Getting ready for privacy

PIPEDA will rule the land come January

Background

The Personal Information Protection and Electronic Documents Act (PIPEDA) was passed in 2001 by the federal government and initially applied only to federal undertakings. It includes a provision which states that as of Jan. 1, 2004, the act will apply to all provinces and territories unless there is equivalent provincial or territorial legislation in effect that is deemed to be “substantially similar” to PIPEDA.

Quebec already has a law protecting personal information in the private sector. Alberta and British Columbia have bills which have passed their first readings, and are back to committee for refinements. Ontario has circulated proposed drafts of similar privacy legislation, the latest of which is still in caucus, and will likely not be passed by Jan. 1, 2004. Thus many are arguing that, for all intents and purposes, PIPEDA will be governing in many provinces as of 2004.

Who and what does PIPEDA apply to?

PIPEDA has applied to federal government employees and to employees who are governed by federal laws (because the nature of their business is considered an undertaking under the federal government’s responsibility) for several years now.

But on Jan. 1, 2004, its provisions will apply to inter-provincial private-sector commercial activities as well as intra-provincial commercial activities except where there is substantially similar provincial legislation in place.

The definition of “commercial activity” helps to define the scope of application. PIPEDA states that “commercial activity means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”

PIPEDA is limited to commercial activity. There has been some debate as to whether or not it will apply to the employment relationship in provinces that have not passed substantially similar legislation. The consensus is that until substantially similar legislation is passed in a province, PIPEDA will not apply to the handling of employees’ personal information in provincially-regulated workplaces (for example, people working in non-federal works or undertakings).

The reasoning for this is two-fold. First, it is arguable the definition of “commercial activity” is not broad enough to include the collection of personal employee information that is only incidental to whatever commercial activity an employer is engaged in, such as payroll information. Second, while the federal government has constitutional jurisdiction to pass laws that relate to trade and commerce and to matters of an inter-provincial nature, the provinces have authority over property and civil rights. Arguably this means the federal government lacks jurisdiction to regulate privacy issues between employers and employees in a provincial workplace.

But employers should recognize that privacy legislation is coming to all provinces — it’s a matter of when, not if. It is also clear that PIPEDA will be the model for the provincial legislation. Therefore there is a practical benefit for employers to implement compliance measures now in an effort to anticipate the types of changes every organization will eventually have to have in place.

PIPEDA principles

PIPEDA regulates and limits how personal information is collected, used and disclosed by an organization and the legislation provides employees with rights of access and enforcement of their privacy rights. The act defines personal information very broadly — it means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee. PIPEDA is guided by 10 principles which state how an organization should deal with compliance issues. In a general sense, they are:

Accountability: The organization has to appoint someone (a person or a group) to deal with compliance. The organization’s accountability rests in the hands of that person or group.

Identifying purposes: The organization has to identify the purpose for which it is collecting the information at the time it is collecting it. If the organization wants to use the information for a new purpose, fresh consent is required.

Consent: Generally the organization must obtain the knowledge and consent of the individual to collect, use or disclose personal information (subject to certain exceptions).

Limiting collection: The collection of personal information is to be limited to that which is necessary for the purposes identified by the organization. It is to be collected by fair and lawful means.

Limiting use and disclosure: Personal information is not to be used or disclosed for purposes other than those for which it was collected except with the consent of the individual or as required by law. Personal information is to be kept only as long as necessary for the fulfilment of those purposes.

Safeguards: Personal information is to be appropriately protected with an understanding that the more sensitive the information, the more protection it should be given. Employers should engage in employee training, emphasizing the role of the compliance officer in handling information requests and reaffirming the importance of confidentiality in the workplace. Implementing physical barriers including the locking up of certain information along with technological measures, including the encryption of information, should be considered.

Accuracy: Personal information is to be kept as accurate, complete, and up-to-date as necessary for the purposes for which it is to be used.

Openness: Organizations must make policies and practices relating to the management of personal information readily available to individuals.

Individual access: Upon request an individual must be informed of the existence, use, and disclosure of his personal information and be given access to it.

Challenging compliance: An individual is able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.

PIPEDA has no grandfathering provision. That means PIPEDA applies to information which was gathered before January 2004. There will have to be a retrospective attitude to looking at archived information — consent must now be obtained to use and disclose personal information which was collected before PIPEDA unless the information was obtained in a way which conformed with the requirements of the act.

Enforcement

If any person (including an employee) feels an organization has violated PIPEDA he can complain to the privacy commissioner. The commissioner will investigate these complaints and issue a report, usually with recommendations as to how to rectify the situation.

For HR professionals in a unionized environment it should be noted that unions do not have special privileges to assert their union members’ PIPEDA rights. Access to the information which the employer collects has to be made by the employee. In a case before the federal commissioner, a union was not permitted to pursue a PIPEDA claim on behalf of one of its members.

The commissioner has other powers he can draw on if needed. He may audit the personal information management practices of an organization, which includes the power to summon people to a hearing, and compel the production of certain documents. The commissioner can also make public any information relating to deficient information management practices of the organization if he thinks it is in the best interest of the public. Organizations guilty of an offence could face fines of up to $100,000 or be liable for personal damages.

This in-depth look at accommodating substance abuse was provided by Chris Foulon and Alex Van Kralingen. Foulon is an employment law lawyer with Goodman and Carr LLP in Toronto. He can be reached at (416) 597-4088 or [email protected]. Van Kralingen is a law student with the firm.

Complying with PIPEDA will be costly

Implementing administrative procedures for dealing with compliance will be costly for employers.

The collection, use or disclosure of personal information by an organization can only occur for “purposes that a reasonable person would consider appropriate in the circumstances.”

Therefore, when performing a compliance audit, an employer should first ask itself “why do I need this information?” If it is unnecessary information employers should consider simply not collecting it in the first place rather than going through a process of gaining consent and then potentially having to purge the information once the purpose for which it was collected has been fulfilled.

Organizations would be well advised to institute a policy of maintaining certain information for a reasonable period of time after it has been used for its purpose. The employer should also note that, for purposes of other statutes (tax, employment standards, workers’ compensation), it has obligations to maintain certain information for a certain number of years. PIPEDA does not override these other statutory requirements.

Purging information will be especially important in the context of criminal background checks. After the employer gains consent to conduct a criminal background check the employer will have to purge the information or justify why they need to keep it.

Monitoring of employees’ e-mail and Internet usage will also be more difficult to do because it will require explicit consent. Employers must also consider the purpose for such monitoring and ensure the information obtained is only used for that purpose.

Recorded images of employees are considered to be “personal information” for the purposes of the privacy commissioner. In one decision the privacy commissioner stated that videotaping an employee area without the employee’s consent, for an unnecessary purpose, was considered to be a violation.

Employers who use an external company to process their payroll or benefits will arguably have to ensure the information they are providing to these outside providers is necessary information. Employee consent should be obtained to provide this information to third parties. Employers should take steps to receive assurances from third-party benefit or payroll service providers that they are complying with the requirements of PIPEDA and not, for example, using the address information they have obtained to create and sell mailing lists or target customers for other services that they, or an associated company, may provide.

Employers should begin dealing with these issues now so as not to feel the crunch of attempting to comply at the last moment. Implementing a strategy that complies with the above-noted principles is a good start to ensure compliance.
