Data Protection in the Private Sector - Options for a Uniform Statute 1996

ANNEX I - Summary of Recommendations

It should be emphasized that these recommendations are the result of consultations with approximately 30 selected government, private sector and consumer representatives and other data protection experts. Not all of the 30 provided responses. There were only six private sector responses to the questionnaire (of a total of 22 responses). It cannot be said that the consultations followed a scientific sampling approach.

1. Is a legislated approach desirable?

The responses to the first consultation paper revealed that there is strong consensus that such a law should apply to everyone in the private sector, regardless of size and including non-profit organizations, and should apply to all personal information, using standard definitions of personal information (any information about identifiable persons).

2. What should the statement of data protection principles contain?

RECOMMENDATION: Data protection principles are fairly universal, even though they can differ from one data protection instrument to another. The principles in the CSA Model Code represent a good base on which to build a Uniform statute and these principles are consistent with the principles in the Quebec Act which regulates data protection in the private sector. There do not appear to be significant differing options with respect to the selection of data protection principles.

3. What kind of oversight mechanism should exist?

RECOMMENDATION: Of the various options (courts only; new agencies; sectoral commissions; panels of mediators/arbitrators appointed sectorally; existing data protection commissions) there is a large consensus for using existing data protection bodies to oversee laws regulating data protection in the private sector. This is the model adopted in the Quebec legislation.

4. What powers should an oversight body have?

RECOMMENDATIONS: Based on the above, a uniform statute should provide the data protection commission with a mandate for public education, powers to receive complaints (but generally only after the organization's process had been tried first), conduct investigations, mediation and adjudication. Whether the adjudication would be better done by a single Commissioner, full-time hearing officers, or from an ad hoc roster should be the subject of further consultation. Also, the law should not expressly provide for compliance audits or for technology assessments (although it is probable and acceptable that a Commission might issue papers or reports on how certain technologies affect privacy).

The law should provide the Commission with the power to publicize the names of organizations with poor performance (although even if the law did not expressly provide for this, the Commission's decisions and reports would be public in any event). It would be useful to conduct more consultation on whether and how the law might recognize to private standards registration processes. The law should contain an offence provision similar to the one in the Quebec Act.

5. What should be the subject matter of a Model Data Protection Law?

RECOMMENDATION: The Uniform statute should express universally applicable data protection principles and an implementation mechanism, and should not attempt to set out specific rules for medical information, credit reporting or deal with privacy issues that are broader than data protection, such as workplace surveillance and invasion of privacy torts. More consultations should be undertaken with respect to the use of sectoral codes.

RECOMMENDATION: The ULCC should approve and support the drafting of a uniform statute based on the directions and recommendations set out in this report (subject to specific changes the 1996 meeting of the ULCC might suggest), and based on further consultations and research with respect to sectoral codes, adjudication mechanism, remedial powers and standards registration processes.

Next Annual Meeting

2020 Annual Meeting

Place to be Announced

August 9 – 13, 2020