PLUS 8300 (1st ed. pub. 1996) - Making the CSA Privacy Code Work for You - A Workbook on Applying the CSA Model Code for the Protection of Personal Information (CAN/CSA-Q830) to Your Organization
Introduction - The Purpose of This Workbook
The Publication CAN/CSA-Q830, A Model Code for the Protection of Personal Information, referred to as the CSA Code,
(a) provides the principles for the management of personal information;
(b) specifies the minimum requirements for the adequate protection of personal information held by participating organizations;
(c) makes the Canadian public aware of how personal information should be protected; and
(d) provides standards by which the international community can measure the protection of personal information in Canada.
This workbook is designed to provide practical, useful advice to help organizations understand and apply CSA's Model Code for the protection of personal information. The workbook is intended to be used in conjunction with the CSA Code, but it is not a replacement. The text of the CSA Code in its entirety should be referred to, when required, as the final authority on matters of interpretation. The workbook was developed and reviewed by the CSA Technical Committee on Privacy, to provide guidance on how to apply the CSA Code effectively. Organizations will find it a valuable tool, particularly for those individuals directly responsible for implementing the CSA Code. However, the use of the workbook is not mandatory.
The CSA Code can be applied to all types of organizations, from small sole proprietorships to large corporate enterprises; from service clubs and charities to universities and hospitals; from organizations that hold very little personal information to those that specialize in information collection and use.
While CSA has produced only one workbook to cover this vast range of information users, the principles of the CSA Code are universal and can, accordingly, be applied to all types of organizations whether they are large or small, locally based or multinational, and whether they use the simplest of information management methods or are at the leading edge of electronic information use.
What differs principally between organizations is the amount and variety of information collected, its sensitivity, and its relative value, both to the individuals providing it and the organizations using it. The workbook addresses these differences with examples drawn from a range of organizational experiences and with practical, commonsense solutions. Whatever type of organization you are involved with, this workbook will provide you with basic information you need to implement the CSA Code in an appropriate way.
The CSA Code was developed as a national voluntary standard for personal information protection. As you apply the CSA Code, remember that its ultimate success depends upon an underlying commitment to integrity and fairness in the use of personal information. Organizations must always balance their need for information collection, use, and disclosure with the privacy rights of the individual.
Implementing the CSA Code may be a time-consuming task; however, once implemented, the ongoing maintenance of systems and procedures to meet the Standard should become a routine operation.
CSA has also published (August 1995) the background research report, Implementing Privacy Codes of Practice: A Report to the Canadian Standards Association (PLUS 8830), written by Colin Bennett of the University of Victoria. Readers who seek further background information about the functions and implementation of Privacy Codes in Canada and overseas might also want to obtain this publication.
-------------------------------------------------------------------
PLUS 8830 (1st ed. pub. 1995) - Implementing Privacy Codes of Practice - Commentary
The Model Code for the Protection of Personal Information being developed under the auspices of the Canadian Standards Association (CSA) has the potential to advance the cause of personal-data protection in Canada. No other country has attempted to negotiate and establish on a voluntary basis a general minimum standard for privacy protection in its private sector. As an innovation in privacy protection policy, therefore, the implementation of the code does raise a number of intricate questions that have never been addressed before, either in Canada or overseas.
The CSA has commissioned this research in order to gain a better appreciation of how the CSA Model Code might promote the effective and consistent implementation of personal-data protection standards. This research is presented in a report organized into three parts, which may be read cumulatively or separately. Part I consists of a description of how existing privacy codes are implemented and overseen both in Canada and in selected foreign countries. This analysis will review the scope and depth of data protection policy in Canada and contrast that coverage with the position overseas.
Chapter One presents a brief overview of the regulatory provisions currently in force in Canada that affect the collection, storage, processing, and disclosure of personal information. This provides some context for the later discussion of codes and highlights some of the current issues that are being debated about policy responses to the privacy problem. The CSA Model Code is being developed at a time when there is a stimulating debate amongst advocates and experts about whether the legislative solutions of the 1970s and 1980s are adequate for the years ahead. The CSA initiative is one of a number of innovative approaches that have been offered to respond to the more complicated challenge of protecting personal privacy within the fluid, decentralized, networked "information highway" environment of the 21st century.
Chapter Two analyses the meaning of voluntary or self-regulatory data protection. It describes the evolution of privacy codes in Canada and presents a typology of the diverse range of instruments that have that label. Chapter Three provides a more detailed discussion of the major codes of practice from the Canadian Bankers Association, the insurance industry, Stentor, the Canadian Direct Marketing Association, and the Cable Television Standards Foundation. These codes are compared according to the way they perform certain essential functions of consumer education, complaints resolution, employee training, and oversight.
Chapter Four analyses the function of privacy codes of practice under different regulatory systems in other countries, with a particular emphasis upon Britain, the Netherlands, and New Zealand. This will highlight the advantages (and disadvantages) of developing codes of practice within the statutory framework of a general data protection law. Chapter Five provides an overview of the current state of personal-data protection in Canada's private sector and outlines the ways in which the CSA Model Code might facilitate the effective implementation of privacy codes of practice.
Part II of the report draws what I regard to be the most useful lessons from historical and comparative experience about the drafting of codes of practice, about promoting greater consumer awareness, about providing effective redress and participation for the data subject, and about raising the level of accountability within organizations that process personal information. This analysis will be directed toward the operational guidelines to be presented in the accompanying Workbook.
Part III of the report addresses the central question of what it should mean to "adopt" the CSA Model Code. I analyse the roles that various organizations might play in monitoring its implementation, bearing in mind the diversity of private sector practices and the different legal, technological, and economic environments in which different sectors have to operate. The analysis will consider the ways that the implementation of the privacy code might be integrated into existing standard-setting mechanisms, and attempt to draw lessons from the oversight of standards in related policy fields. Part III concludes with an analysis of the incentives that might be at work to encourage organizations to "sign on".
There are several questions that this research will not, and cannot, address. This report is not going to evaluate the adequacy of existing codes of practice in different sectors. I will make some comments on the overall picture for privacy protection in Canada. But I cannot judge the effectiveness of individual sectoral or company policies in order to rank their relative success in meeting privacy standards. Whether or not data protection codes or laws "work" is a question that is extremely difficult to answer in any definite way. Data protection rules (including codes of practice) encompass an intricate blend of organizational obligations and consumer/citizen rights. There is not, then, one overall standard of workability. Moreover, the success of these instruments will obviously vary within individual sectors, within individual firms, and across time and space. The context of rapid technological, economic, and regulatory change and uncertainty also means that an evaluation today could be dated tomorrow.
This report will also not comment on the wording of the CSA Model Code. It will focus instead on the process through which organizational obligations may be fulfilled and individual rights exercised. Thus an evaluation of the substantive content of the code and the wording of different principles is beyond the scope of this research. Moreover, I have concluded from my research on this subject, over some 15 years in Europe and North America, that debates on personal-data protection in most societies have centered as much on questions of implementation and enforcement as on the wording of principles. That is not to deny the intricate problems that arise over the interpretation of key words like "consent," "collection," "processing," "disclosure," and so on.
Finally, this report cannot discuss in any great depth the particular privacy challenges in individual sectors of the economy. The analysis obviously has to be cognizant of the shifting and indistinct boundaries between industry "sectors." Moreover, future implementation of the CSA Model Code must remain sensitive to variations in community needs, according to their size, the importance and sensitivity of the information collected, and whether personal data are employee- or consumer-related. The privacy issue spans all sectors. It has legal, economic, technological, and political dimensions in every corner of advanced industrial societies.
Thus I bring to this research neither an in-depth expertise in any one sector, nor a particular competence in computer and communications technologies, management information systems, or network security. Instead, I bring the expertise of the policy analyst: a grasp of the general philosophy behind privacy claims, how that theory has been translated into a public policy of "personal-data protection" in different societies, and how that policy has been implemented in different jurisdictions. Two of the intriguing and perennial features of this area of public policy are its constant attention to the experiences of others and its abiding need to draw lessons. The central purpose of this research is just that - to draw lessons.
The research methodology has involved the following activities (see Appendix 1 for the Terms of Reference). First, a substantial quantity of documentary evidence has been collected and analyzed. This includes codes of practice, regulations, guidance notes, promotional materials, training manuals, and so on. The report will be accompanied by a Sourcebook of the most relevant materials gathered from different Canadian and foreign organizations.
Secondly, non-structured interviews have been conducted with representatives from a range of public and private organizations in Canada, including trade associations, the offices of Information and Privacy Commissioners, offices of other federal agencies, consumer associations and public interest groups, and experts in auditing, management information systems, and computer security. A list of the agencies and organizations contacted is included in Appendix 2.
Thirdly, potentially very useful information has been gathered from overseas data protection authorities. I took the opportunity to attend, in September 1994, the 15th Annual Conference of Data Protection Commissioners, in the Hague, which allowed formal and informal contacts with officials from Britain, France, Germany, the Netherlands, New Zealand, Australia, and Ireland. Each of these countries has experiences of data protection of potential interest to the CSA.
Finally, I have also drawn upon the secondary literature on privacy and data protection in North America and Europe. Whilst there exist a vast number of books and articles on "privacy" and the laws on privacy, there is, curiously, very little on codes of practice. I am hopeful, therefore, that this research will not only contribute to the resolution of questions relating to the implementation of the CSA Model Code but will also fill a longstanding gap in the literature on privacy and data protection.
At the outset, it is necessary to clarify my use of certain terms. The CSA is developing a Model Code for the Protection of Personal Information. Many organizations, however, describe these instruments as "privacy codes", and I shall continue to use this designation from time to time. However, it is necessary to point out that this is something of a misnomer. Most, if not all, "privacy codes" deal solely with the question of "information privacy" or "personal-data protection." Yet "privacy" is a broader value that encompasses other interests besides the protection of personal information, including the limitation of intrusiveness by the press, the protection of a realm of private intimate decision-making, the right to engage in unconventional lifestyles, and so on. Privacy has become an umbrella value through which is justified the general "right to be let alone." We should be careful, therefore, in not claiming too much from "privacy codes of practice", beyond the control over the collection, storage, processing, and transmittal of personal information.
I am grateful to many people for providing me with the raw material for this study. A large number of organizations provided relevant written materials. Representatives from a substantial number of these were contacted and interviewed in person (see Appendix 2). I guaranteed anonymity in all the interviews I conducted. I would like to acknowledge, however, my appreciation for the time that many people spent with me and for the candour with which everyone responded to my enquiries. I am also very grateful to my research assistant, Darren Osadchuk, a graduate student in the Department of Political Science at the University of Victoria, for his help in collecting and organizing the large amount of material upon which this study is based.
Colin J. Bennett, Associate Professor, Department of Political Science, University of Victoria.
-------------------------------------------------------------------
Q830-03 - Model Code for the Protection of Personal Information
Scope
1.1 This model code describes the minimum requirements for the protection of personal information. Any applicable legislation must be considered in implementing these requirements.
1.2 This Standard may be applied to all personal information. Provided the minimum requirements are met, organizations may tailor this Standard to meet their specific circumstances. For example, policies and practices may vary, depending upon whether the personal information relates to members, employees, customers, or other individuals.
1.3 The objective of this Standard is to assist organizations in developing and implementing policies and practices to be used when managing personal information.