New federal law protects employee privacy

If Canadian companies are to participate in the global economy, provinces must bring forth new legislation to mirror Ottawa’s privacy initiative for the private sector. Without it, companies will soon be prohibited from exchanging personal information with European nations.

Receiving Royal Assent on April 13, 2000, Canada’s new Personal Information Protection and Electronic Documents Act comes into effect on Jan. 1, 2001. By this date, employers in the federally regulated private sector must institute a significant number of measures to protect the privacy of their employees. Except for a few leading companies that have been attentive to privacy developments, it is likely that many Canadian firms will soon find themselves scrambling to achieve compliance.

Measures companies must implement include:

• developing and issuing policies and procedures incorporating privacy protections;

• documenting the purposes for which employee personal information is collected;

• obtaining employee consent for the collection and use of this information;

• providing for employees to access and correct their own data, as well as to access information about how that data has been used; and

• establishing training and communication programs, and complaint and recourse mechanisms.

Employees not satisfied with how management handles their personal information will have the right to appeal to the Federal Privacy Commissioner, and ultimately to the Courts. The Commissioner’s significantly expanded powers to investigate and audit employers, as well as to educate the public and promote good practices, are the central enforcement feature of the new law, reflecting a complaint-driven ombudsman approach to effecting privacy protection.

Background

The Personal Information Protection and Electronic Documents Act is designed to advance Canada’s participation in the global networked economy by eliminating two key barriers to the growth of electronic commerce: fears of the loss of personal privacy, and the lack of legal standing for electronic documents. The roots of the act with respect to privacy trace back to the Canadian Standards Association Model Code for the Protection of Personal Information, which emerged as a voluntary national standard in 1995. The new act incorporates this code, and its 10 principles of fair information practice modeled on the 1980 Organization for Economic Co-operation and Development guidelines, verbatim as a schedule providing the substance of what businesses must do when dealing with the personal information of customers or employees.

While the act clearly evolved out of domestic concerns about protecting privacy, the European Union’s Data Protection Directive, passed in 1995 and effective in 1998, also contributed to the bill’s passage. In keeping with the strict regulatory approach towards personal information common in the EU, the directive prohibits the transfer of personal information from Europe to other countries lacking an adequate level of data protection. The European Commission recently announced that it is considering whether the new Canadian law qualifies Canada as a country having an adequate level of privacy protection. Such a finding would be clearly beneficial, and was promoted as one of the objectives of the legislation.

Which employers are covered? And when?

The only employers covered by the act as of Jan. 1, 2001 are those in the federally regulated private sector, which includes maritime shipping companies, inter-provincial railroad, bus and ferry companies, telephone companies, airlines and air services, radio and television broadcast stations, cable television systems, banks and a few other organizations.

The act was written to encourage the provinces to pass equivalent or stronger legislation for the balance of the private sector, the incentive being that unless provinces do so by January 1, 2004, the federal law will come into effect with regard to such businesses. Because of limitations in the federal government’s General Trade and Commerce Powers, any such extension of the act would apply only to personal information of customers, and not of employees.

However, it is unlikely that the provinces, several of which have already initiated hearings and other activities relating to drafting provincial privacy legislation, would elect to leave employees with fewer rights than those enjoyed both by customers and by employees in the federally regulated private sector.

What should a covered employer do?

If they have not already done so, employers covered by the Personal Information Protection and Electronic Documents Act need to assemble teams or task forces with representatives from HR, IT, legal and other internal stakeholders, and get up to speed on the new law. Then, with senior management support and resources, they need to develop a project plan to bring their company into compliance by Jan. 1, 2001, or as soon as possible thereafter. For companies that cannot meet that aggressive date, evidence of making an ongoing good faith effort to come into compliance as soon as possible should carry weight with the Office of the Privacy Commissioner, as well as with employees.

It would be a serious mistake to underestimate the extent of the effort that will be required to achieve compliance. Any information about an identifiable individual is regarded as personal information, although a minor exception was written into the law for the name, title, business address and telephone number of employees. The new act will require a thorough review of practices in collecting, storing, accessing, using, disclosing, retaining and purging employee personal information, in any media or format, followed by a gap analysis between these practices and the provisions of the law. Eliminating the gap will not be easy.

In addition to the measures required by the law identified earlier, employers will be required to designate individual(s) accountable for compliance; provide comparable protection, for example through contracts, when processing of data is performed by third parties; and avoid any collection of personal information through unfair, deceptive or indiscriminate means.

Employees must be informed of the purposes for which personal information will be collected at or before the time of collection, and may withdraw their consent that it be used in such ways at any time.

Employers also will be required to implement security measures to safeguard against loss or theft of personal information, as well as against unauthorized disclosure, use or modification of it; ensure employee awareness about the importance of security; and exercise care in disposing or destroying personal information.

What should a non-covered employer do?

While not under the same legal and time pressures as covered employers, it would be prudent for employers not covered by the new law to carefully monitor what is going on with the Personal Information Protection and Electronic Documents Act and to begin planning for how they will respond to similar or stricter legislation at the provincial level. Any respite from an obligation to get their own privacy houses in order is likely to be temporary.

Because of this partial, and as yet uncertain, applicability of the new act, non-covered employers with employees in the European Union now face considerable risks relating to the legality of importing employee data from Europe. Any finding by the European Commission that the Personal Information Protection and Electronic Documents Act satisfies the Data Protection Directive’s adequacy requirement could hardly apply to employers not covered by the act. Only comparable provincial legislation, enacted in each province in which the firm does business, could secure a comparable finding of adequacy for provincially regulated multi-nationals.

While their American counterparts have the Safe Harbour program as a compliance option, short of a similar effort launched on their behalf by Ottawa, non-covered Canadian multi-national employers will need to craft their own direct means of meeting the requirements of the directive in the immediate future. This will require use of some combination of model contracts, consent and HR codes of practice. Such multi-nationals might also consider pooling resources, by either forming or joining industry coalition efforts such as the HR Data Consortium (www.pandab.org/Consortium.htm).

The need for interpreting the act

One of the unique features of the new act is the high level of generality at which it is written. With few exceptions, the CSA model code incorporated into the act is left open to interpretation. This means that an unusually large number of questions about how it is to be applied in particular situations will only be answered over a period of time, through clarifications issued by the Privacy Commissioner and the Courts. Employers are likely to find this encouraging and frustrating at the same time, since it places a premium on divining where ongoing public policy debates over privacy, and expectations of the “reasonable person” cited in the law, are likely to lead.

The new act, along with information that will be relevant in interpreting it, may be found at the Web site of the Federal Privacy Commissioner, at www.privcom.gc.ca. The Privacy Commissioner may also issue additional guidance specifically directed to employers, at some point in the near future. A number of workshops, conferences and handbooks on implementing the new law are available (see, for example, www.centruminformation.com). Finally, privacy consultants and compliance specialists are also available to help employers meet their obligations under the new law.

Donald F. Harris is president, HR Privacy Solutions, a New York-based consulting practice that assists corporate employers in meeting global and domestic privacy challenges. He can be reached at [email protected]