In March 1996, the Canadian Standards Association (CSA) published the Model Code for the Protection of Personal Information. Canada was the first country in the world to establish a voluntary, national standard for personal information protection.
The Model Code was largely based on the Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, created by the Organization for Economic Cooperation and Development (OECD). While the Code remains a voluntary standard, it enjoys strong support and endorsement by a variety of Canadian companies as the national standard on privacy protection.
In April 2000, the Personal Information Protection and Electronic Documents Act (PIPEDA) became law. The CSA Model Code forms an important component of the PIPEDA.
What is the CSA?
The CSA is an independent, not-for-profit association that aims to serve national and international businesses, industries, governments and consumers. As a leader in standards development, the CSA involved with product certification; quality and environmental management systems registration; and information products. The CSA is a membership organization governed by a Board of Directors who are both elected and appointed.
Standards are written and developed by volunteer committees made up of representatives from government, industry, consumer groups and users. Committees are facilitated by CSA employees and use a consensus-based approach to decide on the contents of a standard and to determine if the standard will be published.
Developing the Code
The Code intends to balance the privacy rights of individuals with legitimate data requirements of industries, businesses and institutions. It was developed by a 45-member committee with representatives from the main groups concerned with personal privacy issues in Canada. Committee representatives included:
- Federal and provincial governments
- Consumer advocates
- Organized labor
- Security and IT experts
- Industries including:
- Financial services
- Cable television
- Direct marketing
What does the Code say?
The Code outlines basic guidelines for the protection of personal data. It addresses two main issues:
I) How organizations collect, use, disclose and protect personal information.
II) How individuals access and correct personal information collected by the organizations.
Organizations who choose to follow the Code demonstrate that they are handling the information they collect fairly. The Code offers consumers, employees and other data subjects a means for challenging an organization’s practices.
The Code is based on ten interrelated principles:
This principle states that an organization is responsible for personal information under its control. The organization should designate an individual or individuals to be accountable for the organization’s compliance with the principles stated in the Code. An organization needs to implement policies and practices that will help them respect the principles.
2. Identifying Purposes
An organization should identify the purposes for collecting information at or before the time of collection. This will enable the organization to determine which information needs to be collected in order to meet their needs. This goes hand in hand with the Limiting Collection principle (#4). Depending on the manner in which information is collected, this principle can be fulfilled orally or in writing. For example, an application form may explain the purposes of information collection to an individual.
Where it is appropriate, an individual must have knowledge of and give consent to the collection, use or disclosure of personal information. An organization should make a reasonable effort to inform individuals of the purposes for collecting information. Consent should be meaningful; the purposes should be explained in such a way that the individual can reasonably understand the use and disclosure of their personal information. Individuals are entitled to withdraw consent at any time.
4. Limiting Collection
Personal information should only be collected as necessary for the purposes that the organization has identified. This includes limiting the amount and type of information. The information should be collected by fair and lawful means.
5. Limiting Use, Disclosure and Retention
An organization should not use personal information for new purposes, unless it has the consent of the individual, or as required by law. Personal data should only be retained as long as is necessary to fulfill the organization’s stated purposes. An organization should develop specific guidelines and procedures governing the destruction of personal information.
In order to meet the intended purposes, personal information should be accurate, complete and up-to-date. This principle aims to minimize the possibility that incorrect information is used to make a decision about an individual. This also applies to information disclosed to third parties.
An organization should implement appropriate security safeguards to protect the personal information collected. The appropriate safeguard should be determined by the sensitivity, amount, distribution, format and method of storage of the information. Employees in the organization should be aware that confidentiality of personal information should be maintained.
An organization should be open about its personal information policies and practices. Individuals should be able to access an organization’s policies and practices relatively easily. The method of disseminating such information depends on the nature of the organization. This may include brochures, mail to customers, online access or toll-free information lines.
9. Individual Access
Individuals should be informed of the existence, use and disclosure of their personal information. Individuals should have access to their personal information and be able to question and correct the accuracy and completeness of this information.
10. Challenging Compliance
Individuals should be able to challenge an organization’s compliance with the above principles. The person accountable for an organization’s compliance will be responsible for dealing with inquiries, challenges or complaints. An organization should investigate all complaints and if it is necessary, adjust its policies and practices appropriately.
The Code is meant to be used by any organization that collects or uses personal information. Such organizations may include:
- Financial institutions
- Service providers
- Direct marketers
- Telecommunications companies
- Product manufacturers
- Government agencies
As organizational compliance with the Code is purely voluntary, organizations may incorporate the ten principles in its policies to varying degrees. The Quality Management Institute (QMI) has a program that recognizes three levels of compliance:
Tier 1: Declaration
An organization declares its compliance with the code by signing a code of ethics or statement of their information protection principles.
Tier 2: Verification
An organization submits documented policies and procedures to the QMI, which may conduct on-site audits in order to confirm compliance with the Code.
Tier 3: Registration
The QMI reviews the organization’s documentation and carries out an audit. This establishes compliance with the CSA Model Code and with ISO 9001 or 9002.
Since its introduction, a number of critiques of the Code have arisen. Many of these critiques point to the vagueness in interpretation, which have led to confusion, loss of confidence and decreased utility of the Code. Due to differences in meaning and application of the Code, a number of cases have been taken to the Canadian Privacy Commissioner. This process is slowly eliminating some uncertainties in the Code.
Some gray areas of the Code include:
- The issue of collecting personal information from or about children is not mentioned.
- Different types of consent are not distinguished (e.g. express, implied and deemed consent).
- The Code does not elaborate upon the issue of notice. What constitutes a reasonable effort to advise an individual on collection of personal information?
- It is unclear if retention of personal information constitutes a “use” under the Code. If so, retention would require consent from the individual.
- The Code does not require businesses to explain the purposes of personal information collection to its customers. This has led to widespread failure of customer service representatives to reasonably explain the purposes of information collection to the ordinary consumer.
- The principle of openness is only encouraged, rather than required.
The CSA Model Code for the Protection of Personal Information presented a foundation for Canadian privacy protection legislation, such as the PIPEDA. A number of Canadian businesses and organizations have modeled their own privacy codes, policies and practices on this standard. Individuals have also used the Code to understand their privacy rights and protect their personal information. Over time, provisions in need of greater clarity or strengthening have been identified in the CSA Code.
In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:
- Canadian Standards Association (II.A.a.)
- Model Code for the Protection of Personal Information: CAN/CSA-Q830-96 (II.A.a.i.)