May 19, 2003

Protecting Employee Data

If you’re not protecting employee data, it’s time to get started

What are an employer’s obligations under PIPEDA?

Thanks to advances in technology, information can now be transmitted around the world easily and almost instantaneously. While we all benefit from the convenience of modern modes of communication, people are increasingly concerned about privacy and the protection of their personal information. The federal government has responded with the Personal Information Protection and Electronic Documents Act, or PIPEDA.

The purpose of the act is to govern the collection, use and disclosure of personal information. And this includes employers’ collection and dissemination of personal information about employees.

Protecting your firm

  • Designate a specific person in your organization who will be responsible for compliance with PIPEDA. In addition to being a wise business practice, this is an explicit requirement of the act.
  • Obtain written consent from employees when you collect personal information. Make sure the consent outlines the purpose for the collection of information, and is clear and specific.
  • Put in place the necessary physical, technological and organizational protections to prevent unauthorized access to personal information.
  • Only collect information that is necessary to the employment relationship and limit the use and dissemination of that information appropriately.
  • Ensure that contracts with third parties with access to personal information contain appropriate limits and protections.
  • Put in place an internal procedure to deal with complaints about personal information policies, but also make employees aware of the complaints procedure of the Privacy Commissioner.
  • Stay informed about developments in this area of the law as changes are rapidly occurring.

Since Jan. 1, 2001, the act has applied to all federally regulated private-sector organizations (banks, telecommunications firms, airlines, cross-border trucking companies) and to any organization that discloses protected information for commercial purposes outside a province or country. But provincially regulated businesses should adopt precautionary measures around the personal information of employees. That’s because, if a province has not enacted its own privacy legislation as of Jan. 1, 2004, the act will apply to all organizations that conduct commercial activities, regardless of whether they are federally or provincially regulated.

Personal information is any information that identifies a specific individual, other than name, business title, business address and business phone number. It includes such things as age, weight, height, medical records, blood type, DNA code, fingerprints, income, purchases, spending habits, race, ethnic origin and colour, marital status, religion, education, home address and phone number and social insurance number.

This definition is broad enough to cover such things as performance evaluations, written comments and notations of disciplinary action.

Under PIPEDA, personal health information was also protected as of Jan. 1, 2002. It covers any information about an individual’s mental or physical health, including any details about tests, examinations and health services provided.

What exactly are an employer’s obligations under PIPEDA? An employer must obtain an employee’s consent when it collects, uses or disseminates personal information about an employee.

Consent must be fairly specific with respect to who will have access to the information and how the information will be used. While it may be tempting to draft a broad consent covering almost any purpose or use, such consent will not be meaningful and may result in a complaint to the Privacy Commissioner of Canada. Personal information is not to be collected indiscriminately.

Given the requirements of the act, it is important that employers safeguard information collected against unauthorized access, use or disclosure. Various controls should be in place, from locks on cabinets to passwords on computers to agreements with those who access the information. Businesses must exercise particular caution when disclosing information to third parties such as payroll administrators or insurance companies. Agreements with third parties should be consistent with the consent given by employees.

What the courts are saying…

Most of the cases to date on PIPEDA have been handled by the Privacy Commissioner of Canada. Summaries of these cases are available on the Commissioner’s Web site at www.privcom.gc.ca.

Some things have to be handed over, other don’t

The complainant had asked his former employer, a telecommunications firm, for a copy of all of the information in his employment file. He alleged his former employer withheld certain portions of the file, contrary to the requirements of PIPEDA. The company did not dispute that it had withheld parts of the file, but said that it was relying on certain exempting provisions of the act.

The parts of the file that were withheld concerned grievances and a human rights investigation. The Commissioner noted that under PIPEDA an organization is not required to give access to personal information if the information was generated in the course of a formal dispute resolution process. It was determined that the grievance documents fell within this exception, but documents generated through the human rights investigation did not. The latter documents were generated for the purpose of responding to allegations, not for the purpose of settling a dispute. The company was therefore found to be in breach of the act.

(PIPED Act Case Summary #88.)

Employer accused of forcing consent to security screening

Employees of a company’s nuclear products division alleged they were pressured to consent to a security clearance check. The Canadian Nuclear Safety Commission (CNSC), which governs the division, had ordered that its licensees not permit any person to enter a licensed facility without a facility-access security clearance. This would require either a criminal record check or a full background check. The employees argued that their consent to the collection of information was not voluntary because they could lose employment if they did not consent or demoted if they failed the security check.

The Commissioner held that, for the purposes of PIPEDA, the consent was voluntary. The possibility of negative consequences did not change the fact that the employees had a choice in the matter. Furthermore, the collection of the information was reasonable given that the company would have lost its licence had it not complied with CNSC’s order.

(PIPED Act Case Summary #65.)

There are consequences for an employer that does not comply with PIPEDA. If a complaint is brought against the business, the Privacy Commissioner has broad powers that can be exercised through an investigation. These include the power to summon witnesses and compel the production of evidence. However, the commissioner may choose to settle matters through mediation or conciliation. At the end of an investigation the commissioner will issue a report and determine that the complaint was (1) well-founded (2) not well-founded, or (3) resolved. The Federal Court may also consider applications arising from complaints, or any matter referred to in a report by the commissioner.

There are many further requirements and exceptions to the requirements listed above. Any business that is considering developing a policy on protecting the personal information of employees should consult an expert in the area of privacy law. If your business does not have such a policy you should look into developing one. Further legal developments are probable, since legislators are as concerned as employees about the protection of personal information.

For more on PIPEDA go to www.hrreporter.com, click on search and enter PIPEDA in the keyword field.

This just in from B.C.

British Columbia introduced its own privacy legislation late last month.

The Personal Information Protection Act defines the kind of personal information that businesses, non-profit organizations and charities can collect from employees, clients, customers and volunteers.

Without its own legislation, B.C. would have been subject to the Personal Information Protection and Electronic Documents Act as of Jan. 01, 2004.

The provincial government consulted with more than 170 organizations in making the decision to introduce the legislation. “These organizations opted overwhelmingly for a made-in-B.C. solution rather than the more complicated federal act,” stated a press release put out by the province.

David Loukidelis, the province’s Information and Privacy Commissioner, said “(The legislation) provides British Columbians with broader coverage than the federal act and is less complex.”

Peter Israel is the senior partner in the Toronto law firm of Israel Foulon LLP – Employment and Labour Lawyers. He can be reached at 416-640-1550 or pi@israelfoulon.com. The author would like to thank Rachel Hepburn Craig for her assistance with this article. A version of this article originally appeared in the Carswell publication, Canadian HR Reporter.

LEGAL DISCLAIMER: This article is for informational purposes only and is not intended to provide legal advice, which in all circumstances must be tailored to the specific facts of any problem. You should obtain a proper legal consultation in order to determine how this article applies to your specific situation.
Please feel free to contact Israel Foulon LLP to learn more at 416-640-1550.

Notable Events

Latest Legal Articles