Legislative “should”s

Last week we touched on the seemingly unusual wording of section 3(1) of the Broadcasting Act, which contains the word should in several critical places. One specific issue we touched on was the potential for subsection (g): (the programming originated by broadcasting undertakings should be of high standard;) to be used to regulate the fake news phenomenon.

After Professor Festinger highlighted the odd statutory language I became curious to see if I came across other Acts with similar wording. Sure enough I found a couple of significant examples that I thought might spark some debate. I found what seem to be some significant shoulds at both the federal and provincial levels. The example I have is federal and in addition to containing several interesting shoulds, it defines the word:

Personal Information Protection and Electronic Documents Act
S.C. 2000, c. 5
DIVISION 1 Protection of Personal Information
Marginal note: Compliance with obligations
• 5 (1) Subject to sections 6 to 9, every organization shall comply with the obligations set out in Schedule 1.
Meaning of should
(2) The word should, when used in Schedule 1, indicates a recommendation and does not impose an obligation.

4.2 Principle 2 — Identifying Purposes
The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. An application form, for example, may give notice of the purposes.
Persons collecting personal information should be able to explain to individuals the purposes for which the information is being collected.

4.5 Principle 5 — Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.
Organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. An organization may be subject to legislative requirements with respect to retention periods.
Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.

4.6 Principle 6 — Accuracy
Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.

4.7 Principle 7 — Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. The concept of sensitivity is discussed in Clause 4.3.4.
The methods of protection should include
• (a) physical measures, for example, locked filing cabinets and restricted access to offices;
• (b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
• (c) technological measures, for example, the use of passwords and encryption.

4.9 Principle 9 — Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Note: In certain situations, an organization may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement should be limited and specific. The reasons for denying access should be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.

4.10 Principle 10 — Challenging Compliance
Organizations shall put procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information. The complaint procedures should be easily accessible and simple to use.

The optional nature of the shoulds in the Personal Information Protection and Electronic Documents Act (PIPEDA) seems to frustrate or compromise the stated purpose of the Act of “protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate…” We discussed many of the reasons justifying not creating obligational shalls as opposed to shoulds in the context of the Broadcasting Act. Do they apply equally convincingly in this context? Were there better ways to draft the provisions of PIPEDA to facilitate its goals?

How many more legislative shoulds lurk out there…

One response to “Legislative “should”s”

  1. laura courdi

    I am still undecided if “should” should all disappear.

    The usage of “should” in PIPEDA brings a load of challenges for organizations subject to those recommendations; moreover, when the organizations are also subject to provincial legislation. On the other hand, the shoulds give discretion to each organization on how to develop a reasonable standard appropriate to their reality, their business model, their size, how the information is collected, etc. Shoulds give guidelines but flexibility.
