Canadian privacy lawyer David T.S. Fraser recently spoke to public library directors in Nova Scotia on privacy law and patron records. He posted his presentation on his blog pipeda.blogspot.com (Nov 3).
I asked him if provincial laws protect library user records, and he replied:
"We don't have consistent protection of library patron records in Canada. Our federal system divides jurisdiction between the federal government and the provinces. For example, the provinces have jurisdiction over property and civil rights in a province while the feds have jurisdiction over trade and commerce. The federal government came up with a federal privacy law in 2001, but have to rely on their trade and commerce power to implement it. This means that the Personal Information Protection and Electronic Documents Act (PIPEDA) only applies to "commercial activities", something that public libraries are usually not engaged in. (If they sell their member list, it is deemed to be a commercial activity and PIPEDA applies to the sale.)
Because the provinces have jurisdiction over civil rights, there is concurrent jurisdiction that means that provinces can legislate in the privacy area as well, and put in place laws with wider application. Here in Nova Scotia, the provincial government has not done so, meaning that PIPEDA applies in the province, but again only to commercial activities.
But all provinces have public sector privacy and access laws. Nova Scotia's is called the Freedom of Information and Protection of Privacy Act (FOIPOP), which governs records held by public bodies. I do not believe that public libraries are public bodies under FOIPOP, so there is no privacy protection under that law. (This may not be the case in other provinces. For example, public libraries are under the Ontario Municipal Freedom of Information and Protection of Privacy Act and under the Alberta Freedom of Information and Protection of Privacy Act.)
This leaves library users records unprotected in Nova Scotia, by either federal or provincial law. What I recommend is that libraries still follow the good information practices set out in the Canadian Standards Association Model Code for the Protection of Personal Information, which is the mandatory standard under PIPEDA. It requires (i) appointing a privacy officer, (ii) developing a privacy policy and a statement of purposes for which personal information is collected, used and disclosed, (iii) getting consent for the use of personal information, (iv) only using and disclosing personal info for the purposes for which it was collected and for which consent has been obtained, (v) only retaining information for as long as is reasonably necessary, (vi) safeguarding the info against all threats, and (vi) having a complaint mechanism. If you have a privacy statement that becomes part of the user agreement, it should be binding upon the library and give the users specific rights vis-à-vis their information. In my experience, users expect that their privacy will be respected and libraries should live up to that expectation."
Minow take (added Nov 18): Thanks David. Sounds like library users in Nova Scotia have even less privacy protection than in the U.S. It's state by state here as well, but 48 states have library privacy laws, and the other two have attorney general opinions. At least Canada has, I believe, I stronger privacy ethos. Although voluntary for noncommercial bodies, the Canadian Standards are mandatory for commercial activities and folks are thus accustomed to those privacy principles.