Law firms should prepare now for the Personal Information Protection Act (Bill 38)
The Personal Information Protection Act (Bill 38) passed second reading in the Spring session of the provincial legislature. While the Bill did not receive third reading prior to the adjournment of the legislature at the end of May, it is expected to pass into law sometime in the Fall.
Bill 38 will govern the personal information that businesses, non-profit organizations and other private sector entities in the province can collect from clients, customers, employees and volunteers and how that personal information is to be used, disclosed and stored. This legislation will apply to law firms and to lawyers in private practice and will affect how firms handle the personal information of employees and clients, as well as personal information gathered by lawyers about non-clients in the course of a retainer.
Why is this legislation necessary?
In 1998 the European Union issued a directive to prohibit EU businesses from sharing personal information with businesses from other countries unless those countries had privacy requirements that satisfied the EU. Canada responded by enacting the federal Personal Information and Protection of Privacy Act ("PIPEDA"). That Act, which has met with EU approval, governs the protection of private information of individuals that is collected, used or disclosed within the federally regulated sector in the course of commercial activities. PIPEDA also covers all organizations engaged in interprovincial commercial activity.
As of January 1, 2004 PIPEDA will also purport to cover the collection, use and disclosure of personal information in the course of any commercial activity within provinces, including provincially regulated organizations. However, the federal government is permitted to exempt organizations or activities in provinces that have their own privacy laws if those laws are deemed to be "substantially similar" to the federal legislation.
Bill 38 was drafted following widespread consultation by the BC government over the past year. The Bill is intended to protect personal information within the private sector in BC as well as to protect employee information in provincial organizations, something which PIPEDA, for constitutional reasons, could never do.
An overlying issue is that PIPEDA requires any provincial privacy legislation intended to govern the private sector to be substantially similar to the federal legislation, which means that Bill 38 could not vary too significantly from PIPEDA.
Bill 38 has not yet been determined to be substantially similar to PIPEDA. The federal cabinet will make that determination on recommendation of Industry Canada after the Bill becomes law. While the former federal Privacy Commissioner, George Radwanski, had earlier stated that Bill 38 had "grave deficiencies," the Information and Privacy Commissioner for BC, David Loukidelis, has expressed the view that Bill 38 provides broader coverage than the federal act and is less complex.
The purpose of privacy legislation
The general purpose of privacy legislation, including Bill 38, is to ensure that the collection, use or disclosure of personal information about an individual does not occur without that individual's consent or unless the information falls within specific exceptions.
Privacy legislation also gives an individual the right to see and ask for corrections to his or her personal information that an organization may have collected.
The obligations on law firms to protect privacy
Law firms are vast repositories of personal information. In addition to maintaining information about employees, firms possess sensitive personal information about both clients and non-clients.
The personal information of clients is already protected by a lawyer's professional responsibility to protect client confidences. Moreover, the law of solicitor-client privilege protects privileged information, which a lawyer must never disclose without client instructions. Bill 38 provides that nothing in the legislation affects solicitor-client privilege.
In order to properly discharge their duties and professional obligations in the practice of law, however, lawyers must be able to collect, use and disclose personal information. Sections 12, 15 and 18 of Bill 38 set out the circumstances in which an organization governed by the legislation can do so without the consent of an individual, and these sections should be reviewed closely by lawyers. For example, personal information may be collected without the consent of an individual if:
- it is for use in an "investigation" or a "proceeding" (both are defined terms), provided that it would reasonably be expected that the accuracy or availability of the information may be compromised by having to obtain consent;
- the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way; or
- the collection is already authorized by law.
There are similar provisions for the use and disclosure of personal information without consent.
Access to and correction of personal information is governed by Part 7 of Bill 38. Lawyers, of course, already have professional obligations to disclose to a client information in that client's file at his or her request. Bill 38 will also permit access to, and correction of, personal information about a third party (including witnesses, for example) in the possession of a lawyer. Exceptions to this requirement are enumerated in section 23(3), and include situations where:
- the information is the subject of solicitor-client privilege;
- the information was collected without having to obtain the consent of the individual for the purposes of an investigation or proceeding that has not yet completed.
Like all other employers in the province, law firms will also have to address the personal information of their employees. Lawyers should therefore become familiar with the definition of "employee personal information," the provisions on the collection, use and disclosure of such information and the right of an employee to access such information.
How should law firms prepare for Bill 38?
Section 5 of Bill 38 will require a law firm to:
- develop and follow policies and practices necessary for the firm to meet its obligations under the legislation, and
- develop a process to respond to complaints that may arise respecting the application of the legislation to the organization.
A law firm should consider appointing someone within the firm to coordinate the development of such policies and practices. That person should become familiar with Bill 38, consider how the principles of the legislation apply to the firm and organize an audit of the kinds of personal information collected by the firm. Consideration should be given to whether consent is needed in order to collect, use or disclose personal information and, if so, how such consent can be obtained. These steps are often referred to as a "privacy diagnosis." There are general resources available for assistance in performing such a diagnosis on the BC Information and Privacy Commissioner's website at www.oipc.bc.ca/private.
Law firms should also be familiar with the requirements of PIPEDA in the event that Bill 38 is not determined to be "substantially similar" to the federal legislation. Law firms that carry on business interprovincially will need to ascertain their own obligations to comply with the federal legislation.