Читать книгу Genealogy and the Law in Canada - Margaret Ann Wilkinson - Страница 8

CHAPTER 1 Privacy and Personal Data Protection

Why might a genealogist be interested in questions of privacy and personal data protection? The answer to this lies in the changing environment in Canada, at least over the past quarter century, that has resulted in many of our jurisdictions passing laws related to the protection of privacy and personal data.

Vocabulary in this area is confusing. Many of the statutes, like the federal Privacy Act, contain the word “privacy” in their titles for legislation involving personal data protection — and many noted authorities and spokespeople also use “privacy” when discussing personal data protection. In five of our provinces, there are other statutes that deal directly with privacy in terms of being able to sue to force others to leave us alone in certain respects. In Newfoundland and Labrador, Manitoba, Saskatchewan, and British Columbia, these are called Privacy Acts. In Quebec, privacy protection is found in the provincial Charter of Rights and Freedoms as well as under the Civil Code. For this reason, among others, I will continue to refer to the laws with which we are concerned in this book as personal data protection statutes.

Privacy and Access to Information

Two different thrusts of legal activity have moved across Canada since 1977 and both of these affect the activity of genealogical research. First, there has been a movement toward making government-held information available to those who request it. Access-to-information laws mean that records held by government bodies have increasingly become available to genealogists requesting information.

There has been a parallel movement to protect individual privacy by protecting information that individuals provide about themselves to organizations. This second movement is potentially frustrating for genealogists because the information they seek is about other individuals. From the perspective of this area of the law, information about you is your information and information about other people is their information. Even information about other members of your family is considered private. Therefore, if personal data protection law is in effect in a particular situation, you will not be able to gain access to information about the other members of your family, never mind information about members of another family!

Barbara Turner Kinsella wrote in 2008 about her decades long search for her father. For much of that period, she was frustrated in every inquiry of government departments for information about the father she considered “missing” because the agencies would not answer her questions, citing data protection legislation. These agencies did not give her any information they may have held about her father because she was not her father. Finally, she did receive information about her father from a health provider (although this health provider presumably should have been bound by the same type of personal data protection legislation as others had cited) and, eventually, tracked him down. Unfortunately, the article had a bittersweet ending, from its author’s perspective, because her father had died shortly before she located him and there was information about him that she still was barred from accessing because of personal data protection law. On the other hand, her father had abandoned the family in her early childhood and had lived and died without apparently ever wishing to seek her out and his privacy was protected by the agencies with which he had come in contact during the many years prior to his death. 1

Evolution of Personal Data Protection

Exactly what information will be considered personal to an individual is defined in each personal data protection law in Canada. For example, under the Personal Information Protection and Electronic Documents Act [PIPEDA] of the federal government, in the case of private sector businesses, personal information is defined to mean any information about an identifiable individual but does not include the name, title, or business address or telephone number of any employee of any organization. By contrast, in Ontario, under the Public Sector Salary Disclosure Act, you can find the name, organization, and salary of any person working in the public sector and making a salary of over $100,000 because organizations are required to publish this list annually.

Records Held by Government

Various government organizations are now regulated by either access-to-information legislation or personal data protection legislation (often called “privacy” legislation) or both. The government organizations included in such legislation generally include government departments or ministries, frequently include municipal governments, and often include Crown corporations such as the Liquor Control Board of Ontario.

Personal data protection with respect to information held by bodies connected to the federal government was first legislated in 1977 under Part IV of the federal Canadian Human Rights Act but was later re-enacted as the Privacy Act in 1982. Indeed, in an unusual move, Parliament enacted two separate acts, the Privacy Act and the Access to Information Act, together as one bill. Two statutes is the model followed by New Brunswick. In Ontario, access and personal data protection have always been linked in legislation affecting government bodies: the Freedom of Information and Protection of Privacy Act [FIPPA] was passed in 1987 and the Municipal Freedom of Information and Protection of Privacy Act [MFIPPA] in 1989. The combination has become the more common model in the other provinces and territories.

Each of the provinces and territories has its own access legislation governing the public sector and all have companion personal data protection legislation (listed below). Generally, however, it is clear in these laws that records that were specifically created by governments with the intention that they be made available to the public (such as land registry records) will continue to be made available even when they contain personally identifiable information about people. Although in Ontario this “grandfathered” public availability is phrased in general terms, in Quebec, for example, the personal data protection legislation is specifically stated in the law itself not to apply to land registry, civil status, or matrimonial regulations.

Provincial and Territorial Public Sector Access and Personal Data Protection Legislation

Alberta: Freedom of Information and Protection of Privacy Act, R.S.A. 2000, c. F-25

British Columbia: Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165

Manitoba: Freedom of Information and Protection of Privacy Act, S.M. 1997, c. 50

New Brunswick: Protection of Personal Information Act, S.N.B. 1978, c. P-19.1

New Brunswick: Right to Information Act, S.N.B. 1978, c. R-10.3

Newfoundland and Labrador: Access to Information and Protection of Privacy Act, S.N.L. 2002, c. A-1.1

Nova Scotia: Freedom of Information and Protection of Privacy Act, S.N.S. 1993, c. 5

Nunavut and Northwest Territories: Access to Information and Protection of Privacy Act, S.N.W.T. 1994, c. 20

Ontario: Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F. 31

Ontario: Municipal Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. M 56

Prince Edward Island: Freedom of Information and Protection of Privacy Act, S.P.E.I. 2001, c. 37

Quebec: An Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information, R.S.Q., c. A-2.1

Saskatchewan: Freedom of Information and Protection of Privacy Act, S.S. 1990-91, c. F-22.01

Saskatchewan: Local Authority Freedom of Information and Protection of Privacy Act, S.S. 1990-91, c. L-27.1

Yukon: Access to Information and Protection of Privacy Act, R.S.Y. 2002, c. 1

Personal data protection legislation creates a whole regime for the treatment of information about identifiable individuals from the moment that information is collected by an organization to the moment records containing that information are destroyed or deleted. This type of legislation regulates how an organization can collect information about individuals, how it should store it, how it must use it, how it must disseminate it to others outside the organization, and how it must dispose of it.

In the public sector, where personal data protection is linked to access legislation, if the records you seek are not protected by personal data protection laws or some other validly enacted exception to access, the organization is required to make them available to you. However, not every province and territory has decided to make every provincial and municipal organization subject to access legislation. Even the federal government lists the organizations subject to its access and personal data protection legislation and does not make every organization subject to these statutes. Organizations that are not subject to this legislation can choose whether or not to make any information, including personal data, available to you in your genealogical research.

Each act dealing with personal data protection in Canada has set a different time span on protection of the personally identifiable data held by organizations subject to it. Refer also to the table in Chapter 2, “Legislation and How Long Information Remains Confidential”.

• In Ontario, an organization subject to the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act must protect information about individuals for 30 years after that person’s death.

• In Alberta, Saskatchewan, Prince Edward Island, and the Yukon, it is 25 years.

• In British Columbia, Nova Scotia, and under the federal public sector statute, it is 20 years. In the province of Newfoundland and Labrador, for historical purposes, it is the earlier of 20 years after death or 50 years after the record has been created.

• In Manitoba it is 10 years.

• Access legislation in New Brunswick is constructed differently.² Every exception to the right of access to the information held by the New Brunswick public sector organizations covered is permissive but not mandatory.³ Therefore a government organization can refuse to release information about another person to a requestor but is not required to do so. Similarly, in Quebec, a government body can release personal information “to a [third party] person or a body where exceptional circumstances justify doing so.”⁴

Once the fixed time periods legislated by the federal government and each province and territory for the protection of personally identifiable data held by public sector organizations have passed, that information must be made available to members of the public who request that information. Therefore, once the periods of protection for personally identifiable data held by public sector organizations in this country have expired, genealogists may request such information from public sector organizations and can expect to receive it.

On this reasoning, you might suppose that information held by the federal government from early censuses would gradually become available 20 years after the deaths of the individuals surveyed. However, the federal census-taking itself is governed by its own law. There is controversy about records of censuses taken after 1911 because, when taking these later, twentieth-century censuses, the government told those filling out the census that it would keep census information confidential.⁵ Because no time limit was placed on this promise of confidentiality, the confidentiality promised eventually clashed with legislated time limits for public sector personal data protection legislated by Parliament much later in the twentieth century.⁶ The federal government’s solution, in the twenty-first century, has been to add a question to the 2006 census that asked members of households to consent to the release of information about themselves 92 years after the 2006 census.⁷ The result is that there are years of the census from the twentieth century from which information will never be available to current genealogists except as combined data, because individual data from each census between 1911 and 2001 will only become available 92 years after that census was done.⁸ And, furthermore, for at least the two census-takings beginning with the 2006 census, genealogists working 92 years from now will only be able to access the patchwork of records for those individuals who gave their consent to this access in the 2006 census and who decide to give it in the next census.⁹ This patchwork of availability seems the likely situation for all future censuses.¹⁰

The Globe and Mail has followed the movement of affected individuals to “opt out” of the new Ontario adoption information regime. See Erin Anderson, “Few People Push to Maintain Privacy as Ontario Set to Open Adoption Files,” Globe and Mail, May 26, 2009; available at www.theglobeandmail.com/news/national/opening-adoption-records-in-ontario-prompts-few-requests-for-secrecy/article1152431.

Another area of the law where general personal data protection legislation has been overridden in some instances by specific statutory provisions is in the context of adoption records. In June 2009, Ontario’s new Access to Adoption Records Act came into force. The act dramatically alters the data protection environment for these records in Ontario, bringing it into line with similar laws already in place in British Columbia, Alberta, Manitoba, and Newfoundland and Labrador. This legislation allows birth parents and adopted children access to previously inaccessible, “sealed” adoption records so they can locate each other.

Patchwork Problems in Other Countries

An editorial in a U.S.-based Jewish genealogical association newsletter details similar problems with patchwork legislation in the United States. Concerned with the limited access to information inherent in data protection laws, it discusses whether enforcement techniques often only hinder honest attempts to access data while doing little against determined illegal access. Detailing a personal experience of the author, two branches of a family, separated during the Holocaust, were reunited because of information available in California. If the family had lived in New Jersey, on the other hand, the discovery of the missing family members would never have occurred because New Jersey has stricter data protection legislation. 11

Paradoxically, this legislation may make it easier for children and parents involved in adoptions to locate their parents and children, respectively, than for children and parents not involved in adoptions to locate each other once they have lost track of each other.

Records Held in the Private Sector

Until 2004, personal data protection legislation in Canada (except Quebec) affected only government bodies. In 2004, a new piece of legislation, which the federal government had passed in 2001, came into full effect: the Personal Information Protection and Electronic Documents Act [PIPEDA]. This statute has signalled a new era in Canada — personal data protection is now an obligation imposed on private sector organizations as well as on public sector ones. Indeed, because PIPEDA applies to all organizations engaged in commercial activities, it is possible that we now have a greater scope for personal data protection in the private sector in Canada than in the public. This situation will probably not persist for long. In Ontario, for example, universities were originally not covered by either the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act but the McGuinty provincial government (elected in 2003, re-elected in 2007) brought them all under the Freedom of Information and Protection of Privacy Act in 2006.

There is no corresponding access legislation covering information held in private sector organizations. This means that, although private sector organizations are legally obliged to protect information about identifiable individuals, there is no requirement on a private sector organization in Canada, even after personal data protection time periods have expired, to make any information available to anyone. This will probably signal a general tightening up for genealogists of information held by private sector organizations in Canada.

Federally regulated businesses in Canada, such as airlines and those in the banking industry, as well as businesses in certain provinces and territories (the Maritimes, Saskatchewan, Manitoba, and Ontario) must comply with PIPEDA. Because the constitutional ability of our federal Parliament to pass such a sweeping statute governing the whole business sector in Canada is in some doubt, the federal government has left room for the provinces to pass their own, similar, legislation for the private sector. Quebec already had such legislation, which has been deemed equivalent to PIPEDA. British Columbia and Alberta have followed suit with their own statutes, also deemed equivalent. Thus private sector organizations in Quebec, British Columbia, and Alberta must generally comply with their respective provincial statutes and not with PIPEDA.

Health information is a particular category of personal information that has fallen under a variety of provincial laws as well as, in some respects, under PIPEDA. This is an area of changing laws in Canada and genealogists may wish to keep up to date on changes in this area in the future. (An excellent source is the website of the Privacy Commissioner of Canada at www.priv.gc.ca/index_e.cfm.) Some provinces have enacted specific legislation to deal with personal health information.

Provincial Health Information Legislation

Alberta: Health Information Act, R.S.A. 2000, c. H-5

British Columbia: E-Health (Personal Health Information Access and Protection of Privacy) Act, S.B.C. 2008, c. 38

Manitoba: Personal Health Information Act, C.C.S.M., c. PP33.5

Newfoundland and Labrador: Personal Health Information Act, S.N.L. 2008, c. P-7.01 (not in force as of June 2009)

Ontario: Personal Health Information Act, 2004, S.O. 2004, c. 3, Sch. A

Saskatchewan: Health Information Protection Act, S.S. 1999, c. H-0.021

• In Ontario, the Personal Health Information Protection Act [PHIPA] is specific legislation passed by the Ontario Legislature that has also been approved by the federal government as equivalent to PIPEDA for most of the health sector (for health information custodians, as defined in the Ontario statute). Organizations subject to this act need only comply with it and not with the federal PIPEDA.

• In Alberta, there is a Health Information Act that has not been deemed equivalent to PIPEDA at the federal level and so the private sector organizations affected must currently comply with both Alberta’s HIA and PIPEDA. Public sector organizations covered by HIA need comply only with HIA.

• A similar situation to that in Alberta currently exists for Manitoba’s Personal Health Information Act[PHIA], Saskatchewan’s Health Information Protection Act [HIPA], and British Columbia’s E-Health Act (Personal Health Information Access and Protection of Privacy): all have passed and are in effect but are not deemed equivalent to PIPEDA. Thus private sector health organizations in Manitoba, Saskatchewan, and British Columbia need to comply both with the provincial health information legislation and PIPEDA while public sector organizations are governed only by the provincial health information legislation.

• Newfoundland and Labrador has passed a statute, the Personal Health Information Act, that has not yet come into force (and has not been deemed equivalent to PIPEDA by the federal government) but, when it does come into force in Newfoundland and Labrador, both it and PIPEDA will have an effect on genealogists seeking certain materials from that province.

All this legislation is relevant to those genealogists who might be searching for hospital records. I have been asked questions by people, for example, seeking to know whether their relatives have spent time in the tuberculosis sanitariums in Ontario. In general, because of this legislation and older law relating to medical records, such information is only available to patients (and, in some cases, their legal representatives).

Access, Privacy, and Genealogical Research

If you are trying to find out about someone and you know that a number of public and private sector organizations in Canada may hold information about this person, you can apply to any organization that you believe might have records, any selection of them, or all of them. It is a common practice to apply to more than one organization. Since personal data protection and access legislation differs from province to province and between territories and federal legislation, what is not released to you from one organization may be made available to you from another. You may not get the original letter from the organization that holds it, but you may get a copy of it from another.

In most jurisdictions, if you are acting as agent for the legally appointed personal representative or executor of a person who has died and you are within the number of years that jurisdiction protects personal data held by organizations, you can insist that the personal information about that person be released to you. You can also help a person to whom information relates to apply to an organization governed by personal data protection legislation for information about her- or himself. You cannot, however, represent yourself as agent for people with whom you have no direct connection. For example, you cannot represent yourself as acting as agent for a granddaughter in applying for information about her just because you are working on a genealogy of your family that includes her.

Curiously there is no provision for a deceased’s legal representative to act after death regarding personal information under PIPEDA. So, it would appear that during the 20 years following an individual’s death that PIPEDA applies to that person, organizations covered by PIPEDA will be unable to release information about that individual to anyone at all (if the record in question is under 100 years old). Under the federal public sector Privacy Act, there is a specific provision providing for access by the deceased’s legally appointed personal representative or executor — but only for purposes of administration of the estate, not for genealogy.

Personal data protection in the public sector in Canada is largely complaint-driven. That is, under the statutes, the person whose information has been wrongly handled by the organization involved can complain. At the federal level and in Ontario, British Columbia, Alberta, Newfoundland and Labrador, and Prince Edward Island there are Commissioners to whom the complaint is made (although in Newfoundland and Labrador, the person concerned can choose to go to court instead of to the Commissioner).

In Quebec, there is a Commission. In Manitoba and New Brunswick complaints are handled through the provinces’ Ombudspersons — but New Brunswick also offers the alternative of going to court. In Nova Scotia, a complaint may be taken either to the Review Officer appointed under its Freedom of Information and Protection of Privacy Act or to court.

At the federal level (and in Manitoba, Saskatchewan, Newfoundland and Labrador, New Brunswick, and Nova Scotia), the Commissioner (or other complaints investigator created under that province’s statute) must investigate the complaint against a public sector organization covered by the legislation but then can only make a recommendation. With respect to the federal Privacy Act, if the public sector organization involved does not comply with the Commissioner’s recommendation, the Commissioner may take the matter to the courts. At the federal level, the Privacy Commissioner is a separate office from the Information Commissioner whereas, in the provinces, the roles are combined. In some cases the federal Privacy Commissioner and the federal Information Commissioner (who is focused on public access to government information) have taken different positions before the Federal Court.

In Alberta, British Columbia, Ontario, Prince Edward Island, and Quebec, the decisions of the Commissioners or other reviewing appointees are final and determinative of the complaint. In these provinces, the courts will only become involved if one of the parties to the complaint formally appeals the decision by the Commissioner or other complaints decision-maker under the statutes (or, of course, in New Brunswick, Newfoundland and Labrador, and Nova Scotia if the complainant decides to go directly to the courts for relief, as mentioned above).

With respect to Ontario’s public sector legislation, the Ontario Commissioner him- or herself has legally binding decision-making power — but the individual involved in making the complaint will not receive direct compensation (that is, money) for breaches of the statute. As is evident from the description here about who decides when a complaint is launched in a given jurisdiction, each province and territory has set up its own mechanism to handle violations of its personal data protection regime or regimes.

The Ontario Commissioner’s Office recently released a decision involving genealogical research.¹² The adjudicator found that the names, grades, and dates of students’ attendance at a school are the personal information of the students. As well, the teachers’ names are also personal as part of their employment history. Nevertheless, the information requested that involved students and teachers who died before 1979 was found to not be covered by the Ontario personal data protection legislation and thus would be accessible to a genealogist requesting it from the public sector school board that held it. The adjudicator also dealt with the problem the school board then faced about how to know who had died by 1979 in a large group of photos. The adjudicator looked at life expectancy data produced by Statistics Canada for the relevant period and decided the Board must release, under its legislated access mandate, information on those born before 1919. Endeavouring to gain access to information about those in the pictures born after 1919 as well, the genealogist making the request argued that he was engaged in “research.” The Commissioner’s Office agreed that genealogy is research but held that it did not comply with the statutory conditions of the research exception to personal data protection — that the research meet security and confidentiality conditions — and thus, although engaged in research, the genealogist was not given access to information about students or teachers whose information was still governed by the legislation (those born after 1919).

The federal private sector personal data protection regime, however, legislates different consequences for breach than exist in the federal public sector Privacy Act context we have just mentioned. Under PIPEDA, as under the federal Privacy Act, the federal Privacy Commissioner must investigate the complaint made and must then make a recommendation. However, under PIPEDA, once the report of the Privacy Commissioner has been issued, either the Commissioner or the complainant can take the organization being complained about to the Federal Court. At this point, it is open to the Court, if the complaint is judged to be well-founded, to order, among other things, that the organization involved pay damages (that is, money) to the complainant. This provision makes the risk of non-compliance to a private sector organization governed by PIPEDA different (and some would say, greater) than the risk to public sector organizations in Canada that are governed by public sector personal data protection.

If you are working on genealogy as a private individual, you are not an organization covered by any personal data protection rules in Canada and so you are quite entitled to include information about any individuals, living or dead, in your genealogy once you have the information.This is because PIPEDA does not apply to “any individual in respect of information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose.”¹³ (As discussed earlier, you may be affected by the personal data protection legislation that governs organizations from which you are trying to get information – but once you have information in your possession, you yourself do not have to comply with any personal data protection legislation in your use and dessimination of any information you have.)

Nothing in personal data protection legislation stops you, as an individual working on your own family tree or, as a hobby, on anyone else’s family trees, from publishing your personally created family histories. This assumes, of course, that you avoid libelling the living (see Chapter 5)! It is another paradox in our evolving law about information that you cannot libel dead people but the dead have “privacy” rights under personal data protection regimes in this country for a number of years after death. There may be other legal barriers to publication of your personally created family histories, discussed in Chapter 4 on copyright, if you used commercial software in the creation of the genealogy or include copies of documents created by other parties.