Changes to privacy laws vague

For the London Free Press – June 28, 2010


PERSONAL INFORMATION: The language pertaining to ‘lawful authority’ and breach notification is open to interpretation

Bill C-29 was recently introduced to amend the Personal Information Protection and Electronic Documents Act. The bill is an attempt to address a number of shortcomings in the legislation that governs private-sector privacy in Ontario and other provinces.

Most of the changes are welcome. Two changes are controversial: the definition of “lawful authority” and privacy breach notification.

“Lawful authority” determines when an entity can release information to the police without a warrant.

The act permits disclosure of information to a government body where that body has identified its “lawful authority” to obtain the information. Much debate has arisen as to what constitutes “lawful authority.” As a result, some entities won’t release personal information to police without a warrant.

Bill C-29 has attempted to clarify “lawful authority” as follows:

(a) lawful authority refers to lawful authority other than (i) a subpoena or warrant issued, or an order made, by a court, person or body with jurisdiction to compel the production of information, or (ii) rules of court relating to the production of records; and (b) the organization that discloses the personal information is not required to verify the validity of the lawful authority identified by the government institution or the part of a government institution.

So it tells us what “lawful authority” is not, but not how to know when it exists. It really isn’t very helpful.

The second issue deals with breach notification.

The Personal Information Protection and Electronic Documents Act does not require any notification to either customers or the privacy commissioner if personal information has been lost or stolen. The proposed amendments add requirements to notify the privacy commissioner and/or affected individuals in certain circumstances.

That language has threshold tests that are not as clear as they might be. If this language stays, it may take a privacy commissioner or court decision to clarify.

For example, the privacy commissioner must be notified where a “material” breach has occurred. Since “material” remains a subjective test, it is somewhat at the discretion of the entity to determine whether the breach is “material.”

Individuals must be notified only “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.” Again, this requirement is somewhat at the discretion of the entity that would have to notify the individual.

Some will argue that the discretionary component of the notification requirements is valuable as it is not mandatory to disclose minor breaches. That may be a good thing, but it will take some time to figure out how to apply the tests in practice. The difficult part is knowing where the threshold actually is.

The wording of the breach notification provisions leaves the possibility that entities may abuse the discretion provided to them and choose not to report breaches that many would argue are major. That’s especially true since there is no fine or penalty for not doing so.

On the other hand, when it comes to privacy, the “headline risk” of not abiding by the legislation, or being perceived to not be doing the right thing, is perhaps as big a motivator as anything.

3 thoughts on “Changes to privacy laws vague”

  1. Good timing. I just took over the privacy officer role for GoodLife and was wondering why there was little clarity around the definition of a lawful authority.

  2. Have you got any suggestions for clearer wording for a test for requiring notification? The bill has not yet passed, so there is time to improve it. Also, the Uniform Law Conference is preparing a Uniform Breach Notification Act and could end up adopting a similar test to that in C-29 and in Alberta’s Personal Health Information Act. If there is a better test, the sooner they find out about it, the better.

    Some US states just list types of documents whose loss triggers the requirement to notify. Two problems at least with that approach: any list is bound to leave something out, and documents or information that by itself may be trivial may turn out not to be trivial when combined with other information about the same person, from the same or other sources – so the document-list method will sometimes not reflect the real risk caused by the breach of security.

  3. David — Interesting article. I haven’t read C-29 but I assume that the “lawful authority” provisions do not compel one to release information but are meant to act as a catch-all to protect the record holder in circumstances where they feel compelled to release information to authorities under the understanding that they are required to do so by law. Which actually seems like a reasonable thing from the perspective of the record holder (there are probably countless examples of where government departments require information pertaining to employment, for example), but since they are not obligated to verify the legality of the “lawful authority,” the vagueness is mainly at the expense of the individual, who may have a right to be concerned that information could be released to the government without proper authority or cause and without recourse.
