B.C.’s privacy law — part two

B.C.’s privacy law will ‘likely’ be found to be substantially similar to federal legislation

Editor’s note: This is the second of a two-part, in-depth look at B.C.’s privacy law and what it means for employers doing business in British Columbia.

Background

As of Jan. 1, 2004, the Personal Information Protection and Electronic Documents Act (PIPEDA) will come into effect in Canadian provinces that have not implemented their own private sector privacy legislation that is substantially similar to PIPEDA.

Quebec has had private sector privacy legislation since 1994. Other than Quebec, B.C. and Alberta are the only two provinces which have taken steps to implement provincial private sector privacy legislation to meet the Jan. 1, 2004, deadline. Alberta’s Bill 44 is still at the second reading stage as of the date of writing of this article, but it appears the legislation is on track to receive third reading and royal assent for Jan. 1, 2004.

B.C. has passed its legislation, the Personal Information Protection Act, S.B.C. 2003, c. 63 (PIPA). The legislation received royal assent on Oct. 23, 2003, and is set to come into force on Jan. 1, 2004. Industry Canada is the body which determines whether legislation is substantially similar to PIPEDA. Industry Canada receives input from the federal Privacy Commissioner, as well as from public sector entities and the public, as to whether or not provincial legislation is “substantially similar.”

There is no indication of when Industry Canada will make its ruling with respect to the B.C. legislation, but officers at the B.C. Corporate Privacy and Information Access Branch said they expect the legislation will be determined to be substantially similar. The result is uncertainty as to which legislation applies in B.C. as of Jan. 1, 2004 — the federal or the provincial one — an outcome which is certainly not satisfactory to any organization. The recommended course of action at this point is to assume the provincial legislation will apply in B.C. and to proceed accordingly.

What’s in PIPA for B.C. employers?

Part 9 of PIPA sets out provisions for the care of personal information, including three separate obligations: accuracy, protection and retention. An organization must make a reasonable effort to ensure personal information collected by it, or on its behalf, is accurate and complete if the information is likely to be used to make a decision affecting the individual, or is likely to be disclosed by the organization to another organization.

An organization must protect personal information in its custody or under its control. This includes making reasonable security arrangements, such as use of locked cabinets, computer passwords, and, in some cases, confidentiality agreements for employees who have regular access to personal information.

Finally, PIPA sets out obligations of organizations for retention. An organization must keep personal information for one year if it is used to make a decision that affects the individual. However, once the information is no longer required for the purposes for which it was collected, and there are no legal or business purposes to keep the information, the information must be destroyed or anonymized.

Parts 10 and 11 of PIPA set out the provisions regarding the powers of the commissioner. The commissioner has mediation powers and may make orders. An order of the commissioner may be used as a cause of action by an individual to seek damages in court. There are also general provisions set out in Part 12, which include protection for whistleblowers and some specific offences. Finally, Section 58 sets out that the Lieutenant Governor may make regulations with respect to the legislation. It is anticipated that regulations will be introduced with respect to prescribed sources of publicly available information, who may give consent on behalf of minors and others, and the disclosure of health care information.

It is anticipated that the commissioner will use his powers to educate and assist organizations in understanding compliance, and will make use of his dispute resolution powers prior to issuing orders. On the other hand, unionized employers should note that arbitrators may be asked to interpret and apply this legislation.

As a result of the Supreme Court of Canada decision in District of Parry Sound, [2003] S.C.C. No. 42, arbitrators have the jurisdiction to apply employment-related statutes, such as PIPA, in interpreting collective agreements. It is anticipated that unions may challenge employers with respect to their members’ privacy rights, such as the collection of medical information and conducting surveillance, under this legislation.
Five implementation issues to consider

1. Appoint a privacy officer

First and foremost, organizations need to appoint a privacy officer. The privacy officer should be someone senior in the organization who has the authority of management to carry out their role. The privacy officer should assemble a privacy team of individuals who can assist in implementing the legislation. The team should include individuals from the IT group, accounting, human resources, and operations.

2. Conduct a privacy audit

The next step, and probably the most important and time-consuming one, is to conduct a privacy audit. Organizations must understand the flow of personal information within the organization in order to be able to draft a policy which complies with the legislation. The organization must determine whether it has personal information about its customers, or just about its employees. If the organization is the type of business which collects, uses and discloses personal information about its customers, then it is advisable to have one policy dealing with employees, and another one dealing with customer and client issues.

The audit should determine the flow of personal information: how it is kept, where it is kept, what security measures, if any, are applied to the information, how long information has been retained and why, and the location of all personal information, including electronic databases and paper files. Having conducted the audit, organizations can then move towards drafting policies.

3. Implement policies

The organization must implement the policies and procedures necessary to comply with the Act. Policies are not “one size fits all.” The policy must be tailored to the unique nature and size of the business, and the ways in which it uses personal information. In the case of compliance for employee personal information, the cornerstone of the policy will be to set out, in an understandable form and with enough detail, the purposes for which personal information is collected, used and disclosed in managing the employment relationship, so that employees understand those purposes. Organizations must also implement a complaints policy, a document retention schedule, contractual provisions to be entered into with third parties to which the organization transfers personal information for processing, and practices for implementing security.

In addition, managers should understand that employees may now be able to access opinions managers have provided about them. In many cases, the right to access will result in changed practices for employers. Supervisors and managers, whose comments may now be accessible, will want to understand the organization’s new obligations. Part of the changes may be to review existing files and determine whether each file, as it currently exists, meets the new retention schedule, or whether part of the file information should be excised. If there is no legal or business purpose to have the information, and the purpose for which the information was collected is no longer in effect, then the information must be removed from the file. However, it would be an offence to dispose of this information once an access request has been received.

Employers should also pay close attention to the definition of employee personal information. It does not include information which is not about an individual’s employment. If the employer is collecting, using or disclosing information about an employee that is not about the individual’s employment, or the personal information is not being collected, used or disclosed for a purpose reasonably required to administer the employment relationship, the employer will have to consider whether the limited circumstances for reliance on implicit consent, as defined in PIPA, will suffice, or whether express consent will be required to collect, use or disclose the information. Obtaining express consent is always the safest course of action.

4. Train employees

Employers should make employees aware of the policies that have been implemented, and train all affected employees with respect to their obligations. Since organizations will be liable for the acts of their employees who fail to comply with the legislation, employees must be aware of what those obligations are.

Management should be advised that the organization has 30 days to respond to access requests. Access requests entail searching all of the locations where the personal information may be held, such as supervisors’ daybooks or PDAs, and providing a record of that information. The policy and the training sessions should encourage limiting the number of places where personal information is held, or, if it is determined that personal information must be held in more than one location, developing a system whereby access can be easily facilitated, such as keeping a record of all of the places where personal information is held. Training should also reinforce the requirement that security be maintained over all of the locations where personal information is held. This requirement may also result in changes to existing employer practices, such as the use of password-protected computers, a clean desk policy, and locked cabinets and offices.

5. Organizational compliance

Many Canadian organizations have divisions throughout Canada. As a result, the Ontario location might be covered by PIPEDA, the Alberta location by the Alberta Personal Information Protection Act and the B.C. location by PIPA, regardless of where the head office is located. The approach of many organizations with locations throughout Canada is to pick the highest threshold of privacy obligations and set the policy at that level.

However, in terms of facilitating regional compliance, it is advisable to have a regional privacy officer who can deal with access requests and security issues. As well, the regional privacy officer should be aware of the differences in the legislation between the provinces. While all of the legislation is based on the 10 privacy principles, there are substantive differences in obligations from province to province. It will be imperative for regional privacy officers to understand and ensure compliance with the legislation in their region.

This in-depth look at B.C.’s privacy law was provided by Lorene Novakowski, a partner in the labour, employment and human rights department of Fasken Martineau in Vancouver. She can be reached at [email protected] or at (604) 631-3216.
