. As quasi-constitutional laws, it is suggested that provincial privacy laws must be impliedly contained in collective agreements, just as human rights statutes are. In consequence, labour arbitrators are bound to consider such laws in the resolution of privacy-related disputes under collective agreements.

That appears to have been the conclusion, although not the reasoning, of Pinard J. in L’Ecuyer v. Aéroports de Montréal, F.C.C.-T.D., [2003] F.C.J. No. 752, with respect to a complaint arising in a workplace covered by a collective agreement:

"Accordingly, the nature of the dispute between the parties and the scope of the applicable collective agreement lead the Court to conclude that the grievance arbitrator appointed under the Code and the collective agreement has exclusive jurisdiction ratione materiae to decide the dispute in question, to the exclusion of the federal privacy commissioner and also of this Court, before which the dispute has come as a result of the latter’s report." (paragraph 22)

Thus, employees working under the terms of a collective agreement appear to have the best opportunity at meaningful enforcement of their privacy rights.

An arbitrator, enforcing an individual’s privacy rights after an arbitration hearing, has the extensive remedial powers set out in sections 89 and 92 of the British Columbia Labour Relations Code, R.S.B.C. 1996, c. 244.

The praise for this legislation has been fulsome. The Minister responsible for the Act made the following comments at the time of the introduction of the legislation on April 30, 2003:

"This bill is important for British Columbia for a number of important reasons, but certainly there is no reason more important to British Columbia business than providing a plain language, easy to implement alternative to the confusing and cumbersome federal Private Sector Privacy Act that will cover British Columbia in January 2004 if the province does not pass its own legislation."

Later, the Minister described the Act as providing British Columbians with ‘broad privacy protection’, while being ‘easy for businesses to administer’. The statement referred to the work of approximately 170 stakeholders consulted by the Ministry over a year purporting to result in a streamlined Act that goes further than the federal legislation.

In fact, the Act has been universally praised. The BC Chamber of Commerce called it a "vast improvement". The BC Freedom of Information and Privacy Association (BC’s premier privacy advocacy group) referred to it as "an enormous leap for privacy rights". Even the BC Civil Liberties Association, while levelling some criticisms, was generally happy with the legislation.

The legislation is no doubt an extremely important and valuable improvement in the recognition of privacy rights in our society. It extends by statute some privacy rights to over one and a quarter of a million employees in British Columbia, as well as approximately four hundred thousand self-employed persons.

However, in my view, the legislation is neither particularly respectful of the province’s citizens’ privacy rights, nor is it easy for businesses to administer. Neither claim by the Minister survives a careful reading of the Act. In fact, it is an unnecessarily complex piece of legislation, poorly drafted, difficult for a non-lawyer to follow, and lacking any effective enforcement procedures – even the most obvious one. It also provides a significantly diminished right of privacy to employees. Finally, the general prohibition against the collection of personal information, as found in section 6, is admirable, but it, as with some of the other protections in the Act, is consumed by the exceptions.

1. Selected Federal and Provincial Government Websites.

2. Checklist of Your Responsibilities Under PIPA.