PIPEDA: The Other “Lawful Access” Proposals
There were a number of letters, news items and posts this past week about the new lawful access proposals before Canada’s Parliament. While the focus has been on telcos and the data they hold, it is important to note that there are also other “access” proposals – ones that significantly change the Personal Information Protection and Electronic Documents Act (“PIPEDA”) when it comes to the disclosure of information.
These amendments to PIPEDA were reintroduced in the House of Commons on 29 September 2011 in Bill C-12 (with the ironic and, one might suggest, “Orwellian” short title of Safeguarding Canadians’ Personal Information Act). A lot of the focus was on the bill’s “breach notification” provisions but of particular interest, in light of this latest discussion about “access”, are the other amendments that dispense with PIPEDA’s consent requirements in a number of instances.
For example, Bill C-12 will change PIPEDA to permit the disclosure of personal information without the knowledge or consent of the individual for the purposes of performing police services, preventing, detecting or suppressing fraud, or protecting victims of financial abuse. “Financial abuse” isn’t defined. “Preventing, detecting and suppressing” covers the waterfront. Under the proposed language, even if you haven’t committed fraud, an organization can disclose information about you to “prevent” fraud.
“Performing police services” is also broad language. Especially when the actual text says that performing police services is something other than “for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law” — language already in PIPEDA. Since just about anything a police officer says or does can be captured by the phrase “performing police services”, this means an organization can simply release personal information without consent to the police.
One could say that it will easy to discern when something is not financial abuse or fraud. But in the real world it’s easy to never see all the dots connected in a complete picture. Unless something’s wonky on the face of the request, you may never know if it really is about financial abuse or fraud. And we may never know if anyone is abusing these “reasons” until a complaint sees the full light of day. And even then it may be argued that it’s an “isolated incident”.
But it’s not just the police who can get information without consent. C-12 will also permit disclosure by one organization to another without consent if the disclosure is “necessary” to investigate a breach of an agreement, that has been, is being or is about to be committed, or to prevent, detect or suppress fraud when it is reasonable to expect that the disclosure with the knowledge or consent of the individual would undermine the ability to prevent, detect or suppress the fraud. Again, if you are suspected of being — in any way, shape or form — associated with fraud, the organization can release information about you. That’s a pretty broad “permission slip” for the exchange of information between organizations. Forget about disclosure to investigative bodies. Nobody really needs them anymore.
Currently organizations have to go through a notification process if they receive an access request in connection with the disclosure of personal information without consent to a government institution for purposes enumerated in s. 9(2.1) of PIPEDA. That will be extended under a new provision so that the organization cannot voluntary inform the individual concerned that a disclosure took place. Read the proposed new s. 7(5) of PIPEDA and then ask yourself if you should really concern yourself about the Americans and their PATRIOT ACT?
Finally, you have to admit that the insurance industry has a good lobby. With C-12, personal information can be collected, used and disclosed when the information is contained in a witness statement and the collection, use or disclosure is necessary to assess, process or settle an insurance claim. One might ask why just insurance claims? Is this the thin edge of the wedge?
The lives of privacy officers just became more complicated. Law enforcement and security requests got easier to make; personal information exchanges are likely to increase. At one level, all of these changes to PIPEDA come across as a straightforward “clarifications”; at another level they are ripe for abuse. Remember, it isn’t the rules you have to watch; it’s the exceptions — and how the exceptions will be used in practice.
I sometimes say to stakeholders that I’m “paid to be paranoid”. This is usually in reference to describing to them the scenarios that could occur if privacy were to be breached in an egregious manner.
My ‘paranoid’ reaction to these clarifications is to wonder if the privacy officer that refuses a request, or drags his/her heels to obtain some modicum of reasonable justification from the policy, then qualifies as a person of interest in whatever inquiry is in progress.
This is the nightmare scenario of “If you’ve got nothing to hide, why are you objecting?”
It should also be noted that the entities thus empowered to give out information without consent include technology service providers of law firms.
Does anyone other than me see an ethical problem with breaching client confidentiality in this manner?
[…] points to lawful intercept requirements in the forthcoming spectrum auction, while many others have discussed Bill C-12, which includes provisions that encourage personal information disclosure without court […]
[…] to lawful intercept requirements in the forthcoming spectrum auction, while many others have discussed Bill C-12, which includes provisions that encourage personal information disclosure without court […]