PLUS 8830
Implementing Privacy Codes of Practice

Colin J. Bennett
Associate Professor
Department of Political Science
University of Victoria
Victoria, BC V8W 3P5

AUGUST 1995
ISBN 0-921347-44-8
Technical Editor: Dwayne Mathers

© Canadian Standards Association 1995
All rights reserved. No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without the prior permission of the publisher.

Table of Contents

List of Abbreviations ... ii
Executive Summary ... iii
Introduction ... 1

Part I: The Comparative and Historical Experience of Privacy Codes of Practice
Chapter 1. The Regulatory Environment for Personal-Data Protection in the Canadian Private Sector ... 7
Chapter 2. Privacy Codes and Voluntary Compliance ... 17
Chapter 3. The Formation and Implementation of Privacy Codes in Canada ... 25
Chapter 4. Privacy Codes of Practice in Cross-National Perspective ... 41
Chapter 5. Current Conditions and Future Challenges ... 51

Part II: Lessons About the Development and Implementation of Privacy Codes of Practice
Chapter 6. Lessons About the Development of Privacy Policies ... 59
Chapter 7. Lessons About Individual Redress and Participation ... 67
Chapter 8. Mechanisms for Employee and Organizational Accountability ... 79

Part III: The Implementation of the CSA Model Code for the Protection of Personal Information: An Analysis of Options
Chapter 9. Oversight of the CSA Model Code for the Protection of Personal Information ... 91
Chapter 10. The Incentives for Adoption of the CSA Model Code for the Protection of Personal Information ... 105

Appendices
Appendix One. Terms of Reference for Research Assistant ... 110
Appendix Two. Organizations and Agencies that have Provided Information for the Study ... 112
Appendix Three. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data ... 114
Appendix Four. CSA Principles for the Protection of Personal Information ... 116
Appendix Five. List of Countries with Comprehensive Private Sector Data Protection Legislation ... 117
Appendix Six. The Evolution of Privacy Codes in Canada ... 119
Appendix Seven. The Provision for Codes of Practice in Overseas Legislation ... 121
Appendix Eight. Fair Information Practices Checklist ... 124

List of Abbreviations

ADAD   Automatic Dialing and Announcing Device
BBB    Better Business Bureaus
CAI    Commission d'accès à l'information du Québec
CBA    Canadian Bankers Association
CCHRA  Canadian College of Health Record Administrators
CCTA   Canadian Cable Television Association
CDMA   Canadian Direct Marketing Association
CHRA   Canadian Health Record Association
CIPS   Canadian Information Processing Society
CLHIA  Canadian Life and Health Insurance Association
CNIL   Commission Nationale de l'Informatique et des Libertés (France)
COACH  Canadian Organization for Advancement of Computers in Health
CRTC   Canadian Radio-Television and Telecommunications Commission
CSA    Canadian Standards Association
CTSC   Cable Television Standards Council
DMA    American Direct Marketing Association
EFT    Electronic Funds Transfer
EU     European Union
FIPS   Fair Information Practices
IBC    Insurance Bureau of Canada
ICC    International Chamber of Commerce
IPP    Information Privacy Principles
MIB    Medical Information Bureau
MPS    Mailing Preference Service
NIM    National Information Market
NSERC  Natural Science and Engineering Research Council
NTIA   National Telecommunications and Information Administration
OECD   Organization for Economic Cooperation and Development
OIPC   Information and Privacy Commissioner/Ontario
OPC    Federal Office of Privacy Commissioner
OSFI   Office of the Superintendent of Financial Institutions
PIN    Personal Identification Number
PMRS   Professional Marketing Research Society of Canada
QMI    Quality Management Institute
SCC    Standards Council of Canada
SIN    Social Insurance Number
SSHRC  Social Sciences and Humanities Research Council
STPI   Stentor Telecom Policy Inc.
TPPA   Telecommunications Privacy Protection Agency
TPS    Telephone Preference Service

Executive Summary

The CSA Model Code for the Protection of Personal Information is being developed at a time when there is a growing debate about a range of innovative approaches to the protection of personal data on the "information highway." No other country has attempted to integrate the widely accepted "principles of fair information practice" into its standards-setting machinery. This innovation therefore raises a number of challenging questions about the implementation of a privacy standard that have never been fully addressed before.

Part I describes existing legislative and voluntary provisions for personal-data protection in Canada. This country is one of the few advanced industrial states that has not passed comprehensive legislation governing the collection, use and disclosure of personal information by all organizations. The public sector is relatively well regulated through the 1982 Privacy Act and corresponding provincial statutes. But, with the exception of the new Act respecting the protection of personal information in the private sector in Quebec (Bill 68), privacy protection in the private sector in the rest of Canada has emerged in an incremental and piecemeal fashion. Most provinces have statutes protecting the collection, use and disclosure of credit-reporting information. The new Telecommunications Act (Bill 62) empowers the Canadian Radio-Television and Telecommunications Commission (CRTC) to regulate to protect privacy interests. There exist a number of confidentiality provisions for personal information within other federal and provincial laws and regulations. The overall legislative profile for Canadian personal-data protection, however, has been likened to a "patchwork." This incoherence is confusing to the consumer, potentially damaging to business, and inadequate to meet emerging international standards for personal-data transfer.

The principal response in most sectors has been to develop "voluntary" privacy codes of practice. However, the term "privacy code" describes a diversity of mechanisms. Five types are identified: Individual Company Codes, Sectoral Codes, Functional Codes, Technological Codes, and Professional Codes. They also vary according to the extent of compulsion. Most operate within a complicated and fluctuating range of regulatory, international, technological, cultural, and business incentives. The term "voluntary" needs to be used with considerable caution.

An analysis of the major privacy codes existing in Canada bears out these differences. The "Sectoral Codes" of the Canadian Bankers Association, the Canadian Life and Health Insurance Association, the Insurance Bureau of Canada, and Stentor are models designed by these trade associations for the membership to implement at the company level. The "Functional Code" of the Canadian Direct Marketing Association gives the association a greater role in mediating complaints and promoting consumer awareness, with a threat of expulsion of a member company for non-compliance. The privacy policy of the cable television industry operates according to a foundation model, under which the Canadian Cable Standards Council administers cable television service standards (including privacy) under the oversight of the CRTC. None of these codes, however, has any explicit statutory force, in contrast with the privacy codes developed under the mandate of legislation and the oversight of a data protection agency.

Codes of practice play a valuable role under a number of regulatory regimes. In the Netherlands and New Zealand, codes are negotiated in accordance with the data protection principles in the respective statutes, approved by the respective supervisory agencies, and thus given the force of law. These systems are designed to combine the flexibility of self-regulation with the force of legal sanction and redress.

Without such framework legislation, the experience of code development and implementation in Canada is diverse. There is variability in the regulatory conditions under which codes have been promulgated, variability in the scope of coverage, variability in the processes through which they have been developed, and variability in the implementation mechanisms. Given these conditions, the CSA Model Code might attain four interrelated objectives:

(1) To increase the level of consistency for the development and application of data protection policy.
(2) To promote greater consumer awareness of privacy rights.
(3) To provide a yardstick for the measurement of the adoption and implementation of data protection policy.
(4) To promote an organizational ethos that raises the level of responsibility for personal information management.

These objectives guide the remaining analysis.

Part II of this report provides lessons from Canadian and overseas experience about how a successful organizational privacy policy might be formulated and applied. Previous analysis suggests that a privacy policy should be based on a thorough understanding and review of the privacy implications of each service and product. This may involve an information audit, a privacy analysis, and a technology analysis. Organizations may also benefit from external consultation with consumer representatives, with the offices of the federal and provincial Information and Privacy Commissioners, and with outside experts in privacy and data security. Opinion polls and consumer focus groups also help sensitize organizations to wider perceptions and interests.

There is an advantage in developing a more consistent practice for the codification of an organizational privacy policy. A distinction may be drawn between the Privacy Code, a set of Operational Guidelines to translate the Code into practical advice for employees, and a Statement of Consumer Rights for external promulgation. Privacy policies also require a training and implementation plan, a public communications programme, and periodic review.

The CSA Model Code also needs to enhance consumer awareness of privacy rights. In addition to companies and trade associations, public interest groups, the Offices of the Information and Privacy Commissioners, the Better Business Bureaus, and labour unions might play a useful educational role.

The CSA Model Code obliges personal-data users to implement procedures that provide individual redress and participation. These include notification of data subjects of the reasons for the collection of personal data and of the permissible uses and disclosures. They also include appropriate procedures for the exercise of access and correction rights. Organizations are also expected to put procedures in place to receive and respond to complaints. Suggestions of effective mechanisms to allow individuals to access their data and challenge compliance are offered.

One of the chief issues for all data protection regimes is the conditions under which personal data might be employed for secondary uses. The CSA Model Code obliges organizations to obtain "consent" if that information is to be used for purposes other than those identified at the time of collection (unless a legal requirement is involved). Consent may be implied or express. It may be inferred if an individual does not take the opportunity to opt out of allowing the organization further uses of his or her data. Opt-out provisions should be meaningful, easy to execute, offered as early as possible and at regular intervals, and voluntary. Several illustrations are presented.

The CSA Model Code is based on the assumption that an organization is accountable for the personal information under its control. First and foremost, this requires the appointment of a designated individual who is responsible for the implementation of the principles. This may require a blend of experience in both consumer complaints resolution and personal information management. Organizations need to ensure that the combination of duties does not place these persons in situations where privacy interests are compromised by other demands on their time and functions. Moreover, privacy responsibility needs to be located at a sufficiently high level in an organization to permit these interests to be articulated at the earliest stages of service and product development.

A range of other instruments may be used internally in order to ensure compliance with the privacy principles. Education and training programmes have proven successful in some larger organizations. Many financial institutions require the regular signing of statements of compliance by all employees who access personal data. Privacy audits can be used to educate employees about their obligations, rationalize information collection and retention with attendant cost-savings, evaluate the effectiveness of the standards, and anticipate potential complaints and problems. Audits may be of four types: internal audits, external audits, external reviews of internal audits, and audit trails through computer programming to identify instances of unauthorized access.

The safeguards principle states that security mechanisms should be applied that are appropriate to the sensitivity of the information. These include a range of technological, organizational and physical measures. Some of the most notable breaches of security could have been prevented by quite mundane and commonsense precautions, such as keeping offices and filing cabinets locked and changing computer passwords on a regular basis. In addition, the recent commercial availability of public-key cryptography offers a technological solution that can anonymise personal data and at the same time permit verification of a range of personal-data transactions. Contracts can ensure a comparable level of protection whil