More rules for employee info protection

Ontario considering new legislation that will have significant impact on workplaces

Since the start of this year all federally regulated workplaces engaged in commercial activities have been subject to the Personal Information Protection and Electronic Documents Act (PIPEDA).

The act greatly restricts the types of personal information an organization may collect and how it is collected, used and accessed.

Information must be protected by security safeguards appropriate to the nature and sensitivity of the information, including physical measures (such as locks), organizational measures (such as limiting the distribution of information to a need-to-know basis) and technological measures (such as computer encryption and passwords).

As of Jan. 1, 2004, PIPEDA will apply to all private-sector commercial activities in any province that has not put in place “substantially similar” legislation. Substantially similar means the legislation must be equal or superior to PIPEDA in the degree and quality of privacy protection provided.

Only Quebec has passed such legislation, which came into effect Jan. 1, 1994. New Brunswick, British Columbia, Manitoba and Ontario have all issued discussion papers on the issue.

In Ontario the Ministry of Consumer and Business Services has drafted the Privacy of Personal Information Act, 2002 (PPIA). Although it appears to be aimed more at the regulation of information gleaned from consumer activities than the employment relationship, the legislation will have significant impact on Ontario workplaces if passed in its current form. The Ontario government received more than 600 comments and submissions from various stakeholders and interested parties and it is giving consideration to these submissions as it amends the draft legislation. It stands to reason that there will be some changes before its formal introduction, expected this fall, but it’s unlikely to change the fact that the legislation applies to the employment relationship.

As it stands now, in some respects, the draft Ontario legislation actually goes further than PIPEDA. For instance, where the federal legislation applies only to commercial activities, PPIA would apply to most Ontario organizations, such as those in the private sector, the health-care sector, not-for-profit organizations, professional associations, religious groups, universities and trade unions.

Like PIPEDA, PPIA deals generally with personal information; however, the current draft legislation specifically identifies and deals with employee health information as requiring special safeguarding.

Health information is one of the classes of information for which consent to collect, use and store cannot be implied, but instead must be expressly given by the employee.

This means, for instance, that consent is required for the employer to request, collect or disclose information from or to an employee’s doctor, a practice common to many employers dealing with issues such as accommodating an employee’s medical restrictions.

In addition, personal health information must be stored separately from other files, such as an employee’s personnel file, to ensure the health information is not disclosed or accessed without the employee’s consent. Specific exceptions permit the disclosure of health information, including disclosure for the purposes of legal proceedings (including grievance arbitrations), or compliance with a summons.

Because PPIA requires that information be destroyed once the purpose for which it was collected is exhausted, employers must establish mechanisms to ensure the periodic review of all files containing such personal information.

To ensure compliance with PPIA, Ontario employers would also be required to:

• identify the purpose for which personal information is being collected or will be disclosed, at or before the time of collection;

• obtain consent prior to collecting, using or disclosing personal information, except in limited, clearly identified circumstances;

• limit the collection, use and disclosure of personal information to what is necessary to meet agreed-upon purposes;

• not use or disclose personal information for purposes other than those for which it was originally collected, except with consent of the individual or as required by law;

• not retain information once it is no longer required to meet the purposes for which it was originally collected;

• keep personal information as accurate, complete and up-to-date as necessary to meet the purposes for which it was collected;

• provide individuals with specific information, if requested, about how the organization collects, uses and discloses personal information; and

• upon request, inform an employee of the existence, use and disclosure of the individual’s personal information and give access to that information, including its uses and disclosures.

Significantly, the proposed legislation would allow for individuals to sue for damages if an organization’s practices breached the individual’s privacy rights and the individual suffered actual harm as a result.

Erin R. Kuzz is a Partner at Sherrard Kuzz LLP, a firm providing a full range of employment and labour law services to employers. She can be contacted at (416) 603-6242 or [email protected]
