
Volume 14 No. 1 Winter 2004

"Hopefully, it won’t happen until after I retire":
The Private Sector Privacy Legislation Conference

- By Bob Stewart

About ten years ago I was chatting with someone about the Freedom of Information and Privacy legislation that was being enacted at the time. Not having much in my archives that came under this legislation, I was breathing a happy sigh of relief that I would not be put through what seemed a confusing and time consuming process of compliance with the new legislation. I was horrified when my colleague said "and what will you do when they bring in the private sector legislation?" It seemed unimaginable at the time, so I said something like "hopefully, it won’t happen until after I retire." Alas, I am not yet retired, and the new Private Sector privacy legislation has been enacted, and is quickly coming down the track, arriving at our station as of January 1, 2004, in both federal and provincial guises. And in particular, the B.C. legislation includes all organizations, from the large corporations to the smallest non-profit bodies.

In order to learn enough about complying with the legislation to be able to sleep at night, and avoid huge fines, I attended the "New Wave of Privacy Protection in Canada – Understanding and Implementing the New Legislation", held at the Hotel Vancouver in late November, 2003. The federal Act covers "commercial" activities of businesses, but the B.C. Act covers all businesses and non-profit organizations in B.C., commercial or otherwise, and will enforce broader and higher standards and practices for the protection of personal information in the private sector than does the federal Act. I attended the event as a complete greenhorn. My institution has not really been affected by earlier legislation, and I had not studied the matter. I am also generally incapable of understanding legalese.

A breach of the privacy rights of employees (and volunteer staff), clients, or customers can lead to fines of up to $100,000. Thus any organization (1) must now follow specific rules; (2) must ensure that adequate policies and procedures are in place to protect such information as the law requires; and (3) must create a process for managing inquiries, complaints and requests from people for access to their own information. The conference aimed to provide the basics on the new federal and provincial legislation (they are both similar and different!) and practical tools for implementing these principles on a daily basis.

The conference was structured around both plenary presentations and three "breakaway" sessions for managers, for the health care sector, and for the marketers and e-commerce sector. The first Keynote Speaker was David Loukidelis, the B.C. Information and Privacy Commissioner, who spoke on "Making Privacy Law Work in the Real World." This was followed by an excellent expert panel, consisting of lawyer Murray Rankin; Heather Black, Asst. Privacy Commissioner of Canada; the B.C. Management Services Executive Director (Chris Norman); and the Alberta government Executive Director of the Information Management, Access and Privacy, Tom Thackeray. They identified which of the Federal and Provincial laws apply, and where and how they apply. There seems to be a fair bit of a grey area regarding "cross border" information issues – when an organization is sharing personal information within two different provincial jurisdictions, or between a Canadian jurisdiction and other countries.

It must be emphasized that the B.C. law affects all organizations, whether big or small, commercially based or voluntary. Donor records and employment records of non-profit bodies come under the B.C. Act. Alberta and B.C. have worked closely in developing their privacy legislation, though the Alberta legislation has not yet passed third reading.

What is "Personal Information?" It is any information about an "identifiable individual," but does not include the information found on a business card – name, job title, business address, or work phone number. It includes home phone number and address, S.I.N. number, and birth date. It includes the contents of a personnel file, employment history, any medical information, age and education, financial information, credit card information, and salary. It includes photographs; this may affect what we put up on (or perhaps take down from!) our web sites.

Fortunately -- and sensibly -- most privacy complaints up to now have been settled by mediation, rather than by formal orders or fines. I have never attended a conference where I heard the words "sensible" and "reasonable" as frequently as I did at this event. And when I hear the overuse of words like "sensible" and "reasonable," I start thinking I am being snowed. I may be thickheaded, but there are aspects of the legislation that I find simply baffling. I mean this in a practical sense, of how my life will change as an archivist, dealing with historians and researchers, who come through my archival door looking for historical records that may have embedded in them information that is now declared personal. How long do we deny access? Or how much time will it take me to eliminate personal information, or third party personal information? What did not happen at the conference was any specific archivally-based conversation.

That aside, it was a great conference. The staff of the Privacy Commission genuinely wishes to support organizations as they implement their privacy programs. The provincial government Management Services branch and the Office of the B.C. Privacy Commissioner have been developing various tools on their websites at: www.mser.gov.bc.ca and www.oipcbc.org/private. They are extraordinarily eager to be "sensible and reasonable." But what if the program simply isn’t sensible and reasonable enough for historians and archivists to be able to conduct their business?

A session on "The New Privacy Laws and the Workplace" looked at issues relating to employment records and the physical management of such material and the workplace; the presenters were lawyers Murray Rankin and Roger McConchie. This was an excellent panel, and without going into details, it is clear that Human Resources offices will have to be sensitive to the new law in their management of employee records, if they are not already.

The final event on the first day was a plenary panel on "How to reap the benefits, reduce the risks and avoid the legal liabilities of privacy laws." The discussion was generally focused on the business risks to inadequate privacy systems, though there was some broader discussion of conducting a "privacy audit" of all records of your organization. Highly sensitive records should be kept in one location, in order to maintain a high degree of control and security. As well, I was reminded of the importance of care regarding donor records for non-profit organizations, and the risks involved in swapping donor lists.

On the second day, the Keynote speaker was the Privacy Commissioner from Alberta, Frank Work, who spoke on "Creating a Culture of Privacy." While I admit to being no great friend of the phrase "a Culture of Privacy", he gave an excellent presentation, emphasizing the simple human right to privacy, and the challenges that information technology today presents to personal privacy. In my view, there is a tension between the "right to know" and the "right to privacy" that is not going to go away. And as our times lead us to think about acts of terrorism, we find ourselves within a "culture of fear." Thus we face increasing demands for surveillance, and we give up our rights as free citizens to create the appearance of security. Even as crime rates decline, we grow increasingly insecure. The Canadian Bankers Association presses for higher standards for identity cards, while the banks send us mail loads of "pre-authorized" credit cards. There seems to me to be something crazy in all of this.

Following this Keynote address, I attended the "breakaway" sessions for managers, on "What every manager needs to know about the new privacy legislation." These three sessions were wonderfully well led by lawyer Janina Kon, a privacy law specialist, and by Charmaine Lowe, a corporate Privacy and Information advisor from the B.C. Ministry of Management Services. Their three sessions were the highlight of a conference loaded with highlights. The central principle in all of this is that people should have control over their personal information. A second principle, implied by the first, is that personal information must not be collected, used, or disclosed without prior knowledge and consent.

In this province, for transactions conducted wholly within provincial boundaries, the B.C. Protection of Personal Information Act (PIPA) will apply. But where personal information from BC is sent across provincial or international boundaries, or where information originating in other provinces is received in BC, the federal act (the Personal Information Protection and Electronic Documents Act (PIPED Act)) will apply. I may be confused about this, as I am also of the impression that those who send personal information across borders must assure that the receivers of such information will meet the B.C. legal standards. Perhaps this is why they describe inter-jurisdictional legislation as a "grey area", requiring further interpretation.

The presenter identified ten key principles for implementing a privacy system:

To create a privacy policy, the first step is to conduct an internal "privacy audit." While not required by law, it is a useful self-assessment tool for getting to compliance. It is an inventory of where all of the personal information is located, and what the current practices are for managing it. It then asks about the personal information needs of the various functions within your organization. Some functions in the office may not require the personal information they have. The information gathered from your internal privacy audit should help you determine the scope of your privacy program, and help determine your privacy needs and best practices.

Accountability: With the audit completed, and the ten key principles in mind, you are ready to prepare your Privacy Policy. In easy to understand language, prepare it in sections based on the ten key principles. You must ensure that it has contact information on your Privacy Officer. It is best to start with the purpose of the statement first, and then move through the sections. Often it is best to have two different Privacy Policy statements, an external one for customers, clients, and donors, and an internal one for employees or volunteers. It is best to have the statement reviewed by a lawyer who has experience in business or with development of non-profit organizations. Finally, it is the implementation of the Privacy Policy, and not its mere creation, that will bring your organization into compliance. A critical part of implementation is staff training. The staff must know what the policy is, and act as if they actually believed it!

When (or if) your organization transfers personal information to a third party, it is necessary that you include a privacy protection clause in the contract. While this whole area of "outsourcing" personal information is an important issue to some organizations, many will not be touched by it. The important thing is that if you do send personal information, you must continue to take steps to protect that information.

Obtaining consent: The issue of managing consent requirements is a big one. You must identify to the individual the purpose for which the personal information is collected, and limit the amount of information as much as possible. You must also limit the use or disclosure of the personal information to the identified purpose. If you wish to use the personal information for other purposes, you need to get new consent.

Consent may be explicit or implicit. The explicit consent can be either written or verbal, but if verbal you should document it. Implicit or implied consent exists where, in the circumstances, the purpose for which the information is collected is obvious, and the information is given voluntarily. There is also opt-out and opt-in consent. Opt-out consent cannot be used for sensitive information, but can be for things like mailing lists. Opt-in consent is better, as it asks the individual to agree to give permission actively rather than passively. Consent is not required for either medical emergencies, or for the investigation of a breach of agreement, of fraud, or other criminal matters. Consent cannot be made a condition of supplying a product or service. An individual may withdraw consent.

An important distinction needs to be made between personal information generally, and the personal information of an employee. Where employee personal information is to be gathered by an employer for the purpose of establishing, maintaining, or administering the employment relationship, consent is not required – provided that the employee is notified.

The B.C. Act also has a limited grandfather clause. If you have collected personal information prior to the new law, you don’t have to seek new consent, so long as you are continuing to use the information for the original purposes. However, if the prior collection was done for purposes that are not reasonable (that is, they do not pass the "reasonable person" test), the information cannot be used.

Complaint Handling Processes: The session then moved on to deal with how to develop an internal complaint handling process. If the Privacy Officer receives a complaint, his office must respond within 30 working days. All complaints must be investigated. Thus it is critical that you have an appropriate record keeping system for personal information. There are several tips that make this system work:

While it is always best to have a complaint made in writing, there are times when an individual is reluctant to do so, and might challenge the right of the organization to require written complaints. Some people with handicaps may have limited ability to write their complaint. The main point in having a complaint in writing is that one needs to control the risk of the nature of the complaint changing as the investigation goes forward. So even if the initial complaint is verbal, it is appropriate for the Privacy Officer to have the complaint written up and signed by the complainant as to its accuracy.

Individuals have the right of access to their own personal information. It follows then that careful filing is important so as to avoid misfiling another employee’s information. It is also best to give a photocopy of the record rather than the original, and that you make a record of what was provided. As well, there may be personal information on several individuals, so you may need to blank out such information on the other individuals on the photocopy you are providing.

Personal Information Records Retention: Under B.C. PIPA law there are records retention requirements. Thus it is important to have personal information properly managed. It must be kept for a minimum of a year, so that individuals affected by any private information decisions can examine the material before it is destroyed. As well, personal information must not be kept after it is no longer necessary for the purposes for which it was collected, or for legal or business purposes.

Never have pejorative records; write them in an objective and neutral language. It is important to know where all personal information is kept, to collect only what you need, and to periodically cull files that contain records no longer needed. Set records retention schedules, and follow them.

Finally, no fees can be charged to an employee seeking to have access to their files.

B.C. PIPA law requires that the personal records be kept secure. Your organization is responsible for the records even when they are not kept in the office. Many recommendations are simply reasonable. Sensitive information requires higher security than does less sensitive information. It is best that there should be stratified access to records. For example, the accounting office needs access to financial records, not personnel records. Sensitive records should not be left lying around on the desk for anyone to casually examine. It is important to have rigorous methods of disposal of records. (The horrible example of the Bella Bella Hospital records being burned on the beach was used!) Internal security threats are also very critical. (The case of the Delta Police officer seeking personal information from license plate information on cars parked near the abortion clinic was raised here.)

The conference was very worthwhile. At the same time, I, as an archivist, remain unsure of where the legislation takes us. The conference was not targeted at archivists. As an archivist who works within a church organization in B.C., yet one that is a national body as well, I wonder about our internal personal information records. Do I generate a privacy policy for my archives? Or does the B.C. Conference organization generate one for all of its offices, including the archives? Or do we have two policies, one specific to the archives and the needs of donors and users? Or does the national body of the United Church create a master Privacy Policy that would have regional and archival subsections? While my archives may generate an archival privacy policy and seek to be compliant, it is not clear how such a policy would work within both the regional levels of the church, under the BC PIPA, and within the federal legislation, given that the United Church also operates as a national organization. And what of the privacy policy needs of local congregations? In non-profit and voluntary organizations, unpaid volunteers generate many records, and holding them to privacy standards could be a challenge. Further, many of our offices have no formalized records management program, and I am of the view that at the moment, records management is a prerequisite to an adequate personal privacy system. Thus we are operating with real limitations as to how access and privacy can be efficiently managed under the new law. And if we have difficulty managing our paper records, the management of electronic records remains a distant dream. I may, as archivist, say that I am only responsible for the privacy issues that I encounter in my archives. Perhaps, given the complexities of our life as a voluntary non-profit association, that is enough. If we all look after our own journey toward compliance, we may actually get there.

On top of these systemic or structural problems are the problems of what we do as archivists, dealing with historical researchers. Are archival records going to be lost? I fear that many of the records that we (and our users) have come to expect archives to preserve may well be destroyed. When institutions collect personal records (even photographs!) from individuals, they generally collect them for administrative, operational, and public relations reasons, rather than for historical research in some far off future. I fear that the framers of the Act have not adequately attended to our archival interests. Perhaps some of these matters can be discussed by the upcoming AABC Education Committee workshop on the privacy legislation, as this relates specifically to archives.

The Private Sector legislation is coming down the track. Right now, it does not feel quite like a Glory Train on the track to Privacy Heaven. What happens to the lost souls who are not compliant on January 1st? The legislation has many grey areas that will require interpretation. To listen to the B.C. and Alberta Privacy Commissioners, there seems to be a certain spirit of grace and a recognition that we are not all going to be on board on January 1st. Many small, one-person archives are going to need a fair bit of TLC to get to compliance. There are tools available, and more are being created. Sooner or later, and likely sooner, we are all going to have to attend to the privacy issues. Yet I remain confused about the archival consequences of the Acts. While I am perhaps more ready to migrate toward a privacy system at my local archives, I am not sure what the entire "United Church" is going to do, and I trust that those better placed than I will soon be dealing with the "larger picture." Perhaps that is their problem, not mine! Our United Church archival network will likely work to develop some simple tools to help local churches and some other offices work within the new culture of privacy. Yet I doubt that we will be creating "one size fits all" templates!


© 2004 Archives Association of British Columbia