Privacy & Personal Privacy & Personal Information Information

Prepared by the CBC Law Department

CONFIDENTIAL – FALL 2011

AgendaAgenda

1. Introduction & Icebreaker2. Privacy Legislation3. CBC’s Websites4. Transfer to a Third Party5. Transfer Outside of Canada6. Retention & Destruction7. Breaches8. Conclusion 9. Round Table Discussion

2

Privacy LegislationPrivacy Legislation

• Privacy Act – Federal governments, departments & Crown Corporations

• PIPEDA (Personal Information Protection & Electronic Documents Act) – Private-sector legislation– comparable provincial legislation (BC, AB, QC)

• CBC is subject to the federal Privacy Act which governs the collection, use and disclosure of personal information

3

Privacy Act – Personal InformationPrivacy Act – Personal Information

• Personal information is information about an identifiable individual recorded in any form:– Race, national or ethnic origin, colour, religion, age, marital

status

– Education, medical, criminal or employment history

– Financial transaction

– Identifying number, symbol, etc. assigned to a person

– Address, fingerprints, blood type

– Views/opinions of an individual

– Correspondence to government institution / replies

– Views/opinions of someone else about the individual

– Name where it appears with personal information

4

Privacy Act - Collection, Use and DisclosurePrivacy Act - Collection, Use and Disclosure

• Personal information may be collected only for a stated purpose “use” and may only be used for another purpose with consent

• The information must be collected directly from the individual or from a third party with that person’s consent

• Personal information may only be disclosed with consent, subject to some exceptions

5

Privacy Act ExclusionsPrivacy Act Exclusions

• Information gathered only for journalistic, artistic or literary purposes and for no other purpose is excluded from the Privacy Act because of the right to freedom of expression

• If the personal information is being used for any purpose other than, or in addition to, journalistic, artistic or literary (e.g. marketing or research) it is subject to the Privacy Act

6

CBC’s Collection of Personal InformationCBC’s Collection of Personal Information

• Unless otherwise authorized by the Privacy Act– No personal information shall be collected by CBC/Radio-

Canada unless it relates directly to an operating program or activity of CBC/Radio-Canada

– CBC/Radio-Canada shall, wherever possible, collect personal information that is intended to be used for an administrative purpose directly from the individual to whom it relates except where the individual authorizes otherwise

– CBC/Radio Canada shall inform any individual from whom it collects personal information of the purpose for which the information is being collected

7

CBC Website VisitorsCBC Website Visitors

• Individuals who register with the CBC Member Centre or simply visit CBC’s websites, must know:

– how their personal information will be used

– to whom it will be disclosed

• Under the CBC.ca Terms of Use: IF YOU ARE DISSATISFIED WITH THE TERMS, CONDITIONS, RULES, POLICIES, GUIDELINES OR PRACTICES OF THE CBC/R OPERATING WEB SITE, YOUR SOLE AND EXCLUSIVE REMEDY IS TO DISCONTINUE USING IT.

8

Personal Information – Third Party Transfer Personal Information – Third Party Transfer

• CBC may transfer information to a third party, acting as its agent, for the original purpose without further consent but CBC remains responsible for the treatment of that information

• This risk should be covered by obligations in CBC’s contract with the third party – if not on CBC’s GSA, then evaluated with the Law Department and custom language provided

• CBC must ensure the personal information is treated in accordance with CBC’s Privacy Policy or applicable legislation

9

Transferring Outside of CanadaTransferring Outside of Canada

• Personal information can be transferred outside of Canada as long as the “purpose” is the same

• CBC cannot override the laws of a foreign jurisdiction

• CBC must inform users when they log on that their personal information may be stored outside of Canada where it will be subject to foreign laws and may be accessed by the courts’ law enforcement and national security authorities

10

Other Jurisdictions - EuropeOther Jurisdictions - Europe

• All western European countries have privacy legislation similar to or stricter than Canada’s

• If CBC’s service provider is in Europe, CBC only needs to ensure that the service provider will comply with its privacy legislation

11

U.S.U.S.

• The U.S. poses the major problem because it has no strong privacy legislation

• Information stored on U.S. servers is subject to the U.S. Patriot Act which permits authorities to enter premises without a warrant and gather personal information

• When information is sensitive, some companies have insisted, even when dealing with a U.S. branch plant, that the personal information gathered be kept on a Canadian server

12

Safe Harbor FrameworkSafe Harbor Framework

• Because the EU threatened to prevent the transfer of personal information to the U.S., the U.S. created a voluntary Safe Harbor Framework

• Companies join the Safe Harbor List by committing to significant personal information protection contained in the framework. If a company is on this list, CBC may rely on this as sufficient privacy protection in a contract, but the fact that the company adheres to the framework needs to be set out in the contract

• SafeHarbor List is at https://safeharbor.export.gov/list.aspx

13

Breaches/DecisionsBreaches/Decisions

• Third Party Breach - Call CBC Privacy Officer who will conduct an audit and advise on next steps

• Internal CBC Breach – Call CBC Privacy Officer• Hot topics in the news: Sony, TJMAX, Facebook,

BC Health

14

Retention/DestructionRetention/Destruction

• Retention – Personal information that has been used by CBC/Radio-

Canada for an administrative purpose shall be retained for such period of time after it is so used as may be prescribed by regulation in order to ensure that the individual to whom it relates has a reasonable opportunity to obtain access to the information

• Destruction– CBC/Radio-Canada shall dispose of personal information

under its control in accordance with the regulations and with any directives or guidelines issued by the designated minister in relation to the disposal of that information and with its corporate retention schedule. Use and Disclosure of Personal Information

15

InspectionInspection

• The Privacy Act allows any individual to inquire about their personal information that is in the possession of CBC, and to require that it be corrected if need be.

• As a result, it is imperative that any person or entity that collects personal information to properly maintain the records in a way that is easily managed, and to purge the records as soon as they are no longer required.

16

Conclusion – Practical TipsConclusion – Practical Tips

• USER – Tell user for what purpose the personal information will be used and that it may be transferred outside Canada and accessed by governmental authorities if that is the case

• SUPPLIER - If CBC uses a third party, their contract must cover their responsibility to conform with CBC’s Personal Information & Privacy Protection Policy 2.9.02 or other applicable privacy legislation (also confirm the company’s policy); if outside of Canada consult Law Department

• BREACH - If there is a breach, contact the CBC Privacy Officer immediately

17