The Personal Information Protection Act and you
by Barbara Buchanan, Practice Advisor
PIPA sets out requirements regarding how organizations, including law firms, collect, use, and disclose “personal information” (a defined term) about individuals. The individuals may be your clients, employees and even your partners. You are required to get consent for collecting, using and disclosing an individual’s personal information, except where PIPA excuses consent or if there is deemed consent, as provided in the legislation. Your firm is also responsible for protecting all personal information in your custody or under your control.
I recently had the opportunity to speak with BC’s Information and Privacy Commissioner, David Loukidelis, about PIPA, and he has provided his views about how the legislation applies to law firms.
Barbara Buchanan: Lawyers usually obtain personal information about their clients in the course of their work. Now, with few exceptions, the Law Society’s client identification and verification rules require lawyers to identify their clients and, in many cases, to verify identity using independent source documents. Do you have any particular cautions for lawyers about complying with PIPA while staying onside with the Law Society rules?
David Loukidelis: PIPA allows law firms to collect their clients’ personal information in the form of copies of identification documents because the Law Society’s rules, which have the force of law, require them to do so. At the same time, PIPA’s requirement that lawyers take reasonable measures to protect client information from unauthorized access, disclosure or use continues to operate. This means lawyers must take reasonable steps to ensure that identity documents, which can be very valuable to thieves and fraudsters, don’t fall into the wrong hands. What is “reasonable” may require a high degree of rigour, depending on the circumstances.
BB: What security measures do you recommend for lawyers who use laptops?
DL: The Professional Conduct Handbook, and lawyers’ responsibilities to clients more generally, speak to the need for lawyers to protect client information, including personal information, quite apart from PIPA’s security measures requirements. If a lawyer must store client personal information on a laptop, or another portable computing or storage device, that information should be encrypted. Modern encryption programs are readily available, even as freeware, and should be the default approach to protecting client personal information on laptops, USB keys and other storage devices. And by encryption, I don’t mean four-character passwords. I mean robust encryption, ideally to the level of 256-bit AES standard. There have been too many horror stories in the media in recent years about sensitive personal information being stored on devices without encryption, and then going walkabout because a device is lost or stolen.
BB: What should a law firm do if a lawyer’s laptop is stolen?
DL: Once the police are notified, the law firm should immediately take steps to contain the breach. To decide what other immediate steps should be taken, the firm needs to assess risks associated with the breach, including the sensitivity of the information and the foreseeable harm from the breach. A decision as to whether and how individuals affected by the breach are to be notified should be made as soon as possible. “Key Steps in Responding to Privacy Breaches” is our resource publication to help in assessing the appropriate response to a breach and can be downloaded at www.oipc.bc.ca/pdfs/Policy/Key_Steps_Privacy_Breaches(June2008).pdf.
BB: Do you have any suggestions for lawyers who take laptops containing confidential client information across the border into the US or other countries?
DL: US, Canadian and other border authorities these days are asserting the right to undertake suspicionless searches of storage devices, including laptops and USB keys. In these cases, encryption won’t help, since authorities will force you to give up the keys or have your device seized, with other possible consequences for non-cooperation. I would certainly recommend that lawyers consider whether they need to transport client information, whether privileged, confidential or otherwise, across borders on a portable device. A safer option, from the perspective of lawyers’ legislative and other responsibilities, would be to access the necessary information remotely through a VPN or secure Internet connection, once you have arrived at your destination. That way, you avoid carrying sensitive information with you in the first place, yet have easy access to it when you need it.
BB: If a BC law firm is hired by a client residing in Alberta as a result of the firm’s website, which privacy legislation applies, PIPA, the Alberta legislation, or both?
DL: We would certainly see this as involving BC legislation, not Alberta, on the basis that the local law firm has collected and used the client personal information here in BC. Having said that, we do run into situations where jurisdiction is not abundantly clear, and for this reason have developed good working relationships with our colleagues in Alberta and federally to cooperate on investigations where necessary.
BB: What should a firm do with resumés, both solicited and unsolicited?
DL: PIPA says that if an organization has used personal information to make a decision directly affecting an individual, it has to retain that information for at least a year after the decision is made. This is so the individual can request access to that information to ensure that it is accurate and complete — PIPA requires organizations to take reasonable measures to ensure that information used to affect someone’s interests in this way is accurate and complete. If you have solicited resumés and use them to evaluate potential employees, our view is that you have to keep them for a year. If, however, unsolicited resumés come your way, we have taken the position that, if you do not actually consider these resumés, and have a policy to that effect, you do not have to keep them for a year. This is because you have not used the information they contain to actually make a decision about someone.
BB: Facebook and other social networking websites are much in the news these days. Any thoughts on lawyers using these sites, perhaps with respect to potential employees or in litigation research?
DL: If you don’t have consent to indirect collection of personal information, including through social networking sites, you could only use the sites as a source for personal information if you can show that it is reasonable to do so and you’re only collecting that personal information for the purposes of hiring someone. PIPA does have special rules around employee privacy, including in relation to recruitment, but you would still have to give notice to prospective employees that you will be using the social networking sites to assess their applications. And I think law firms should ask themselves whether this is the way they want to be perceived by future colleagues or partners.
At the same time, I urge law students and lawyers alike to use common sense when they are posting personal information — including potentially embarrassing photos — to social networking sites. The reality is, once personal information is posted on the Internet, including on a site like Facebook, it is there forever and you lose control over it for all time. It can come back to haunt you, and there have been many recent cases where people have lived to regret what they have posted on a social networking site.
As for litigation research, PIPA permits the collection of personal information about an individual without consent or from a source other than the individual, including from Facebook, if the collection is necessary for purposes of providing legal services to a third party. A law firm should ensure that collection is necessary.
BB: Does anything in PIPA affect solicitor-client privilege?
DL: Solicitor-client privilege is possibly engaged under PIPA when someone makes a request for access to their own personal information in the hands of a law firm or a request as to how their personal information has been used by an organization. However, PIPA fully protects privilege in these cases. It provides that the law firm or other organization to which the request is made is not required to disclose information if it is protected by solicitor-client privilege.
BB: Any comments on managing outsourcing risks?
DL: If a law firm wants to outsource services involving personal information, whether personal information of clients or employees, it is free to do so. The firm remains responsible, however, for the appropriate use, disclosure and protection of that personal information. So law firms should use diligence in selecting service providers and contractually obligate them to use personal information only for providing the services and to take reasonable security measures. In major cases of outsourcing, law firms might consider following up with the service provider to ensure that these contractual obligations are being respected, including the undertaking of inspections or audits in particularly important cases.
BB: What are some common pitfalls that you see for law firms?
DL: One of the challenges we’re seeing is in the secure disposal of client records. We’ve had a number of cases where law firms have simply dumped client files in the garbage, without securely shredding them or otherwise disposing of them. Quite apart from what the Law Society would have to say about such unacceptable practices, insecure disposal of client personal information violates lawyers’ privacy obligations under PIPA. A law firm should ensure that all of its employees are aware of the need to consistently follow the law on protecting client information.