Area of Law: Internet and Cyber Law
Answer # 346
Privacy and the InternetRegion: Ontario Answer # 346
The popularity of the Internet has raised many questions about the privacy of information that is stored on computers and contained in email messages. This type of information may be protected by laws scattered in various legislation. For example, laws governing industries such as banking and credit reporting agencies contain provisions that may be helpful in protecting certain types of personal information.
Right to privacy
Generally, information such as medical records or financial information is private information that cannot be released without your permission. Private information may also be protected indirectly. For example, it is a criminal offence to break into a computer system, whether to steal or change private information or for other unauthorized purposes. This is called ‘hacking.’ If you think your system has been ‘hacked,’ you should call the police or contact a lawyer.
Personal Information Protection and Electronic Documents Act (PIPEDA)
When doing business online, many organizations need to collect personal information about you for their legitimate business purposes. The Personal Information Protection and Electronic Documents Act (PIPEDA) sets out rules to ensure that businesses advise you about their intent to collect and use your personal information, and that they obtain your consent to do so. Businesses must also manage your information in a way that safeguards your privacy to help ensure that your personal information is not stolen or inadvertently disclosed to unauthorized people. Compliance with PIPEDA is overseen by The Office of the Privacy Commissioner of Canada.
What businesses are covered by PIPEDA?
With some exemptions, since 2004, PIPEDA applies to organizations across Canada. However, even information collected before 2004 is now covered by the Act. For example, this means that the business would now need to receive the individual’s consent to disclose or use that information.
Under the Act, the word organization is broadly defined and includes, “an association, a partnership, a person and a trade union”. The Act applies to both federally regulated industries, such as banking and telecommunications, and provincially regulated businesses. It also applies to both businesses which operate from a physical location or only online.
What is considered personal or sensitive information under PIPEDA?
Personal information includes information such as a person’s date of birth, address, financial records and health records. Information that is used in commercial activities, such as a person’s name, business telephone number and email, would not be considered personal information. PIPEDA also applies to paper-based documents and other hard-copy and materials, (such as physical files and photographs), as well as online and e-commerce activities.
PIPEDA also protects personal information of a sensitive nature, such as health records, memberships in political or religious organizations, and information about a person’s sexual orientation.
Exemptions from PIPEDA
PIPEDA does not apply to organizations and/or activities in provinces where provincial legislation exists that is substantially similar to the federal legislation. This applies to provincial personal information privacy legislation in Alberta, British Columbia and Quebec. In addition, health information custodians in Ontario, New Brunswick and Newfoundland are exempt from Part 1 of PIPEDA because provincial personal health information privacy laws exist in those provinces that is also substantially similar to PIPEDA.
Digital Privacy Act (DPA)
On June 18, 2015, PIPEDA was amended to include the Digital Privacy Act (DPA). Mandatory data breach response requirements were included in these amendments which have come into effect November 1, 2018. The amendments require that organizations must inform the Office of the Privacy Commissioner of Canada (OPC) and consumers when their personal information has been lost or stolen, referred to as a data breach, in cases where it is reasonable to believe that the breach poses a “real risk of significant harm” to the affected individuals. Organizations are also required to keep a record of all data breaches. Companies that fail to report or record a breach could face fines of up-to $100,000.
Privacy of communications
Generally, you also have a right to have your private communications remain private. In most circumstances, it is an invasion of your privacy for someone to monitor or disclose the contents of your private communications. However, different rules may apply for email communications that you send or receive on your employer’s computer system. You should check to see if your employer has a policy that describes what kind of computer activities are permitted.
Even if your employer does not have a policy about Internet and email use, you should assume that your employer can track all the websites you visit and read all the messages you send or receive, even after you have deleted them. If you use the computer system at your workplace to send or receive inappropriate messages, it could be ‘just cause’ for your employer to fire you.
Computer and email use policy
The best way to avoid problems with Internet and email usage at the workplace is for employers to develop a written policy. The policy should include guidelines about topics such as: visiting inappropriate websites, spreading computer viruses, confidentiality, personal use, and copyright infringement. Most employers will also want to include an explicit right to monitor the electronic communications of their employees. A lawyer can help you write an Internet and email policy for your company.
For more information about PIPEDA and privacy laws in Canada, visit the Office of the Privacy Commissioner of Canada.
You now haveoptions: