Businesses operating in Canada that collect, use, disclose or store personal information that crosses provincial and national borders in the course of commercial activities fall under the scope of the Personal Information Protection and Electronic Documents Act (PIPEDA). For example, digital marketing activities such as address harvesting, web analytics, cookies and social media campaigns will trigger PIPEDA considerations. Construction organizations such as residential homebuilders or contractors may also have personal information subject to PIPEDA.
The basic principle of data privacy is proportionality, a fine balance between protecting the rights to privacy of an individual and the legitimate interests of a business. Privacy management programs should be designed with an eDiscovery process in mind.
Keeping eDiscovery workflow as the spearhead for privacy management program allows businesses to build a robust cross-functional compliance program and, in the arbitration and litigation heavy construction industry, save on costs when the need for disclosure arises. The following are some of the areas where business can combine the two processes:
Data mapping and maintaining a record of collection, use, disclosure and storage
One of the most important first steps for the data privacy compliance is understanding where the data is stored and how it is used and maintained. Maintaining a record of the category of data, the purpose of collection, retention policy and relevant custodians not only serves as the backbone of any privacy program but can also be a useful tool for the preservation stage of an eDiscovery process.
Adapting privacy by default approaches to data management
The privacy by default approach, which is not yet an explicit obligation under Canada’s current privacy framework, has emerged as the global standard for best practices. Privacy by default entails consciously adopting a structured approach with the default settings of systems or applications used to ensure that only strictly necessary information is stored and processed. Minimizing the volume of data retained will lower the costs at all stages of an eDiscovery project by reducing the amount of data that is collected, processed, reviewed and ultimately redacted.
De-identification and redaction
Manual redaction of personally identifiable information (PII) is a very time-consuming and costly aspect of an eDiscovery project. Using technology for auto-redactions can help lower the costs; however, it may result in false positives or may not catch all PII. Having anonymization and pseudonymization as part of compliance strategy allows organizations to permanently or temporarily de-identify PII that is not necessary. Data that cannot identify an individual is outside the scope of PIPEDA.
Litigants can also consider entering an agreement to redact PII only if and when the document becomes a public record (I.e., as an exhibit at trial), and to rely on the implied or deemed undertaking rule. The deemed undertaking rule complements PIPEDA and helps preserve privacy by ensuring that documents obtained in discovery are not used for any other purpose.
Transfers outside of Canada
PIPEDA does not prohibit cross-border data transfers but places the onus on the organization to protect the information under its control. When engaging in the eDiscovery process and collecting, processing and reviewing data for construction disputes, companies should inquire with eDiscovery service providers on whether the data will leave Canada. Keeping the data in Canada reduces risk and simplifies the eDiscovery process.
Keeping eDiscovery in mind when creating a data management system will reduce costs and assist litigants with meeting their PIPEDA obligations. Once a dispute arises, organizations should consider the above strategies to reduce the burden and cost of dealing with PII.
Candice Chan-Glasgow is director of review services and counsel at Heuristica Discovery Counsel LLP, which has offices in Toronto and Calgary. It is the sole national law firm whose practice is limited to eDiscovery and electronic evidence. Shadab Khan is a Law Practice Program student at Heuristica Discovery Counsel LLP. Send Industry Perspectives comments and ideas to to email@example.com.