Canada’s new privacy law — what it means to you

Even if PIPEDA doesn’t apply to employer-employee relationships as of Jan. 1, provincial legislation almost certainly will in the near future

Ten years from now we may look back on this as the privacy decade. If that’s the case, then Canada will have passed an important milestone of that era on Jan. 1.

Since 2001, the commercial activities and employment relationships of all federally regulated employers like banks, telecommunications companies and airlines, have been covered by the Personal Information Protection and Electronic Documents Act (PIPEDA).

But Canada’s privacy law comes into force for almost all other Canadian organizations on Jan. 1. It will apply to all commercial activity in provinces where no substantially similar legislation has been passed.

So far, only Quebec is exempt from PIPEDA since the only other province that has passed its own privacy legislation — British Columbia — has not received federal recognition for it.

What you need to know about PIPEDA

The legislation applies to all personal information — that is, almost everything about someone except business contact information. It covers consumers, customers, suppliers, sub-contractors, patients and anyone else whose personal information is collected in the course of commercial activity.

Commercial activity is not just restricted to situations where money is directly involved in the transaction. All organizations, for profit and not-for-profit, have a responsibility to manage personal information responsibly. For volunteer organizations, this legislation includes donor activity, and possibly volunteer management as well.

It applies to organizations of all sizes. That includes the corner video store, where they collect driver’s licence and home contact information. It also applies retroactively; personal information that has already been collected is also covered by the law.

PIPEDA goes a long way to reinforce consumers’ rights. Most importantly, consumers must give knowledgeable consent for personal information to be collected. They have the right to know how the information will be used. That includes the right to question any organization about how personal information will be used.

Employer-employee relationship

PIPEDA applies directly to the employer-employee relationship — but only for federal organizations.

However, instead of taking refuge in that fact, employers should remember that even if PIPEDA doesn’t apply to employer-employee relationships as of Jan. 1, provincial legislation almost certainly will in the near future.

And there are still important questions about whether or not PIPEDA applies in certain employment situations. For example, employee personal information is often sent to third parties such as benefits carriers and payroll processors. The question centres on the distinction between “disclosure” and “transfer.”

• Transfer: Under PIPEDA, a transfer occurs when the employer sends employee personal information to a third party for processing, and that third party does not retain the information after the processing is complete. Transfers are not covered under PIPEDA. The Office of the Canadian Privacy Commissioner has held that an organization is responsible for personal information that has been transferred to a third party.

• Disclosure: A disclosure occurs when employees’ personal information is sent to a third party and that third party retains it. Almost all movement of employee personal information from an employer to a third party qualifies as a disclosure, not a transfer, because the third party retains that information. Therefore, most of these transactions probably qualify as commercial activity and are subject to PIPEDA.

For example, an employer sends personal information to a benefits firm so employees can be registered to be covered by the plan. The carrier keeps the personal information for a long time and normally does not dispose of it even if the employer changes carriers because the history may still be required.

Risks of non-compliance

Employers violating PIPEDA run the risk of Federal Court fines, but that’s unlikely except in the worst circumstances. The penalties for obstructing an investigation by the privacy commissioner are severe. But the greatest risk is negative public relations. What organization wants to be identified as careless with personal information — of consumers or employees?

After Radwanski

There is also some uncertainty about how much the enforcement of PIPEDA will change with the downfall of George Radwanski as privacy commissioner. How much have the decisions of the Office of the Privacy Commissioner of Canada since 2001 reflected the man who held the job, and how much did those decisions reflect the office?

Last month Prime Minister Jean Chrétien appointed Jennifer Stoddart as Canada’s new privacy commissioner. Stoddart officially took over the role Dec. 1.

The question of personal style versus the direction of the office has a huge potential impact. In May, Radwanski advised Parliament that neither the British Columbia law (Bill 33 — now passed into law) nor the Alberta law (Bill 48) met his criteria as “substantially similar” legislation. However, B.C. passed its bill into law anyway.

Industry Canada, the federal government department that makes the recommendation to cabinet to accept or reject provincial legislation, was to begin the formal review of B.C.’s legislation this month. The review would include public consultation and a final recommendation from the new privacy commissioner, Stoddart.

The review is unlikely to finish before the end of January and could run into February, meaning that as of Jan. 1, B.C. will technically be subject to PIPEDA.

However, Industry Canada says it’s unlikely any complaints originating in B.C. would be heard until a final decision is made on B.C.’s legislation.

As is the case with any new legislation, findings — in this case, by the privacy commissioner, and later by federal court rulings — will play a huge role in more fully defining the parameters of managing privacy in Canada.

The provinces will also play a role as they put forward legislation and provincial privacy commissioners make their findings.

Preparing for Canada’s privacy legislation

• Establish a privacy policy and management plan.

• Appoint a chief privacy officer (CPO).

• Write a privacy code that complies with the law.

• Conduct a thorough assessment of how the organization collects, stores and retains, or uses and discloses personal information for anyone, including customers, clients, patients, suppliers and employees.

• Include the entire organization: marketing, sales, HR, payroll, finance, purchasing and operations.

• Determine what tools exist to manage personal information. Are those tools — application software, paper file processes — sufficient? If not, make an investment or create policies and procedures that make up for tool deficiencies.

• Develop specific and detailed policies and procedures about how the organization should operate given its privacy compliance obligations, including:

  • collection and retention (including what is required and why);

  • knowledgeable consent (including “opt out” or withdrawal);

  • personal right of access (including specific time periods to respond);

  • staff access rules;

  • personal information storage tools and procedures;

  • transmittal tools and procedures;

  • having all third parties sign an agreement to abide by your code, or provide one of their own that is at least as good;

  • training all “staff” (employees and third parties who manage employee personal information) to ensure awareness; and

  • putting procedures in place to close the loop, and monitoring adherence.

Ian Turnbull is a director of The Canadian Privacy Institute and primary author and editor of Privacy in the Workplace — An Employment Perspective, to be published in late 2003. He can be contacted at [email protected] or (416) 618-0052.
