10 months to get ready

HR needs to prepare for new rules that expand privacy protection rights — for employees and customers

Canadian private-sector organizations that aren’t getting ready for new privacy protection legislation could be in for unpleasant surprises, say workplace legal experts.

It’s going to take a lot of work for organizations to be compliant with the Personal Information Protection and Electronic Document Act (PIPEDA) which will be in effect in most workplaces Jan. 1, 2004, says Jeffrey Kaufman, a lawyer specializing in privacy issues with Fasken Martineau.

Any organization where employees don’t understand the new rules about protecting customer privacy could find itself in hot water.

“It is getting late and it is not easy to do,” Kaufman said. “It’s going to take a full audit of practices and policies. It takes at least four to six months to do a compliance program. Many large organizations tell me it has taken them a year.”

PIPEDA sets out ground rules for how organizations collect, use and disclose personal information in the course of commercial activities. The act already covers the federally regulated sector but as of Jan. 1, 2004, the law will cover provincially regulated organizations unless the provinces can enact “substantially similar” legislation. So far only Quebec has met that requirement.

“It is most important to start (getting ready) with the employees (because) an organization will only be privacy compliant if employees understand the obligations,” Kaufman said. A lot of organizations may have privacy codes down on paper but the programs and practices don’t match up. “This is a huge issue for employers because if any single employee is offside a complaint can lead to a huge corrective action.”

Federal Privacy Commissioner George Radwanski has the right to conduct audits of organizations and the power to summon any person to appear before him, enter the premises of an organization and examine records. He can also make recommendations and publicize those recommendations and reports on organizations in violation of the act. He can not issue orders or impose penalties but in some cases, can refer cases to the Federal Court where damages can be awarded to a complainant, including damages for humiliation.

It is also a criminal offence to obstruct the commissioner, to “knowingly dispose” of personal information that could be requested and to retaliate again employees.

Radwanski has said he wants to solve problems through voluntary compliance and not through “heavy-handed enforcement.” However, in the few months since the law has applied to the federally regulated sector he has shown that organizations that aren’t compliant will be forced to undergo corrective actions. “In many cases, that can be very costly,” said Kaufman.

“I think it would be foolhardy for any organization to say the commissioner isn’t going to find me so I don’t have to do it,” said Kaufman.

Beyond the practical implications of educating and training employees about the new rules about customer privacy protection, there are also signs of a push to expand the protection of employee privacy rights in the workplace.

Radwanski has been very vocal and active on the matter. “The idea that employees have rights to privacy in the workplace is, unfortunately, still foreign to some people,” he said in a speech last October. “My view is that employees have a fundamental, inherent right to privacy in the workplace.” Radwanski has said, for example, there should be no wholesale monitoring of e-mails or computer use.

Aside from protecting customer information, PIPEDA also established new rules for the use of employee information, an important detail many organizations have overlooked, said Radwanksi in his annual update to Parliament last month.

“As a result, some organizations have been taken off guard by certain well-founded complaints against them under the PIPED Act — complaints filed by their own employees, past or present. In good part, the violations at issue in such complaints originate in an organization’s neglect to take its staff into account in developing privacy policies and procedures.”

While the provinces are required to mirror PIPEDA’s consumer privacy protection requirements, the same is not true for employee information.

“Some people might take that to mean that employers in provincially regulated industries can ignore the Act,” said Radwanski in another speech last year. “But that would be very short-sighted, because the chances are very good that provinces will pass similar laws to their provincially-regulated workplaces.”

Radwanski has acknowledged employers must be able to collect information on employees about performance, attendance the potential for advancement and so on. “If you want a job, you have to accept that it will entail giving up some information about your education and work experience. If you want to keep the job, you have to accept that some information about your performance and attendance is going to be collected, used, and disclosed.”

But recent cases where the commissioner has ruled or acted as intervener, both under PIPEDA and its predecessor the Privacy Act (which covers government departments) suggest there is little that an employer can keep from an employee. It’s a trend that may leave HR departments questioning whether or not their exit interview, 360-degree feedback and performance review policies will clear the bar being raised by commissioner Radwanski.

Some workplaces will find it difficult to perform employee evaluations and conduct performance reviews while still protecting privacy as envisioned by the commissioner, said Veera Rastogi, a lawyer with Blake, Cassels & Graydon LLP.

In one case last year an employee of Human Resources Development Canada (subject to the Privacy Act) demanded to see all of the information on her gathered during a workplace assessment.

She wanted access to any mention of her by other staff in the notes of the contractor hired to do the assessment. However, the contractor had promised confidentiality to those she interviewed and destroyed all information other than her report.

Radwanski concluded the employee’s privacy rights had been violated and she was entitled to the information she sought. Employees cannot be promised confidentiality when making statements during an administrative investigation because their statements constitute the other person’s personal information and she is entitled to that information.

In another Privacy Act case, Philip Pirie, an employee of Citizenship and Immigration Canada, demanded access to the identities of employees who expressed opinions about him during an administrative review.

He was denied access by the Federal Court Trial Division, but the case was appealed. The privacy commissioner intervened and took the position that the identities of people who commented about Pirie during the review process are the personal information of Pirie under the Privacy Act. Last June, the Federal Court of Appeal agreed with this position and Pirie was given access to the identities of the employees.

René Mercier, a spokesperson for Citizenship and Immigration explained the effect of the decision.

“We will not be able to offer protection to our employees. That is, withholding their names in future cases where we ask for the opinion of people on a person or on a process,” he said. “Every time that an employee co-operates with human resources, they would expose themselves to having their names public. So that might limit their cooperation. We will see in the future,” he said.

While both decisions are based on the specific facts of the case and grounded in the Privacy Act (which applies to government departments), it is possible that the line of reasoning used in the Pirie decision could be used as an argument in the context of the private sector under PIPEDA, said Shawn Cohen, a lawyer with consulting firm Hewitt Associates.

Employees could be entitled to information gathered about them from other employees and colleagues. Opinions of other employees are the personal information of both the person giving the opinion and the person who is the subject of that opinion. And the latter is entitled to that information.

Organizations subject to the Privacy Act may find it difficult to conduct employee reviews if people can not be assured of anonymity, said Rastogi.

Fortunately, PIPEDA does contain stronger wording about the protection of identity, she said. Employees are still entitled information about them but the identity of third parties maybe protected under PIPEDA.

But because the act is still so new, and provincial legislation is still to come, employers can’t know all of the possible ramifications for their organizations, said Rastogi.

However, it is important to remember that so far, the privacy commissioner has appeared to favour individual rights, she said, something that many organizations may find troubling.

“You have to be realistic about the way industries work and if these access requests are treated in an entirely individual-friendly manner and an organizational unfriendly manner it is really going to have a negative impact on the economy.”

To read the full story, login below.

Not a subscriber?

Start your subscription today!