Legislative Update

A couple of recent legislative changes and initiatives will be of interest to due diligence and investigative researchers.

Amendments to PIPEDA

The Digital Privacy Act, recently passed by Parliament and soon to come into force, amends the federal Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to private sector organizations that collect, use, or disclose personal information in the course of commercial activities. As the Data Protection Report notes:

The revised PIPEDA will specifically permit the sharing of personal information without individuals’ consent in the context of due diligence for business transactions, such as M&A, a partial sale of assets or transfer upon insolvency, provided certain conditions are met by the parties to the transaction. Organizations engaging in these types of business transactions will need to ensure compliance with the statutory requirements that resemble those found in Alberta’s privacy legislation. For example, under the PIPEDA amendments, only information necessary to the transaction may be communicated pursuant to an undertaking to protect the information with appropriate security measures and to use it solely for purposes related to the transaction. If the transaction does not proceed, the information must be returned. Otherwise, it may only be used after completion of the transaction for the purposes for which it was originally collected and if certain conditions are met, including notice to the individuals concerned.

The updated legislation also gives organizations the ability to disclose personal information to other organizations for the purposes of investigating a breach of an agreement, or a contravention of a Canadian law, or in connection with detecting, preventing or suppressing fraud.

Limits to Ontario Police Record Checks

A proposed bill in Ontario will standardize and limit the kinds of information released in police record checks. Police would no longer be able to disclose mental health information and would only release non-conviction records, such as acquittals, in limited circumstances to potential employers and others in background checks.

The Ethics of Social Media Cyber-Sleuthing

Without a doubt, social media and social networking sites like Facebook, Twitter, LinkedIn, and countless others have become indispensable tools in conducting background investigations, due diligence, employment pre-screening, and other types of investigations. Pursuit Magazine recently had a good two-part series that covered not just pointers to some lesser-known social media sites, but also discussed the importance of adequately capturing and presenting the information found on these sites.

The articles also highlighted some ethical and legal issues around gathering such information, advising, for example, against using shady techniques like pretexting and password cracking to gain access to protected material. Additionally, in Canada, a number of laws – notably human rights and privacy laws – govern the types of information that may be gathered on social media and elsewhere, the methods used for gathering the information, and the decisions made based on the information.

To stay on the side of the law, it is crucial for organizations and investigators to exercise caution when researching, collecting, and disclosing personal information about individuals. The Information and Privacy Commissioner of British Columbia has released some guidelines for social media background checks (PDF), identifying some pitfalls and issues to keep in mind:

  • Accuracy of information (Is it the right profile? Was the profile created by the individual himself or herself? Is the information current?)
  • Collecting irrelevant or too much information
  • Over-reliance on consent

Exercising good judgment when trawling social media sites isn’t just a matter of law and ethics; it can also save the organization from embarrassment, a lesson that the Toronto Star learned the hard way when it published false allegations against an Ontario MPP based on an old Facebook photo. The newspaper issued a rare front-page apology, citing an “egregious lapse” of standards.

Photo source: Jason Howie, Flickr

Recent Developments in Privacy Law

In Canada, we have some of the most stringent privacy legislation in the world, and in my public records research, I’m constantly coming up against privacy laws that complicate my work and keep me from finding as much information about private citizens as I’d like. As a private citizen myself, however, I’m grateful for these laws, which seem to get strengthened whenever they’re challenged in the courts.

Even with police searches, the trend seems to be toward recognizing privacy interests. In a recent ruling, for example, the Supreme Court of Canada declared unanimously that a specific search warrant is required to search the contents of a personal computer or cellphone. The Court drew a distinction between computers, which contain a large amount of personal information, and other types of receptacles in the home. When it comes to privacy concerns, the computer must be treated as a separate place:

In effect, the privacy interests at stake when computers are searched require that those devices be treated, to a certain extent, as a separate place. Prior authorization of searches is a cornerstone of our search and seizure law. The purpose of the prior authorization process is to balance the privacy interest of the individual against the interest of the state in investigating criminal activity before the state intrusion occurs. Only a specific, prior authorization to search a computer found in the place of search ensures that the authorizing justice has considered the full range of the distinctive privacy concerns raised by computer searches and, having done so, has decided that this threshold has been reached in the circumstances of a particular proposed search. 

In another recent decision, however, the Supreme Court highlighted the importance of freedom of speech when it conflicts with privacy concerns. In a case that involved a union photographing and videotaping people crossing a picket line during a strike, the Court struck down Alberta’s privacy legislation. The Court stressed the basic importance of freedom of expression in the context of labour disputes, saying the law imposed undue restrictions on the union’s ability to communicate and promote its case during a legal strike. It gave the province a year to make appropriate changes.

Meanwhile, Manitoba, which recently enacted its Privacy Information Protection and Identity Theft Prevention Act (“PIPITPA”), may also have to make some changes, as it based its legislation on the Alberta model. Manitoba is now the fourth Canadian province to enact general private sector privacy protection legislation (the others are British Columbia, Alberta and Quebec), the key feature of which is the breach notification provision: an organization must notify affected individuals if personal information under the organization’s control is lost, accessed or disclosed without authorization.

Finally, this news is a good reminder that being in contravention of privacy laws can cost businesses: the Federal Court recently ordered Bell Canada to pay $21,000 in damages in connection with conducting a credit check on a customer without consent.

Wondering about the various pieces of public and private sector privacy legislation in Canada? This site has a good overview.