CSA Model Code for the Protection of Personal Information, CAN/CSA-Q830-96
2002-2003 Review Comments of Philippa Lawson, Public Interest Advocacy Centre
It has now been six years since the introduction of the CSA Model Code for the Protection of Personal Information. A number of organizations have modeled their own privacy codes and policies on this standard, and businesses across the country have been attempting to understand their obligations under the Code, now part of the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”). Similarly, individual consumers have been trying to understand their rights under this new Code and legislation.
It has become clear that some important aspects of the Code are subject to widely differing interpretation. The vagueness of some provisions leaves both businesses and consumers uncertain as to their proper meaning and application, and encourages each interested party to interpret the provision to their advantage. The result is marketplace confusion, increased business expense, reduced utility of the Code, and loss of confidence by consumers in the protections that the Code was meant to afford.
Some of these issues of interpretation have been taken to the Privacy Commissioner by way of complaint under the PIPEDA. A body of authoritative findings is thus gradually clarifying some of the many grey areas of the Code. However, these findings are not legally binding, and are not subject to appeal by respondents. Hence, businesses can decide not to respect a determination by the Privacy Commissioner, and the matter may never be finally resolved.
Moreover, it will take many years for all of the uncertainties inherent in the Code to be addressed by the Privacy Commissioner. Businesses and consumers need certainty earlier rather than later. Businesses want to be able to design their data systems in accordance with the intended meaning of the Code, rather than having to go back and re-design the system, after finding out that their interpretation of a grey area in the Code was wrong.
Finally, it is far preferable for the Code to be clear on its face, than for parties to have to consult jurisprudence in order to understand what the Code means in practice. The latter merely increases business cost and makes it more difficult for organizations to comply.
For all these reasons, the Code should be revised at least so as to clarify certain vaguely worded provisions, and to create greater certainty for businesses and consumers alike.
In addition to uncertainties surrounding key provisions of the Code, it has come to light that some provisions are inappropriately worded, insofar as they fail to provide the level of data protection intended by the Code. These provisions should also be revisited in the review process.
Finally, the Code is deficient insofar as it fails to address some key components of informational privacy.
We note that the PIPEDA will be subject to Parliamentary review in 2005. Given that the PIPEDA is based on the CSA Code, it is important that any updates to the Code be made in advance of this review. The Parliamentary review will then, no doubt, involve a review of the updates to the Code.
Provisions Needing Greater Clarity
At the core of the Code is the concept of individual knowledge and consent. Yet, this critical concept is unclear in the Code and subject to widely differing interpretations in the marketplace. It is essential that the Code address this fundamental issue by distinguishing between the various types of consent and specifying clearly the circumstances under which each is acceptable.
Sub-principles 3.4, 3.5, and 3.6 address this issue, but do so incompletely and confusingly. They need to be revised so as to clarify that there are at least three different types of consent:
- express,
- implied, and
- deemed (e.g., via negative option).
Confusion has resulted from the use of the term “implied consent” to cover not only situations in which consent is actually provided (i.e., where the person would have consented if asked, and where the facts clearly suggest that consent was provided), but also situations in which consent is merely deemed (i.e., where it cannot reasonably be determined that the person would have consented if asked).
There is an important difference between “implied consent” and “deemed consent”. In the former, the individual has actually consented; whether consent can be implied is a matter of fact, not of law. In the latter, it does not matter whether the individual has actually consented; the law (or Code) permits organizations to act as if the individual has consented.
This difference is important insofar as it leads to differing standards of notice in each case. Notice is of less importance in the situation where consent can be implied. This is because consent can only be implied where it is reasonable to assume that the individual is fully aware of the collection, use, or disclosure and agrees to it. On the other hand, notice is of critical importance in those situations where consent is deemed, since the onus is then on the individual to “opt out” if they desire (or, in cases where no opt-out is offered, the individual needs at least to be aware of the uses to which their information will be put).
Negative option consent, the most prevalent form of consent for use of personal data in the marketplace, is a form of “deemed consent”, since it deems consent regardless of whether the individual is actually aware of the use, let alone consents to it. Other forms of deemed consent may also exist.
The Code needs to be revised so as to clearly distinguish between these different forms of consent, applying different standards of notice as appropriate.
The Ontario government has provided an excellent model for a definition of “implied consent” in its Draft Consultation Act. A version of this model is as follows:
“The consent of an individual to the collection, use or disclosure of personal information about the individual by an organization may be implied only if,
- in all the circumstances, the purpose of the collection, use or disclosure as the case may be, is or will become reasonably obvious to the individual;
- it is reasonable to expect that the individual would consent to the collection, use or disclosure; and
- the organization uses or discloses the information for no purpose other than the purpose for which it was collected.
As part of making the purpose of the collection, use or disclosure of personal information about an individual by an organization obvious to the individual, the organization may post or provide a notice describing the purpose where it is likely to come to the individual’s attention.”
Negative option consent also needs to be defined and made subject to criteria for validity. As recently determined by the federal Privacy Commissioner, negative option consent is valid only under the following conditions:
- the personal information in question is not sensitive;
- the individual in question would reasonably expect that their consent could be deemed in this circumstance unless they clearly express otherwise;
- the purposes and negative option are brought to the attention of the individual, not merely posted on a website or hidden in contractual fine print where the individual may not notice it;
- the notice is clearly worded, in plain language, so that the ordinary consumer can understand how their information may be used;
- the notice is sufficiently detailed, so that the individual can understand to whom their information may be disclosed;
- the negative option is appropriately dis-aggregated, so as to allow individuals to opt-out of non-essential uses without also opting-out of essential uses; and
- the negative option is convenient, easy-to-use, and inexpensive to execute.
The following is a possible approach to negative option consent in the Code:
“Except where express consent is required, an organization may attempt to obtain the consent of an individual to the collection, use or disclosure of personal information by providing a notice to the individual that meets the following requirements:
- The organization provides the notice to the individual in a manner in which it is likely to come to the individual’s attention.
- The notice is clear and understandable to a reasonable person.
- The notice is accurate and would not mislead a reasonable person.
- The notice clearly states the purpose or purposes of the collection, use or disclosure.
- The notice describes the personal information that is to be collected, used or disclosed.
- The notice clearly explains that the individual has the right to opt out, that the individual may opt out at any time and that, if the individual opts out, the opt-out is not limited in duration.
- The notice explains the consequences of the individual’s opting out.
- The notice provides a means by which the individual can opt out that involves minimal effort by the individual and no cost to the individual, which may include using,
  - a toll-free telephone number,
  - electronic means, if the organization is communicating with the individual by electronic means,
  - a form with mailing information and pre-paid postage, or
  - any other reasonable approach.”
The Code could also provide clearer guidance to organizations on the question of when express consent, as opposed to negative option consent, is required. Such guidance could state as follows:
“An organization shall not use an opt-out notice to obtain a consent of an individual to the collection, use or disclosure of personal information if a reasonable person would not consider it appropriate in the circumstances, having regard to,
(a) the sensitivity of the information;
(b) whether the information is personal health information or financial information;
(c) the expectations of a reasonable individual;
(d) the context in which the collection, use or disclosure is to occur;
(e) the purpose or purposes for which the information is to be collected, used or disclosed;
(f) the clarity of whatever statements the organization gives to the individual about the purpose or purposes for which the information is to be collected, used or disclosed;
(g) the degree to which the purpose or purposes of the collection, use or disclosure are congruent with the statements mentioned in clause (f);
(h) whether the organization is seeking to disclose the information to a party unrelated to the organization;
(i) whether the organization is in a business or other relationship with the individual; and
(j) the length of time since the organization first obtained the individual’s consent to the collection, use or disclosure of the information.”
2.3; 3.2 Notice
The issue of notice to individuals is addressed in two principles: under “Identifying Purposes” in 2.3, and again under “Consent”, s.3.2. Given the extent to which organizations rely upon notice as opposed to actual consent, it is strange – indeed troublesome – that the Code does not highlight the issue of notice. Consideration should be given to creating a separate principle under heading “Notice”, in order to clarify the issue and to remove repetition from the Code.
Section 2.3 addresses timing of the notice, stating:
“The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is being collected.”
Section 3.2 states:
“Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used.”
As noted above under “Consent”, the standard for notice will differ according to whether consent can be implied, is being obtained expressly, or is being deemed under a negative option. The importance of notice in the case of negative option consent, at least, is such that it warrants greater attention and stronger obligations than currently exist in the Code.
Specification of purposes to the individual at or before the time of collection, use or disclosure should be mandatory, and any allowable exceptions thereto should be specified. This is more appropriate than the current approach under which timely notice is not required, even in situations where it should be provided.
The Code should also provide clearer guidance to businesses as to what constitutes “a reasonable effort to ensure that the individual is advised”. Is posting on a website sufficient? Is notice via company brochures, available at the company premises, sufficient? Is including the notice as part of a lengthy contract sufficient?
3.0, 5.0 Retention
The Code covers retention of personal information both implicitly, through collection and use, and explicitly, in ss.5.0, 5.2 and 5.3. It has become clear, however, that parties differ as to whether retention for a particular purpose constitutes a “use” under the Code, requiring consent. The Code should clarify this through appropriately worded sub-principles under 3.0 and 5.0.
Provisions in need of Strengthening
3.3 Refusal to Deal
Section 3.3 states:
“An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.”
This section, as currently worded, provides little value to the Code. Meaningful data protection requires that organizations do not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required for the transaction or provision of services in question.
The section as currently worded permits organizations to refuse to deal with individuals even where the personal information is requested for a purpose that is neither necessary for the dealing, nor related to it. All that is required is that the purpose be “explicitly specified and legitimate”.
Again, the Ontario government’s consultation draft improved significantly upon the wording of the CSA Code, by addressing the issue of “Tied Selling” as follows:
“An organization shall not, as a condition of dealing with an individual, require the individual to consent to the collection, use or disclosure of personal information beyond that required to fulfill the purpose of the dealing.”
2.5 Explaining Purposes upon Request
The Code currently states, in s.2.5:
“Persons collecting information should be able to explain to individuals the purposes for which the information is being collected.”
The widespread inability of customer service representatives to explain to consumers, upon request, the purposes for which their personal information is being collected is an ongoing problem in the marketplace. Consumers are unable to exercise their rights under the Code because they cannot, without unreasonable effort, find out why the business is seeking the information. Instead, they are faced with a Hobson’s choice of handing over their personal information for unknown future purposes, or cancelling the transaction (after having spent time and effort selecting the good or service to be purchased). This reality effectively strips the Code of effectiveness for the ordinary consumer in the context of ordinary marketplace transactions.
If businesses are to “get with it” and be able to explain to individuals, at the time the information is requested, the purposes for which it is being requested, the Code must make this requirement mandatory rather than merely aspirational.
1. Openness – Disclosing the Source of the Information
This sub-principle merely “encourages” organizations to indicate the source of personal information upon request by the individual. It is unclear why organizations should not be required to do so, where they can determine the source of the information without unreasonable effort.
The scheme set up by this Code is one that relies upon consumer complaints in order to uncover problems. If consumers are unable to determine the source of their personal information obtained by an organization due to the organization’s refusal to indicate the source, they may be unable to formulate a legitimate complaint, and a disgraceful practice may never be uncovered. The Code should require such disclosure to individuals where possible.
New Provisions Needed
Limiting Collection – Other Information
The “Limiting Collection” principle implicitly requires that non-personal information be used wherever it suffices. However, in keeping with the structure of the Code, and given the importance of this point, it would be helpful to make this implicit requirement explicit in an additional sub-principle. Again, the Ontario Consultation Draft provides a useful model:
“An organization shall not collect, use or disclose personal information if other information will serve the purpose of the collection, use or disclosure.”
Limiting Collection – Direct Collection
The Code should include a requirement that personal information be collected directly from the individual to whom it pertains, subject to certain exceptions. Such exceptions could include:
- if the individual consents to having the organization collect the information from the person who has custody or control of it;
- if the individual consents to having the organization that has custody or control of the information disclose it;
- if the person with custody or control of the information is authorized at law to act on behalf of the individual and consents to the disclosure of the information to the organization; or
- if the organization is authorized by law to collect the information in a manner other than directly from the individual.
Collection of Personal Information From or About Children
Many have noted that the Code does not address the specific issue of children’s informational privacy. Consideration should be given to developing a principle addressing this issue.