PRIVACY COMPLIANCE ISSUES FOR LAW FIRMS IN ONTARIO

By Sara A. Levine [1]

[1] Presented at Law Firm Compliance: Key Privacy Considerations for Lawyers and Law Firms in Ontario, Ontario Bar Association, May 6, of Fasken Martineau DuMoulin LLP. This paper expresses the personal views of the author and does not necessarily reflect the position of Fasken Martineau DuMoulin or its clients.
This paper addresses certain issues that may arise for lawyers and law firms in Ontario in the context of ensuring compliance with the Personal Information Protection and Electronic Documents Act (Canada) (the "PIPEDA"). This paper is not intended to present a comprehensive picture of the issues and challenges presented by this new legislation; rather, it attempts to highlight particular issues arising from the tension between our traditional duties and modes of practice and the requirements of the statute.

1. Overview of the Legislation

The PIPEDA regulates private sector organizations in respect of the collection, use and disclosure of personal information by the organization in the course of commercial activity. Pursuant to the PIPEDA, an organization must obtain the informed consent of the subject individual prior to collecting, using or disclosing his or her personal information in the course of commercial activity. The PIPEDA provides that, subject to certain exceptions, an organization shall not collect, use or disclose an individual's personal information in the course of a commercial activity without that individual's prior knowledge and consent. Although agency law principles arguably raise issues with respect to the application of some privacy law obligations to lawyers, there is little doubt that in most contexts a law firm is engaged in commercial activities when providing services or otherwise operating its business.

Further, the organization may only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. While the impact of this requirement is not further explored in this paper, law firms should be cognizant that it may have implications for the extent to which they use personal information for purposes other than the provision of services, and should ask the question: regardless of whether we may rely on a consent, is it appropriate in the circumstances to use or disclose this personal information for this purpose?

The PIPEDA also imposes a number of administrative obligations on organizations, the first of which is to designate an individual to oversee the firm's privacy compliance (generally referred to as the "Chief Privacy Officer"). The Chief Privacy Officer must ensure that the organization establishes, and trains its employees to apply, policies and procedures to ensure that it, among other things:

- limits the collection of personal information to what is necessary to fulfil the identified purposes;
- limits the use and disclosure of personal information to those purposes for which it has consent or which are otherwise permitted by law;
- limits disclosure to those persons in the organization who need to know the personal information;
- retains the personal information only so long as is necessary;
- maintains the accuracy of the personal information; and
- establishes and maintains security measures against loss, theft, unauthorized access, disclosure, copying, use and modification.

The organization must also make public its privacy policies and practices, ensure that an individual may, generally within 30 days of a request, obtain access to the personal information it has about him or her, and must receive and respond to complaints made by individuals regarding compliance with the legislation.
The PIPEDA does not apply to information about an organization's employees that is collected, used or disclosed by the organization for employment purposes. Provincial privacy legislation does apply to the collection, use and disclosure of personal information for employment purposes. Accordingly, national law firms must be mindful of the impact of provincial privacy laws on their national privacy policies and practices. Provincial privacy legislation is not discussed in detail in this paper, but it should not be forgotten that Quebec,[2] British Columbia[3] and Alberta[4] have each enacted private sector privacy legislation. Quebec's law has been declared "substantially similar" to the PIPEDA and, at the time of writing, the necessary Orders-in-Council to declare B.C.'s and Alberta's statutes to be substantially similar have been proposed. When those Orders come into force, organizations to which those Acts apply will be exempt from the PIPEDA within the respective province. In addition, Manitoba, Saskatchewan and Alberta have health sector privacy legislation, and Ontario's Bill 31, the Personal Health Information Protection Act, is expected to come into force on January 1, The other provinces do not currently have any generally applicable private sector privacy legislation, and it is expected that they will not enact their own legislation but will simply rely on the PIPEDA.

[2] An Act respecting the protection of personal information in the private sector, R.S.Q. c. P
[3] Personal Information Protection Act, S.B.C. 2003, c
[4] Personal Information Protection Act, S.A. 2003, c. P-6.5
2. Key Definitions

"Personal information" is broadly defined in s. 2 of the PIPEDA as any information about an identifiable individual, with the exception of the name, title, business address or telephone number of an employee of an organization. This includes, but is not limited to, an individual's address, gender, age, ethnic origin, race, ID numbers, financial and credit information, personal health information, shareholdings, criminal records, family status, sexuality, relationships, religious affiliations, employment history, education, personal habits, personal interests and personal history. Obviously, all of these types of information can be found in retainers, e-mails, memos, letters, agreements, wills, trust documents, opinions, pleadings, releases and other documents, and in the drafts of any such documents. Departments within a firm, such as accounting, marketing, corporate services and human resources, will also hold significant amounts of personal information.

An individual's name need not be attached to the information in order for it to qualify as personal information. If it can be linked with identifying information, it will be personal information. Conversely, personal data that has been "anonymized", or stripped of any personal identifiers, will not be personal information.

"Commercial activity" is defined in s. 2 as any particular transaction, act or conduct, or a regular course of conduct, that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
An "organization" is defined to include a partnership and a person. Obviously, then, based on the sheer breadth of these definitions, the PIPEDA has the potential to impose significant restrictions on the ability of lawyers and law firms to deal with personal information.

3. The Difference between the Right to Privacy and the Duty of Confidentiality

The basic premise of the PIPEDA is that organizations have a duty to protect personal information and individuals have a corresponding right to control how the organization handles their personal information. Therefore, regardless of who generated the personal information, the subject individual has the right to control what a law firm does with it, to have access to it upon request, and to have it corrected, subject to limited exceptions. It is this right of control that distinguishes the right to privacy from the duty of confidentiality, that is, the obligation of an individual to keep confidential any information communicated in circumstances of confidence. Now, the duty of confidence is incorporated into this broader obligation to protect personal information.

This broader duty raises two issues for lawyers. First, the PIPEDA mandates protection of all the information the organization has about any identifiable individual, located anywhere in the firm. Accordingly, non-clients are now owed duties in respect of their personal information that a lawyer collects, uses and discloses. All lawyers are familiar with their fundamental fiduciary obligations to their clients, but the PIPEDA's imposition of these broader obligations, especially to non-clients, is new.

Secondly, the security obligations under the PIPEDA require organizations to use safeguards that are appropriate to the sensitivity of the information. These safeguards must protect information against loss or theft, and also against unauthorized access, disclosure, copying, use or modification. More sensitive information should be safeguarded by a higher level of protection. Safeguards include physical measures such as locked filing cabinets, and organizational measures such as limiting access on a need-to-know basis.[5]

The impact of the security obligations on law firms is unresolved and the matter of some debate. In the context of a law firm, which is in the business of providing advice in respect of sensitive personal matters, how is the notion of sensitivity applied to limit access to personal information? When a document contains sensitive personal information, can different members of a law firm utilize it as a precedent? When a research memorandum sets out the particular client's facts in detail, including personal information, must access to the memo thereafter be strictly limited? Is use of the document also use of the personal information? How does a law firm engage in the cost-effective provision of service, thereby increasing access to justice, if privacy laws are applied to create what may amount to walls around each client file or matter? How is lawyer training accomplished when young lawyers may not have access to existing research memoranda for reference purposes? How can a law firm effectively supervise, or administer its billing and
[5] PIPEDA, clause 4.7.3
accounting functions, if access to sensitive personal information is strictly limited? In a profession in which the sharing of confidences among partners and associates is a common-law presumption, the tension between these duties and obligations poses real challenges.

4. Access Rights and Privilege

The PIPEDA requires organizations to put into place policies and procedures to enable an individual to request from the organization, and, with certain limited exceptions, to be provided, access to the personal information about that individual. The PIPEDA contains detailed provisions requiring organizations to disclose to the individual, generally within 30 days of receipt of the written request, any personal information about the individual that the organization has in its possession.

These access provisions present very specific problems for lawyers. First, locating all the personal information of an individual may be difficult, depending on the nature of the file or the location of the records. In addition, with limited exceptions, clients are entitled to have access to most of the contents of the client file in any event, but now non-clients may also be granted access to information in a file, in certain circumstances. What this means for the administration of access requests is uncertain. Access may only be refused for very limited reasons, including (per subsection 9(3)(a)) when the information is solicitor-client privileged (but note that there is no statutory exception for litigation or work product privilege, raising issues about the extent of the privilege exception). In light of the limits placed on solicitor-client privilege by the Courts in recent years, the question of whether a particular piece of information is solicitor-client privileged is not straightforward. There is also an exception to the right of access if the information is generated in the course of a formal dispute resolution process (ss. 9(3)(d)), but outside the litigation context this exception may provide little assistance.

A law firm also possesses a great deal of personal information that is not client-related. For example, personal information includes the information stored on the marketing database and in employee files (for example, resumes and other information about individuals the firm considered hiring but ultimately did not hire, or information regarding former employees). An individual's right of access extends to the information located in these files as well.

5. General Issues with Respect to the Personal Information Held by a Law Firm

The PIPEDA governs a law firm in respect of the personal information it collects, uses and discloses for its own business purposes, and in respect of the personal information it collects from its clients, or on their behalf, to use or disclose in the course of the retainer. A law firm collects, from clients and others, personal information that is about clients, non-clients, adverse parties, third parties, witnesses, employees of clients, experts and consultants relied upon by clients, and sometimes personal information about opposing counsel.

Such personal information is often located in a number of places. Paper files contain a great deal of personal information about a potentially very large number of identifiable individuals. Personal information about clients and others will also be held in electronic form in the documents prepared by lawyers and clerks in the course of the retainer. Further, many lawyers use a customer relationship management database to collect personal information on clients and others for use by the lawyers in their client development and management activities. Research memoranda may be retained to be used as reference material. A precedents database may also be used to keep and categorize useful precedents. The effect of the PIPEDA on these areas should not be overlooked.

In the next section of this paper the potential impact of privacy law on the major departments in a law firm is briefly discussed. Regardless of the size of a law firm, the principles of the following discussion remain the same.

Information Technology: This is obviously the department with overall responsibility for the way in which much of the information held by a law firm is stored. For the IT department, the major issues will be limiting access to information to those individuals who need to know the information to carry out their job function, and developing other security safeguards such as the use of anonymizing technology and operational safeguards. For example, a hierarchy of roles or functions may be assigned, with roles assigned levels or degrees of access. Access may also be limited by department, with walls established between the professionals and their assistants, and the staff who have access to accounting information or human resources information but not to client information. Passwords, firewalls and secure encryption may also be utilized. Laptops, handheld devices and wireless networking also raise security issues.
Website: The firm website must also be considered. If personal information is collected through the website, the appropriate procedures will be required. Cookies are frequently used on websites in order to facilitate better utilization of the site by the user. Cookies often collect personal information, which raises privacy issues. For example, in a finding of the Privacy Commissioner of Canada, the use by an airline of permanent and temporary cookies on its website to permanently collect language and country of choice, and temporarily collect name, mileage balance, country code and language preference, amounted to a collection under the Act. Because the website was coded in such a way that a user could not proceed until the cookie had been stored, a user who had configured his browser to disable cookies could not access the site. The Commissioner found that because the denial of access to the site amounted to a requirement to provide, as a condition of the provision of service, more personal information than was necessary, the organization was in breach of the Act.[6]

Human Resources: While the PIPEDA does not apply in respect of employee information, HR departments often hold a great deal of personal information related to prospective employees (i.e., applicants), past employees and partners. Such personal information is subject to the PIPEDA. And, in any event, provincial legislation does apply to personal information about employees in B.C., Alberta and Quebec; accordingly, law firms with offices in those provinces will have to treat such information in accordance with the applicable legislation.

[6] PIPED Act Case Summary #162
Administration: Often an administration department is responsible for third party contracts with service providers, some of which provide services that involve personal information. Accordingly, those contracts will need to be examined to ensure compliance. For example, closed client files are frequently stored in off-site storage provided by a third party storage company. Mail rooms, copying services and other administrative matters may be outsourced. Where personal information is transferred by a law firm to a third party service provider for processing, the law firm remains responsible for ensuring a comparable level of protection while the information is being processed. Accordingly, those departments must be assessed, and the agreements with these service providers will have to be reviewed and updated.

Billing and Accounting: Time dockets contain details of the work done on the client's behalf, and client information includes financial and accounts receivable status, records of payments and other financial information. Where this information is about an identifiable individual, it will be personal information. The ways in which such personal information is collected, used and disclosed for accounting purposes must be assessed, and the contracts with any third party providers, such as systems providers or contract accounting professionals, must be examined and updated. In addition, a law firm may wish to consider its policies with respect to, for example, file naming conventions and conflict searches, which may raise issues relating to the security obligations and the "need to know" principle.

Marketing: Client databases are often maintained by a marketing department. Contact information and other client details (such as family status, number of children, interests or education) may be added to the database in an ad hoc manner whenever instructions are received from any lawyer or staff member. Frequently, law firms communicate with clients for marketing purposes through e-mail, newsletters or legal updates. These communications may use personal information (i.e., personal addresses, interests or preferences). An assessment of the number and types of databases maintained for marketing purposes, and of the information contained therein, should be undertaken.

Corporate Services: Many law firms maintain corporate records on behalf of clients. These records contain personal information about shareholders, officers and directors. This information may reside on a database, and may also be contained in paper files in a corporate records department. The nature and extent of such information will require assessment, and the appropriate procedures should be addressed.

6. Balancing Legal Requirements and Business Goals

At the foundation of all privacy legislation is the requirement that an organization must obtain the informed consent of the individual prior to collecting, using or disclosing his or her personal information. A large proportion of the personal information held by a law firm is obviously about clients. But an equally large proportion is about non-client third parties: relatives or business associates of individual clients, adverse parties, witnesses, officers or employees of clients, experts and consultants, and various other third parties, many of whom might ordinarily never know that the law firm has such personal information. The administrative obligations imposed by the legislation require all organizations, including law firms, to ensure that safeguards appropriate to the sensitivity of the information are implemented to prevent unauthorized access, use, disclosure, modification or destruction of the personal information in their possession.

It remains to be seen how the PIPEDA will be applied to law firms, in light of the unique nature of the work that lawyers do and the central function lawyers fulfil within the justice system. There is no doubt, however, that the application of privacy laws to lawyers in private practice is going to change the way we all do business.