Data Protection in the Private Sector - Options for a Uniform Statute 1996

ANNEX IV - Questionnaire
Questionnaire on Options for a Uniform Statute on Data Protection in the Private Sector

The following questions are based on the assumption that the Uniform Law Conference will develop a uniform statute regulating protection of personal information in the private sector. It also assumes the uniform statute will adopt the principles set out in the CSA Model Code, that the uniform statute will apply to all private business within a given legislative jurisdiction, will apply to all information about identifiable individuals, and that private businesses may have their own complaint-handling processes in addition to any third party process that might be established.

If you want to expand on an answer, please provide a separate response.

Implementation Option | Pros | Cons | Please check

A Commission model? Do you favour a data protection Commission of some kind with some oversight responsibilities for the uniform statute?

can provide credible, neutral, expert views; universal access to an efficient, effective complaint process

can add costs and delays, be excessively intrusive on business; fail to understand business realities

Yes

No

If you do NOT favour a Commission model of some kind, would you favour:

(a) complainants' recourse to civil courts only: Yes
(b) regulatory offences for non-compliance and no other recourse: Yes

If the uniform statute includes a Commission model, which Commission would it be?

existing Information and Privacy Commissions; Human Rights Commissions (or other existing agencies where such do not exist)

Yes

No

sectoral Commissions where they exist (e.g.: CRTC, OSFI, securities commissions, etc.)?

would provide one-stop regulators for business

could weaken expertise & consistency in data protection; make it more difficult for citizens to know where or how to complain; data protection might be a low priority for the sectoral regulator

Yes

No

new agencies

might give more visibility to the laws

would add cost at a time of government downsizing

Yes

No

If there is a Commission model, which of the following functions should a Commission perform?

public education, data protection research, regularly published reports

promotes compliance and awareness of data protection issues.

might produce more complaints and would cost more money.

Yes

No

technology impact assessments

same as above.

would cost more money and might be unnecessary. If the principles are not technology-specific, why would technology-specific assessments be necessary?

Yes

No

compliance audits

can give the law more credibility, more incentive to ensure business compliance; can deal with issues that might not be known to the public or that might otherwise not arise in a complaint context; can prevent problems before they arise

may be an indication of a presumption that business does not obey the law; would add costs; real problems will arise through complaints so compliance audits are unnecessary

Yes

No

primary reliance on company complaint processes? Should the law prohibit complaints to a third party until the company process has been completed?

company processes could provide faster, more direct responses than third party responses; companies should have the chance to set things right before third parties are called in; using the company process first would reduce the workload for other processes

might result in undue delay; might deter complainants who have no confidence in the company's process; or might mean similarly situated persons do not benefit from the complaint resolution

Yes

No

registration component? If the Commission is not to perform compliance audits, would you favour a system where

(a) the Commission is authorized to order companies who have demonstrated poor compliance to obtain third party registration; or

(b) companies of a certain size would be required by law to register their data protection practices with a standards registrar (e.g.: registering compliance with the CSA Model Code), presumably at the expense of the business in the usual way for standards registration

avoids compliance auditing costs for the public body; uses a process well-known to the private sector

registration processes are not mandatory; independent registrars are not accountable to the public; requires the existence of registrars who would provide such audits and registrations; registrars rely on continued good relations with the businesses they register so neutrality or diligence could be called into question; there is a copyright issue with respect to incorporating an official Standard into legislative text; if registrations are mandatory, would it be less expensive or more neutral to use government registrars rather than 3rd party registrars?; if it's mandatory, business should not have to pay

(a) Yes

No

(b) Yes

No

complaint investigation

every dispute resolution function needs an investigation component

it is sufficient to rely on a mediator's role without the added cost of investigation staff; the systemic nature of the job may create incentives to find privacy problems

Yes

No

mediation

the objective is to resolve disputes, not find fault, so mediation is appropriate, and can be efficient and effective

if there is an investigation or adjudication function, the neutrality of the mediation function may be called into question

Yes

No

publicity. The Commission would have the power to publish the names of companies with poor data protection practices (with a right of prior notice and a right of appeal before publication)

perhaps the least expensive, more effective way to ensure compliance

may be the most intrusive of all the penalty options, with respect to its impact on the business in question

Yes

No

adjudication

ensures disputes will be resolved, avoids court costs and delays, may provide more expertise and consistency and fewer costs than a court could do

courts are adequate for adjudication (see federal Privacy Commissioner model); if there is an audit, investigation or mediation function, neutrality of the adjudication function may be called into question

Yes

No

Adjudication panels? If the Commission is not to have an adjudication function, should the function be performed by ad hoc panels of experts?

no full-time salary costs or office overhead for panel members; independent from the Commission; the model is well known in other contexts

rotating panels can reduce consistency, and can take more time than full-time hearing officers

Yes

No

Offence provisions? Should the law contain offence provisions for non-compliance?

this is essential to ensure the law is respected

the federal Access to Information Act and Privacy Act do not contain offence provisions; all jurisdictions have catch-all offence provisions in their summary conviction laws

Yes

No

Subject matter of the uniform statute

Sectoral codes? Should the law give legal recognition to sectoral codes?

sectoral codes permit flexibility; recognize differences in different types of business; may encourage greater support for the law and compliance by business

a variety of codes reduces uniformity; makes it more difficult for citizens to know what provisions apply to them in different contexts

Yes

No

Credit reporting laws? Should the uniform statute incorporate and replace credit reporting laws?

would respond to a concern expressed by a credit reporting agency; would assist in making laws more uniform

would make the uniform statute too unwieldy to develop and gain approval for

Yes

No

"Invasion of privacy" statutes? Should the law incorporate existing statutes making invasion of privacy liable to civil action?

would assist in making laws more uniform and easier to find for the public; would build on an existing ULC uniform statute

confuses privacy with data protection; not all provinces have "invasion of privacy" laws; invasion of privacy torts include much more than private business-consumer contexts; adding this could make the uniform statute too unwieldy to develop and gain approval for

Yes

No

Workplace privacy? Should the law deal specifically with issues surrounding workplace privacy?

workplace privacy is an essential aspect of data protection and privacy; such provisions would promote awareness of the issues; would create a minimum standard for workers' privacy and treat minimum privacy as a human right rather than as a "negotiable" workplace perk; would require legislators to address workplace privacy directly rather than forcing workers and business to deal with these issues on an ad hoc basis in courts and tribunals

these issues are already dealt with in collective agreements, labour codes, and by human rights laws. Another layer is not needed; adding this could make the uniform statute too unwieldy to develop and gain approval for

Yes

No

Medical privacy? Should a data protection uniform statute deal with permitted uses of medical records?

this is one of the most sensitive aspects of data protection and should not be left to ad hoc treatment or identical treatment as other personal information

there should be a specific focus on medical issues. The focus is best ensured by keeping the issues separate from more general data protection principles. Any attempt to include special medical rules in the uniform statute would make the model too unwieldy to gain consensus or approval

Yes

No

Disclosure rules? Should a uniform statute provide a specific permission or duty to disclose information where it is necessary to protect the health or safety of others?

recently, Ontario doctors approved a resolution where they receive information from patients that indicates the patients are a danger to others; in the legal context, the Bernardo tapes experience shows this issue may need to be dealt with legislatively

general disclosure rules may result in too many disclosures and not enough data protection to protect a person's confidence in their doctor, lawyer, etc.; these issues are too complex for a general data protection uniform statute

Yes

No

Conflicts of laws. In case of conflicts between laws in different jurisdictions (i.e.: fed/prov), should the uniform statute specify that the statute that best protects personal information shall apply?

promotes data protection; avoids the federal paramountcy rule

principle of federal paramountcy is adequate and promotes certainty of the law

Yes

No

