The Canadian Source Of Employee Pension Fund Investment And Benefits Plan Management


Canada’s New Privacy Law

By: Ian Turnbull

Canada’s new privacy law, ‘The Personal Information Protection and Electronic Documents Act (PIPEDA),’ has come into force in stages:

How does provincial legislation fit in?

Unless a province has “substantially similar” legislation, PIPEDA applies. This means, in essence, that PIPEDA’s standards represent the minimum Canadian standard. Any organization or person who wonders what a specific province’s legislation may require can assure itself that meeting PIPEDA’s standards will go a long way to satisfying similar legislation. The recently approved British Columbia legislation has not yet been found to be substantially similar, so on January 1, 2004, both the BC law and PIPEDA shall apply. In addition, most provinces have other legislation that touches on the privacy of certain information. This maze of legislation will take a long time before it is clear to all.

What does PIPEDA apply to?

The legislation controls the collection, storage, and use of most personal information – that is, any personal information that you collect about current, past, or potential customers, clients, patients, and suppliers.

What is personal information?

PIPEDA defines personal information very broadly as: “information about an identifiable individual.” It includes everything except name and business contact information (address, phone, email, etc). It can include age, name, ID numbers, income, ethnic origin, blood type, opinions, evaluations, comments, social status, disciplinary actions, employee files, credit records, loan records, medical records, and disputes between consumers and merchants.

Does it apply to employees?

Yes, and no. PIPEDA does not apply to the personal information that your organization collects, retains, or uses if the personal information is handled within the four walls of your organization within one province. That is, if you, an employer in any province other than Quebec, are not engaging in a commercial activity with respect to your employees, PIPEDA does not apply.

It does, however, apply to persons who are not employees but who sell services to your organization (including consultants and contractors), because they are engaging in a commercial activity. We fully expect that the provinces will enact “substantially similar legislation” in the near future and that the legislation will include employees’ personal information.

As well, human resources and payroll often send employee personal information to third parties – benefits carriers, payroll processors, etc. There are two important concepts here:

In my experience, almost all movement of employee personal information from an employer to a third party qualifies as a disclosure, not a transfer because the third party retains that information. Therefore, most of these transactions probably qualify as commercial activity and are subject to PIPEDA. For example, your organization sends personal information to a benefits firm so that those employees are registered to become covered and to send in claims. The carrier keeps this personal information for a long time and normally does not dispose of it even when the employer changes carriers because the history may still be required.

What about claims management?

Some benefits carriers are suggesting that PIPEDA means that employers should – or may – no longer have access to individual employee claims and that they should be managed as we do Employee Assistance Programs (EAP). It has been suggested that employers should move to create this relationship because otherwise the employer may be accused of using an individual employee’s claims for inappropriate purposes.

Most employers do not examine an individual employee’s claims, so this proposal may have practical merit. But, there is nothing in the legislation or findings of the Privacy Commissioner to support this view. A benefit carrier has no more legal right to an individual employee’s claims than does an employer.

What is the risk?

The Privacy Commissioner of Canada has no authority to fine or impose penalties. His findings have no legal standing except that he and/or the complainant can take the case to federal court where the commissioner’s findings will be heard. However, there are some teeth in PIPEDA:

“Every person who knowingly contravenes subsection 8(8) or 27.1(1) or who obstructs the Commissioner or the Commissioner’s delegate in the investigation of a complaint or in conducting an audit is guilty of

Note our emphasis on every person. The legislation is too young for there to be any history here, but we expect that the list of persons liable to be fined and/or jailed could be extensive if a significant breach and/or bad faith were determined.

Finally, what organization, and especially what public company, wants the extremely negative publicity of an adverse finding by the commissioner, whether that finding relates to employees or customers or patients? The Federal Privacy Commissioner’s findings are public and one of the mandates of that office is to educate. To date, the office has been quite forceful in ensuring that the media is advised of the commissioner’s findings. The office also has a large website detailing specific cases and findings and the commissioner makes annual (more or less) reports to Parliament.

A published organizational privacy plan should have a positive impact on employees, clients, and others. The very fact that this legislation was felt to be required is, in and of itself, an indication of how strongly society at large feels about the abuse of personal information.

What should we do?

Regardless of size, every organization in Canada should be aware of its rights and responsibilities with respect to PIPEDA. In order to do that, every organization should have a plan to create and manage a privacy policy, plan, and procedures.

If your organization collects, retains, uses, or discloses any information in the course of business about your customers, clients, patients, or suppliers, your organization needs a privacy policy, plan, and procedures. Since it is highly likely that employee personal information will be covered by one or another piece of provincial legislation in the near future, you should also be including the management of employee personal information within this framework.

Key concepts to remember

Provincial Legislation

I want to emphasize that it is not only PIPEDA, and substantially similar provincial legislation, that deals with privacy as it relates to human resource management. In the federal legislative framework, and in those of each province and Territory, as well as in various international treaties, there are other laws, rules, and regulations dealing with a wide range of subject matter. These include, but are certainly not limited to:

The federal government and each provincial and territorial government have legislation protecting the information gathered by organizations in the public sector, including the information gathered from government employees. These acts, along with PIPEDA, also protect an individual’s health information, and there are several other laws in Canada that specifically safeguard health information.

Elements of a Privacy Plan

Start by appointing a Chief Privacy Officer (CPO).

Then, conduct a thorough assessment of how your organization collects, stores, retains, uses, transfers, and discloses personal information for anyone including customers/clients/patients, suppliers, and employees. This should include functional, marketing, sales, HR, payroll, finance, purchasing, and technical staff.

Determine what tools you have to manage personal information in both hard-copy and electronic form. See if these tools are sufficient. If not, you will need to invest in better tools or create policies and procedures that make up for the tool deficiencies.

Then develop specific and detailed policies and procedures about how your organization should operate given its privacy compliance obligations. Policies should cover data collection/retention, including what is required, and why; knowledgeable consent (including ‘opt out’ or withdrawal); personal right of access (including specific time periods to respond); staff access rules or who has a need to know; personal information storage tools and procedures, both hard and soft; and transmittal tools and procedures.

Now you can write a privacy code for your organization that complies with the law.

Make sure all third parties sign agreements to abide by your code, or provide one of their own that is at least as good as yours.

Next, train all ‘staff’ (employees and third parties who manage employee personal information) to ensure awareness.

Finally, put procedures in place to close the loop and monitor adherence.

As is the case with any new legislation, findings (by the Privacy Commissioner) and later federal court rulings will play a huge role in more fully defining the parameters of managing privacy in Canada. The provinces will also play a role as they put forward legislation (that may, or may not, be found substantially similar) and provincial privacy commissioners make their findings.

The only certainty about this entire legislative area is that 10 years from now we will almost certainly look back on these years as the privacy decade.

Ian Turnbull is a director of the Canadian Privacy Institute and an author of a book to be published by CCH on the practical issues of privacy legislation in Canada for payroll and human resources practitioners.
