By David H. Flaherty, Ph. D.
David H. Flaherty Inc.
Privacy and Information Policy Consultants
1939 Mayfair Drive
The full account that follows is somewhat complicated. The short version is that the Personal Information Protection and Electronic Documents Act (the Act) will have only modest application to most Canadian archives. However, its enactment does raise a number of issues about the relationship of privacy laws and archives, the most problematic of which are treated below in chapter 15 (including the threshold issues of jurisdiction and the risk of creating "privacy limbos" within archives).
The "authorized" interpretation of the Act set out by Industry Canada is that all archives are exempt from its requirements (especially if they are covered by federal, provincial, or territorial data protection legislation), and there are no constraints on the ability of archives to collect personal information (1). If records from an organization covered by the Act are in an archive, the Act does not impose retroactive coverage over them, since it has no retroactive effect. If records from an organization covered by the Act are transferred to an archive, these records lose the privacy protections offered by the Act.
However, the core message of this guide and commentary is that all personal information held in archival settings should be handled in compliance with the fair information practices set out as a national standard in Schedule 1 of the Act. Archives, large and small, regulated and unregulated from a privacy perspective, need to figure out how to accomplish this goal in order to meet the legitimate expectations for privacy and confidentiality of those persons whose records are selected for archival retention.
Although official privacy protectors should remain vigilant about the practices of archives with respect to the collection and disclosure of records that include personal information, the known track record of major archives to date suggests that they have successfully incorporated fair information practices into their daily regime of archival work.
Readers should be aware that the author of this report wrote it under contract to the National Archives of Canada in response to its request for services. However, the end product is very much his own view of this particular world, which readers are welcome to disagree with from whatever perspective they bring to it. They should also be guided by the table of contents in terms of locating material that is of direct relevance to their interests.
A series of introductory points attempt to set the stage for the analysis that follows in this guide and commentary, which focuses on the relationship between the Canadian archival community and privacy or data protection legislation. 2 They These preliminary observations, presented in a bullet format, are for the most part not controversial points:
Part 1 of the Act, which addresses the protection of personal information in the private sector, is the heart of the legislation for purposes of this guide and commentary. Part 1 must be examined in the context of Schedule 1, which lays out a set of principles that organizations must generally follow in order to protect personal privacy.(29)These principles reflect the core privacy values, or fair information practices, that have been at the heart of national, state, provincial, and territorial legislation in advanced industrial societies since the early 1970s. (30) They are also in a direct line of intellectual inheritance from a similar set of principles developed by the Organization for Economic Cooperation and Development (OECD) around 1980. (31) During the first half of the 1990s representatives of the public and private sectors in Canada met under the auspices of the Canadian Standards Association (CSA) to develop a model code for the protection of personal information in the private sector. The intention was to develop a self-regulatory code that would reduce the need for statutory solutions for data protection in this sector. Most privacy advocates wanted Canadians to have privacy rights, with an oversight mechanism in the form of a Privacy Commissioner, which would be enforceable by law as required. Simultaneously, the European Directive on Data Protection was mandating similar standards for non-European countries that wished to continue to trade in personal information with the European Union. In 1993, Quebec enacted private sector legislation of its own.
In the Act, Industry Canada adopted the highly innovative CSA Code and gave it the force of law. Schedule 1 (which incorporates the CSA Code into the Act) lays out ten principles, each one followed by a more complicated articulation of best practices. These have already served as the basis for self-regulatory codes by, among others, the Canadian Bankers Association and the telephone industry (the former Stentor). IMS Health Canada Ltd. went one step further and had its privacy code, based on the CSA standard, certified as such by the Quality Management Institute of the Canadian Standards Association.(32) I have summarized each of the ten principles below, with a brief commentary on what they mean, since the archival community should comply with them in the course of being sensitive to the protection of privacy in permitting access to personal records in their custody and control.
Although the principles establish a level of privacy protection that archives should aspire to achieve, Part 1 of the Act modifies the contents of these principles to some extent. Such modifications, especially with respect to the collection, use, and disclosure of personal information without the consent of the individual, will be discussed further below. However, in order to try to understand a very complex piece of legislation, one first has to understand the principles in Schedule 1. (33)
Principle 1 - Accountability: "An organization is responsible for the personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles."
From an archival perspective, the requirements for compliance with this principle are laid out in a straightforward manner in 4.1.4:
The accountability principle requires both staff and clients of any archives to know what the rules are for collecting, using, and disclosing personal information. In my judgment, the head of any archive should be the "designated individual" for purposes of compliance with the rules, but with day-to-day responsibility delegated to other individuals (always including a Human Resources person who deals with staff information, which raises a different kind of privacy issue).
Principle 2 -Identifying Purposes: "The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected."
This should be a relatively uncomplicated issue for archives. The raison d'être of archives is to collect and use records, including personal information, for historical, genealogical, and other research purposes. Archives, even those located within a specific organization, such as a bank, are established for relatively precise purposes. They follow established principles to determine what records are worth preserving for archival purposes, which normally results in the elimination of routine, repetitive, and trivial information. (34) This requirement to identify purposes is much more complicated for private sector commercial concerns, which are constantly inventing new ways to use personal information for marketing purposes, such as the data warehouses developed during the 1990s. Explaining to donors what will be done with their gifts or transfers of records containing personal information to an established archive is a comparatively simple matter, not least because donors of sensitive records can easily continue to exercise some control over how their records are used through donation agreements. (35) At the same time, it is highly unlikely that corporate concerns with be transferring personal information on customers to an external archive, since such records are not kept very long in practice.
Principle 3: Consent: "The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate."
For most data custodians, obtaining appropriate consent from individuals to collect and use their personal information is the most complex data protection issue, even though the CSA Code, and hence the Act, does not require explicit informed consent as such.
An archive that collects personal information from such diverse groups of individuals as employees, customers and clients, individual donors, and potential donors should obtain consent from these persons for specific uses of their information whenever possible. This is especially the case when archives collect personal information directly from individuals. Archives currently subject to data protection legislation (which would cover the major archives in the country) may have already addressed these matters. An "unregulated" archive, such as that of a religious group (the United Church Archives in Toronto) or a specialized historical archive of a religious or ethnic group, should obtain as explicit consent as possible for future uses of personal data collected by them, even though the Act does not really require it. (36)
The much more serious issue for archives, in general, including those subject to existing privacy legislation, is whether they can assume that data subjects have consented to placing their personal information in an archive for consultation by scholars and other interested persons. For some archivists, this raises a significant fear that the strict enforcement of the consent principle would put them out of business in terms of collecting, storing, and allowing access to personal information already in their possession or custody.(37) A purist application of principle 3 would even have ex-post facto application to personal information held in archives from "organizations" subject to the Act (which has retroactive effect for an organization, but not for an archive that already holds records from such an organization), such as the Bank of Montreal or the Hudson's Bay Company.(38) In fact and in law, the responsibility of an organization is over when records are given to an archive, thus creating a "privacy limbo" to use the felicitous language of Heather Black, one of the framers of the Act from the Department of Justice. Some common sense is obviously required with respect to personal data that are already held by any kind of archive and that are already available to qualified users under controlled conditions. In an ideal world, a grandfather clause would be read into the Act for reputable archives (and no others are likely to continue in existence) with respect to personal data that are already held by the archive and made available to legitimate users.(39) However, it is highly unlikely that a court would read in such a qualification, let alone an entire grandfather clause. Fortunately, if archives do fall within the scope of Division 1 of Part 1, they could be covered by the language contained in section 7( 2)( c), which indicates that knowledge or consent for use may not be possible or even necessary, where the use is for scholarly study or research purposes. (See below)
Archivists and historians raised the issue of "informed consent" in their appearance before the House of Commons, emphasizing the exceptions to the general rule in existing legislation, such as in Quebec and in the federal Privacy Act, which recognize consistent uses of information, "without the consent of the individual, where this is consistent or compatible with the original purpose [of data collection]." The groups "emphasized that even when informed consent is not required for the use or disclosure of personal information, stringent protocols exist to ensure that the privacy rights of individuals are safeguarded." Strict enforcement of informed consent requirements would "make it extremely difficult for companies to maintain and develop an active institutional memory." (40)The scholars and archivists further warned:
The most significant and detrimental consequences of any such measure would be to Canada's archival heritage and history. It would of course be possible to ask for explicit consent for future processing of data for historical or archival purposes. But given that historical inquiry is constantly changing in terms of subject, focus, and method, it would be virtually impossible to provide the kind of detailed information required for truly informed consent with respect to potential future scholarly, archival or historical research, and to the range of potential safeguards for privacy. Core archival practices, for example, currently run to several pages. In the absence of such nuance and complex consent forms, it is likely that such measures would result in a high refusal rate and the corresponding destruction of large numbers of records. Any widespread destruction would undermine the scientific validity of many future research endeavours and have perhaps unintended, but unfortunate consequences. It would impoverish our archival heritage. It would undermine our ability to know and understand our past. It would remove the rights of citizens to seek redress for injustices. (41)
The archivists and historians offered three recent examples in support of this last assertion: (i) the Japanese-Canadian wartime removal compensation package; (ii) all Aboriginal and treaty claims, including those relating to residential schools; and (iii) the relocation of Inuit communities in the North during the 1950s. The argument of the submission on this point is so compelling that I quote it in full:
Imagine these three scenarios again. If a Japanese-Canadian being relocated in World War Two from the West coast, or an Aboriginal parent losing a child to a residential school, or an Inuit survivor from the High Arctic relocations, if these three had been asked, on forms then being filled out that were designed to accomplish these unpleasant transactions, to consent to these forms containing their personal information eventually being transferred to an archives for later historical use, the vast majority would have checked "No" in a little box on the form. They would have done so because they are uninformed about the nature of archival activity or historical research, and the nuances of long retention periods before release, archival appraisal and sampling methodologies, descriptive practices to shield names, severing of personal identifiers from documents before release, codes of research ethics, etc. They would check "No" simply because they don't want people or perhaps Big Brother government snooping in their lives. Such fears are legitimate, but they are uninformed about the nature of and regulations governing archival work and historical research. Yet by checking "No" --unless archival retention, as recommended above, is seen as being consistent with the original purpose, thus not requiring consent--these people would have destroyed the very records upon which later redress settlements for themselves and their children have been based. Moreover, the point of history is that no one at the time could have predicted such future uses for these records. In all three cases, and many more like them, the destruction of these records would have been a national tragedy, and an international scandal.
This submission fully reflects what this guide and commentary has termed the realities of life for archivists and historians. No country in the world, to the best of my knowledge, requires informed consent, as such, for archival storage of information. These archivists and scholars make a plausible argument that "archival retention and, after a reasonable passage of time, historical research is consistent with the original uses for which personal information was gathered." (42)
The note to principle 3 provides only limited guidance for archives with respect to obtaining consent, although it acknowledges, in a very important way for archives, that "organizations that do not have a direct relationship with the individual may not always be able to seek consent."(43) This particular principle is in fact modified, considerably, by section 7 of the Act. These are such important modifications for the continued functioning of archives that they must be addressed here (as well as below).
Section 7 sets out criteria that must be met if an organization is going to collect, use, or disclose personal information without the knowledge or consent of the individual concerned. The most relevant one for Archives is that "the collection is solely for journalistic, artistic or literary purposes." Although it would have been preferable if the drafters had added the words "scientific" and "scholarly" to this list, the language is broad enough to cover the traditional activities of archives and their patrons in terms of collecting personal information for archival purposes, especially with the reference to literary purposes.(44) A secondary defence for an archive might be that it is not in fact "collecting" personal information when it accepts a set of records, in whatever format, for inclusion in an archive. It is also regrettable that the legitimacy of collecting personal information for journalistic, artistic, or literary purposes was not repeated, exactly, concerning the use and disclosure of the same information. For some reason, as noted in a subsequent paragraph, the drafters changed the language from section 4( 2)( c). (45)
The Concise Oxford Dictionary (7 th edition, 1982) defines "literary" as "of, constituting, occupied with, literature or books and written composition esp. of the kind valued for quality of form." The relevance of such a definition is the fact that courts will look to dictionary definitions in interpreting the plain meaning of the language used by legislative drafters.(46) The federal Privacy Act, however, explicitly sets out specific conditions in which the use or disclosure of personal information for statistical or scholarly purposes is permitted. [Section 8.2. j actually says research or statistical purposes]
It is also helpful to note that the European Directive on Data Protection, which sets minimum standards for national data protection within the European Union and which inspired and pushed Canada to enact the Act, makes the following supportive statements about the kinds of uses of personal records addressed in this guide and commentary:
([ Recital] 20) Whereas the further processing of personal data for historical, statistical or scientific purposes is not generally to be considered incompatible with the purposes for which the data have previously been collected[,] provided that Member States [of the European Union] furnish suitable safeguards; ....
Article 6 1. Member States shall provide that personal data must be: (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards; [emphasis added]
Article 9 Processing of personal data and freedom of expression Member States shall provide for exemptions or derogations from the provisions of this Chapter, Chapter IV and Chapter VI for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression[,] only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression. [This language likely explains the indirect inspiration for the language used by the drafters of Bill C-6 in section 7.]
Sections 7( 2) and 7( 3) introduce similar modifications to the requirement of principle 3 for consent for the use or disclosure of personal information from an archive, without the knowledge or consent of the individual, only if it is used "for statistical, or study or research, purposes that cannot be achieved without using the information, the information is used in a manner that will ensure its confidentiality, it is impracticable (47) to obtain consent[,] and the organization informs the [Privacy] Commissioner [of Canada] of the use before the information is used." There are at least two problems with this set of five statutory controls on uses of personal information held by an archive subject to the Act or that acts as if it is. The first is somehow ensuring that identifiable personal information is used in a way that ensures its confidentiality (which does not appear in 7[ 3]). While a researcher using the records of employment in the shops of a particular company sixty years ago will likely have no interest in using the names of employees other than for record linkages, for example, a writer using personal information for the purposes of a biography for inclusion in the Dictionary of Canadian Biography is in quite a different situation with respect to the publication of names (and it can hardly be assumed that the Parliamentary framers of the Act intended to make it impossible for archival sources to be used by their future biographers). The issue of biography is especially sensitive with respect to living individuals, such as Pierre Eliot Trudeau or Brian Mulroney, about whom considerable amounts of personal information will be held by archives (although they are also "public figures" or celebrities, with fewer reasonable expectations of confidentiality, in a way that most Canadians are not). It is thus necessary to read the qualification in the phrase in section 7 about 'using information in such a way as to ensure its confidentiality, ' in a manner that will not prevent the identification of biographical topics in particular. This is a good example of where the drafters of the Act paid no attention to important forms of legitimate scholarship, because they had so many "larger" issues to cope with in the exercise of their mandate. (48)
The second problem is that archives acting in accordance with the Act should inform the Privacy Commissioner in advance of granting access to identifiable personal information held in their collections. This could happen by one major notice of ongoing activities. Again, there is a significant risk of scholars and genealogists, in particular, feeling that this is a kind of censorship clause that appears to require validation by the Privacy Commissioner (meaning his staff) before a research project involving the use of identifiable personal information can go forward. (49)One can document the Privacy Commissioner's raising relatively purist positions on comparable matters in his relations with the health and statistical communities in particular (which is admittedly part of the privacy watchdog role).(50) In an ideal world, various types of archives subject to the Act, or acting in compliance with its principles, will have a consultation process with the Privacy Commissioner's office (and its provincial and territorial equivalents) in order to establish, well in advance, the legitimacy of how they collect, use, and disclose identifiable personal information for "journalistic, artistic or literary purposes." This should even be true for the National Archives of Canada, which is explicitly exempt from Part 1 of the Act. (See section 4( 2)( a))
Section 7( 3) of the Act addresses issues of disclosure of identifiable personal information without the knowledge or consent of the data subject. This may only occur if the disclosure is "for statistical, or scholarly study or research, purposes that cannot be achieved without disclosing the information, it is impracticable to obtain consent[,] and the organization informs the Commissioner of the disclosure before the information is disclosed." Note that these criteria must be met in their entirety. Section 7( 3) at least omits the qualification, "the information is used in a manner that will ensure its confidentiality," which is highly problematic concerning section 7( 2), as discussed above. The potential remedy of discussing standard disclosures with the Privacy Commissioner, as part of an initial consultation process, as discussed in the previous paragraph, has similar application here.
The treatment of consent in principle 3 in Schedule 1 contains many additional qualifications about the process of obtaining consent for collection, use, or disclosure of personal information that are not directly relevant to the traditional work of archives i the much simpler process of collecting, using, and disclosing personn promoting uses of archival materials, although they are appropriate toal information from staff and clients. In terms of 4.3.4 and 4.3.6, it seems unlikely to me that most archives will be collecting sensitive personal information in the normal course of interactions with their employees and patrons, who will likely be filling out standard forms that can easily include consent notices. If archives exchange mailing lists with one another, they will have to be quite careful about getting consent from such persons in advance of doing so (see 4.3.7[ b]).
Principle 4 - Limiting Collection: "The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means."
A strict application of such a fair information practice as "limiting collection" to existing archives could have a disastrous impact on their traditional activities (which the drafters cannot have intended). While it would be appealing to interpret principle 4 narrowly as applying to the present-day collection of personal information from staff and patrons, not the traditional collection activities of any archive, it is unlikely that the language of principle 4 supports this narrow interpretation. Thus it would be safer for archives to set out their broad purposes in their mission statements or statements of goals to the effect that they do not collect personal information indiscriminately, that the amount and type of information collected is limited to that which is necessary to fulfil archival purposes (4.4.1), and that this process occurs by fair and lawful means. Archives may find it burdensome to have to address such matters, but it appears to be necessary to avoid undesired contact with the "privacy police." Sensitivity to privacy always requires good housekeeping practices with respect to the handling of personal information.
Principle 5 - Limiting Use, Disclosure, and Retention: "Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes."
As previously noted, the CSA Code was not drafted with the needs of archives or scholarship in mind; it was intended to apply to the current needs of companies doing business with customers. It is only in that sense that principle 5 has relevance to the work of archives in dealing with its current patrons and clients. The archivists and historians who testified on Bill C-6 before the House of Commons wanted an amendment to principle 5 itself, stating that the "use and disclosure of personal information for historical, statistical, scholarly or archival purposes shall not be deemed to be incompatible with the purposes for which it was collected."(51) In fact, it was impossible to make changes to the CSA Code during the legislative process and, again, archivists, scholars, and statisticians were not present during the development of the code itself. (52)
Archivists will have particular reason to fear the second sentence of principle 5, since it incorporates the principle of anonymization, or even destruction, of identifiable data over time, including guidelines on retention that include "minimum and maximum retention periods." (4.5.2) In particular:
Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information. (4.5.3)
However, sections 4.5.2 and 4.5.3 of the Schedule both use the word "should" indicating that the principle is directory rather than mandatory.
Successive Privacy Commissioners of Canada have made positive noises about such practices as the destruction or anonymization of personal records, again without adequate regard to the interests of the archival community in the long-term retention in identifiable form, for legitimate secondary purposes, of at least some personal information. The judgment of what is transitory information, as opposed to information of archival quality, should be the domain of archivists and record managers in consultation with the official privacy protectors.(53) This process normally occurs through the implementation of record retention schedules and donation agreements in cooperation among record managers, archives staff, and government institutions. (54)
The National Archives and the Association des archivistes du Quebec wanted an amendment to schedule 4.5.3 to the effect that "[o]rganizations shall develop guidelines and implement procedures to govern the destruction of personal information not of historical or archival value. The response from Industry Canada is that the first part of the sentences says that information does not have to be destroyed, so such an amendment was unnecessary. As noted elsewhere, it was in fact impossible (or at the very least difficult) to amend the CSA Code during the legislative process on Bill C-6, since it had evolved as a national standard (although in fact Parliament could have done so and could do so in future); it is now unlikely that the Canadian Standards Association will exercise custody rights on behalf of its offspring, since it has seemingly lost interest in the Code. It would be appealing to argue that, in practice, the proposed amendment to Bill C-6 will have to be "read into it" during its implementation phase, since no one intends to stop the functioning of archives in this country. Again, the problem is that a court would be unlikely to read in such language. Faced with this question of interpretation, there is a reasonable prospect that a court would simply conclude that time limits cannot be imposed on archives for destruction of personal information, because of the nature of the functions that they perform. In fact, a court will likely never have a chance to interpret the destruction clause in Schedule 4.5.3, since it is not on the specified list of what the Federal Court can review in section 14 of the Act. In addition, the clear purpose of archives is to preserve records that they choose to archive, not destroy them.
After their appearance before the Standing Committee on Industry of the House of Commons, the Canadian Historical Association, the Institute d'histoire de l'Amerique francaise, and the Association of Canadian Archivists commented as follows about the risk of more frequent destruction of records:
We would insist that there is a legitimate public interest in the preservation of historical records and the study of the past. We strongly oppose any measures that would result in collective amnesia. Personal information should be protected by the reasonable passage of time, until it can no longer be used against the person, not by destruction, which is final and removes other protections and rights to which citizens are entitled. (55) The power of this statement speaks for itself.
Principle 6 - Accuracy: "Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used."
Again, this is a principle that only applies to archives to the extent that they collect information from employees and clients/ patrons on a one-time or an ongoing basis. Secondly, archives have no interest in collecting, using, and disclosing inaccurate information for archival purposes, but they are dependent on the quality of such data that the original collectors entrusted to them.
Principle 7 - Safeguards: "Personal information shall be protected by security safeguards appropriate to the sensitivity of the information."
This is at least one fair information practice set out in Schedule 1 in which the interests of archivists and official data protectors fully coalesce, that is with respect to the importance of ensuring security for personal information held in various types of records. One would expect an archives to use the full range of methods of protection outlined in 4.7.3, including physical measures (locking filing cabinets), organizational methods (training staff), and technological measures (the use of passwords and audit trails). Even the concept of sensitive information in the Schedule has considerable relevance here, since any archive should be more careful about the security of health information or personal diaries, for example, than a list of members of an ordinary group or a list of customers of a company. The National Archives segregates some records physically from the main holdings; these records are often stored in special vaults, have restricted finding aids, and are put into archival containers that are marked in some way or other for special treatment. The practical difficulties of defining "sensitive" information should encourage archives to follow strong security practices for all of the personal information in their custody and control.
Principle 8 - Openness: "An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information."
Again, compliance with this principle should be a simple matter for a well-established archive in Canada. The National Archives, for example, already publishes a substantial booklet (discussed below) on how it controls access to personal information held in its archival collections, but it pertains only to public and not private archival records. Section 4.8.2 of the Schedule outlines the following requirements:
The information made available shall include
In preparing standard responses to these categories for their privacy codes, archives need to remember that they hold personal information in their collections, but they also collect personal information from those who work for the organization and from patrons and users of the archives. The brochures that most archives have available for users and visitors should address such issues as concisely as possible.
Principle 9 - Individual Access: "Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate." The attached note is directly relevant to archives: "In certain situations, an organization may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement should be limited and specific. The reasons for denying access should be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide...." (56)
Compliance with principle 9 could be literally impossible for most archives, if it were construed to mean that they were somehow responsible for informing a requester whether any information about him or her was held in the entire archive, as opposed to records of employees, donors, users, and the like. The National Archives, for example, would have no practical way of knowing whether an applicant's name appeared in the employment records of the local operations of a particular company without doing research on behalf of the applicant, which would lie beyond the normal duty of a data custodian for this type of archival information. Fortunately, the note to principle 9 does acknowledge that "[ i] n certain situations, an organization may not be able to provide access to all the personal information it holds about an individual," although, typically for Schedule 1 and the CSA Code, the drafters wrote as if they have never reflected on an archive as a normal place for storing substantial amounts of personal information. (57) This note lists a number of "limited and specific" reasons why an organization may need to deny access, including a number of considerations applicable to archives as well:
A standard response from an archive, for its archival holdings, could be that applicants for access would have to do their own research in the archives to learn what information exists about them in relevant archival holdings. (58)
Section 4.9.3 would require an archive to inform requesters to whom it discloses personal information collected from them for administrative purposes, such as the membership in the friends and supporters of a specific archive. For the latter information, a data subject has rights of correction of inaccurate information held about them. Neither consideration appears to be relevant to the normal work of an archive.
Principle 10 - Challenging Compliance: "An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance."
This is a reference to those accountable under principle one. Principle 10 essentially requires an archive to have a complaint-handling mechanism, which should already be the case for well-established archives. In practice, complaints against archives for breach of fair information practices will be necessarily limited to complaints that the routine handling of administrative information about specific persons is somehow not in compliance with Schedule 1. It is barely conceivable, although not unimaginable, that a person could actually discover that an archive held information about him or her without knowledge or consent and want the information excised. Finally, there is an obligation on an archive to investigate complaints received.
There are several separate issues here: the first is the wide variety of archives in this country, the second is the kinds of personal data that they archive on a permanent basis, and the third is the question of accessibility and how that information is shared or made publicly available. (59) They require brief attention here, as a reminder to the archival community to keep its house in good order from a privacy and data protection perspective (which means complying with fair information practices, an issue to which I return below).
Archives in Canada, it should perhaps be said, will collect any significant historical records of the Canadian past, including the records of corporations, companies, law firms, and banks and trust companies.(60) The National Archives of Canada, for example, houses records from Air Canada, Massey Ferguson, the Bank of Montreal, the Canadian Pacific Railway, an Ottawa law firm (1808- 1973), Dominion Textiles Inc. (1860-1997), and the Molson family and business records (1619-1992), including diaries. The National Archives has a mandate to acquire private sector records of national significance. Provincial, municipal, local, and specialized archives have similar obligations. In fact, it would normally be considered a great coup for any archive to acquire the records of a major company, such as the Hudson's Bay Company's voluminous and ongoing records held at the Manitoba Archives. It would be hard for anyone, including official privacy protectors, to argue against such collection activities from any perspective, although the current initiative of the Privacy Commissioner of Canada in seeking to limit access to the original records of early 20 th century censuses should make any commentator cautious in this regard. (61)
A number of major Canadian companies maintain their own archives, such as Hydro-Quebec, Ontario Hydro, Manulife, SunLife, and Scotiabank, all of which are listed in the Directory of Archival Repositories.(62)
A major forest products company like McMillan Bloedel sent its own archives to the University of British Columbia Archives after completion of a history of the company. The relevant moral may simply be that there is no predicting which records of the past, including personal information, will survive in an archive or in what kind of archive.(63) The purpose of an "archive" is to protect and disclose records of archival value.
Companies for the most part do not retain considerable amounts of personal information on employees and customers over time. They have developed record retention schedules that follow largely legal and consumer protection requirements for how long such records need to be retained (and to meet all of the business and operational requirements of the firm) and then they are destroyed. During a recent privacy assessment that I undertook for a Canadian bank, I reviewed its record retention schedule, which revealed that banking information on individual customers is not stored for long periods, even if one remains a customer of a financial institution for ten or twenty years. To put it simply, such companies have no financial incentive to store such personal records for more than five to ten years, at most, from the date of a transaction. Even the value of personal information on customers used in data warehouses for marketing purposes does not have a very long shelf life, because such companies need the most current information possible in order to profile, categorize, and then target their customers, or prospective customers, with solicitations for particular products and services. Institutions that do information-based marketing (and all commercial organizations do so) want a profile of their customers in the immediate past and the present. Thus records about individuals stored in hard copy (paper and fiche) and digital information are destroyed on a regular basis. Since the advent of large-scale automation in the early 1960s, it would be very surprising if companies had lists of individual customers that were available ten years after the fact, whereas it is possible that the records of a particular store or financial institution from earlier times might still have ledgers and registers in existence covering personal information. Historians naturally fear that the ease of destroying digital records today, their transitory character, and the lack of incentives for a company to spend money on internal archives, will make it increasingly difficult to write in an informed manner about the Canadian past. Thus, I argue that the privacy issues posed by archival records are de minimis from any kind of broad perspective, because they contain so little personal information. Even such public institutions as hospitals do not, in fact, keep patient records much beyond a ten-year period, unless an individual continues to be treated regularly by that hospital. (64) Similarly, it appears to be unheard of in Canada for the patient records of an individual physician, or a group medical practice, to be archived.
The likely main source of sensitive personal information in corporate records would be employee or human resource records. Again, the realities are, especially for the past forty years, that most companies keep only skeletal records of a person's employment over time. Good practices among Human Resource professionals is to cull files on an annual basis to remove irrelevant information or data that are no longer timely. Most union contracts require the destruction or removal of disciplinary or grievance records after relatively brief periods. My experience in British Columbia was that institutions of higher education were less likely to clean out faculty files over time. For universities created in the 1960s or thereafter, the file of a particular faculty member contained unnecessary personal information from the past that proper archival procedures should address. In the private sector, when an employee retires, is terminated, or leaves for another position, the likelihood is that his or her records will be scheduled for destruction after a relatively short period of time. Moreover, the modern corporation does not itself store very much sensitive information on employees. Disability records are in the keeping of insurance companies. Companies that offer counselling services to employees usually employ specialized companies for that purpose and pay only for blocks of time, not the receipt of individualized records. An exception to the rule of companies not collecting and storing of personal information would be files on senior executives, such as a president and chief executive officer.
Despite all of these qualifications, official data protectors will require assurances from various types of archives under their jurisdiction that there are procedures in place for ensuring and preserving the privacy interests of personal information about individuals in their custody and control. Such issues do not arise so directly, if a company maintains its own archives, as leading corporations do. However, what happens to the records of a company like Eaton's when it goes out of business completely? One would hope that a major archive would acquire its records for preservation, but how does that happen? From a privacy perspective, the placement of personal records in any archive must occur in compliance with fair information practices, whether based on law or self-regulation (for which the Act sets the national standard in a manner more precisely than public sector privacy laws). This is especially the case as it has become possible for archives to store all kinds of personal records in an electronic format that is compact and does not require the shelf space of paper records; such digital records are also more readily searchable and linkable to other data bases that are in an electronic format. Electronic records are thus very much of a two-edged sword for the archival community: they are thought to be easier to destroy and to store.
In general, and at the present time, a properly-functioning archives receives major and minor collections of records on the basis of an acquisitions agreement with the donor that is likely to set some restrictions on access to them. Thus, for example, the National Archives' recent acquisition of the records of a particular company includes films, video, artwork, plans, technical drawings, slides, photographs, and textual records, including corporate minute books, correspondence of company executives, cancelled share certificates, public relations records, price lists, legal records, financial records, and labour relations records. Based on a listing provided to me by the National Archives, none of this material appears to be sensitive from a privacy perspective, yet restrictions on access appear to exist. (65) I was informed that corporate records of this particular company that were more than 75 years old would likely be open for consultation without restrictions, whereas records less than 15 years old would likely be restricted at the request of the donor company. However "files containing personal information on individuals will be restricted to protect the privacy of the individual," including payroll records and union grievance files. The Manuscript Division of the National Archives has guidelines for that purpose.
Under sections 7 and 8 of the Privacy Act and its Regulation 6, the National Archives has a twenty-five-page publication entitled Guidelines for the Disclosure of Personal Information for Historical Research at the National Archives of Canada (1995). The most significant rules include the following, which I quote here to illustrate the kinds of rules that archivists are most likely to follow, or perhaps should follow, with respect to the disclosure of at least certain personal information in their custody and control:
Acting in accordance with Treasury Board policy, the National Archives has developed an invasion-of- privacy test to determine whether disclosure of sensitive information "would clearly result in harm or injury to the individual to whom it pertains." The four interrelated factors in the test are as follows:
The National Archives thus has detailed rules in place for certain kinds of records requiring a clear and detailed research proposal, an outline of the specific records requested, a statement of the methodology to be used to protect the privacy of individual subjects, and a statement of the accountability of the applicant.(66) Finally, Treasury Board policy requires that "[ w] hen a government institution is transferring personal information for archival or historical purposes, the National Archives should consult that organization for advice on records containing information which, is disclosed, could constitute an unwarranted invasion of privacy."(67) Again, this is a sound policy for any archive to emulate when it is accessioning personal records (and the reality is that few records do not contain any personal information in them). Once such departmental records are at the National Archives, it has the sole discretion, under section 8( 3) of the Privacy Act, to disclose personal information to researchers.
The Manitoba Archives has developed some novel practices in the sense that all applications for access to recent government records in its custody and control have to be processed by the departments concerned, including those that involve considerable amounts of personal information.(68) This fifteen-year old practice is partly the result of the costs involved, and the expectation that individual departments will have greater understanding of the sensitivity of personal information in their own records. All government records are also scheduled for destruction or retention based on information in the Access and Privacy Directory for the province.(69) The Manitoba Archives also collects records extensively in the private sector from businesses, labour groups, and churches. Access to such records is controlled by means of a donation agreement, a set of restrictions on access, and research agreements with researchers for access to restricted records, which are obviously essential for any sensible archival arrangements.(70) The Archives discusses privacy considerations with potential donors and expects to come to terms with them about any conditions, such as periods of time before records are fully open. The Manitoba Freedom of Information and Protection of Privacy Act has a 100-year rule applicable to all records being open. This means in practice that privacy rights cease to exist one hundred years after the creation of the record. The Hudson's Bay Company continues to give its records to the Manitoba Archives but the company is careful about the transfer of, or access to, records covering the last fifty years of its history. Personal records are available after 50 years, general records after 30 years, and minutes after 15 years.
The Manitoba Archives has a standard agreement with the Law Society of Manitoba to collect records of law firms and legal practices. It houses the records as well of the Children's Home of Winnipeg, which was a private sector organization. It also houses records collected since the 1930s under the Juvenile Delinquents Act and the Young Offenders Act. These are all categories of sensitive records.
The status of personal records obtained by any archive in the course of the past century is somewhat different, in the sense that a formal agreement with donors is less likely to exist. The archives of a Catholic or Anglican religious order or diocese would be a good case in point, since they were likely accumulated over time and retained for their obvious historical value, long before sensitivity to the protection of personal privacy was an issue, or at least an issue as visible as it has been during the past thirty years. Data protection legislation, such as in Quebec, applies to such archives (the archives of religious groups at Bishop's University are a current example) on an ex post facto basis. (71) A related reality is that many ongoing archives of specific organizations contain records of personal information for the second half of the twentieth century, which are inherently more sensitive from a privacy perspective than older records. Thus the B. C. Archives, for example, holds court records and correspondence that contain information restricted from disclosure under the federal Young Offenders Act, as well as adoption records and divorce records. Its collection of "non-government records" includes records from the Royal Jubilee Hospital in Victoria that contains patient registers and admissions and discharge books from the 1950s (but not patient files(72)). These are good examples of how sensitive personal information is often buried deep within records that are otherwise completely benign. Archivists have to keep fair information practices in mind as they contemplate permitting access to such information for legitimate research purposes in particular.
Another reality is that surviving records of any corporate entity are likely given to an external archives without substantial knowledge on the part of the company of what they really contain, especially if the records are reasonably old, as in the case of some of the Dominion Textile records. A decision is simply made to archive records that are still in existence and have not been destroyed according to record management criteria. A manuscript archivist then undertakes the task of organizing the collection and disposing of non-archival material. For example, depending on the size and age of a collection of papers, the archivist will weed out and dispose of duplicates, standardized forms, and records that are routine and transactional in nature. (73) Since public archives are never adequately funded, some deposited records may simply remain uncatalogued for long periods. The Manitoba Archives solicits funding for the organization of records before agreeing to archive them. The National Archives has prepared selection criteria, or draft guidelines, for the archival retention of business records. (74) This document states up front that only 2 to 5 percent of the total records of a firm will be of interest to an archive. The listed categories of desired and desirable records are overwhelmingly of a general business nature. The most evident personal information would be the personal correspondence, diaries, and oral histories of senior company officers.
One of the problems of small to medium-sized organizations is that records management systems are less likely to be in place than in larger companies. This means that personal records will not be systematically destroyed on the basis of record retention schedules. Bill C-6 may force progress on this score, but the problem of adequate resourcing for record management functions is an ongoing one. In fact, the culling of Human Resources or personnel records over time often does not happen, so that more personal information continues to accumulate in employees files than is really necessary for personnel management. The irony in such practices is the prevailing wisdom that the vast majority of personnel/ Human Resources files have no permanent value from an archival perspective and are thus slated for destruction after an individual's working relationship (including pensions) with an organization has ended. (75)
The National Archives informed me that restrictions on access to records in its collections are negotiated at the time of acquisition and on an individual basis. Typically, the restrictions are listed in an accompanying binder. For the Molson Archives Fonds, for example, access requires the written permission of a family member, which permission is usually granted. Such restrictions are loosely based on privacy concerns and in keeping with the spirit of the federal Privacy Act. Corporate proprietary information could also be restricted, perhaps for a period of 20 to 30 years. A business archivist at the National Archives remarked on the inclusion of social insurance numbers on boxes of payroll cards from mills of Dominion Textiles from the 1930s to the end of the Second World War. These numbers were added later (it would have to be after 1963-64), when pensions continued to be paid to particular individuals. From a privacy perspective, the existence of the social insurance number on a particular record is no more or less sensitive than information that could be derived from payroll cards about sex, race, age, and home address. Proper controls on access to this particular set of records should spell out, in a research agreement, what the qualified researcher intends to do, and can do, with the data in question.(76) The National Archives can be expected to be a leader in this regard. Smaller and less well-funded "archives" would be in a different situation.
Historians, who are one of the primary professional users of historical records in archives, perhaps naturally fear that signing research agreements will hinder the execution of their research and perhaps even result in censorship of what they can accomplish.(77) I would argue, at least on the basis of my experience in British Columbia, that that is not proving to be the case, even though privacy rules mandated by law do require archivists to review records in their care from a privacy perspective before allowing scholarly access to them (or controlling the process on the basis of research agreements).(78) Tensions, in this regard, are most likely to arise in the context of biographical research on living or recently deceased persons. I would compare the situation of historians under privacy legislation to social scientists and medical researchers attached to universities and university-affiliated research institutions in British Columbia, whose collection, use, storage, and disclosure of personal information is now subject to the fair information practices in the B. C. Freedom of Information and Protection of Privacy Act. (79) From my perspective as both a researcher and a privacy advocate, there must be some tightening up, and consciousness-raising, about fair information practices, including consent, among members of the scholarly community.(80) The various ethical codes of the national research funding agencies also mandate such sensitivity, but without the force of law behind them.