For the London Free Press – June 28, 2010
PERSONAL INFORMATION: The language pertaining to ‘lawful authority’ and breach notification is open to interpretation
Bill C-29 was recently introduced to amend the Personal Information Protection and Electronic Documents Act. The bill is an attempt to address a number of shortcomings in the legislation that governs private-sector privacy in Ontario and other provinces.
Most of the changes are welcome. Two changes are controversial: the definition of “lawful authority” and privacy breach notification.
“Lawful authority” determines when an entity can release information to the police without a warrant.
The act permits disclosure of information to government bodies where it has identified its “lawful authority” to obtain the information. Much debate has arisen as to what constitutes “lawful authority.” As a result, some entities won’t release personal information to police without a warrant.
Bill C-29 has attempted to clarify “lawful authority” as follows:
(a) lawful authority refers to lawful authority other than (i) a subpoena or warrant issued, or an order made, by a court, person or body with jurisdiction to compel the production of information, or (ii) rules of court relating to the production of records; and (b) the organization that discloses the personal information is not required to verify the validity of the lawful authority identified by the government institution or the part of a government institution.
So it tells us what “lawful authority” is not, but not how to know when it exists. It really isn’t very helpful.
The second issue deals with breach notification.
The Personal Information Protection and Electronic Documents Act does not require any notification to either customers or the privacy commissioner if personal information has been lost or stolen. The proposed amendments add requirements to notify the privacy commissioner and/or affected individuals in certain circumstances.
That language has threshold tests that are not as clear as they might be. If this language stays, it may take a privacy commissioner or court decision to clarify.
For example, the privacy commissioner must be notified where a “material” breach has occurred. Since “material” remains a subjective test, it is somewhat at the discretion of the entity to determine whether the breach is “material.”
Individuals must be notified only “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.” Again, this requirement is somewhat at the discretion of the entity that would have to notify the individual.
Some will argue that the discretionary component of the notification requirements is valuable as it is not mandatory to disclose minor breaches. That may be a good thing, but it will take some time to figure out how to apply the tests in practice. The difficult part is knowing where the threshold actually is.
The wording of the breach notification provisions leaves the possibility that entities may abuse the discretion provided to them and choose not to report breaches that many would argue are major. That’s especially true since there is no fine or penalty for not doing so.
On the other hand, when it comes to privacy, the “headline risk” of not abiding by the legislation, or being perceived to not be doing the right thing, is perhaps as big a motivator as anything.