Privacy is one of the hottest buzzwords in HR. And because technology makes it so easy to transmit reams of information in an instant, ensuring an organization is in compliance with federal and provincial privacy legislation can be a challenge. Two recent decisions to privacy complaints show the dangers in being lax when it comes to using technology.
The Personal Information Protection and Electronic Documents Act (PIPEDA), which governs the management of personal information, first came into effect on Jan. 1, 2001, for federally regulated organizations. But the milestone date for the legislation was Jan. 1, 2004, when it was extended to cover the private sector. The exception is where a province has passed substantially similar legislation. Quebec passed its privacy law in 1994. B.C. and Alberta passed their own legislation that took effect Jan. 1, 2004, but Industry Canada is still reviewing the legislation to determine if it is substantially similar to PIPEDA.
While PIPEDA’s application to private-sector firms that aren’t federally regulated only covers customer information, HR departments are well-advised to ensure employee information is also protected. Provincial legislation may require it, PIPEDA could change, and the practice of protecting employee data is a good one.
The objective of the privacy legislation is to balance the individual’s right to have personal information kept private with the requirement that businesses collect, use and disclose personal information for legitimate business purposes. Under the act, organizations must obtain an individual’s consent when collecting, using or disclosing personal information and only use that information for the purpose for which consent was obtained.
If an organization chooses to use it for any other purpose, further consent must be obtained. The act also provides individuals with a right to access personal information and to challenge its accuracy while imposing a duty on the business to protect it through all sorts of safeguards.
According to the act, personal information includes any “factual or subjective information, recorded or not, about an identifiable individual.” The act’s definition of personal information also includes information in any form such as opinions, evaluations, comments, social status or disciplinary actions. It does not include the name, title, business address or telephone number of any employee or an organization. Personal information may be collected, used or disclosed either in traditional paper form or electronically.
Personal information may be obtained through e-mail, on a hard drive, through fax machines or through videotapes and audiotapes. Because e-mail is not private, hard drives and fax machines are often accessible to anyone, and videotapes and cassettes may be viewed or heard by anyone, personal information may be unknowingly reproduced or used for purposes other than those intended.
In addition, the instantaneous manner in which information is transmitted makes it much more difficult to control the dissemination of information. But it is imperative that an organization take every precaution to safeguard it and keep it confidential as two recent complaints to the privacy commissioner illustrate.
Employee questioned info collection
In a recent decision, an employee of a telecommunications company complained the company was unnecessarily collecting personal medical information to administer the long-term disability plan. He also complained the company failed to have sufficient safeguards in place to protect this sensitive information from access by other employees.
After the employee had been notified that short-term disability benefits would be ending, the company sent him a letter advising him to provide it with all the personal information necessary for applying for long-term disability benefits. The significance was that the company asked the employee to provide the information to the company, not the insurance company, despite the fact the insurance company’s submission guide specifies the employee may submit the information to either the employer or the insurance company.
The company maintained it required the information to ensure the application was complete for long-term disability. It also said the transmission of information was secure, given that the human resources fax machine was only used by HR personnel.
The assistant privacy commissioner found that because the company was collecting the employee medical information to administer the long-term disability plan, a reasonable person might find it objectionable that the company represented this collection as a requirement without any explanation. In addition, the assistant privacy commissioner found that transmission of personal information by fax, which was accessible to all employees, was also in violation of the act.
Equally, the commissioner took issue with the fact the company’s unqualified HR personnel had received and reviewed sensitive personal information about medical diagnoses, finding this information should only be shared with qualified medical practitioners. The company was found to be in violation of the act.
Training staff with customer’s personal info violates privacy
Another decision shows the responsibility organizations have to ensure employees protect customer data.
A man complained a bank failed to protect his personal information by disclosing it to a third party without his consent. The customer complained a tape-recorded conversation with him had been used without his consent for a purpose which had not been previously identified. During a telephone conversation, another customer was connected to a tape recording of the complainant’s transaction. The bank notified the complainant about this incident, and explained that one of his telephone calls had been used for training purposes.
But the complainant had previously only been told his call might be used for quality monitoring purposes. The bank argued the telephone call was improperly disclosed to a third party through employee error. The bank also explained it made a practice of randomly taping phone calls and that notification of this practice was sufficient to cover uses of the kind this employee had made of the recorded call.
The commissioner found the bank had improperly disclosed personal information to a third party without the complainant’s knowledge and consent. The bank also failed to consider the sensitivity of the information and the possibility of disclosure through employee error, and failed to put in place appropriate safeguards to avoid such disclosure.
The commissioner also concluded he would not expect the meaning of “quality monitoring” to extend to integrating a personal conversation into a training program by storing it in a special telephone accessible to all employees. The commissioner found this required specific identification and consent from the individual, which the bank did not obtain, and therefore the bank violated the act.
While there haven’t been many complaints, these two recent decisions make clear the commissioner is prepared to enforce the act where organizations have mishandled sensitive private information. Accordingly, it is incumbent upon all organizations to review current practices for collecting and handling personal information to ensure it complies with PIPEDA. To do so, it is suggested that organizations do the following:
• designate one individual with the responsibility of being in charge of privacy;
• educate the organization as to PIPEDA’s requirements and its 10 principles;
• clearly identify the purpose for which the personal information is intended and obtain the necessary consents from individuals;
• ensure that the process is open so that individuals may access their information; and
• take all appropriate steps to ensure confidential information, either in paper or electronic form, is kept inaccessible to other employees.
Natalie MacDonald is an associate with Grosman, Grosman & Gale, a Toronto-based law firm specializing in employment law. She can be reached at (416) 364-9599 or [email protected].
The 10 principles of the federal privacy law
• Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance.
• Identifying purpose: The purposes for which personal information is collected shall be identified at or before the time the information is collected.
• Consent: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
• Limiting collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
• Limiting use, disclosure and retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
• Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary.
• Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
• Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
• Individual access: Upon request, an individual shall be informed of the existence, use and disclosure of his personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
• Challenging compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.