Implementing Privacy Codes of Practice
The Model Code for the Protection of Personal Information being developed under the auspices of the Canadian Standards Association (CSA) has the potential to advance the cause of personal-data protection in Canada. No other country has attempted to negotiate and establish on a voluntary basis a general minimum standard for privacy protection in its private sector. As an innovation in privacy protection policy, therefore, the implementation of the code does raise a number of intricate questions that have never been addressed before, either in Canada or overseas.
The CSA has commissioned this research in order to gain a better appreciation of how the CSA Model Code might promote the effective and consistent implementation of personal-data protection standards. This research is presented in a report organized into three parts, which may be read cumulatively or separately. Part I consists of a description of how existing privacy codes are implemented and overseen both in Canada and in selected foreign countries. This analysis will review the scope and depth of data protection policy in Canada and contrast that coverage with the position overseas.
Chapter One presents a brief overview of the regulatory provisions currently in force in Canada that affect the collection, storage, processing, and disclosure of personal information. This provides some context for the later discussion of codes and highlights some of the current issues that are being debated about policy responses to the privacy problem. The CSA Model Code is being developed at a time when there is a stimulating debate amongst advocates and experts about whether the legislative solutions of the 1970s and 1980s are adequate for the years ahead. The CSA initiative is one of a number of innovative approaches that have been offered to respond to the more complicated challenge of protecting personal privacy within the fluid, decentralized, networked information highway environment of the 21st century.
Chapter Two analyses the meaning of voluntary or self-regulatory data protection. It describes the evolution of privacy codes in Canada and presents a typology of the diverse range of instruments that have that label. Chapter Three provides a more detailed discussion of the major codes of practice from the Canadian Bankers Association, the insurance industry, Stentor, the Canadian Direct Marketing Association, and the Cable Television Standards Foundation. These codes are compared according to the way they perform certain essential functions of consumer education, complaints resolution, employee training, and oversight.
Chapter Four analyses the function of privacy codes of practice under different regulatory systems in other countries, with a particular emphasis upon Britain, the Netherlands, and New Zealand. This will highlight the advantages (and disadvantages) of developing codes of practice within the statutory framework of a general data protection law. Chapter Five provides an overview of the current state of personal-data protection in Canada's private sector and outlines the ways in which the CSA Model Code might facilitate the effective implementation of privacy codes of practice.
Part II of the report draws what I regard to be the most useful lessons from historical and comparative experience about the drafting of codes of practice, about promoting greater consumer awareness, about providing effective redress and participation for the data subject, and about raising the level of accountability within organizations that process personal information. This analysis will be directed toward the operational guidelines to be presented in the accompanying Workbook.
Part III of the report addresses the central question of what it should mean to adopt the CSA Model Code. I analyse the roles that various organizations might play in monitoring its implementation, bearing in mind the diversity of private sector practices and the different legal, technological, and economic environments in which different sectors have to operate. The analysis will consider the ways that the implementation of the privacy code might be integrated into existing standard-setting mechanisms, and attempt to draw lessons from the oversight of standards in related policy fields. Part III concludes with an analysis of the incentives that might be at work to encourage organizations to sign on.
There are several questions that this research will not, and cannot, address. This report is not going to evaluate the adequacy of existing codes of practice in different sectors. I will make some comments on the overall picture for privacy protection in Canada. But I cannot judge the effectiveness of individual sectoral or company policies in order to rank their relative success in meeting privacy standards. Whether or not data protection codes or laws work is a question that is extremely difficult to answer in any definite way. Data protection rules (including codes of practice) encompass an intricate blend of organizational obligations and consumer/citizen rights. There is not, then, one overall standard of workability. Moreover, the success of these instruments will obviously vary within individual sectors, within individual firms, and across time and space. The context of rapid technological, economic, and regulatory change and uncertainty also means that an evaluation today could be dated tomorrow.
This report will also not comment on the wording of the CSA Model Code. It will focus instead on the process through which organizational obligations may be fulfilled and individual rights exercised. Thus an evaluation of the substantive content of the code and the wording of different principles is beyond the scope of this research. Moreover, I have concluded from my research on this subject, over some 15 years in Europe and North America, that debates on personal-data protection in most societies have centered as much on questions of implementation and enforcement as on the wording of principles. That is not to deny the intricate problems that arise over the interpretation of key words like consent, collection, processing, disclosure, and so on.
Finally, this report cannot discuss in any great depth the particular privacy challenges in individual sectors of the economy. The analysis obviously has to be cognizant of the shifting and indistinct boundaries between industry sectors. Moreover, future implementation of the CSA Model Code must remain sensitive to variations in community needs, according to their size, the importance and sensitivity of the information collected, and whether personal data are employee- or consumer-related. The privacy issue spans all sectors. It has legal, economic, technological, and political dimensions in every corner of advanced industrial societies.
Thus I bring to this research neither an in-depth expertise in any one sector, nor a particular competence in computer and communications technologies, management information systems, or network security. Instead, I bring the expertise of the policy analyst: a grasp of the general philosophy behind privacy claims, how that theory has been translated into a public policy of personal-data protection in different societies, and how that policy has been implemented in different jurisdictions. Two of the intriguing and perennial features of this area of public policy are its constant attention to the experiences of others and its abiding need to draw lessons. The central purpose of this research is just that - to draw lessons.
The research methodology has involved the following activities (see Appendix 1 for the Terms of Reference). First, a substantial quantity of documentary evidence has been collected and analyzed. This includes codes of practice, regulations, guidance notes, promotional materials, training manuals, and so on. The report will be accompanied by a Sourcebook of the most relevant materials gathered from different Canadian and foreign organizations.
Secondly, non-structured interviews have been conducted with representatives from a range of public and private organizations in Canada, including trade associations, the offices of Information and Privacy Commissioners, offices of other federal agencies, consumer associations and public interest groups, and experts in auditing, management information systems, and computer security. A list of the agencies and organizations contacted is included in Appendix 2.
Thirdly, potentially very useful information has been gathered from overseas data protection authorities. I took the opportunity to attend, in September 1994, the 15th Annual Conference of Data Protection Commissioners, in the Hague, which allowed formal and informal contacts with officials from Britain, France, Germany, the Netherlands, New Zealand, Australia, and Ireland. Each of these countries has experiences of data protection of potential interest to the CSA.
Finally, I have also drawn upon the secondary literature on privacy and data protection in North America and Europe. Whilst there exist a vast number of books and articles on privacy and the laws on privacy, there is, curiously, very little on codes of practice. I am hopeful, therefore, that this research will not only contribute to the resolution of questions relating to the implementation of the CSA Model Code but will also fill a longstanding gap in the literature on privacy and data protection.
At the outset, it is necessary to clarify my use of certain terms. The CSA is developing a Model Code for the Protection of Personal Information. Many organizations, however, describe these instruments as privacy codes, and I shall continue to use this designation from time to time. However, it is necessary to point out that this is something of a misnomer. Most, if not all, privacy codes deal solely with the question of information privacy or personal-data protection. Yet privacy is a broader value that encompasses other interests besides the protection of personal information, including the limitation of intrusiveness by the press, the protection of a realm of private intimate decision-making, the right to engage in unconventional lifestyles, and so on. Privacy has become an umbrella value through which is justified the general right to be let alone. We should be careful, therefore, in not claiming too much from privacy codes of practice, beyond the control over the collection, storage, processing, and transmittal of personal information.
I am grateful to many people for providing me with the raw material for this study. A large number of organizations provided relevant written materials. Representatives from a substantial number of these were contacted and interviewed in person (see Appendix 2). I guaranteed anonymity in all the interviews I conducted. I would like to acknowledge, however, my appreciation for the time that many people spent with me and for the candour with which everyone responded to my enquiries. I am also very grateful to my research assistant, Darren Osadchuk, a graduate student in the Department of Political Science at the University of Victoria, for his help in collecting and organizing the large amount of material upon which this study is based.
Colin J. Bennett, Associate Professor, Department of Political Science, University of Victoria.