When you heard about the privacy provisions of Ottawa’s Personal Information Protection and Electronic Documents Act (PIPEDA), you probably either heaved a sigh of relief because it didn’t apply to your organization, or you, perhaps grudgingly, implemented procedures to comply with the new law. If you fall into the latter category, you may still be feeling resentful, given the expanded scope of PIPEDA that came into effect on Jan. 1, 2002.
PIPEDA deals with the collection, use, disclosure and custody of personal information. “Personal information” was expanded as of Jan. 1 to include “personal health information,” so that the definition of what is protected is now virtually all-encompassing (see the “Privacy primer” below).
But perhaps it’s time for a change in attitude. Despite the challenges in complying with the law, it actually makes good business sense to implement protection of employees’ confidential information as soon as possible.
Regardless of PIPEDA, privacy protection is essential for organizations doing business with European Union companies due to legislation banning the transfer of data where privacy is not adequately protected. Moreover, privacy protection can give your business a competitive edge. As people become increasingly concerned about privacy in the ever-growing cyberworld, customers, employees — and potential employees — want to know their personal data is secure.
Furthermore, ignoring privacy legislation because it doesn’t apply to your organization is merely delaying the inevitable. PIPEDA currently doesn’t apply to provincially regulated companies unless employee personal information is provided for commercial purposes across borders. However, as of Jan. 1, 2004, PIPEDA will apply to all provincially regulated organizations, unless the province or territory where the organization is located has passed its own “substantially similar” privacy law. So far, Quebec is the only province to have done so, though Ontario is expected to introduce a privacy bill later this year.
So for regulatory and business reasons, it’s time to become acquainted with the provisions of PIPEDA, including its latest requirements.
The most daunting task for HR professionals is to conduct an audit to identify whether an organization’s practices comply with the legislation and, if not, what processes or policies have to be implemented to ensure compliance.
The audit will ascertain exactly what information is collected, how it is used, to whom it is disclosed, how and where it is secured, and how long it is kept.
For example, one company collected and stored on its HRIS system the birth country of its employees. The original reason for collecting this information was because, in the event of an international transfer, an employee’s country of birth might have an effect on whether the person could work in certain locales, and it was administratively easier to collect this information for all employees rather than select employees.
Human rights considerations aside, the collection of this information for clerical employees is unnecessary, given that they aren’t likely to be transferred unless they applied for such a transfer, at which time that information could be collected.
Compliance includes obtaining informed consent before information is collected, used or disclosed.
An organization may collect, use or disclose personal information, including health information, only if the individual gives consent and only for the identified purposes that are reasonable, given the scope of the consent.
For example, the company should explain to employees that it collects marital status information for pension purposes and life insurance, and that certain health information must be disclosed to third-party providers who maintain the company’s benefit programs. Employees will likely not object to giving their consent to the collection, use and disclosure of such information.
The type of consent required depends on the nature of the information. Information that may be considered sensitive to an individual requires express consent, that is, a signed consent form stating that the employee explicitly agrees to the collection, use or disclosure of the specified information for the stated purpose. Less sensitive information (like an employee number) may require only implied consent, or even merely negative consent, such as stating, “Unless we hear otherwise from you, you will be deemed to have consented to the collection, use and disclosure of this information for the stated purpose.”
There are some situations where consent is not required. PIPEDA stipulates that consent is not needed if:
• the information is also publicly available,
• disclosure is required in an emergency where the individual’s life or health is threatened, or
• the information is used, collected or disclosed only for journalistic, artistic or literary purposes.
Some organizations have designed policies or documents with “omnibus” consents. They have employees or customers sign a consent that states in general terms what personal information is and gives examples of when this information might be used. While Privacy Commissioner of Canada George Radwanski has stated his view that general omnibus clauses do not meet PIPEDA requirements, it is likely that the question will ultimately turn on the facts of each case, including why and how the information was collected, used or disclosed.
It’s important for HR professionals to note further consent issues:
• Information, and therefore consent, may be necessary at any stage before, during and after the employment relationship. In other words, an individual’s consent to use or disclose information collected during the hiring process or after termination may be required.
• Individuals must consent to further use or disclosure of information collected prior to the effective date of PIPEDA.
• An individual has the right to withdraw consent if the organization is given reasonable notice, subject to legal and contractual restrictions.
Information must be protected by appropriate security safeguards depending on the sensitivity of the information. Protection includes security safeguards for information retained and used on computer systems, as well as appropriate practices for the physical handling and storage of information.
One company (a credit institution) found that various branches had been keeping employee credit information in personnel files, so that anyone looking through a file would see the employee’s loan situation. Although there was a policy that required this information to be kept in a separate file, that policy was not well communicated, and so was not consistently followed. It is important to ensure that an organization’s policies not only comply with the relevant privacy legislation and requirements, but that they are properly communicated to employees.
Individuals have the right to obtain access to their personal information, as well as details of its existence, use and disclosure. They also have the right to challenge the accuracy and completeness of the information.
There may be employers who currently retain two sets of personnel files, one that can be accessed by the employee and another that may be viewed only by management. This practice would not be compliant: all files containing personal information should be accessible by employees unless they fall within a stated exemption.
There are exemptions to this right of access, however. If records reveal health or other personal information about another person, the organization may not grant access unless the information on the other person can be severed from the rest of the data.
PIPEDA’s access requirements can produce problems for organizations. It can be prohibitively expensive and extremely challenging for organizations to be able to say with any certainty or precision what information they have collected over the years, where it is stored, what it has been used for and to whom it has been disclosed.
Large organizations with information stored in a number of databases may also find it difficult to comply with an individual’s request to view all information on file about him and to correct it, where necessary.
An organization’s privacy compliance officer or team is required to make information available regarding policies and practices relating to the management of personal information. As mentioned, an organization must also ensure that its employees know the policies and practices well enough to ensure compliance by those employees with respect to the personal information of co-workers and customers.
While achieving compliance presents some challenges for HR professionals, protecting personal data as soon as possible can give an organization a competitive edge in the marketplace from the perspective of customers and as an employer-of-choice. Moreover, since protection of personal information is inevitable, it may well be advisable to begin making the necessary changes now. Note that the commissioner has the power to publish the findings of any investigation. This may prove to be a publicity nightmare for an organization found to have substandard privacy practices.
Privacy primer
What and whom do the privacy provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) cover? Here are the basics.
To whom does the act apply?
As of Jan. 1, 2001, the act applies to federally regulated private-sector organizations (banks, airlines, cross-border trucking companies, etc.) and to any organization that discloses protected information for commercial purposes outside a province or country.
As of Jan. 1, 2004, the act will apply to all organizations that conduct commercial activities, regardless of whether they are federally or provincially regulated, if the province has not enacted its own privacy legislation.
What kind of information is protected?
Personal information was protected as of Jan. 1, 2001. “Personal information” is any information that identifies a specific individual, other than name, business title, business address and business phone number. It includes such things as age, weight, height, medical records, blood type, DNA code, fingerprints, income, purchases, spending habits, race, ethnic origin and colour, marital status, religion, education, home address and phone number and social insurance number.
Note: this definition is broad enough to cover such things as performance evaluations, written comments and notations of disciplinary action.
Personal health information was also protected as of Jan. 1, 2002. It covers any information about an individual’s mental or physical health, including any details about tests, examinations and health services provided.
What does the act require?
1. Organizations are responsible for personal information and must designate a person or group to ensure compliance with the act.
2. Organizations may only collect, use or disclose personal information if the individual consents and if it is collected for a reasonable purpose given the context and scope of the consent. (The individual must know what information will be collected, how it will be used and to whom it will be disclosed.)
3. Organizations must establish practices to ensure that personal information is protected by appropriate security measures, allow individuals access to and correction of their personal information, and ensure that the information is up-to-date and retained only as long as necessary for its intended purpose.
What do HR professionals have to do?
1. Assign an HR associate to the group that is responsible for compliance with the act.
2. Audit current HR practices.
3. Implement a system to trace consents given or withdrawn, to whom and when information has been disclosed. Consider inclusion of appropriate consent language in the employment contract.
4. Implement procedures to ensure that an employee’s personal information is accurate, complete and up to date.
5. Ensure the information is protected by appropriate security practices. For example, only those managers who are directly responsible for an employee should have access to information about an individual’s performance evaluation.
6. Impose procedures to ensure the information is kept only as long as needed (in the context of tax, employment and other applicable legislation) and that it is then destroyed, erased or made anonymous.
7. Enable employees to access information contained in their personnel files and to challenge and amend or note objection to that information.
What are the penalties for non-compliance?
Complaints may be registered with the federal Privacy Commissioner, who investigates and recommends a course of action. That decision may be used as the basis for bringing an action in the Federal Court of Canada.
The commissioner also has the power to make his findings from an investigation public. Any organization that discloses information before an individual has exhausted all recourses under the act, punishes an employee who complains or refuses to consent, or obstructs the investigation of a complaint or conduct of an audit is guilty of an offence and is subject to a maximum fine of $100,000.
For further information on PIPEDA, see the federal Privacy Commission’s Guide for Businesses and Organizations to Canada’s Personal Information Protection and Electronic Documents Act at www.privcom.gc.ca/information/guide_e.asp. You may also want to check out the Ontario Privacy Commission’s diagnostic tool at www.ipc.on.ca/english/resources.htm to determine whether your organization is privacy-law compliant and, if not, what you need to do.
Shawn Cohen and Adrienne Campbell are both legal consultants in the Toronto office of Hewitt Associates, a global outsourcing and consulting firm. They may be contacted at (416) 225-5001 or by e-mail at email@example.com and firstname.lastname@example.org.