Technology makes passing information easy, complying with privacy law tough

While PIPEDA’s application to private-sector firms that aren’t federally regulated only covers customer information, HR departments are well-advised to ensure employee information is also protected

Privacy is one of the hottest buzzwords in HR. And because technology makes it so easy to transmit reams of information in an instant, ensuring an organization is in compliance with federal and provincial privacy legislation can be a challenge. Two recent decisions to privacy complaints show the dangers in being lax when it comes to using technology.

The Personal Information Protection and Electronic Documents Act (PIPEDA), which governs the management of personal information, first came into effect on Jan. 1, 2001 for federally regulated organizations. But the big milestone date for the legislation was Jan. 1, 2004, when it was extended to cover the private sector. The exception is where a province has passed substantially similar legislation. Quebec passed its privacy law in 1994. B.C. and Alberta passed their own legislation that took effect Jan. 1, 2004, but Industry Canada is still reviewing the legislation to determine if it is substantially similar to PIPEDA.

While PIPEDA’s application to private-sector firms that aren’t federally regulated only covers customer information, HR departments are well-advised to ensure employee information is also protected. Provincial legislation may require it, PIPEDA could change, and the practice of protecting employee data is a good one.

The objective of the privacy legislation is to balance the individual’s right to have personal information kept private with the requirement that businesses collect, use and disclose personal information for legitimate business purposes. Under the act, organizations must obtain an individual’s consent when collecting, using or disclosing personal information and only use that information for the purpose for which consent was obtained.

If an organization chooses to use it for any other purpose, further consent must be obtained. The act also provides individuals with a right to access personal information and to challenge its accuracy while imposing a duty on the business to protect it through all sorts of safeguards. PIPEDA identifies 10 principles which must be followed by businesses (see “The 10 principles of federal privacy law” below). It is every organization’s responsibility to ensure these principles are understood and followed.

According to the act, personal information includes any “factual or subjective information, recorded or not, about an identifiable individual.” The act’s definition of personal information also includes information in any form such as opinions, evaluations, comments, social status or disciplinary actions. It does not include the name, title, business address or telephone number of any employee or an organization. Personal information may be collected, used or disclosed either in traditional paper form or electronically.

Electronically, personal information may be obtained through e-mail, on a hard drive, through fax machines or through videotapes and audiotapes. Given that e-mail is not private, a hard drive and fax machines are often accessible to anyone and videotapes and cassettes may be viewed or heard by anyone, personal information may be unknowingly reproduced or used for purposes other than intended.

In addition, the instantaneous manner in which information is transmitted makes it much more difficult to control the dissemination of information. But it is imperative that an organization take every precaution to safeguard it and keep it confidential as two recent complaints to the privacy commissioner illustrate.

Employee questioned info collection

In a recent decision, an employee of a telecommunications company complained the company was unnecessarily collecting personal medical information to administer the long-term disability plan. He also complained the company failed to have sufficient safeguards in place to protect this sensitive information from access by other employees.

After the employee had been notified that short-term disability benefits would be ending, the company sent the employee a letter advising the employee to provide it with all the necessary personal information for applying for long-term disability benefits. The significance was that the company asked the employee to provide the information to the company, not the insurance company, despite the fact the submission guide for the insurance company specifies the employee may submit the information to either the employer or the insurance company.

The company maintained it required the information to ensure the application was complete for long-term disability. It also said the transmission of information was secure, given that the human resources fax machine was only used by HR personnel.

The assistant privacy commissioner found that because the company was collecting the employee medical information to administer the long-term disability plan, a reasonable person might find it objectionable that the company represented this collection as a requirement without any explanation. In addition, the assistant privacy commissioner found that transmission of personal information by fax, which was accessible to all employees, was also in violation of the act.

Equally, the commissioner took issue with the fact the company’s unqualified HR personnel had received and reviewed sensitive personal information about medical diagnoses, finding that this information should only be shared with qualified medical practitioners. The company was found to be in violation of the act.

Training staff with customer’s personal info violates privacy

Another recent decision shows the responsibility organizations have to ensure employees protect customer data.

A man complained that a bank failed to protect his personal information by disclosing it to a third party without his consent. The customer complained a tape-recorded conversation with him had been used without his consent for a purpose which had not been previously identified. During a telephone conversation, another customer was connected to a tape recording of the complainant’s transaction. The bank notified the complainant about this incident, and explained that one of his telephone calls had been used for training purposes.

But the complainant had previously been told only that his call might be used for quality monitoring purposes. The bank argued the telephone call was improperly disclosed to a third party through employee error. The bank also explained it made a practice of randomly taping phone calls and that notification of this practice was sufficient to cover uses of the kind that this employee had made of the recorded call.

The commissioner found the bank had improperly disclosed the complainant’s personal information to a third party without his knowledge and consent. The bank had also failed to consider the sensitivity of the information and the possibility of disclosure through employee error, and had failed to put in place appropriate safeguards to avoid such disclosure.

The commissioner also concluded he would not expect the meaning of “quality monitoring” to extend to integrating a personal conversation into a training program by storing it in a special telephone that is accessible to all employees. The commissioner found this required specific identification and consent from the individual, which the bank did not obtain, and therefore the bank violated the act.

While there haven’t been many complaints under the act, these two very recent decisions make clear that the commissioner is prepared to enforce the act where organizations have mishandled sensitive private information. Accordingly, it is incumbent upon all businesses and organizations to review current practices for collecting and handling personal information to ensure it complies with PIPEDA. To do so, it is suggested that organizations do the following:

• designate one individual with the responsibility of being in charge of privacy;

• educate the organization as to PIPEDA’s requirements and its 10 principles;

• clearly identify the purpose for which the personal information is intended and obtain the necessary consents from individuals;

• ensure that the process is open so that individuals may access their information; and

• take all appropriate steps to ensure confidential information, either in paper or electronic form, is kept inaccessible to other employees.

Natalie MacDonald is an associate with Grosman, Grosman & Gale, a Toronto-based law firm specializing in employment law. She can be reached at (416) 364-9599 or [email protected]. Look for her next column in the April 19 Guide to a Healthy Workplace.




The 10 principles of the federal privacy law

The federal Personal Information Protection and Electronic Documents Act (PIPEDA) identifies 10 principles which must be followed by businesses.

1. Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.

Start by identifying internally who will be your privacy officer(s). As personal information may be collected and processed by different departments within a business, consider whether a team of individuals will be necessary to ensure the whole business is compliant with the act.

2. Identifying purpose: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

Conduct a “privacy audit” to determine what personal information is collected and for what purpose. Consider specifically the nature of customer relationships; there may be follow-up activity which necessitates a broader purpose statement. Check corporate forms, publications and Web sites to ensure privacy statements that identify the purpose for collection of personal information are present and visible where necessary. Contact information for a firm’s privacy officer(s) should be easily accessible.

3. Consent: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.

Obtaining informed consent to collection is a central element of the act. As varying types of consent are possible, consider which is most appropriate to the nature, including sensitivity, of the information.

4. Limiting collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

This means that an organization must limit the type of information collected to correspond to the stated purpose. PIPEDA includes a “reasonable person test” which mandates that an organization can collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate. This means considering which information is crucial for a purpose, and collecting only that.

5. Limiting use, disclosure and retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

This does not mean that firms cannot outsource; however, organizations cannot use or pass on information in a manner inconsistent with the identified purpose. A privacy policy must include guidelines that govern the handling of personal information while the organization is using it, including minimum and maximum times for retaining it. Information used to make a decision about an individual should also be kept long enough to allow the individual to have access to it.

6. Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary.

Keep information as accurate as necessary, but note that the legislation prohibits routine updating if this is not necessary to fulfill the purpose given for the initial collection.

7. Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

As part of a policy, put in place security policies and practices for storage of the information and for its disposal. Such practices can include physical or technical measures as needed, but also staff education and awareness.

8. Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Specific information, in an understandable form, on information policies and practices must be readily available. This must include: name or title and address of the privacy officer, a description of the type of personal information an organization holds (including what it is generally used for), brochures or other information that explain policies, and what personal information is made available to related organizations, such as subsidiaries.

9. Individual access: Upon request, an individual shall be informed of the existence, use and disclosure of his personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

PIPEDA states individual access requests must be made in writing, and that organizations shall assist individuals who indicate they need help to prepare their requests. An organization must respond to a request, including indicating that more time is needed to process the request, within 30 days of receipt of the request.

10. Challenging compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.

An organization must be ready to refer and act on complaints, including amending policies and practices if necessary. Be ready for compliance audits, which the Privacy Commissioner can undertake at his discretion.
