REGULATING PRIVACY IN CANADA:

V The Oversight Functions
1) The Receipt, Verification and Approval of Privacy Codes
2) The Receipt, Investigation and Resolution of Complaints
3) Audit Powers
4) Enforcement Powers
5) Advice on the Privacy Implications of New Technologies
6) Public Education and Research
7) Sanctions and Remedies

VI Summary: The Elements of an Oversight System in Canada

Conclusion: Questions for Further Analysis

Appendix 1: Powers granted to Information and Privacy Commissioners in Complaints investigation and resolution
Appendix 2: Enforcement Powers of Information and Privacy Commissioners
Appendix 3: Advisory Functions of Information and Privacy Commissioners/Commissions on Privacy Implications of Legislation and Technologies
Appendix 4: Public Education and Research Functions of Information and Privacy Commissioners
Appendix 5: Terms of Office of Information and Privacy Commissioners

Introduction

On March 25th, 1996 Industry Canada hosted a workshop on Exploring the Oversight Function for Personal Data Protection in the Marketplace. In the morning session representatives from the Netherlands, New Zealand, Quebec, Hong Kong and the United States explained how data protection law is administered and enforced in their respective societies. In the afternoon, the participants engaged in a roundtable discussion on the implementation of data protection policy in the Canadian context. The Canadian representatives included officials from federal government departments, the Office of the Privacy Commissioner (OPC), the provincial Information and Privacy Commissioner and Ombudsman offices, and the Canadian Standards Association (CSA).

I was asked by Industry Canada to be the rapporteur for this workshop and to write a report on the day's events. The views expressed in this paper, however, are not a strict report of all that was said at the workshop and no views are attributed to any of the participants. Rather the paper is a set of personal reflections on the various options for extending privacy protection rules to the private sector in the light of the very informative discussion on this occasion. These views are mine and mine alone, even though they have been shaped by numerous conversations with experts and officials both before and after the March 25th workshop.

The paper also builds upon my own previous work on the implementation of privacy protection policy in other countries, especially Regulating Privacy: Data Protection and Public Policy in Europe and the United States, and upon the research conducted on the implementation of the Canadian Standards Association's Model Code for the Protection of Personal Information (Q830). The paper also draws upon other comparative and Canadian analysis of the implementation of privacy protection policy. In particular, the 1995 report by Ian Lawson set out a complete range of regulatory options for the protection of privacy on the information highway. This paper attempts to narrow the focus, and to concentrate on the most practical regulatory options for Canada.

Although there is plenty of scope to draw lessons from Canadian and overseas experience, we are not working with a tabula rasa. There are public sector laws at the federal level, and in most provinces. In Quebec's Bill 68, we have the only legislation in Canada that regulates private sector practices. Each of these statutes grants a different range of powers and responsibilities to the respective offices of Information and Privacy Commissioners (see Appendices). In addition, there are a plethora of other provisions within provincial and federal statutes that relate to the collection, storage, processing and transmission of personal data. Many businesses have also developed voluntary "codes of practice." It is impossible to "wipe the slate clean" and to build a privacy protection regime from the ground up. The policy process will be inescapably incremental. It must build upon the instruments and provisions that are already in place.

The paper will also not grapple with the complicated issue of federal/provincial constitutional authority. To a large extent, questions about the appropriate oversight and compliance mechanisms will apply whether or not legislation is crafted with a comprehensive scope, or whether it applies more narrowly to federally regulated entities. This paper addresses the functions that need to be performed in any effective regime for personal data protection. Those functions will require careful analysis whether they are performed at the federal and/or provincial levels, or on a comprehensive or sectoral basis. This paper is about the level of regulation. Jurisdictional conflicts will continue to occur under any legislated or self-regulatory scheme.

I am, therefore, indebted to those people who attended the March 25th workshop. This paper cannot purport to offer any consensus on the results of that meeting. Nevertheless, I hope that those present recognize from this paper the most important themes and issues discussed on that occasion. I am also grateful to Ritu Mahil for her research assistance.

I. The National Standard for Privacy Protection

In its 1995 report the Information Highway Advisory Council (IHAC) advised the federal government to:

create a level playing field for the protection of personal information on the Information Highway by developing and implementing a flexible legislative framework for both public and private sectors. Legislation would require sectors or organizations to meet the standard of the CSA model code, while allowing the flexibility to determine how they will refine their own codes.

The report goes on to recommend that the federal government "in cooperation with the CSA Working Group on Privacy and other interested parties, study the development of effective oversight and enforcement mechanisms." This paper is a contribution to that effort.

On May 23, Industry Minister Manley released the government's response to the IHAC report in which it was concluded that "the right to privacy must be recognized in law, especially in an electronic world of private databases where it is all too easy to collect and exploit information about individual citizens." Hence:
As a means of encouraging business and consumer confidence in the Information Highway, the Ministers of Industry and Justice, after consultation with the provinces and other stakeholders, will bring forward proposals for a legislative framework governing the protection of personal data in the private sector.

The government's response explicitly mentions the Model Code for the Protection of Personal Information from the Canadian Standards Association as a legislative framework. The following principles have been widely agreed by representatives from government, industry and consumer associations. They represent an important consensus on the basic principles of a privacy protection policy:

… Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
… Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected
… Consent
The knowledge and consent of the individual are required for the use, or disclosure of personal information, except where inappropriate.
… Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
… Limiting Use, Disclosure and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
… Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
… Safeguards
Personal Information shall be protected by security safeguards appropriate to the sensitivity of the information.
… Openness
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
… Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
… Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

The goal of any national privacy protection policy should be to implement these principles throughout all organizations that process personal data (in both public and private sectors).

This goal requires voluntary action from the "bottom-up" as well as regulatory action from the top-down. There are a range of tools within the repertoire of possible policy instruments. Four are outlined within Industry Canada's 1994 publication Privacy and the Canadian Information Highway: legislation and regulation; voluntary codes and standards; technological solutions; and consumer education. Although this paper concentrates on the relationship between law, regulation, codes and standards, it should never be forgotten that technologies of privacy (such as public-key encryption) have a crucial role to play in any privacy policy. Moreover, no policy can succeed without the actions of an informed and vigilant citizenry. Each of these four approaches contributes to a "mosaic of solutions." Each is a necessary condition for privacy protection on the information highway; none is a sufficient condition.

II. The Value of the Privacy Standard

The status quo has been described as a "privacy patchwork." A comprehensive data protection law covering all private sector organizations in Quebec contrasts with a hodgepodge of voluntary codes and isolated statutory provisions in the rest of the country. Partly as a response to this incoherence, the Canadian Standards Association (CSA) has recently developed a Code for the Protection of Personal Information in association with stakeholders from government, consumer groups and key industry sectors (banking, telecommunications, insurance, direct-marketing, credit-reporting). This Code was ratified without any dissent in September 1995 and was released in March 1996. It was designed to add some uniformity to data protection policy and practice within the Canadian private sector.

At first glance, the CSA Model Code might seem a Canadian version of the OECD Guidelines -- a rearrangement and translation of the key principles into the Canadian context. At the moment, it is just that -- a model that any organization can use and adapt to their specific circumstances. But it does represent a very important consensus, brokered among the major stakeholders. Moreover, it has doubtless been very valuable for participants in the process to think about the privacy protection problem from scratch and to grapple with these complex issues.

Although no decision has yet been made about the mechanisms for implementation and oversight, the CSA Model Code is a "standard" that might be subjected to the same kind of certification and registration procedures that are used for other standards. Privacy, of course, is not the kind of "hard" standard typically used within manufacturing industry. Nevertheless it does have certain parallels with the range of "quality management standards" within the ISO-9000 series that have been rapidly permeating the Canadian and American private sectors, as well as with environmental standards in the ISO 14000 series. Thus, in the same way that a company might be forced to register to ISO-9000 to convince its clients and customers that it has adopted a level of "quality assurance" the same system of accreditation could be developed to the privacy standard, where effective data protection is demanded within the Canadian or international marketplace. The price of maintaining a registration to the standard would be an agreement to have independent and regular privacy audits.

Of course, not all businesses would be expected to go to the kind of trouble and expense of registering to ISO-9000. The registration scheme for privacy would also require procedures applicable to the smaller business. The scheme requires an appropriate balance between the encouragement of registration on the one hand, and the prevention of symbolic claims about policies and practices on the other. It also requires an appropriate publicity vehicle, so that any consumer can find out who has registered to the standard and who has not. A "Privacy Good Book" in the form of a Privacy Register would have to accompany the registration scheme.

If a credible registration process is established, the CSA Model Code ceases to be a "voluntary" mechanism. Organizations would have to produce a code and a related set of operational guidelines and be subjected to regular and independent auditing of their practices. The system would build a more consistent and credible system of verification than occurs at the moment. It could satisfy international and contractual requirements. It could provide a more common and consistent yardstick by which to observe and evaluate company practices. Such a system would be able to monitor the claims made by organizations about their policies and practices.

I have suggested that the privacy standard might filter throughout the marketplace by a number of different inducements to registration: by moral suasion; by the desire to avoid adverse publicity; by the desire to gain a competitive advantage; by the reference to the standard in private contract; by the registration to the privacy standard in conjunction with registration to ISO-9000; by the reference to the standard when government "contracts out" data processing services; by pressure from research-funding agencies; by the regulation of interprovincial data flows in Quebec's Bill 68; and by the use of the "adequacy" provisions by European data protection authorities. Canadian and foreign regulatory bodies can insist that the receipt of personal data within Canada be accompanied by a registration to the CSA Model Code.

As outlined, the registration to the CSA Model Code would provide a better yardstick for the evaluation of personal information practices. It could promote higher levels of consumer awareness. It could raise the levels of responsibility and accountability within Canadian business. It can initiate more and better privacy auditing. But the process would still be incremental and piecemeal. It could never achieve the kind of uniform legal standard in Canada, the "seamless protection" that the Federal Privacy Commissioner has called for.

III. The Value-Added of Data Protection Law

Leaving aside the peculiar constitutional dilemmas within Canada, what would a legal regime add to the standards-approach monitored through a registration regime administered through an accredited standards-registration body? Five arguments are persuasive.

First, only law can express the standards of the community, the line beyond which no organization should be allowed to cross. This is what Bruce Phillips has in mind when he argues that "unless some sensible rules of traffic management are a part of these systems, the first roadkill will be our personal privacy and dignity." The metaphor of the "information highway" does lead naturally to the undeniable argument that there needs to be some consistent "rules of the road." For many businesses the rules of the road might be attractive to create a "level-playing field" ­ a clear and consistent set of privacy rules that apply across the entire Canadian marketplace.

Law does not necessarily provide that standard. "Far too frequently," Oscar Gandy reminds us, "we tend to talk about the law as the even-handed instrumentality that ensures that the universal values claimed for any society are protected and guaranteed." Any advocate for a legal regime must recognize the vast inequalities within the operation of the law, especially when it is used as a "strategic weapon" rather than as "an expression of a basic moral vision, a set of guiding principles that serve as foundations supporting relations among persons."

Second, those "rules of the road" are more likely to be even-handedly applied under the guidance of an impartial "traffic cop." The CSA Model Code states that each organization shall designate an individual who is responsible for compliance, and that organizations shall make it clear how consumers might challenge compliance with the principles (Principles One and Ten). Under current circumstances, the highest mechanism for complaint resolution within most sectors is within the business that is processing the personal data. Only legislation can establish a final arbiter external to the organization. Only legislation can involve the institutions that to date have the best experience with resolving privacy complaints within Canada -- the offices of the federal and provincial Information and Privacy Commissioners.

Third, only law can bring the recalcitrants into line. However successfully the CSA Model Code can regulate the practices of the most responsible businesses, there will always be a minority that will see a competitive advantage in processing personal data in contravention of the standard. Undoubtedly, the fear of the CDMA that the image of its responsible members is being tarnished by a minority of non-members motivated its call for national legislation based on the CSA standard. This move is fascinating. It indicates that at a certain point for some sectors, legislation becomes the acceptable alternative to continued bad publicity.

Fourth, an economic argument can be advanced. As Ian Lawson has argued: "To the extent that business obtains and uses personal information without a market mechanism to govern the exchange, business is a classic free rider in the economy. It consumes a common property resource without covering the externalities related to its extraction and use." So when organizations benefit from the use of the information, either themselves or by trading that information to third parties, no benefits accrue to the original information provider. That situation has perpetuated because of the reluctance of many businesses to be transparent about their practices and to establish mechanisms to obtain informed consent when they wish to use personal information for "secondary uses." Business remains a "free rider" so long as individuals are kept in the dark about how their information is being used and disclosed.

Classic economic theorizing would contend that an imperfect marketplace can be rectified by two mechanisms. First, one can give a value to personal information so that the costs and benefits of transactions are allocated more appropriately. There have been some proposals for market-based solutions to this imbalance; all rest on schemes to give individuals some property rights over their information with appropriate compensation when it is used for purposes other than those for which it was originally supplied. The other solution is regulatory intervention to redress the marketplace imbalance. It is contestable, of course, that economic theorizing has any role to play in the protection of a fundamental human right. Nevertheless, even according to the principles of neoclassical economic reasoning, the arguments for regulatory intervention are hard to resist.

Fifth, only the law can harmonize the standards of the public and the private sectors. Where the "public" sector ends and the "private" sector begins is increasingly difficult to determine. Questions raised about the application and meaning of the privacy provisions in the Federal Privacy Act and related provincial statutes will have an evolving impact on the practices of the private sector. It can also be expected that the increased publicity that privacy issues will receive in the media as a result of the efforts of the Privacy Commissioners will continue to have some spill-over effect. The need for "seamless protection" between the private and public sectors was one key factor behind the passage of the New Zealand Privacy Act.

The distinction is also being eroded by efforts to privatize or hive-off government functions. Thus "private" organizations are increasingly performing "public" functions, and often require the use of "public" data to fulfill those obligations. Illustrations include: the use of smart cards and ATM machines for the dispensing of government benefits; the matching of data on welfare recipients with bank or financial records to ascertain eligibility; the trading of government personal information to enhance revenue; the use of credit reports for security checks, and so on. The pervasiveness and flexibility of the new technologies will make it increasingly difficult to determine which data are "in" the public sector, and which "in" the private.

Finally, and the least important reason, concerns the interpretation of Article 25 of the new European Directive on data protection:

The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.

Notwithstanding the stipulation in Article 26 that "professional rules and security measures which are complied with" may be taken into account in determining the "adequacy of protection," Article 25 could mean that European regulators might legitimately interrupt flows of data to every part of Canada except Quebec, unless legal protections are forthcoming. An "adequate level of protection" could be interpreted to mean a legislated regime, overseen by an independent "supervisory authority." At the very least, it should be noted that any professional rules (such as codes of practice) have to be complied with. Any data protection system in Canada has to demonstrate that it is seriously and effectively implemented.
IV. Legislating to the Standard

Unlike voluntary codes of practice, the CSA standard can be referenced in law. Around one-third of CSA's published standards have been referenced either in federal and/or provincial legislation. Most of these standards relate to the technical standards for products procured by government. Increasingly, however, performance standards, such as those for quality management or environmental protection, are being used in order to implement statute, regulation and court-order. There is nothing to stop federal and/or provincial authorities using Q830 in a similar way.

The report of the Information Highway Advisory Council, however, envisages a more comprehensive approach -- a "flexible legislative framework for both public and private sectors. Legislation would require sectors or organizations to meet the standard of the CSA model code, while allowing the flexibility to determine how they will refine their own codes." This seems to contemplate "framework" or "shell" legislation at the federal level; a statement of principles and obligations, leaving the functions of complaints resolution, investigation, auditing, and so on, as a matter for further analysis "in cooperation with the CSA Working Group on Privacy." But there have been a number of different interpretations of what IHAC means and of what it means to "legislate to the standard."

The Canadian Direct Marketing Association, for example, called upon Minister Manley:

to place before Parliament framework federal legislation that requires each industry sector to develop its own specific privacy code that meets a national standard. We do not think this legislation needs to be complex, nor would it be expensive to administer. We suggest a similar model to that of the Canada Health Act that sets minimum national standards but allows each province to develop and run its own health care system to meet its specific needs.

The CDMA goes on to explain that "each code would reflect the needs of the individual sector and meet the standards set by the OECD and/or draft CSA codes." Moreover, the CDMA also has "concerns that regulatory authority could be used to make the principles more onerous. We think the concept of allowing industries to create standards that protect privacy and meet their particular needs will prevent undue regulatory interference." The CDMA would delegate a small complaints-resolution function to the Federal Privacy Commissioner.

There is a key distinction between voluntarism and self-regulation. The former implies that public policy should remain indifferent to the policies and practices pursued. It implies that government should simply trust business to pursue privacy-friendly practices but has no interest in setting an overall standard. This has been the position of the Canadian and American federal governments to date. A self-regulatory regime, on the other hand, establishes in law the standard and grants business the authority to regulate its own practices. The key difference is that a legislated standard is set, and that both individual and organization knows that when self-regulation breaks down, the policy instruments established under the law can intervene.

The Federal Privacy Commissioner has a slightly different vision, suggesting that the CSA Model Code could form an amendment to the Privacy Act. This option is attractive to the Privacy Commissioner as it would "embody in law a set of rules devised by a committee representing a broad cross-section of Canadian private enterprise." However, the Privacy Commissioner says nothing about "codes." For him the advantage of legislating to the standard is that "observance of the CSA standards would become a legal obligation and would be supported by a system of independent oversight."

Ian Lawson also recognizes the "unique consensus that is emerging between government, consumers and industry players" and that is reflected in the CSA Model Code. For him, the "higher purpose of the Model Code is for it to be adopted-by-reference as a legislative standard to which the private sector must comply as a condition of using personal information on the information highway."

Lawson outlines three possible options for federal regulation based on standards-enforcement. Under his "Light Version", framework legislation is enacted by the federal government with the operating provision that data users must comply with the CSA Model Code by developing an appropriate code that meets the industry standard. The model would rely entirely on the CSA as the monitoring instrument, and embodies no obvious role (beyond moral suasion) for the Privacy Commissioners.

Under his "Medium Version", the Privacy Commissioners would be "mandated to receive complaints from consumers relating to the data user's compliance with its code." The Commissioners apply "existing problem-solving techniques, including education, persuasion, and mediation." This then adds a layer of oversight to the CSA Model Code, in addition to any code verification and registration process established through an accredited registrar. It perhaps adds a more coherent and focussed method of redress for the aggrieved individual, and locates overall oversight responsibility within the institutions that have sole responsibility for, and expertise in, the privacy issue.

Under Lawson's "Heavy Version", the Privacy Commissioners would not only resolve complaints but would be "empowered to issue orders requiring data users to comply with their codes; disobedience of such orders is a criminal offence." The legislation would also establish civil liability for failure of a data user to comply with its code." Only under Lawson's "Heavy Version" would registration be underpinned by a set of legally enforceable rights, and be subjected to the general oversight of the Privacy Commissioners. Only under this version would a system of data protection be constructed that brings the full range of compliance mechanisms to bear on the problem.

The remainder of this paper builds upon Lawson's analysis and addresses in more detail the oversight functions under a system in which the CSA Model Code is referenced in federal and/or provincial legislation. If the law says that any business operating in Canada must comply with the CSA Model Code as a condition for using personal information on the information highway, what further responsibilities and obligations need to be assigned?

V. The Oversight Functions

A functional approach to policy analysis begins with a statement of the functions that might be performed within any public policy, and only then considers the public and private agencies that might perform them. The discussion at that workshop on March 25th was organized according to the following functions: the receipt, verification and approval of privacy codes; the receipt, investigation and resolution of complaints; enforcement powers; the auditing of organizations; advice on the privacy implications of new technology practices; education and research; and remedies and sanctions. This analysis is organized according to the same framework.

1) The Receipt, Verification and Approval of Privacy Codes

There are probably more instruments that can be called "privacy codes" in Canada than in any other society. I have concluded that "almost by default, Canada has become the only country in the advanced industrial world that has begun seriously the process of promoting privacy protection from the bottom up." Codes of practice are, and will continue to be, a feature of privacy protection policy in Canada. The question is, what role should they play under a legislated regime?

Peter Hustinx, the President of the Netherlands Registratiekamer (the Dutch Data Protection Authority), has concluded that codes of practice do offer some clear advantages even within a legislated data protection regime. The procedure of negotiating codes enhances the understanding of the privacy problem within different sectors. It also allows his office to gain a better appreciation of the relevant privacy issues and directly to influence the self-regulatory mechanisms. Codes are quite flexible instruments and once negotiated can be adapted to changing economic and technological developments. Codes also allow organizations to publicize their privacy policies and to remove suspicions about the improper collection, processing and dissemination of personal data. They allow an "enhanced measure of understanding on both sides." Similar advantages have been noted by Canadian analyses of the subject.

Codes of practice have been developed for a number of different motivations. Peter Hustinx has noted four: to avoid legislation; to anticipate legislation; to implement legislation; and to supplement legislation. The development of a legislative system in Canada would signal a move from the first two incentives, to the second two. Codes of practice should offer detailed guidance to employees in an organization about how to implement the privacy principles contained within the law. Codes should clarify legal obligations without weakening or obscuring the legislative standard. To the extent that this can be achieved, they should continue to play an important role within a Canadian system of personal data protection.

There is, however, a difficult problem concerning the relationship between privacy codes of practice and the privacy law. There are three subtly different models that have evolved in those countries that use or countenance privacy codes.

The first, and in many ways most stringent, is represented by the system under the New Zealand Privacy Act. The system for negotiating and promulgating codes of practice is spelled out in greater detail in the New Zealand legislation than in any other law. The provisions have also been supplemented by a detailed guidance note from the Privacy Commissioner. Thus, where the Privacy Act specifies the functions of a code, and to whom (or what) a code may apply. The law allows, among other things, for standards that are less stringent than the information privacy principles, as well as for exemptions.

The crucial aspect of the New Zealand approach is that codes of practice negotiated under the Privacy Act have the force of law. The statutory force of codes is expressed as follows:

Where a code of practice is in force --
a) The doing of any action that would otherwise be a breach of an information privacy principle shall, for the purposes of Part VII of this Act, be deemed not to be a breach of that principle if the action is done in compliance with the code;
b) Failure to comply with the code, even though that failure is not otherwise a breach of any information privacy principle, shall, for the purposes of Part VII of this Act, be deemed to be a breach of an information privacy principle.

Codes of practice in New Zealand therefore have "teeth." A breach of a ratified code of practice is as serious as a breach of the information privacy principles expressed in the law, which would then trigger the complaints and enforcement procedures in the legislation. Final remedies for such a breach can be obtained from the Complaints Review Tribunal.

The Privacy Commissioner subsequently published a "Guidance Note" to explain his understanding of these provisions. He notes that a "code of practice is a legal document. It is enforceable through the Commissioner and the Complaints Review Tribunal (although not usually through) the ordinary courts." The codes might restate the principles and provide for "specific departures, procedures, standards or exceptions. Or a new set of rules can substitute for the principles. Either way there must be a rule or standard against which a complaint can be measured. The purpose of a code of practice is to increase relevance, certainty, precision and clarity, not to substitute some other language which might create uncertainty."

Thus far, only three codes have been issued. The first is a comprehensive code for the processing of health information, a fifty-page document that goes through each of the privacy principles and applies them (with commentary) to the health field. The second (produced relatively quickly at the instigation of the Privacy Commissioner) governs the operations of GCS Limited, the government-owned corporation that supplies computer processing services to major government departments. The third was developed in conjunction with the Association of Superannuation Funds. Each is affixed with the "Seal of the Privacy Commissioner" to signify that the code is consistent with the Privacy Act, and was developed in accordance with its procedures. This is the most formal endorsement process in existence in any country. The fact that only three codes have been issued, however, suggests that many associations have been reluctant to devote the necessary time and resources to code development. However, others are currently under development.

The second, slightly more flexible regime, exists in the Netherlands. The Dutch system is similar in most respects to that in New Zealand. There is a lengthy and careful process of code negotiation. At the end of the day, however, the codes are not formally binding on the courts. Certainly if an organization can prove that it has met the requirements of its code, then it will have a strong case. Conversely, if a complainant can demonstrate that the provisions of the code have been breached, then this constitutes prima facie evidence of liability under the law. Codes then have indirect, rather than direct, legal effect. However, the Registratiekamer is still expected to give its approval to the code, a process that often has been difficult and contentious. Several key sectors have still to develop codes of practice under this system. Some codes (such as that in the Dutch banking sector) have been rejected.

In Britain, thirdly, the Data Protection Registrar is empowered by the Data Protection Act to "encourage trade associations or other bodies representing data users to prepare, and to disseminate to their members, codes of practice for guidance in complying with the data protection principles." Privacy codes had been a feature of the British data protection landscape since the early 1970s. Codes under the 1984 legislation are not "statutory" in this sense, although they do play a significant role in the interpretation of the data protection principles and in the enforcement of the law.

The first Data Protection Registrar, Eric Howe, was initially very enthusiastic about the importance of codes within the British data protection regime. In his very first annual report in 1985, he stated: "I have become increasingly convinced that codes of practice will be a valuable assistance to compliance with the data protection principles. Such codes should be positive and practical. They must support and propagate good practice and not simply consist of well intentioned but vague statements." In his Second Report the following year, he outlined a preliminary statement about how codes of practice ought to be developed: "To command respect Codes of Practice must not simply paraphrase the Act or be exhortative -- they must state clear practical actions which are to be followed."

The purpose and operation of codes of practice in Britain is still somewhat unclear, however. The former Registrar was generally careful not to "endorse" codes, in the fear that their provisions might come into possible conflict with the legislation. He therefore tended to "welcome" them as offering helpful guidance to employees, thus reducing the need for regular intervention from the staff of the office. He also rejected the notion that detailed statutory codes should be prepared for each sector and that compliance with the codes would replace compliance with the law: "The great effort required to define sectors and develop precise codes in fine detail would, in my view, divert resources from encouraging compliance with the powerful and flexible principles." The negotiation of codes can be time-consuming, and possible conflicts can occur in interpretation with unforeseen consequences. This issue still requires discussion in Britain as a result of the provisions within Article 27 of the EU Directive.

Codes of practice therefore have a role under a variety of regulatory conditions. They have also become increasingly popular; they are used most in those countries which have legislated in the 1980s rather than before. The complexities and diversification of personal data processing have produced observed needs for more specific guidance on how the vague and broad fair information principles can be translated into the day-to-day lives of complex organizations.

A measure of the increasing interest in codes is the provision within the EU Data Protection Directive:

1) The Member States and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper implementation of the national provisions adopted by the Member States pursuant to this Directive, taking account of the specific features of the various sectors.

2) Member states shall make provision for trade associations and other bodies representing other categories of controllers which have drawn up draft national codes or which have the intention of amending or extending existing national codes to be able to submit them to the opinion of the national authority. Member states shall make provision for this authority to ascertain, among other things, whether the drafts submitted to it are in accordance with the national provisions adopted pursuant to this Directive. If it sees fit, the authority shall seek the views of data subjects or their representatives.

This provision also needs to be read in conjunction with Recital 60: "Whereas Member States and the Commission, in their respective spheres of competence, must encourage the trade associations and other representative organizations concerned to draw up codes of conduct so as to facilitate the application of this Directive." It appears that codes of practice are no longer an optional instrument within European data protection systems.

Codes of practice underpinned by a legislative framework obviously embody a greater compulsion that those currently in force in Canada. The role of the data protection agency is more central to code development and enforcement. Moreover, the process of code development can be more valuable than the result. Consultation over codes can ensure that organizations become more familiar with their own practices and more well-versed in their privacy obligations.

On the other hand, there is a central dilemma with the use of codes of practice within systems that have a comprehensive data protection law. If they are not formally endorsed by a data protection authority, then they may contain language that conflicts with the wording of the law, and confusion about applicability and enforcement might ensue (as in Britain). If a more formal ratification process is laid out, then (as in New Zealand and the Netherlands) this can lead to the bureaucratization of a process that, in theory, is supposed to allow the flexibility of self-regulation.

The advantages of codes of practice are mitigated by some other problems. Submission of codes in some sectors is often hindered by competition within sectors, and by unclear boundaries and overlaps that weaken the claim that the association submitting the code is sufficiently "representative." This has sometimes led to the submission of "codes" which merely recite the legislative provisions, to avoid the work necessary to adapt the law into a practical and detailed set of guidelines. Moreover, codes do not always help the data subject. The relationship between the code and the law is often unclear to someone seeking access and correction of personal data, for example. The data subject also rarely knows the difference between a code which has received the approval of the data protection agency, and one that has not.

Finally, under any legislated regime, it is necessary to make a distinction between the Privacy Code, that is the formal expression of policy within business or industry, the set of operational guidelines that are communicated to employees to remind them of their obligations, and the briefer statements of policy designed to give assurances to consumers. To date there has been little consistency in the codification of privacy codes. If these instruments are to have any wider statutory or evidentiary value under a legislated regime, then it will be necessary to distinguish the Privacy Code (with a large 'C') from the other diverse material that is published by business on privacy.

2) The Receipt, Investigation and Resolution of Complaints

The Federal Privacy Commissioner's self-declared mission is first "to be an effective ombudsman's office, providing thorough and timely complaint investigation to ensure Canadians enjoy the rights set out in the Privacy Act." Even Commissioners' offices that are not formally established on the "ombudsman model" are expected to receive and investigate complaints from data subjects. All also act as clearinghouses for more routine inquiries about the respective legislation.

Principle 10 (Challenging Compliance) of the CSA Model Code states that "an individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance." One weakness of the CSA Model Code (as it stands) is that complaint resolution mechanisms are largely located within the organization or industry. There are some exceptions: for example, the CRTC accepts complaints about the personal-information handling practices of the telecommunications industry; the CDMA receives complaints about direct-marketing practices. Moreover, complaints also reportedly go to regulatory bodies that have no jurisdiction over privacy. Complaints also go to the institutions with responsibility for privacy, but which have no jurisdiction over the private sector. The current process for the receipt and resolution of privacy complaints is variable and confusing.

The complaints resolution function is central to any effective oversight of personal data protection, but it can also be a time-consuming and a significant drain on resources. It is important not to exaggerate the importance of this function for the overall implementation of the privacy principles within the private sector. More pro-active techniques can be far more effective. The system for complaints-handling needs careful consideration and rationalization. Three questions require consideration: Who should be responsible for the receipt of complaints? Who should then investigate complaints and what further powers are necessary to fulfill that function? And what process of complaints resolution is appropriate at federal/provincial levels?

(i) The Receipt of Complaints

Complaints under a legislated CSA standard would still continue to be resolved principally at the level of the organization concerned. The first principle of the CSA Model Code stipulates the designation of an individual or individuals who shall be responsible for compliance with the privacy principles. Under certain circumstances, trade associations (such as those within the cable or direct-marketing industries) may also play a mediation role. The more credible and effective the complaints resolution at lower levels, the less the need for a complicated regime at governmental levels. Given the fact that complaints resolution is potentially the most time-consuming and least attractive of all the oversight functions that need to be performed, it is appropriate that the Privacy Commissioners should be the avenue of last resort -- the means of redress when resolution within the business, the trade or professional association, or even within a federal or provincial regulatory authority fails.

All Canadian legislation gives a complaints-handling role to their respective oversight offices (See Appendix One). This is emphasised more heavily in the Quebec and federal legislation than in that of BC, Alberta and Ontario. Each office has, therefore, developed expertise in this area and can handle complaints about the private sector more efficiently than any other federal or provincial agencies.

The filtering of complaints about the private sector will obviously require careful coordination between existing commissioners. Problems of jurisdictional competence can arise when for example the federal Privacy Commissioner receives a complaint about a provincially regulated enterprise. Under these circumstances any federal legislation might have to delegate powers of complaints resolution to the provincial commissioners. A regime needs to be established whereby provincial and federal agencies can cooperate through administrative arrangements to handle complaints at the most appropriate level.

(ii) The Investigation of Complaints

The more contentious issue is the investigation of complaints and what powers should be granted to allow this function to be performed. Again each provincial agency has powers of investigation vested in them. Normally these include the power to enter premises, to require records to be produced, and to summon the appearance of responsible persons (see Appendix One). These powers seem to be more extensive at the federal level than anywhere else.

Under Bill 68 in Quebec, the Commissioner may authorize an entrusted agent to make inquiries on his behalf. Any authorized person may "enter at any reasonable time, the facilities of an enterprise carried on by a person collecting, holding, using or communicating personal information to third persons." This reflects the belief that, as in the public sector, the Commissioner does need powers of on-site inspection if he suspects non-compliance with the data protection principles.

The larger question is whether or not the Commissioner be expressly empowered to conduct investigations in the absence of a complaint. Most offices in Canada also have the power to initiate an investigation on their own initiative. Such investigations may result from a pattern of complaints about a particular practice. Complaints tend to highlight concerns of a more general nature. Subsequent investigations would then take on the form of a more systemic "audits" of the personal information practices of an organization and would go beyond the particular grievance of the original complainant(s) (see below).

(iii) The Resolution of Complaints

The resolution of complaints about privacy may take a number of different forms and may also culminate in binding enforcement order. Canadian privacy legislation already displays a variety of procedures for the resolution of complaints that range from along the continuum of possible policy instruments.

The federal Privacy Act is based squarely on the ombudsman approach; complaints are received, investigated and findings and recommendations issued. Under certain circumstances, the Commissioner may apply for review by a Federal Court, if his recommendations are not acted upon. Most of this process, and indeed most complaints at the federal level, relate to the refusal to grant access to personal information. The Federal Commissioner therefore has to rely on conciliation and mediation with the ultimate hope that the willingness to avoid bad publicity will encourage a satisfactory settlement of the complaint.

The emphasis on mediation to settle requests for access and correction of personal information is also apparent in the provincial legislation in BC, Ontario and Alberta. Mediation has become a standard operating procedure in the administration of these laws, before the Commissioner conducts an oral or written inquiry. Quebec's Bill 68 also places great emphasis on access to and rectification of personal information. Any person denied access, or who wishes to have personal information deleted from a file, may seek recourse through the Commission d'acces a l'information. A conciliation process may then follow (Sec. 48), after which the Commission renders a decision.

Each of these processes for complaints resolution at federal and provincial levels is inherently reactive. It should be remembered, moreover, that these laws also enforce freedom of information obligations. The mediation and inquiry processes are written to deal principally with the refusal to grant access to information (personal or otherwise). These procedures may not translate neatly into a context of private sector compliance with the broader range of fair information practices represented within the CSA standard.

Ultimate redress in Canada is normally vested in the courts. Each Canadian law outlines the circumstances under which disputes might be reviewed at the judicial level. Most circumstances for judicial review in the public sector relate to disputes over access requests. There may be an argument for a different review process within the context of private sector compliance.

Some other countries have established small tribunals, ad hoc groups of experts that perform a quasi-judicial function. In Britain, for example, the 1984 Data Protection Act establishes a Data Protection Tribunal to which individuals or data users may appeal a decision of the Registrar. This body is constituted from a panel of experts as is necessary. In New Zealand, an aggrieved individual may appeal a finding of the Privacy Commissioner to the Complaints Review Tribunal established under the Human Rights Commission Act of 1977. Thus Tribunals can serve as an avenue of appeal against enforcement decisions (as in the UK) and against the more advisory findings of an agency like the New Zealand Privacy Commissioner. In the Canadian federal context, appeal to a Privacy Tribunal may have a number of attractive advantages. First, the courts are not the ideal institutions to resolve comparatively specialised and technical issues. Moreover, a tribunal process could provide an important way to span the federal/provincial divide.
3) Audit Powers

Privacy Commissioners may have suspicions about the personal-information practices of a particular organization that arise from a number of sources. The conduct of general audits of an organization or a technology can be a very effective way to implement fair information practices. Audits are more systemic. And they may be less confrontational than an investigation into the circumstances of a specific complaint. Only in the BC legislation, however, is the word "audit" mentioned, even though other offices have had audit programmes for some time.

Audits may be internal or external to the organization. Under some circumstances, an external review of an internal audit might be an effective tool. Some Commissioners (such as the President of the Dutch Registratiekamer) have required audits to be performed by accredited auditors under certain circumstances. The existence of the standard can potentially provide an additional mechanism to extend the investigative process and relieve the offices of the privacy commissioners of some of this investigative responsibilities. If a credible registration process is established, by which businesses may be certified to Q830, the commissioners can simply require registration to the standard, and therein be assured that a verifiable and independent audit program is conducted (see below).

4) Enforcement Powers

At the end of the day, the central question arises as to what powers would be given to a Commissioner to order compliance with the privacy protection principles. This is the key distinction between the "medium" and "heavy" versions of standards-enforcement outlined by Lawson above. Here we see a sharp contrast between the federal and provincial approaches. As mentioned above, the federal Privacy Commissioner's powers are generally limited to those of investigation and recommendation. This approach is defended because it avoids the adversarial relationships that arise when enforcement powers are used or threatened. Besides, it is argued that bad publicity for privacy protection can be a more effective sanction against business than it is against government.

In contrast, others contend that the ability to negotiate with data users is facilitated by the existence of an enforcement power at the end of the day, even if those powers are rarely used. Moreover, government and business organizations need certainty and consistency in the application of data protection rules. The provision of a formal order-making process assures a greater level of consistency, transparency and accountability over time in the implementation of the law.

Most order-making power is related to the release of information in response to access requests. The debate over the appropriate range of powers is invariably conducted with the access and correction rights in mind. However, some provincial commissioners currently enjoy other power that might be more applicable to private sector oversight. The BC Commissioner, for instance, can (independently of the review process): "require a public body to stop collecting, using or disclosing personal information in contravention of this Act; and require the head of a public body to destroy personal information collected in contravention of this Act." The Ontario Commissioner can also "order an institution to, (i) cease a collection practice, and (ii) destroy personal information that contravene this Act." More generally, the Quebec Commission d'Acces "has all the powers necessary for the exercise of its jurisdiction; it may make any order it considers appropriate to protect the rights of the parties on any issue of fact or law."

Any federal legislation to the CSA standard would need to be drafted with careful consideration of such powers. "Cease and desist" powers found in many data protection laws that cover the private sector. But they are only used as a last resort and with regard to the most blatant contraventions of law. These powers are likely to be less enforceable in the private sector, although there may be an argument for their inclusion as a means to encourage mediated settlements under less adversarial conditions.

5) Advice on the Privacy Implications of New Technologies

The foregoing functions are largely reactive. They are performed only after problems arise, complaints are lodged and investigations conducted. The implementation of data protection law is, however, as much an educational effort as a regulatory one. Much can be achieved in anticipation of policy and system development if privacy protection is built in at the outset, rather than "added on" afterwards. All Canadian legislation recognizes this fact, and grants responsibilities to the Commissioners to comment on the privacy implications of proposed legislation or on new automated personal record systems.

The Federal Privacy Commissioner is currently empowered to "make a special report to Parliament referring to and commenting on any matter within the scope of the powers, duties and functions of the Commissioner." This function is performed in addition to the regular submission of the annual report. He, and to a lesser extent his provincial counterparts in Ontario and BC, have occasionally commented on privacy issues that fall outside their formal jurisdiction of the public sector. Privacy issues raised by the contracting-out of government services, for example, demonstrate the vague and shifting boundaries between public and private sectors.

Moreover, the federal Privacy Commissioner already consults with private sector trade associations on their efforts at self-regulation. It would make sense to formalise this responsibility, granting the privacy commissioners the power to advise on the privacy implications of new information systems in both public and private sectors. The requirement of a privacy impact statement whenever a new technology (such as the Call Display) is introduced can go a long way to anticipate future problems and encourage a consideration of privacy and security issues at the outset. Linked with this, is the advice that may be given about the use of privacy-enhancing technologies.

6) Public Education and Research

There is, of course, a fine line between the advisory responsibilities, that are generally conducted in confidence, and the performance of wider educational and research roles. The analysis of wider privacy and surveillance questions and the ongoing education of the general public can do much to anticipate problems and encourage citizens to protect their own privacy.

The provincial Commissioners in B.C., Alberta and Ontario are given an explicit statutory obligation to information the public about their legislation. The federal Commissioner, however, has no mandate for public education and therefore no budget for such activities. Successive Commissioners have consistently pointed this out to successive governments without success.

He can, however, carry out "special studies" "relating to the privacy of individuals" and has used this power to commission substantial research reports on issues such as drug testing, genetic testing and AIDS. Provincial commissioners may also "engage in or commission research." The Ontario office tends to produce shorter and more frequent research publications on new technologies such as smart cards, electronic mail systems and intelligent transport systems. In conjunction with the Registratiekamer in the Netherlands, the Ontario office has also published a study on privacy-enhancing technologies. Research reports are extremely useful techniques alerting public, government and business opinion to the privacy risks inherent in new technologies.

This activity should continue with regard to private sector issues. To a certain extent, this is already occurring. It is important, however, for the education and research function to be explicitly mandated in legislation. These programs can be expensive and require appropriate funding.

7) Sanctions and Remedies

Legal sanctions do not play a significant role in the implementation of public sector privacy law in Canada. Each statute does contain a list of various offences. In Ontario, this list includes the willful disclosure of personal information in contravention of the Act, the willful maintenance of a personal information bank that contravenes the Act, making an access request under false pretences, the willful obstruction of an order of the Commissioner, and willfully misleading the Commissioner. In BC and at the federal level, the list of offences is confined to the willful obstruction of the work or orders of the Commissioner. Under Quebec's Bill 68, penal provisions apply more broadly to the illegal collection, processing and communication of personal information. Those in contravention may be liable for a fine of between $1000 and $10,000 (and up to $20,000 for subsequent offences).

Civil remedies are also little used. One perennial problem in this area of the law is that of proving that damages have occurred through the wrongful collection and processing of personal information. The fact that the provincial privacy torts have been rarely used is a testament to this. One of the advantages of a statutory framework may be to relieve business of its liability under the common law. It has been suggested that this trade-off may be used to convince industry to accept a more consistent, coherent and predictable policy environment.

Nevertheless, there will always be the need for the inclusion of sanctions as a last resort. The CSA standard may indeed have an important role to play in this regard. If the legislation were to give the Commissioners (or indeed the courts) the power to order a registration to the standard, a potentially more effective means of enforcement can be constructed. The costs of registration are passed on to the data user. Moreover, the sanction becomes, not only a fine, but an obligation to change practices, be audited and meet the registration. This technique has been used to enforce environmental regulation, by obliging registration to ISO-14000. There is no reason why it cannot also profitably be used to enforce privacy standards.

A process of registration to the standard adds a compliance instrument that is not present within any other data protection regime. The potential to require (by law or regulation) a registration to the standard can relieve privacy commissioners (and other regulators) of expensive and time-consuming compliance monitoring functions. Registration to the standard is also potentially a more effective sanction than a fine. The loss of the CSA "mark" can have real consequences for business. I quote Jason Meyers, chief economist at the Canadian Manufacturers Association: "The prospect of a $50,000 government fine for breaching the law pales in comparison to losing your entire customer base because the firm fails to meet its ISO-9000 requirements."

VI. Summary: The Elements of an Oversight System in Canada

It is now necessary to summarise the analysis to reach some tentative conclusions about the possible elements of an oversight system for the protection of personal information within Canada's private sector:

… Provincial and federal governments need to apply the full range of available policy instruments to the privacy problem: Self-regulatory codes, legislation, privacy-protecting technologies, and better programs for consumer education. These are the policy instruments. They are not mutually exclusive. They all need to be utilized.

… The three years of bargaining over the CSA standard represents a crucial stage in the policy-making process. The brokering of a consensus has been completed. Any legislated scheme needs to be based on this established accommodation.

… A private sector privacy protection law does not need to be burdensome or overly complicated. Canada should avoid the costly and bureaucratic licensing and registration systems that have been established in some European societies.

… On the other hand, law without an effective mechanism for compliance monitoring can be worse than no law at all, and would not be considered "adequate" to meet European standards.

… The central oversight agencies should be federal and provincial information and privacy commissioners (where they exist). These offices have established an independence, credibility and expertise. They are uniquely located within the regulatory landscape to oversee private sector legislation, and resolve issues that span the public/private divide.

… Any legislated scheme needs to establish a balance of responsibilities for the following functions: complaints resolution and mediation; complaints investigation; audits; advice on the privacy implications of new technologies; the promotion of codes of practice; public education; and research. The most effective remedies may be those that are general in nature and pro-active rather than reactive.

… Dispute resolution should be as non-litigious as possible, and should only be provided after all other avenues have been exhausted. Business will want quick and predictable resolution of privacy problems . There may be a persuasive case for a specialized federal/provincial Privacy Tribunal to resolve disputes over private sector issues.

… Registration to the CSA Model Code contributes a crucial mechanism for enforcement within any potential regulatory system . Registration to the privacy standard can complement almost any current or future, contractual or regulatory, provincial or federal, sectoral or comprehensive, provisions for personal data protection. It can be used to reward good practice, and to bring the recalcitrants into line.

… Privacy codes will obviously continue to play an important role within any legislated regime. The standards-registration process can relieve regulatory bodies of checking and verifying privacy code content. A system that mandates all organizations to develop privacy codes would be unnecessarily burdensome and expensive. Consequently, codes should continue to be developed as a result of market demand and consumer pressure but, only in special circumstances, in response to regulatory fiat.

… Overseas experience suggests that codes of practice that enjoy any form of legal status (beyond the evidentiary value) are difficult and time-consuming to negotiate. Privacy codes should be encouraged and they should use the CSA standard as a template. But under a legislated regime, they should not be given an official "seal of approval", nor the power to qualify the provisions of the law. However, compliance with a code approved by CSA may be taken into account by Commissioners and courts in determining whether there has been a breach of the privacy principles.

… Experience suggests that sanctions in the form of fines are not a significant inducement toward compliance. Civil remedies are also ineffective because of the difficulty of proving actual damages from the willful mistreatment of personal data.

… In the context of private sector oversight, the threat of bad publicity can go a long way to securing compliance with the data protection principles. This incentive is probably a lot higher in the private, than in the public, sectors. The public reporting process is, therefore, crucial within any oversight model.

… It may be that the most effective sanction is a regulatory power to order registration to the standard. Thus if a pattern of complaints arose about a particular business, privacy commissioners or the courts could require registration to the standard, triggering the code development and audit process and passing the costs to the data user.
Conclusion: Questions for Further Analysis

These conclusions are not inconsistent with other recent policy analysis about data protection. They are, however, tentative and incomplete. I conclude with an inventory of some of the complex regulatory questions that still require careful analysis and debate.

The consistency of the CSA Model Code with existing Canadian and international privacy provisions?

If the principles within the CSA Model Code are to be given the force of law, there clearly needs to be careful analysis of the relationship between the wording of these principles and that within existing privacy legislation, including: the federal Privacy Act, the provincial Information and Privacy Acts, Quebec's Bill 68. In addition, we need analysis of its consistency with other private sector privacy provisions including those within the 1993 Telecommunications Act, the 1991 Bank Act, and the provincial consumer credit legislation. We also require careful comparison of the CSA Model Code with the EU Data Protection Directive.

What is the future relationship between the Privacy Commissioners and other federal and provincial regulators?

What should be the continuing role of federal regulators such as the Canadian Radio-Television and Telecommunications Commission (CRTC ) and the Office of the Superintendent of Financial Institutions (OSFI)? The former in particular has been active in regulating uses of new technologies within the telecommunications sector. There is an argument that this regulatory power should not be diluted. At the provincial level, what would be the future role of regulators for insurance and consumer credit?

Should the privacy commissioners be empowered to restrict flows of personal data to societies that do not have adequate data protection?

One concern of the European data protection authorities is that personal data can flow through societies with "adequate" protection, to those without. Ideally each national data protection law would contain a transborder data flow restriction similar to that within Articles 25 and 26 of the EU Directive. If so, how should this power be exercised in Canada, and by whom? At what point do the fleeting and rapid electronic impulses that characterize international data flows become a matter for Canadian regulation?

Will compliance monitoring under the CSA standard be consistent with existing auditing schemes under the public sector legislation?

The Quality Management Institute of CSA is currently deciding on the most appropriate registration scheme to Q830. If registration to the standard is to be employed as a compliance monitoring process, we need a consistent audit guide, an accreditation scheme for privacy auditors, an appropriate publicity mechanism, a method to monitor claims made about business policies and practices, and possibly an appropriate symbol or cachet for the "privacy-friendly" business. Privacy commissioners need to have confidence in the registration process if the Model Code is to be employed in the same way as other quality management standards.

Can regulatory power be given in statute to require a registration to a standard?

This is an interesting innovation and a potentially very effective means of compliance monitoring. But what are the precedents for this power in other fields, such as government procurement, equity policy, environmental policy and so on? If subsequent violations occur within a business that is registered to the standard, who shares the liability for any damages to the data subject?

What are the costs of an oversight regime, and by whom should they be borne? Are there opportunities for cost-recovery?

Oversight that is coordinated among the existing commissioners, systemic rather than specific, anticipatory rather than reactive, and educational rather than regulatory, is also likely to be more cost-effective. The use of the standards-registration process can also relieve Commissioners and other regulators of much compliance work, and pass the costs onto the data user.

What process should be used for federal/provincial coordination?

The federal/provincial constitutional question underpins this entire analysis. Little is possible without a cooperative arrangement between the federal and provincial governments on the appropriate legislative process. Lawson outlined six models, in addition to the "paramount national standards model": mirror legislation; jurisdictional abstention; contract; conditional legislation; concurrent legislation; collaborative/complementary model. To the extent that that process can be agreed, the resolution of these oversight and enforcement issues will be facilitated.

Alberta
€ In conducting an investigation...the commissioner has all of the powers, privileges and immunities of a commissioner under the Public Inquiries Act.
€ The commissioner may require any record to be produced to the commissioner and may examine any information in a record, including personal information whether or not the record is subject to the provisions of the Freedom of Information and Protection of Privacy Act.
€ Despite any other enactment or any privilege of the law of evidence, a public body must produce to the commissioner within 10 days any record or a copy of any record required.
€ If a public body is required to produce a record...and it is not practicable to make a copy of the record, the head of that public body may require the commissioner to examine the original at its site.

Quebec (Public)
The commission may investigate:
€ a confidential file to determine if the nominative information contained therein was entered and used in accordance with the order; whether the confidentiality of personal information contained in a file held by a public body respecting the adoption of a person has been respected;
€ whether the confidentiality of personal information contained in a file held by the Public Curator on a person whom he represents or of whose property he administers has been respected.
€ The investigation is secret. Only a member of the commission of a member of its management staff designated in writing for that purpose by the commission may examine the nominative information entered in the file or the personal information contained in a file. However, a member of the staff of the commission may, if the commission so authorizes in writing, examine the personal information in a file.

Quebec (Private)
Any person authorized by the commission to make inquiries may:
€ enter, at any reasonable time, the facilities of an enterprise carried on by a person collecting, holding, using or communicating personal information to third persons;
€ examine and make copies of any personal information of whatever form.
€ The commission may...inquire into or entrust a person with inquiring into any matter relating to the protection of personal information as well as into the practices of a person who carries on an enterprise and who collects, holds, uses or communicates such information to third persons.

Quebec (Private)
€ The Commission has all the powers necessary for the exercise of its jurisdiction; it may make any order it considers appropriate to protect the rights of the parties and rule on any issue of fact or law.
€ The Commission may...order a person carrying on an enterprise to communicate or rectify personal information or refrain from doing so.
€ A decision by the Commission becomes executory as a judgment of the Superior Court and has all the effects of such a judgment from the date of its homologation by the Superior Court.
€ Following an inquiry relating to the collection, retention or communication of personal information by a person carrying on an enterprise, the Commission may, after giving the person an opportunity to present his observations, recommend or order the application of such remedial measures as are appropriate to ensure the protection of the personal information.

Ontario
€ The Commissioner may offer comment on the privacy protection implications of proposed legislative schemes or government programs.

B.C.
€ The commissioner may:
€ comment on the implications for access to information or for protection of privacy of proposed legislative schemes or programs of public bodies;
€ comment on the implications for access to information or for protection of privacy of automated systems for collection, storage, analysis or transfer of information;
€ comment on the implications for protection of privacy of using or disclosing personal information for record linkage.

Alberta
€ The Commissioner may:
€ comment on the implications for freedom of information or for protection of personal privacy of proposed legislative schemes or programs of public bodies;
€ comment on the implications for protection of personal privacy of using or disclosing personal information for record linkage;
€ give advice and recommendations of general application to the head of a public body on matters respecting the rights or obligations of a head under the Act.

Quebec (Public)
€ The annual report of the Commission may contain:
€ recommendations in view of promoting the protection of personal information, and the exercise of the right of access to documents, in particular by cultural communities and handicapped persons;
€ proposals relating to technical standards of preservation, classification, retrieval and the method of consultation of documents.

Quebec (Private)
€ The Commission must, not later than 1 October 1997 and every five years thereafter, submit a report to the Government on the application of the Act.

Ontario
€ The Commissioner shall make an annual report to the Speaker of the Assembly. This report shall provide a comprehensive review of the effectiveness of the Act and the Municipal Freedom of Information and Privacy Act, 1989, in providing access to information and protection of personal privacy.
€ The Commissioner may:
€ engage in or commission research into matters affecting the carrying out of the purposes of the Act;
€ conduct public education programs and provide information concerning the Act and the Commissioner's role and activities;
€ and receive representations from the public concerning the operation of the Act.

B.C.
€ The commissioner must report annually to the Speaker of the Legislative Assembly on the work of the commissioner's office, and any complaints or reviews resulting from a decision, act or failure to act of the commissioner as head of a public body.
€ The commissioner may:
€ inform the public about the Act;
€ receive comments from the public concerning the administration of the Act;
€ engage in or commission research into anything affecting the achievement of the purposes of the Act.

Alberta
€ The Commissioner must report annually to the Speaker of the Legislative Assembly on the work of the Commissioner's office, any complaints or reviews resulting from a decision, act, or failure to act of the Commissioner as head of a public body, and such other matters relating to freedom of information and protection of personal privacy as the Commissioner considers appropriate.
€ The Commissioner may:
€ conduct investigations to ensure compliance with any provision of the Act or compliance with rules relating to the destruction of records set out in any other enactment of Alberta, or a by-law or other legal instrument by which a local public body acts;
€ inform the public about the Act;
€ receive comments from the public concerning the administration of the Act;
€ engage in or commission research into anything affecting the achievement of the purposes of the Act.

Quebec (Public)
€ The Commission shall send to the designated Minister, not later than 30 June each year, a report of its activities for the preceding fiscal year. The report must deal...with how the Act is being observed and the means at the disposal of the Commission to enforce it.
€ The report may also contain:
€ recommendations in view of promoting the protection of personal information, and the exercise of the right of access to documents, in particular by cultural communities and handicapped persons;
€ proposals relating to technical standards of preservation, classification, retrieval and the method of consultation of documents;
€ suggestions from the public on any matter within the competence of the Commission.

Quebec (Private)
€ The Commission must, not later than 1 October 1997 and every five years thereafter, submit a report to the Government on the application of the Act.
€ Within the year following the tabling of the report before the National Assembly, a designated committee must examine the advisability of maintaining the Act in force as it stands, or...of amending it, and shall hear the representations of interested persons and bodies on such matters.

Ontario
€ The Commissioner shall hold office for a term of five years and may be reappointed for a further term or terms, but is removable at any time for cause by the Lieutenant Governor in Council on the address of the Assembly.

B.C.
€ The commissioner holds office for a term of 6 years and is not eligible to be reappointed as commissioner.

Alberta
€ The Commissioner holds office for a term of 5 years.
€ A person holding office as Commissioner continues to hold office after the expiry of that person's term of office until that person is reappointed, a successor is appointed or a period of 6 months has expired, whichever occurs first.

Quebec (Public)
€ The term of office of the members of the Commission is not over five years.
€ In no case may the members of the Commission be appointed for more than two consecutive full terms.

Quebec (Private)
€ The Commission d'acces a l'information is established by the Act respecting Access to documents held by public bodies and the Protection of personal information.