Privacy Law for Network Administrators Steven Penney Faculty

  • Slides: 31
Download presentation
Privacy Law for Network Administrators Steven Penney Faculty of Law University of New Brunswick

Privacy Law for Network Administrators Steven Penney Faculty of Law University of New Brunswick

Overview • Criminal Code • Public sector privacy legislation • Private sector privacy legislation

Overview • Criminal Code • Public sector privacy legislation • Private sector privacy legislation • Sector-specific legislation

Criminal Code

Criminal Code

Interception and seizure of private communications • Prohibitions – Wire-to-wire communications – Wireless (radio-based)

Interception and seizure of private communications • Prohibitions – Wire-to-wire communications – Wireless (radio-based) communications – Systems manager exception (quality control, unauthorized use, mischief) • Interception (wiretap) warrants – Content – Routing (“envelope”) data • Search and seizure warrants • 3 d party production orders

Public sector privacy legislation • Privacy Act – “Personal information” under control of a

Public sector privacy legislation • Privacy Act – “Personal information” under control of a “government institution” • Provincial legislation

Private sector privacy legislation

Private sector privacy legislation

PIPEDA Personal Information Protection and Electronic Documents Act

PIPEDA Personal Information Protection and Electronic Documents Act

History • EU Directive (1995) – “adequate level of protection” • CSA Model Code

History • EU Directive (1995) – “adequate level of protection” • CSA Model Code (1996) • Phased implementation – Full effect January 1, 2004

Jurisdiction • Commercial activities (federal & provincial) • Employee information (federal only) • Exemptions

Jurisdiction • Commercial activities (federal & provincial) • Employee information (federal only) • Exemptions – Privacy Act – Personal or domestic purposes – “substantially similar” provincial statutes (intraprovincial information only)

Overview • Personal information • Privacy principles • Oversight and enforcement

Overview • Personal information • Privacy principles • Oversight and enforcement

Personal Information • Definition – “information about an identifiable individual. . . [except] the

Personal Information • Definition – “information about an identifiable individual. . . [except] the name, title or business address or telephone number of an employee of an organization” • Intimacy not required • Collection v. generation irrelevant • Anonymity and aggregation

Privacy Principles

Privacy Principles

Interpretive tools • Schedule (“shall” v. “should”) (s. 5(2)) • Reasonableness (s. 5(3)) –

Interpretive tools • Schedule (“shall” v. “should”) (s. 5(2)) • Reasonableness (s. 5(3)) – “An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances. ”

The Schedule

The Schedule

Accountability • Designated person • 3 d party transfers – Mere processing (contractual protections)

Accountability • Designated person • 3 d party transfers – Mere processing (contractual protections) – Disclosure (must comply with Act)

Notice of purposes • New purposes

Notice of purposes • New purposes

Informed consent • No conditions for non-essential information – e. g. “no SIN, no

Informed consent • No conditions for non-essential information – e. g. “no SIN, no connection” • Form of consent – Sensitivity of information – Express v. implied – “Opt-in” v. “opt-out” • Withdrawal of consent – Subject to legal and contractual restrictions

Exceptions to consent • Collection – – Interests of person and consent can’t be

Exceptions to consent • Collection – – Interests of person and consent can’t be obtained Investigation of breach of contract or law Journalistic, artistic, or literary purpose Publicly available and in regulations • Use – – – Investigation of breach of law Health or security emergency Statistical or scholarly research (restrictions) Publicly available and in regulations Collected under ss. 7(1)(a) or (b)

Exceptions to consent con’t • Disclosure – – – Organization’s lawyer Debt collection Court

Exceptions to consent con’t • Disclosure – – – Organization’s lawyer Debt collection Court order Law enforcement and national security (where legal entitlement) Investigation of breach of contract or law (to or by investigative body) Health or security emergency Statistical or scholarly research (restrictions) Archives 100 years or 20 years after death Publicly available and in regulations Compliance with law

Limiting collection • Only for identified purposes

Limiting collection • Only for identified purposes

Limiting use, disclosure and retention • No additional purposes without consent • Retain only

Limiting use, disclosure and retention • No additional purposes without consent • Retain only for as long as necessary to fulfill purpose for which information collected • Retain long enough to enable access to information used for decision • Guidelines and procedures encouraged, including minimum and maximum retention periods

Accuracy • Accurate, complete, and up-to-date

Accuracy • Accurate, complete, and up-to-date

Safeguards • Loss or theft, unauthorized access, etc. • Measures vary with sensitivity of

Safeguards • Loss or theft, unauthorized access, etc. • Measures vary with sensitivity of information • Technological measures (e. g. encryption) • Employee training

Openness • Policies in readily accessible form • Contact information • Means for access

Openness • Policies in readily accessible form • Contact information • Means for access to information • General description of types of information held

Access • Confirmation of existence • Right of review • Disclosure of information to

Access • Confirmation of existence • Right of review • Disclosure of information to third parties (list) • Minimal or no cost • Due diligence and time limits • Amendment and corrections

Exceptions to Access • 3 d party information • Solicitor-client privilege • Confidential commercial

Exceptions to Access • 3 d party information • Solicitor-client privilege • Confidential commercial information • Health or security of 3 d party • Compromise legal investigation • Information generated from formal dispute resolution process • Notification of access request to government for law enforcement (government veto)

Challenging compliance • Procedures and notification • Duty to investigate • Appropriate remedies

Challenging compliance • Procedures and notification • Duty to investigate • Appropriate remedies

Oversight and Enforcement

Oversight and Enforcement

Privacy Commissioner • Complaints • PC’s power to initiate • Investigative powers and mediation

Privacy Commissioner • Complaints • PC’s power to initiate • Investigative powers and mediation • Reports (confidentiality and shaming) • Audits • Education, research, and compliance assistance

Federal Court • Complainant • Privacy Commissioner • Remedies

Federal Court • Complainant • Privacy Commissioner • Remedies

Provincial Legislation • Non-commercial • Employees in provincial sector • Commissioners’ order-making powers •

Provincial Legislation • Non-commercial • Employees in provincial sector • Commissioners’ order-making powers • Jurisdictional issues

PODER Y AUTORIDAD STEVEN LUKES STEVEN LUKES StevenPODER Y AUTORIDAD STEVEN LUKES STEVEN LUKES Steven
Privacy Law September 13 2007 Privacy Policy LawPrivacy Law September 13 2007 Privacy Policy Law
WWII THE WAR AT HOME J Penney 2014WWII THE WAR AT HOME J Penney 2014
meaning pore bearer GROUP 36 JESSICA PENNEY TONIKAmeaning pore bearer GROUP 36 JESSICA PENNEY TONIKA
A CASE OF BAD MANAGEMENT J C PENNEYA CASE OF BAD MANAGEMENT J C PENNEY
PSC Update GASPA May 7 2010 Penney McPSC Update GASPA May 7 2010 Penney Mc
Fallbeispiel Privacy Was ist Privacy Wie wird PrivacyFallbeispiel Privacy Was ist Privacy Wie wird Privacy
How Privacy Relates to Security Privacy Symposium PrivacyHow Privacy Relates to Security Privacy Symposium Privacy
Case studies Privacy Privacy Privacy Is an EUCase studies Privacy Privacy Privacy Is an EU
Steven Mc Donald TRIUMF Network Computing Services stevenSteven Mc Donald TRIUMF Network Computing Services steven
Administrators and System Administrators Akari Curriculum Management SystemAdministrators and System Administrators Akari Curriculum Management System
Association of California School Administrators What Administrators NeedAssociation of California School Administrators What Administrators Need
Latin American Law Medieval law Canon law LawLatin American Law Medieval law Canon law Law
Latin American Law Medieval law Canon law LawLatin American Law Medieval law Canon law Law
COMMON LAW Common Law definition Judgedeclared law LawCOMMON LAW Common Law definition Judgedeclared law Law
INTERNET LAW BUSINESS LAW INTERNET LAW Internet lawINTERNET LAW BUSINESS LAW INTERNET LAW Internet law
Basic Law Criminal Law Civil Law Criminal LawBasic Law Criminal Law Civil Law Criminal Law
Web Privacy September 25 2007 Privacy Policy LawWeb Privacy September 25 2007 Privacy Policy Law
Introduction To Privacy Law Richard Warner Informational PrivacyIntroduction To Privacy Law Richard Warner Informational Privacy
The Law of Privacy 1 What is privacyThe Law of Privacy 1 What is privacy
Data Privacy October 30 2007 Privacy Policy LawData Privacy October 30 2007 Privacy Policy Law
Privacy Policy Law and Technology Data Privacy OctoberPrivacy Policy Law and Technology Data Privacy October
Informational Privacy Privacy Law Consent and Norms RichardInformational Privacy Privacy Law Consent and Norms Richard
Chapter 4 PRIVACY PRIVACY PROTECTION THE LAW nChapter 4 PRIVACY PRIVACY PROTECTION THE LAW n