Cloud computing, identity theft, database security, surveillance, privacy policies, and access to information: individuals and organizations, both large and small, are increasingly faced with challenging issues in the area of privacy and information handling. The Field Law Privacy + Data Management Group is a recognized leader in the area of privacy law, offering a full range of services to guide our clients through the complex landscape of privacy law.
Field Law helps public bodies and organizations protect their businesses and strengthen their relationships with their customers and the public. We work with our clients to conduct privacy audits, prepare privacy impact assessments, and draft and review internal and external privacy policies and procedures. We facilitate corporate transactions by reviewing contracts and other legal documents involving non-disclosure agreements, waivers, confidentiality agreements and releases. We provide our clients with sound and practical advice on records management issues, confidentiality matters, employee and customer information management, reporting privacy breaches and compliance with mandatory reporting legislation. We provide responsive research and legal opinion services, and offer training and seminars on a full spectrum of privacy related topics.
Field Law offers a full range of services in judicial and administrative proceedings involving privacy matters. We advise and act for public bodies, health service providers, individuals and other organizations in Information and Privacy Commissioner reviews, inquiries and investigations. Specific services we provide to our clients include:
- Providing advice on information handling practices and the collection, use and disclosure of information under the applicable legislation, including the Personal Information Protection Act (Alberta), the Freedom of Information and Protection of Privacy Act (Alberta) and the Health Information Act (Alberta).
- Assisting clients in understanding what information needs to be provided to an individual who requests access to information and assisting in responding to access requests.
- Providing advice to clients with respect to the circumstances in which personal information can be disclosed without breaching applicable privacy statutes.
- Assisting clients with the management of employee information.
- Working with clients who have inadvertently disclosed personal information to manage the privacy breach, including whether the breach must be reported to the Office of the Information and Privacy Commissioner.
- Representing clients before privacy commissioners, whether provincial or federal, in the context of complaints, inquiries and investigations.
- Representing clients before courts in applications for judicial review from decisions of privacy commissioners.
- Representing clients before courts in applications to produce records under rule 5.13 of the Alberta Rules of Court.
- Defending clients who have been sued for breach of privacy.
- Drafting privacy policies, procedures, and operational manuals to assist clients in ensuring that policies and procedures are compliant with applicable privacy legislation.
- Providing customized training to clients and their employees on applicable legislation and the implementation and enforcement of their policies, procedures and operational manuals.
Federal Privacy Matters and Canada’s Anti-Spam Legislation
On July 1, 2014, Canada’s Anti-Spam Legislation (CASL) came into force. CASL regulates the form and content of electronic communications and imposes consent requirements. Failure to comply with CASL could lead to the imposition of large fines and ultimately will give affected individuals a private right of action. In light of CASL’s broad application, stringent standards for consent, and penalties for non-compliance, organizations that send electronic messages should develop a compliance plan.
CASL is complex legislation, with detailed regulations, and with various federal bodies involved in its interpretation and enforcement. Field Law’s Privacy and Data Management Group can help your organization understand requirements under CASL. We can assist with a review of your organization’s marketing and communication practices and have experience in the following areas:
- Providing practical advice to clients concerning compliance with the Personal Information Protection and Electronic Documents Act (Canada) and CASL.
- Representing clients before the Canadian Radio-television and Telecommunications Commissioner in the context of proceedings under CASL.
- Reviewing and auditing client organization’s current marketing and communications practices for CASL compliance.
- Developing and implementing CASL compliance action plans.
- Preparing CASL-compliant consent forms and processes, unsubscribe mechanisms, and identification notices.
- Reviewing client agreements with third party providers to ensure compliance with CASL.
Access to Information Requests
We were approached by an insurance company whose insured had made an access to information request for records relating to an insurance claim. The insurance company wanted to preserve its relationship with the insured while protecting internal records.
Working with the client and insurance adjuster, we reviewed the records being sought by the insured and devised a fair approach to the access request. We gave the insured access to a substantial amount of records to alleviate concerns over the claim's handling while maintaining a firm approach in withholding records that were sensitive to the client. The insured sought a review of our response to the Office of the Information and Privacy Commissioner. We maintained our position, taking into account the need to set a precedent for future access requests that may be made to the client by other individuals.
We successfully defended our position before the Privacy Commissioner and also managed to avoid further Inquiry. Processes before the Privacy Commissioner can take time to resolve, and we were able to provide regular updates on the status and minimize expenses incurred.
Identifying Anonymous Wrongdoers
A client was being anonymously defamed on an online review platform and needed assistance identifying the name of the defamer to determine the appropriate party to commence legal action against.
Using an extraordinary pre-litigation Court remedy available, called a “Norwich Order,” we were able to compel the IP address of the anonymous wrongdoer from the review platform. This information allowed us to identify the Internet Service Provider (ISP) associated with the IP address and obtain a subsequent Norwich Order to compel the ISP to provide the subscriber information. With the subscriber information, we could expose the otherwise anonymous wrongdoer and give our client access to justice.
Access to Information Under PIPA
A client, who is an organization governed by the Personal Information Protection Act (PIPA), received an access request where the applicant was seeking all personal information in the organization’s custody or control.
Working with the organization’s Privacy Officer, we helped her to understand the applicable requirements under PIPA, identify which records needed to be reviewed in response to the request, and understand the timelines that they needed to follow to comply with the request. After reviewing the records, we advised the client which records constituted the applicant’s personal information.
Given that the client was concerned about disclosing the records, we also provided advice on the records that they could potentially withhold according to the exceptions in PIPA. We then assisted the client in providing a written response to the applicant, explaining what records would be disclosed, which records were being withheld, and the reasons for withholding the records.
The client also wanted to understand her obligations under PIPA better so that they had the tools needed to respond to similar access requests in the future. We were able to assist by educating them regarding the requirements in PIPA, and by providing a framework that could be used to deal with future access requests.
Providing practical advice on the FOIPP Act
A public institution needed advice about its obligations under the Freedom of Information and Protection of Privacy Act (FOIPP Act). While the FOIPP Act can be complicated, Leanne helped break that complexity down by offering an opinion clearly setting out the public institution’s obligations and providing specific and practical recommendations to the public institution on how to meet those obligations.
Access to Information Under the FOIP Act
A public body client with a highly controversial and newsworthy matter was looking for advice on how to respond to a request for information under the Freedom of Information and Protection of Privacy Act (Alberta) (FOIP Act).
By working with the client, we crafted a message to the public without violating the privacy interests and competitive business and financial information that the client was obligated to protect from disclosure. This approach was compliant with the statutory legal obligations of the public body while also protecting the client’s interests and avoiding unwanted media attention.
Policy Drafting
A client approached us for help in drafting a privacy policy. The policy needed to be robust because failing to protect personal information could be detrimental to the services delivered by the client, the client’s public image and could result in regulatory penalties.
Collaborating with the client, we prepared a policy which addressed the wide array of circumstances and persons providing personal information to the client. The policy helped the client meet its statutory obligations under the Personal Information Protection Act (Alberta) and regulatory obligations unique to the client as a utility provider.
Custom Tools to Empower Clients
The client, a public body, required tools and rules on confidentiality and privacy laws applicable to its role as an administrative tribunal.
We drafted the documents and rules to be used by the public body to help guide their compliance with their statutory obligations when making decisions about confidentiality requests.
This work empowered the client with models and tools to use when addressing confidentiality issues and insulated the client from judicial review, and complaints to the Privacy Commissioner.