PIPEDA Update

Joe McCallum*

As of January 1, 2004 the Personal Information Protection and Electronic Documents Act[1] (hereinafter referred to as “PIPEDA” or “the Act”) began to govern the management of all information collected, used or disclosed by organizations involved in a commercial activity.  In fact, the application of the Act can certainly be described in more detail, and it may be noted that its application actually developed in various stages, but for the purposes of this paper it is sufficient that we appreciate that the Act applies to the practice of law.  As lawyers we are often, of necessity, entrusted with our clients’ most sensitive and personal information.  Alternatively, there may be instances wherein the quantum and delicacy of the information we receive is considerably less significant.  In this writer’s opinion there exists no area of law requiring the client to impart more personal information or place more of his or her trust in counsel than in the practice of family law.  Unlike many facets of law, the ability of family counsel to serve their clients’ needs while protecting their interests demands intimate familiarity with most, if not all, aspects of their clients’ financial, familial and personal relationships.  While we are, of course, governed by the Rules of Professional Conduct, which I am proud to say are generally well respected, PIPEDA serves to augment and complement those rules.

At the risk of briefly exceeding the intended scope of this paper, a short review of the development of PIPEDA may be appropriate.  It is hoped that this background will assist in understanding why the Act was passed in the first place and why the private sector has been drawn into the world of privacy legislation, which was generally heretofore a creature of the public domain.  As a matter of modern history we are well aware that the European Union has developed in recent years for reasons which need not be considered here.  As with any effort to draw parties together under a degree of common governance, concerns arose among the proposed member states on a variety of issues.  A key area of concern arose with respect to the ability of member states to respect and protect the personal information of their citizens.  As a point of clarification, personal information in the context of the Act includes any information that may be associated with an identifiable individual.  Ultimately, it was agreed that legislation must be created to effect this end.  The emerging EU went further and made it clear to its trading nations that in the absence of such legislation being enacted their status with the EU would be seriously downgraded.  In Canada, this caused Industry Canada, the relevant department of the federal government, to call upon the Canadian Standards Association (“CSA”) to develop guidelines for what would become PIPEDA.  In response the CSA developed 10 detailed principles which formed the basis for PIPEDA. Indeed, those principles have been incorporated into the Act.[2]

Of course, as practitioners the ultimate question remains: what impact does the Act have upon my practice and why should I be concerned about it?  Beyond the obvious responsibility and obligation we share to uphold the law of the land, there are serious implications which may arise as a result of complaints being made under the Act. At the risk of stating the obvious, the most important business reason to comply with the Act is that none of us can afford to be identified as the lawyer who was investigated by the Office of the Federal Privacy Commissioner for improper management of our clients’ information.  In that spirit this paper has been drafted based upon the ten principles of the CSA model code, and the writer has attempted with all due humility to offer some degree of insight into the meaning of each and the compliance measures associated with same.

The ten principles noted above may be generally summarized as follows: accountability, identifying purpose, consent, limiting collection, limiting use, disclosure and retention, safeguards, accuracy, openness, individual access and challenging compliance.  The requirements that flow from each of these principles may be broadly described, but it should be remembered that the actual practices required to achieve their objectives may vary based upon the nature of the business involved.  For example, the public’s expectations of a lawyer’s privacy policy would certainly exceed those of a small retail establishment.  It is reasonable to assume the Federal Privacy Commissioner would have similarly divergent expectations.  As in many facets of our professional careers, we will be held to a higher standard by the general public, the Office of the Privacy Commissioner and indeed our colleagues.  It is from that perspective that we should examine the principles and their application to the practice of law.

Accountability in its most fundamental form calls for an organization, whether that be a sole practitioner or a large firm, to ensure that an individual or group of individuals has been designated to ensure compliance with the Act.[3]  The Act requires that someone be designated the Chief Privacy Officer, who is charged with overseeing compliance.  This position may be divided amongst a group of people.  In determining who should be designated for this position, thought should be given to the individual’s place within the infrastructure of the firm.  Lawyers would do well to designate someone who has some experience and familiarity with the information management techniques of the firm.  A certain degree of authority, and the respect of employees, is also an important consideration when allocating the Chief Privacy Officer’s responsibilities.  Lastly, endeavor to make an objective assessment of the individual’s likelihood of remaining with the firm.  As with any other initiative, there is little point in training an employee only to find they are leaving the firm and you will have to begin the exercise again.

At a minimum, accountability under the Act demands an understanding of the basic requirements of the Act and acknowledgment of responsibility for the personal information held by the organization.  Accountability also requires that organizations develop comprehensive privacy policies.  The role of the privacy policy and its composition will be more fully canvassed under the principle of openness below.

The first practical consideration that a firm needs to concern itself with in attempting to comply with the Act is to identify the purpose for which it requires personal information.[4]  Only by understanding this can a lawyer advise his or her client of the reasons for the collection, use or disclosure of their personal information.  As we will see, providing the client with an explanation of the lawyer’s purposes for dealing with their information is a prerequisite to obtaining valid consent.

Consent, in this writer’s opinion, may fairly be referred to as the cornerstone of the Act.[5]  The basic premise of PIPEDA is that personal information belongs to the individual and, except in limited circumstances that are beyond the scope of this paper, organizations are not at liberty to collect, use or disclose it without the subject’s knowledge and consent.  Having said that, it must be remembered that consent under PIPEDA, as one might expect, means informed consent.  Clearly, having clients sign a consent agreement that gives counsel carte blanche to handle the client’s personal information with no express limitations or explanation will not suffice.  Alternatively, some organizations have drafted consent forms which frequently include an acknowledgment by the client of the terms of the privacy policy.  Each of these documents may be several pages long.  This writer does not mean to suggest that either approach is correct in all circumstances.  As family lawyers, one’s client list may comprise executives who are quite familiar with verbose documents written in legalese and less sophisticated clients who would be easily intimidated by such papers. In order to obtain valid informed consent the lawyer must seek to strike a balance between these extremes.  The explanation provided for the collection, use and disclosure of information and the consent form acknowledging same must be sufficiently comprehensive to permit the lawyer to serve their client’s needs effectively while at the same time refraining from causing the client to be intimidated or confused.  In the event that a family lawyer practices within a full-service firm it may be appropriate to have different consent forms drafted for each lawyer.  Clearly the information you require to carry a family file is substantially different from that required by the corporate counsel down the hall.

Another alternative which some full-service firms have adopted is to create a template consent form and leave a blank portion where each lawyer can fill in the particulars that he or she anticipates will apply to the file at hand.  This method may also be helpful for a sole practitioner who practices as a generalist.  The obvious danger with such an approach is that it leaves the reliability and validity of the consent form in the hands of individual counsel.  Unless they are particularly sensitive to the requirements of PIPEDA, there is a strong likelihood that, in time, the particulars will become increasingly vague or brief, which could undermine the utility of having received consent in the first instance.

There has been considerable discussion with respect to the form of consent that organizations must obtain in order to collect, use or disclose personal information.  While the Federal Privacy Commissioner has made it clear that consent can be expressed or implied, this writer believes that the opportunity to rely upon implied consent in the practice of law is rather limited. In the context of a law practice this writer would suggest that written consent must be obtained when commencing a new file.  As a practical matter this should not prove to be difficult.  A new client could simply be provided with a copy of the firm privacy policy and consent form along with your retainer form. 

One circumstance in which a less formal consent may be permissible may arise after counsel has carriage of a file.  As discussed above, the purpose of consent must be made known to the client when the consent form is first executed.  Should some ancillary purpose develop that was simply overlooked, this writer would suggest it would be reasonable for counsel to rely upon a less formal or indeed even implied consent.  For example, if a client has executed a consent that confirmed the lawyer’s ability to communicate with certain third parties such as experts on pension valuations and the client’s bank, but failed to refer specifically to their personal accountant it would, I believe, be reasonable to telephone the client and advise of the oversight and seek consent to contact the accountant.  

In addition to supporting valid consent, identifying the purpose of collecting information not only enables the lawyer to so advise his client; it may also permit him to critically consider the utility and necessity of collecting particular information. This brings us to the next basic principle of PIPEDA, limiting collection.[6]

Limiting the collection of personal information to that which is genuinely relevant will serve lawyers well. As we are all too aware, physical management of client files places a substantial burden upon the resources of a firm.  I believe that from the perspective of the Federal Privacy Commissioner, collection of superfluous information disregards the sensitivity of the information and reflects a certain disregard for the spirit of the Act.  Conversely, reasonable and limited collection of information will demonstrate that a lawyer has given the matter due consideration and will serve him well should he be in the unfortunate situation of having a complaint filed with the Commissioner.  A demonstrable commitment to adhering to the basic tenets of the Act will serve to persuade the Commissioner that the complaint is not well-founded.

Another advantage to limiting collection of personal information relates to the increasing public awareness of PIPEDA.  It is reasonable to assume that as the general public becomes increasingly aware of the purpose of the Act they are more likely to challenge requests for information and seek justification for same.  By narrowing the scope of collection your staff will be better equipped to explain the purpose of collection in a reasoned, effective manner.
The practice of limiting collection to that which is necessary is closely connected to the next principle of the Act, namely safeguarding.[7]  Once a lawyer has determined what information is necessary to assist the client and has received it, what is to be done to protect it?  We have all been in law offices where the vast majority of files are stored in a central location regardless of which lawyer actually has carriage of the matter.  As a consequence there exist myriad people who have access, authorized or otherwise, to the contents of the file.  Under PIPEDA it is reasonable to assume that this practice would be deemed a contravention of the Act.  Rather, lawyers should adopt a “need to know” approach when determining where files will be located and who will have access to them.  As a general rule the necessary measures to safeguard information will increase in direct proportion to its sensitivity.  Lawyers should also be cognizant of the fact that electronic storage of information has created yet another area of concern with respect to safeguarding clients’ personal information.  A variety of programs exist to assist in this regard, and firms will be expected to take appropriate steps to ensure that electronic information is secure both from external access and from unauthorized internal activity.

The next principle of PIPEDA to examine also relates to the concept of placing limits upon information management. Limiting use, disclosure and retention of personal information assures individuals that the consent they have provided will not result in their information being released without their authorization.[8]  Nor should they have to be concerned that the information they provide to an organization today will be forever retained and relied upon by organizations seeking to exploit same for their own purposes.

The issue of limiting use of personal information ties directly to the principle requiring informed consent for the collection of information in the first instance.  In its simplest form, limited use means that as a lawyer you are not permitted to use the information that was provided to you for a purpose other than that which was contemplated and agreed to when you first obtained your client’s consent.  Should an unanticipated purpose arise, the Act requires that you obtain a new consent to permit you to use the information for that purpose.  As noted above, the form of consent required may be different from that which was originally secured, but the point remains.  In the absence of consent you are not permitted to collect, use or disclose an individual’s personal information.  There are of course exceptions to this blanket prohibition which appear in section seven of the Act but which are beyond the scope of this paper.

Limiting disclosure of a client’s information to that which is necessary and has been consented to is an important principle for lawyers to honour.  In the family law context, counsel may find themselves having to provide various types of their client’s personal data, such as financial, medical and familial information.  While the client may have consented to such disclosure, it is this writer’s opinion that prudent counsel will ensure that the third party receiving the information has been advised of your privacy policy and undertakes to adhere to same.  Rather than seek an acknowledgment of same on each file, it may be more practical to provide your regular recipients of information, such as accountants, counsellors and doctors, with a copy of your policy and ask that they return a signed acknowledgment that they shall refrain from releasing information and that they will adhere to its spirit. Generally speaking, the professionals to which we are likely to disclose information are governed by their own regulatory institutions and have little difficulty signing such acknowledgments, presuming your privacy policy is reasonable and has been well drafted.  By keeping these acknowledgments on file you will have protected yourself and streamlined the process.  As an extra note of caution you may wish to include a reference in your cover letter reminding them of their obligations with respect to maintaining the confidentiality of your client’s information.  As a point of clarification it should be noted that much has been made recently of the distinction between disclosure and transfer of personal information.  While a disclosure would require the individual’s consent, a transfer would not. Information shared for purposes of administration is frequently referred to as transferred.  While there has been some acceptance of this position, this writer prefers a cautious approach and would advise obtaining consent regardless.

Many organizations have responded to the enactment of PIPEDA by commencing a massive document shredding campaign.  The reasoning behind such an undertaking is that by removing personal information from their files they are reducing their exposure to PIPEDA complaints.  While there is some wisdom in such an approach, lawyers must be careful not to create new problems by destroying documents prematurely.  At the very least lawyers should create a procedure for recording when information is received from clients and when the file was closed.  This will permit you to determine whether or not you need to retain the records.  In this writer’s opinion, there is no perfect answer as to when it is appropriate to rid your file of a client’s information.  In the family context, one need only look at the situation in which a client returns years after a custody issue is resolved and seeks to revisit the arrangement in order to see the risks and difficulties associated with premature destruction of documents.  You should also be aware that disposing of documents in an insecure fashion could potentially expose you to complaints by former clients. Imagine having clients’ personal information on your letterhead strewn about the streets due to some mishap when the refuse is placed for collection.  It is reasonable to assume that such a development would quickly draw the attention of both the Commissioner’s office and the Law Society. As suggested at the beginning of this paper, the business implications of such a development could be devastating.

In addition to traditional concerns about appropriate destruction of records, we must also concern ourselves with ensuring electronic information is dealt with responsibly. While this author would not presume to offer advice on appropriate techniques in this regard, it should be noted that electronic data must be treated with the same degree of care and concern as its paper counterpart.

A final point regarding record retention that must not be ignored is that subsection 8(8) of the Act prohibits the destruction of any records that form the basis of a complaint.  Clearly, if data is destroyed after a complaint has been filed, the intent of the Act would be frustrated as no proper investigation could be conducted.  The penalty associated with such conduct could be substantial, with provision for a $10,000.00 fine on summary conviction and $100,000.00 on conviction for an indictable offence.  Indeed, given the conciliatory approach the Office of the Commissioner has taken, one wonders why anyone would undertake such a course of conduct.

The next principle of the Act relates to the accuracy of personal information.[9]  In my opinion, this is the least onerous principle from the lawyer’s perspective.  Clearly, your ability to maintain accurate records of a client’s personal information depends primarily on the client.  As a measure of caution I would advise including a brief paragraph in your consent document that requests that the client advise you of any relevant changes to their personal information on an ongoing basis.  Furthermore, you may include an acknowledgment that the information provided is accurate as of the date the document is executed.

Of course, the client’s ability to ensure the information in your control is accurate is dependent upon them having access to same.[10]  As such, access is another principle enumerated under the Act.  While clients are permitted access to their personal information, subject to certain limits that shall not be discussed in this paper, the lawyer is permitted to recover a reasonable cost for providing same.  Of course, the cost must be justifiable and cannot be used as a mechanism to dissuade clients from seeking access.

As a matter of caution you should require that the request be made in writing so that you have a record of the date it was made.  This is critical since the Act permits only thirty days for you to respond to the request.  Upon receiving the written request you should acknowledge that you have the information and advise how it has been used or disclosed by your office.  After reviewing the information the client may advise that it contains some erroneous information.  If that is the case and you are satisfied that it should be amended, simply do so.  It is a useful practice to have the client record the request for change in writing and to keep that document in the file.  Some circumstances in which access may be denied include, but are not limited to, information to which solicitor-client privilege attaches, information which contains confidential commercial information, or cases in which access may threaten someone’s life or security.

The openness principle requires that we inform clients about our personal information management practices.[11]  A key component of the openness principle is that clients are advised of the identity and contact information of the Chief Privacy Officer.  Clients should be invited to contact this individual with any concerns or inquiries relating to their personal information.  As the CPO is your best defense in managing concerns and preventing complaints being filed with the Commissioner, it is imperative that this person be able to deal well with people and be well-versed in the privacy policies of your firm.

Another requirement under the openness principle is the creation of a written privacy policy.  Indeed, a written privacy policy is a fundamental component of any firm’s efforts to comply with the Act. A well-drafted policy which is provided to clients at their first attendance and posted on the firm’s website may serve to satisfy client inquiries in their infancy, thereby freeing staff from such distraction.  Inclusion of the policy on your website is also a useful advertising technique, as it provides potential clients with the comfort that their information will be respected and protected.

The final principle to examine under PIPEDA involves the management of complaints under your firm’s privacy protocols.[12]  The Act requires that you have a system in place for receiving, investigating and responding to complaints.  As the Office of the Commissioner does not currently have the resources to seek out violations of the Act, it is imperative that you endeavor to resolve complaints ‘in-house’. A client who feels that they have been heard and respected is much less likely to pursue a complaint with the Commissioner.  As such, it is important that the complaint be taken seriously, investigated carefully and responded to in writing.

The business justification for effective complaint management is overwhelming.  The Commissioner has a mandate to investigate all complaints and has powers that could easily impact upon the well-being of your practice.  Disruptions during the course of an investigation can be extensive, and the negative publicity that could arise if you are named publicly as having violated the Act could have devastating effects upon your practice.  On a note of guarded optimism it should be noted that the Commissioner has adopted the approach that, except in the most egregious cases, it shall act in a conciliatory role to assist organizations in adhering to the Act rather than impose harsh sanctions.  Nevertheless, it is this writer’s belief that effectively managing complaints in the first instance is the better course.  It should also be remembered that the individual who filed the complaint with the Commissioner is able to rely upon all of the findings in the Commissioner’s report in bringing an action in the Federal Court of Canada.  The Court has been given unfettered discretion in allocating damages arising from a violation of the Act.

Of course, there are some people who simply cannot be satisfied. As the old adage goes ‘the person most likely to sue you tomorrow is the client you have today’.  In those cases being visibly compliant with the Act and forthright in any investigation will establish your firm’s credibility with the Office of the Commissioner and improve your chances of coming through an investigation relatively unscathed.

While PIPEDA is subject to a mandatory review in 2006, it is this writer’s opinion that substantial changes are unlikely given the universal acceptance of the basic principles articulated in the CSA model code.  A greater impact is likely to be felt if and when Ontario passes its own private sector information management legislation.  Indeed, several provinces have now passed legislation that applies in the place of PIPEDA.[13]  This development was contemplated when the Act was passed, which requires that the substance and effect of the provincial legislation be ‘substantially similar’ to that of PIPEDA.

In Ontario, first efforts to draft substantially similar legislation were unsuccessful.  Should legislation be enacted in the future, it will likely expand the scope of privacy legislation to include employee information which currently, excepting employees in federal undertakings, is exempt.  In summary, it is safe to assume that the core values that formed the base of the CSA model code shall form the basis of private sector privacy legislation in the future. The likely expansion of its application suggests that all lawyers in the private sector should undertake to ensure that all of their information management techniques conform to the spirit of PIPEDA. Doing so will position them well to comply with any provincial legislation which may emerge in the future while minimizing their exposure to complaints and their associated cost and distraction.

* Joe McCallum practices with the firm of Heelis, Williams, Little & Almas LLP in St. Catharines, Ontario.  He can be contacted at jmccallum@14churchstlawoffice.com.


[1] S.C. 2000, c.5
[2] S.C. 2000, c.5, Schedule 1
[3] S.C. 2000, c.5, Schedule 1, section 4.1
[4] S.C. 2000, c.5, Schedule 1, section 4.2
[5] S.C. 2000, c.5, Schedule 1, section 4.3
[6] S.C. 2000, c.5, Schedule 1, section 4.4
[7] S.C. 2000, c.5, Schedule 1, section 4.7
[8] S.C. 2000, c.5, Schedule 1, section 4.5
[9] S.C. 2000, c.5, Schedule 1, section 4.6
[10] S.C. 2000, c.5, Schedule 1, section 4.9
[11] S.C. 2000, c.5, Schedule 1, section 4.8
[12] S.C. 2000, c.5, Schedule 1, section 4.10
[13] Specifically Quebec, British Columbia and Alberta