Daniel Urbas is a lawyer with Woods & Partners. His practice focuses on media law, intellectual property, e-commerce and litigation. He can be reached at durbas@woods.qc.ca.
The contents of Publishing Law should not be construed as legal advice offered by Masthead or Mr. Urbas. Readers should consult their own lawyers before acting.
Column for May 2001
Question and Answer Part II: Privacy laws will forbid use of "terminal" files
This is Part II of a two-part series of questions and answers generated further to suggestions made by Janet Feaver, general manager of Canadian Homes & Cottages. The Mississauga-based magazine has a circulation of 51,000 and is published eight times a year; the Web site is at www.homesandcottages.com.
I have taken Ms. Feaver's suggestions and developed my own questions and answers regarding the Federal Personal Information Protection and Electronic Documents Act.
For Part I, see my column for April 2001.
Q: When do we have to identify the purposes for which we are collecting the personal information?
A: At or before the time the personal information is collected.
Q: What type of personal information can my magazine collect?
A: The collection of personal information is limited to the information which is necessary for the purposes identified by your magazine at the time it collects the information.
Q: Who must receive notice of the purposes for which our magazine is collecting the information?
A: The Act simply says that the purposes should be specified to the person from whom the personal information is collected. This aspect of the legislation is unclear for gift subscriptions. One person could pay for a gift subscription for a friend and provide the friend's name and address. In such cases, the personal information is collected from someone who is not the object of the information.
Q: How do I manage gift subscriptions then?
A: It appears that the intent of the Act is for the recipient of the gift subscription to provide his or her consent also. Once you have a gift subscription, you should confirm that the recipient agrees with the collection of his or her personal information.
Q: Can I change the purpose after I collect the personal information?
A: Yes. However, you must identify the new purpose and obtain the consent of the individual prior to using or disclosing the personal information for that new purpose.
Q: Are there any standard rules or phrases we should use to obtain consent?
A: No. Consent must be meaningful. You must state the purpose in such a way that a person can reasonably understand how their personal information will be used or disclosed.
Q: Is there a model form I can use?
A: Consent can be given orally or in writing. Written consent is better because it is easier to store and recall if necessary.
The form can vary. For example, a blow-in or bind-in carton card may be used as well as a subscription template on your web site. Make sure that your paper and electronic exchanges are secure so that the personal information does not go astray.
The Principles provide that, when determining the form, the magazine must weigh the sensitivity of the personal information. Some information may be sensitive in some circumstances, but not in others. As an example, the Principles note that the names and addresses of subscribers to a general-interest magazine might generally not be considered sensitive, but the names and addresses of subscribers to a special-interest magazine, such as one for drug dependants or credit-card addicts, will be.
Q: What should appear on the form?
A: A pre-printed subscription form may inform the subscriber about the uses that may be made of the information. The form could advise the subscriber that the completion and signature of the form will be considered a consent to any use and disclosure of the personal information for the specific uses disclosed on the form.
As an alternative, subscribers could be invited to indicate on the subscription form that they do not want to have their personal information disclosed to others. Similar to the unpopular negative billing for some cable companies, a subscriber who did not so indicate on the form would be considered by the magazine to consent to the disclosure of the personal information. This approach may be unpopular with subscribers.
Q: We publish a personal finance magazine and we would like to cross-promote our magazine with the services of a credit management company. Can we use their client lists to solicit subscriptions?
A: No. A client with debt problems would not reasonably expect that his or her name and address, given to his or her debt management professionals, would be shared with someone else selling personal finance magazines.
Q: Can I use the mailing list to solicit the renewal of a subscription to my magazine?
A: Yes. A subscriber should assume that a magazine would use its mailing and billing information to contact subscribers to extend their subscriptions.
Q: How long can we hold on to old subscribers' lists then?
A: Personal information which is no longer required for the specified purpose should be destroyed, erased or reduced to such an extent that the personal information no longer serves to identify any particular person. Once you have tried and failed to solicit a subscription renewal, you must retire the information.
Q: We may broaden our editorial profile. Can we collect as much personal information now as possible and then decide what to use it for later?
A: No. A magazine's collection of personal information must be limited to identified purposes. A mailing list cannot be increased through deceptive practice. You are better off contacting your subscribers after your changes and soliciting a new consent to the additional specified purposes.
Q: We allow subscribers to subscribe through our web site. Does the Act impose any obligation on our collection through the web?
A: The Act does not specifically mention web sites as a means to collect personal information. However, the Principles oblige personal information holders to protect personal information against theft or unauthorized access, regardless of whether the personal information is stored in paper or electronic format. You should therefore verify your web site's security measures to prevent access by hackers. Contact your web site developer to verify the level of your encryption and the security level for access through the web site. For paper format, your security level may simply be locking your office or the filing cabinets which contain the personal information.
Q: Does our magazine have other obligations in addition to restricting the collection, use and disclosure of personal information to the specified purposes?
A: Yes. The Act provides a detailed list of how each organization must implement policies to manage personal information. The Principles are explicit and provide the following obligations:
"(a) implement procedures to protect personal information;
(b) establish procedures to receive and respond to complaints and inquiries;
(c) train staff and communicate to staff information about the organization's policies and practices;
(d) develop information to explain the organization's policies and procedures."
Q: I have also heard that we must be "open" about our policies to apply the Principles. How do we become "open"?
A: A magazine must make available the following information specifically required by the Act:
"(a) the name or title, and the address, of the person who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded;
(b) the means of gaining access to personal information held by the organization;
(c) a description of the type of personal information held by the organization, including a general account of its use;
(d) a copy of any brochures or other information that explain the organization's policies, standards, or codes; and
(e) what personal information is made available to related organizations such as subsidiaries."
The information can be provided through brochures, web sites or toll-free numbers.