Canada’s New Privacy Law
By: Ian Turnbull
Canada’s new privacy law, ‘The Personal Information Protection and Electronic Documents Act (PIPEDA),’ has come into force in stages:
- On January 1, 2001, it came into force with respect to federal commercial activities, federal employment relationships, and the Territories.
- On January 1, 2002, it began to apply to a person’s health information.
- Finally, on January 1, 2004, it will come into effect fully, applying to all commercial activities in the provinces where no substantially similar legislation had been passed (only Quebec has substantially similar legislation).
How does provincial legislation fit in?
Unless a province has “substantially similar” legislation, PIPEDA applies. This means, in essence, that PIPEDA’s standards represent the minimum Canadian standard. Any organization or person who wonders what a specific province’s legislation may require can assure itself that meeting PIPEDA’s standards will go a long way to satisfying similar legislation. The recently approved British Columbia legislation has not yet been found to be substantially similar, so on January 1, 2004, both the BC law and PIPEDA shall apply. In addition, most provinces have other legislation that touches on the privacy of certain information. It will take a long time before this maze of legislation is clear to all.
What does PIPEDA apply to?
The legislation controls the collection, storage, and use of most personal information – that is, any personal information that you collect about current, past, or potential customers, clients, patients, and suppliers.
What is personal information?
PIPEDA defines personal information very broadly as: “information about an identifiable individual.” It includes everything except name and business contact information (address, phone, email, etc.). It can include age, name, ID numbers, income, ethnic origin, blood type, opinions, evaluations, comments, social status, disciplinary actions, employee files, credit records, loan records, medical records, and disputes between consumers and merchants.
Does it apply to employees?
Yes, and no. PIPEDA does not apply to the personal information that your organization collects, retains, or uses if the personal information is handled within the four walls of your organization within one province. That is, if you, an employer in any province other than Quebec, are not engaging in a commercial activity with respect to your employees, PIPEDA does not apply.
But, it does apply to persons who are not employees, but who sell services to your organization (including consultants and contractors) because they are engaging in a commercial activity. We fully expect that the provinces will enact “substantially similar legislation” in the near future and that the legislation will include employees’ personal information.
As well, human resources and payroll often send employee personal information to third parties – benefits carriers, payroll processors, etc. There are two important concepts here:
- Transfer: Under PIPEDA, ‘transfer’ occurs when you send employee personal information to a third party for processing and that third party does not retain the information after processing is complete. Transfers are not covered under PIPEDA. The Office of the Canadian Privacy Commissioner has held that an organization is responsible for personal information that has been transferred to a third party.
- Disclosure: ‘Disclosure’ occurs when employees’ personal information is sent to third parties to process that personal information and they retain it.
In my experience, almost all movement of employee personal information from an employer to a third party qualifies as a disclosure, not a transfer, because the third party retains that information. Therefore, most of these transactions probably qualify as commercial activity and are subject to PIPEDA. For example, your organization sends personal information to a benefits firm so that those employees are registered to become covered and can send in claims. The carrier keeps this personal information for a long time and normally does not dispose of it even when the employer changes carriers, because the history may still be required.
What about claims management?
Some benefits carriers are suggesting that PIPEDA means that employers should – or may – no longer have access to individual employee claims and that they should be managed as we do Employee Assistance Programs (EAP). It has been suggested that employers should move to create this relationship because otherwise the employer may be accused of using an individual employee’s claims for inappropriate purposes.
Most employers do not examine an individual employee’s claims, so this proposal may have practical merit. But, there is nothing in the legislation or findings of the Privacy Commissioner to support this view. A benefit carrier has no more legal right to an individual employee’s claims than does an employer.
What is the risk?
The Privacy Commissioner of Canada has no authority to fine or impose penalties. His findings have no legal standing except that he and/or the complainant can take the case to federal court where the commissioner’s findings will be heard. However, there are some teeth in PIPEDA:
“Every person who knowingly contravenes subsection 8(8) or 27.1(1) or who obstructs the Commissioner or the Commissioner’s delegate in the investigation of a complaint or in conducting an audit is guilty of
- an offence punishable on summary conviction and liable to a fine not exceeding $10,000, or
- an indictable offence and liable to a fine not exceeding $100,000.”
Note our emphasis on every person. The legislation is too young for there to be any history here, but we expect that the list of persons liable to be fined and/or jailed could be extensive if a significant breach and/or bad faith were determined.
Finally, what organization, and especially what public company, wants the extremely negative publicity of an adverse finding by the commissioner, whether that finding relates to employees or customers or patients? The Federal Privacy Commissioner’s findings are public and one of the mandates of that office is to educate. To date, the office has been quite forceful in ensuring that the media is advised of the commissioner’s findings. The office also has a large website detailing specific cases and findings and the commissioner makes annual (more or less) reports to Parliament.
A published organizational privacy plan should have a positive impact on employees, clients, and others. The very fact that this legislation was felt to be required is, in and of itself, an indication of how strongly society at large feels about the abuse of personal information.
What should we do?
Key concepts to remember
- No Grandfathering – For those organizations to which PIPEDA applies, it should be kept in mind that PIPEDA applies retroactively. That is, although PIPEDA only comes into force for most Canadians on January 1, 2004, the privacy commissioner’s office has stated that organizations need to get informed consent for all personal information that was retained as of that date in any system about contractors, consultants, clients, suppliers, patients, and, where applicable, employees.
- Knowledgeable Consent – Whenever your organization collects personal information you should ensure that you obtain ‘knowledgeable consent.’ That means that persons providing the information need to know what information is being collected and why.
- Storage – Whether hard copy or electronic, personal information should be stored in a secure manner.
- Retention – You should establish specific retention periods for each data element collected.
I want to emphasize that it is not only PIPEDA, and substantially similar provincial legislation, that deals with privacy as it relates to human resource management. In the federal legislative framework, and in those of each province and Territory, as well as in various international treaties, there are other laws, rules, and regulations dealing with a wide range of subject matter. These include, but are certainly not limited to:
- freedom of information
- employment standards
- worker’s compensation
- occupational health and safety
The federal government and each provincial and territorial government have legislation protecting the information gathered by organizations in the public sector, including the information gathered from government employees. These acts, along with PIPEDA, also protect an individual’s health information, and there are several other laws in Canada that specifically safeguard health information.
Elements of a Privacy Plan
Start by appointing a Chief Privacy Officer (CPO).
Then, conduct a thorough assessment of how your organization collects, stores, retains, uses, transfers, and discloses personal information for anyone including customers/clients/patients, suppliers, and employees. This should include functional, marketing, sales, HR, payroll, finance, purchasing, and technical staff.
Determine what tools you have to manage hard-copy and electronic personal information, and see if these tools are sufficient. If not, you will need to invest in better tools or create policies and procedures that make up for the tool deficiencies.
Then develop specific and detailed policies and procedures about how your organization should operate given its privacy compliance obligations. Policies should cover data collection/retention, including what is required, and why; knowledgeable consent (including ‘opt out’ or withdrawal); personal right of access (including specific time periods to respond); staff access rules or who has a need to know; personal information storage tools and procedures, both hard and soft; and transmittal tools and procedures.
Now you can write a privacy code for your organization that complies with the law.
Make sure all third parties sign agreements to abide by your code, or provide one of their own that is at least as good as yours.
Next, train all ‘staff’ (employees and third parties who manage employee personal information) to ensure awareness.
Finally, put procedures in place to close the loop and monitor adherence.
As is the case with any new legislation, findings (by the Privacy Commissioner) and later federal court rulings will play a huge role in more fully defining the parameters of managing privacy in Canada. The provinces will also play a role as they put forward legislation (that may, or may not, be found substantially similar) and provincial privacy commissioners make their findings.
The only certainty about this entire legislative area is that 10 years from now we will almost certainly look back on these years as the privacy decade.
Ian Turnbull is a director of the Canadian Privacy Institute and an author of a book to be published by CCH on the practical issues of privacy legislation in Canada for payroll and human resources practitioners.