Law Firm Privacy Compliance in 10 Steps

  • August 12, 2015
  • Jeffrey Kaufman

On January 1, 2004, new federal and provincial laws came into force that change the standards lawyers in private practice must meet when they deal with personal information in their practices.

The federal Personal Information Protection and Electronic Documents Act (the PIPEDA) applies to law firms and lawyers that collect, use and disclose personal information in the course of their commercial activities, except when such activities are carried on wholly within a province that has provincial legislation which has been declared “substantially similar”.  Currently, there exists such legislation only in Quebec, B.C. and Alberta.

The Acts oblige law firms to collect, use and disclose an individual's personal information only with the knowledge and consent of that individual, which may be express or implied, depending on the sensitivity of the information and the reasonable expectations of the individual. There are exceptions but they are limited. The Acts will also oblige law firms to designate an individual or individuals to be accountable on behalf of the firm for its compliance and to establish (and train employees to apply) policies and practices that give effect to the requirements of the Acts.

The 10 principles that law firms must follow are embodied in Schedule 1 of the PIPEDA, and are: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance.

In order to achieve compliance with the obligations created by the Acts, the Office of the Privacy Commissioner of Canada has recommended that all private sector organizations conduct a privacy impact assessment of their personal information practices.

To ensure that your law firm is compliant with the Acts, you need to take the following steps:

1. Appoint a Privacy Officer

Make sure that you have designated an individual with enough authority and resources to do the job. This individual would be the contact for your clients, employees, third parties and the public when privacy issues arise. This individual is also responsible for the law firm’s privacy compliance.

In larger law firms, you may wish to delegate some responsibility to others. A team is likely more effective since areas such as information technology, records management, client services, human resources, financial operations and marketing will be affected.

2. Become familiar with the relevant legislation

Your firm will need to be familiar with the PIPEDA, at the very least. Resources are available on the Federal Commissioner’s privacy Web site at www.privcom.gc.ca. The cornerstone principle of the PIPEDA is that your firm requires the consent of an individual to collect, use or disclose their personal information, subject to the limited exceptions in the Act. Personal information is defined as any information about an identifiable individual other than their business title, address and telephone number.

The obligations for law firms are therefore much broader than obligations of confidentiality owed by lawyers to their clients.  Of particular relevance to your practice are the exceptions in s. 7 of the Act relating to investigations, debt collection, publicly available information, compelled productions and disclosures "required by law".

3. Analyze all personal information handling practices

Your law firm is responsible for the collection, use and disclosure of personal information from the time it is received to when it is destroyed. Ask these questions:

  • What personal information do you collect? (e.g. client, third party, prospective client, prospective adverse party, employee, prospective employee, expert) Why? How?
  • What information is sensitive? (e.g. health, financial)
  • What do we use it for? Where do we use it?
  • Who is it disclosed to? Does your law firm transfer or disclose personal information to service providers? (Note: a transfer for processing only does not require consent)
  • Where do you keep it? On-site? Off-site?
  • How is it secured?
  • Who has access to or uses it? Who needs to have access?
  • When it is disposed of? How is it disposed of?

4. Obtain the necessary consents

Answer these questions:

  • Is it personal information?
  • Did you obtain consent, express or implied, to collect, use or disclose the individual’s personal information? (Note: sensitive information requires express consent)
  • When you obtained the consent, was the individual aware of the purposes for which the information was being collected, used or disclosed?
  • Have you provided for withdrawal rights?
  • Can your firm rely on any exceptions? (Note: be mindful of the limited exception in s. 7 of the PIPEDA)

5.  Develop privacy policies and practices

Policies should not be developed until you have conducted the assessment described above. Information on these policies will need to be available to the public on request. Develop and implement policies and practices in the following areas:

  • Defining purposes of collection, use and disclosure
  • Ways to obtain and record consents, and handling withdrawals of consent
  • Ways to record uses and disclosures of personal information
  • Ways to keep information as accurate as is needed for decision-making
  • Limiting collection, use and disclosure
  • Adequate security measures to protect personal information of clients, third parties and possibly employees by using physical, technological and “need-to-know” measures appropriate to the sensitivity of the information
  • Developing retention and destruction procedures so you can destroy personal information no longer needed for the purposes for which it was collected. This policy will likely be different than your law firm’s present retention policies
  • Processing access requests and responding to inquiries and complaints

6. Review your documentation

Documents such as retainers and engagement letters should be reviewed to determine if you have the requisite consents to collect, use or disclose personal information in the course of the retainer.

Your website should contain a statement about your firm's privacy policy. If you do not have a website, you must still provide information on your policies upon request. Your responsibility to protect personal information continues when you provide personal information to a contractor for processing. If your firm transfers personal information to third parties for processing, all contracts should contain clauses to clarify that the firm is legally responsible for that personal information. They should also set out adequate security measures. You may also wish to provide for indemnities and audit rights.

7. Put your practices to the test

Consider whether your law firm’s information handling processes meet the requirements in the Acts. Develop a plan to overcome any deficiencies, starting with the most problematic areas. These include your handling of the most sensitive personal information collected or of the information most vulnerable to improper use or disclosure.

8. Train lawyers and staff

Ensure that you adequately train all law firm personnel for their privacy responsibilities. Training may cover such areas as:

  • The principles of privacy protection
  • The organization’s policies and practices
  • How the Acts affects their specific job and the personal information they handle or are responsible for
  • How to handle or re-direct questions received under the Acts

9. Be prepared for access requests

An individual is entitled access to their personal information generally within 30 days after their request. Accordingly, you should find out from your client who will be responsible for fulfilling any requests for access to personal information. Be mindful of the privilege exception and the other  limited exceptions to access. If your law firm is obliged to provide access, be cognizant of the strict time limits in the Acts.

10. Be prepared for complaints/inquiries about your personal information practices

Any individual can complain anonymously to the Commissioner’s office about any privacy breach. The Acts also provide further whistleblower protection. If a complaint is made, you are likely better off if your firm has been compliant and co-operates with any investigator appointed to handle the complaint.  Many complaints give rise to unflattering media coverage and adverse findings by the Commissioner.

These guidelines were prepared by Jeffrey Kaufman of Fasken Martineau DuMoulin LLP, Co-Chair of the Privacy Section Executive of the OBA and executive member of the CBA's National Privacy Section Branch. Input was provided by Karen Spector, Barrister & Solicitor and Mark Hayes of Ogilvy Renault, both of whom are Members-at-Large of the Ontario Branch Privacy Section Executive.

For information on how to become a member of the CBA National Privacy Law Section, and to receive valuable newsletters and information on privacy-related issues, please visit http://www.cba.org/CBA/Sections/privacy.