Law protects privacy of employee information

Privacy has become one of the greatest concerns of the high-tech era.

With information shooting around the world, through fibre-optic wires, under oceans waves and through air waves, in and out of databases and network servers across the globe, interception of that information is a great concern.

Employers have been treading carefully in some areas while staking out their legal ground in others.

A new law recently came into effect in the United Kingdom that gives employers new, wider and unprecedented powers of surveillance of employees’ e-mails and Internet use. Besides enabling the monitoring of e-mail, employers will also be able to eavesdrop and record phone calls, check who an employee is calling on a cellphone and search the hard drives of laptops.

In Canada, court rulings have suggested employers are free to monitor employee communications so long as staff are warned in advance. However there is no law like the new British legislation, that gives Canadian employers the explicit right to do so. Though British employers are supposed to stay away from personal e-mails, unions and anti-surveillance groups say that is not enough and may challenge the law under the new European Human Rights Act.

Meanwhile new Canadian legislation designed to guarantee the protection of employee information comes into effect in January.
Toronto-based employment lawyer Soma Ray answers some of the important questions around the new law.

What is the purpose of the Personal Information Protection and Electronic Documents Act (PIPEDA)?
The PIPEDA is designed to address the following three main concerns:

•protect the privacy of personal information that is collected, used or disclosed in the private sector;

•facilitate interaction and communication with the federal government by electronic means; and

•facilitate the use of electronic documents in legal proceedings.

The first part, when fully implemented, will compel businesses to respect the code of fair information practice requiring individual consent for the collection, use and disclosure of personal information. Equally important, the act provides the mechanism for independent oversight, mandating the Privacy Commissioner of Canada to investigate complaints, issue reports and conduct audits. As a last resort, it provides for recourse to the Federal Court and empowers the Court to award damages when it feels the penalty is justified.

When does the law come into force and who does it apply to?
The legislation takes effect in stages. Initially, the act applies to federally regulated businesses as of January 1, 2001. “Federally regulated businesses” includes federal works, undertakings and businesses in sectors such as transportation and communication.

The next stage takes effect three years later. At that time, the PIPEDA will apply to all commercial activities within those provinces that fail to adopt comparable laws of their own.

Currently, only the Province of Quebec has legislation respecting the protection of personal information.

It also should be noted that health-care information will not be covered until January 1, 2002. This is a result of intensive lobbying by the health-care industry giving the sector greater time before being impacted by the PIPEDA.

What do HR practitioners have to be aware of for compliance?
HR practitioners have to be aware that while they might be provincially regulated employers (as most industries are), if they are shipping information across provincial boundaries or international lines, then this will require the specific consent of the employee.

Other practical issues for employers include:

•the dissemination of personal information among related corporations may be restricted;

•third-party service, such as health group insurers, have to be in compliance with the legislation;

•employee monitoring program should be set out in a policy to which each employee has knowledge and consent;

•employees are educated about privacy policies and the implementation of privacy policies; and

•application, procedures and forms are reviewed to ensure proper compliance with the legislation.

What are the penalties for non-compliance?

The PIPEDA empowers the Privacy Commissioner of Canada to investigate complaints, issue reports and conduct audits. As a last resort, it provides recourse to the Federal Court and empowers the Court to:

•order an organization to correct its practices in order to comply with the act;

•order an organization to publish a notice of action taken or proposed to be taken to correct these practices; and

•award damages to the complainant including damages for any humiliation that the complainant had suffered.

Further, fines may be imposed on an organization that discloses personal information prior to the subject of that personal information being able to exhaust his or her rights to discover who is going to get the information about them or attempt to object to its disclosure. Individuals guilty of taking such action may be subject to:

•a fine of up to $10,000 for an offence punishable on summary conviction; or

•a fine up to $100,000 for a conviction of an indictable offence.

Soma Ray is an employment lawyer at the firm of Donahue Ernst & Young.

Latest stories