CSA PLUS 8830 (1st ed. pub 1995)

Introduction

The Model Code for the Protection of Personal Information being developed under the auspices of the Canadian Standards Association (CSA) has the potential to advance the cause of personal-data protection in Canada. No other country has attempted to negotiate and establish on a voluntary basis a general mi nimum standard for privacy protection in its private sector. As an innovation in privacy protection policy, therefore, the implementation of the code does raise a number of intricate questions that have never been addressed before, either in Canada or overseas.

The CSA has commissioned this research in order to gain a better appreciation of how the CSA Model Code might promote the effective and consistent implementation of personal-data protection standards. This research is presented in a report organized into three parts, which may be read cumulatively or separately. Part I consists of a description of how existing p rivacy codes are implemented and overseen both in Canada and in selected foreign countries. This analysis will review the scope and depth of data protection policy in Canada and contrast that cov erage with the position overseas.

Chapter One presents a brief overview of the regulatory provisions currently in force in Canada that affect the coll ection, storage, processing, and disclosure of personal information. This provides some context for the later discussion of codes and highlights some of the current issues that are being debated about policy responses to the privacy problem. The CSA Model Code is being developed at a time when there is a stimulating debate amongst advocates and experts about whether the legislative solutions of the 1970s and 1980s are adequate for the years ahead. The CSA initiative is one of a number of innovative approaches that have been offered to respond to the more complicated challenge of protecting personal privacy within the fluid, decentralized, networked ""information highway"" environment of the 21st century.

Chapter Two analyses the meaning of voluntary or self-regulatory data protection. It describes the evolution of privacy codes in Canada and presents a typology of the diverse range of instruments that have that label. Chapter Three provides a more detailed discussion of the major codes of practice from the Canadian Bankers Association, the insurance industry, Stentor, the Canadian Direct Marketing Association, and the Cable Television Standards Foundation. These codes are compared according to the way they perform certain essential functions of consumer education, complaints resolution, employee training, and oversight.

Chapter Four analyses the function of privacy codes of practice under different regulatory systems in other countries, with a particular emphasis upon Britain, the Netherlands, and New Zealand. This will highlight the advantages (and disadvantages) of developing codes of practice within the statutory framework of a general data protection law. Chapter Five provides an overview of the current state of personal-data protection in Canada's private sector and outlines the ways in which the CSA Mo del Code might facilitate the effective implementation of privacy codes of practice.

Part II of the report draws what I regard to be the most useful l essons from historical and comparative experience about the drafting of codes of practice, about promoting greater consumer awareness, about providing effective redress and participation for the data subject, and about raising the level of accountability within organizations that process personal information. This analysis will be directed toward the operational guidelines to be presented in the accompanying Workbook.

Part III of the report addresses the central question of what it should mean to ""adopt"" the CSA Model Code. I analyse the roles that various organizations might play in monitoring its implementation, bearing in mind the diversity of private sector practices and the different legal, technological, and economic environments in which different sectors have to operate. The analysis will consider the ways that the implementation of the privacy code might be integrated into existing standard-setting mechanisms, and attempt to draw lessons from the oversight of standards in related policy fields. Part III concludes with an analysis of the incentives that might be at work to encourage organizations to ""sign on"".

There are several questions that this research will not, and cannot, address. This report is not going to evaluate the adequacy of existing codes of practice in different sectors. I will make some comments on the overall picture for privacy protection in Canada. But I cannot judge the effectiveness of individu al sectoral or company policies in order to rank their relative success in meeting privacy standards. Whether or not data protection codes or laws ""work"" is a question that is extremely difficult to answer in any definite way. Data protection rules (including codes of practice) encompass an intricate blend of organizational obligations and consumer/citizen rights. There is not, then, one overall standard of workability. Moreover, the success of these instruments will obviously vary within individual sectors, within individual firms, and across time and space. The context of rapid technological, economic, and regulatory change and uncertainty also means that an evaluation today could be dated tomorrow.

This report will also not comment on the wording of the CSA Model Code. It will focus instead on the process through which organizational obligations may be fulfilled and individual rights exercised. Thus an evaluation of the substantive content of the code and the wording of different principles is beyond the scope of this research. Moreover, I have concluded from my research on this subject, over some 15 years in Europe and North America, that debates on personal-data protection in most societies have centered as much on questions of implementation and enforcement as on the wording of principles. That is not to deny the intricate problems that arise over the interpretation of key words like ""consent,"" ""collection,"" ""processing,"" ""disclosure,"" and so on.

Finally, this report cannot discuss in any great depth the particular privacy challenges in individual sectors of the economy. The analysis obviously has to be cognizant of the shifting and indistinct boundaries between industry ""sectors."" Moreover, future implementation of the CSA Model Code must remain sensitive to variations in community needs, according to their size, the importance and sensitivity of the information collected, and whether personal data are employee- or consumer- related. The privacy issue spans all sectors. It has legal, economic, technological, and political dimensions in every corner of advanced industrial societies.

Thus I bring to this research neither an in-depth expertise in any one sector, nor a particular competence in computer and communications technologies, management information systems, or network security. Instead, I bring the expertise of the policy analyst: a grasp of the general philosophy behind privacy claims, how that theory has been translated into a public policy of ""personal-data protection"" in different societies, and how that policy has been implemented in different jurisdictions. Two of the intriguing and perennial features of this area of public policy are its constant attention to the experiences of others and its abiding need to draw lessons. The central purpose of this research is just that - to draw lessons.

The research methodology has involved the following activities (see Appendix 1 for the Terms of Reference). First, a substantial quantity of documentary evidence has been collected and analyzed. This includes codes of practice, regul