Canada reviews federal privacy law

Employers' efforts at compliance yield mixed results

Canadian employers are still struggling to comply with the requirements of federal privacy legislation that came into full effect more than two years ago.

And a mandatory review of the legislation slated to begin this fall has raised concerns that the obligations of employers to protect the privacy of the personal information of their employees and customers will become more complicated under a modified privacy law.

The Personal Information Protection and Electronic Documents Act establishes the ground rules for how organizations collect, use and disclose the personal information of both customers and employees (see story, page 23).

Employers' efforts to comply with the requirements of PIPEDA have yielded mixed results, according to an annual report on PIPEDA conducted by the office of the Privacy Commissioner of Canada.

In investigating alleged violations, Privacy Commissioner Jennifer Stoddart concluded that organizations had complied with PIPEDA requirements in only 19% of these cases. While the number of cases in which the commissioner determined that an organization failed to respect a provision of PIPEDA was about 10%, the report noted that this does not mean that more organizations failed to comply with PIPEDA. Rather, the number is a reflection of the fact that many cases were resolved by means other than a full investigation by the commissioner's office, such as a finding that the office does not have jurisdiction or that the complaint had been settled, according to the report.

In general, employers have expressed a "surprising" lack of concern about privacy compliance in the workplace, said Avner Levin, co-author of a recent report titled "Under the Radar? The Employer Perspective on Workplace Privacy." None of the employers interviewed for the report identified workplace privacy as a current issue of concern.

"There's a real disconnect between what employees are worried about, what the privacy commissioner and provincial privacy commissioners are worried about, and what employers are doing," said Mr. Levin, a law professor in the business department at Toronto-based Ryerson University.

Employers attempting to comply with Canadian privacy legislation have encountered numerous challenges, the first obstacle being the application of different federal and provincial standards to protect personal information. "I think what employers really want across the board is uniform standards," Mr. Levin said. "That would make their lives easier and that would make compliance easier."

Alberta, British Columbia and Quebec have privacy legislation that has been determined to be substantially similar to the federal legislation, meaning that the provincial law supersedes PIPEDA in certain situations. Privacy law, for example, does not apply in the same manner to the personal information of employees if their employers are provincially regulated, said Andrea York, a Toronto-based partner in the labor and employment practice of Blake, Cassels & Graydon L.L.P., who advises employers on privacy issues.

While a federally regulated organization such as a bank must comply with PIPEDA requirements in protecting the personal information of its employees, a provincially regulated company such as a law firm must comply with a mix of federal and provincial privacy standards, she said.

"What we recommend to our clients is that they address the most stringent requirements just because you have different requirements in different provinces," said Robert Parker, a Toronto-based retired partner of Deloitte & Touche L.L.P.'s enterprise risk practice, who still consults with employers on privacy law compliance.

Companies often cite the cost of compliance as a key issue, but what they fail to realize is that the cost of taking security measures is minimal compared with the potentially significant consequences of security breaches involving personal information, said Mark Hayes, a partner in Blake, Cassels and Graydon's Toronto office who also consults on privacy issues. "What I think a lot of companies forget is that there are a lot of things that can be done that are not expensive or don't have any costs at all," he said.

The lack of clarity on specific issues is another concern, privacy experts say. In the most high-profile case involving a PIPEDA complaint, both the privacy commissioner and a federal court rejected the contention by employees of Vancouver, British Columbia-based TELUS Communications Inc. that the company breached PIPEDA by implementing a speech recognition security program and requiring employees to provide a voice print.

While finding that the collection of this information by TELUS was reasonable, both the privacy commissioner and the court had trouble reconciling the language of PIPEDA's consent requirement with the case, which did not clearly fall within the consent exceptions established in the federal legislation, Ms. York said. This demonstrates the difficulty of applying PIPEDA, which focused more on protecting consumers' information even though it also governs employee information, she said. "The exceptions don't neatly fit into the employment relationship," she said.

The consent-based structure of the federal statute is one of the key issues that will be considered during the upcoming review. Generally, PIPEDA requires the knowledge and consent of the individual for the collection, use and disclosure of personal information, which has raised several concerns. PIPEDA, for example, protects the personal information of employees, but they may not feel that they can withhold their consent for fear of termination. "In an employment relationship, consent is meaningless," Mr. Levin said. "It makes no sense to create an obligation like that to begin with."

A more appropriate approach may be to model federal law after standards created by Alberta and British Columbia laws that allow employers to collect personal information about their employees without their consent under certain conditions as long as it is being collected for a reasonable purpose. The PIPEDA review will address whether this test is an appropriate alternative.

Another key issue to be considered involves the privacy commissioner's lack of enforcement power. Currently, the privacy commissioner has the authority to investigate complaints, make findings and issue non-binding recommendations, but has a limited ability to initiate a complaint, conduct an audit or publicly disclose information relating to the protection practices of an organization. "On a practical level, employers don't have to comply with them," Mr. Levin said. "It's not a court order."

Some privacy experts want PIPEDA to authorize enforcement powers similar to those in the legislation in Alberta and British Columbia. "The employers are cringing when they hear that," Mr. Levin said.

Employers that have taken steps to comply with privacy legislation are also concerned that they have spent significant amounts of time on privacy issues and that the upcoming review will force them to comply with a different set of rules, he said.

Employers should take basic risk management steps to protect personal information such as limiting the number of employees that have access to information and ensuring that business discussions of matters that refer to personal information do not take place in open workspaces, privacy experts say.

Ensuring employees are properly trained to recognize potential security breaches and address them is a major factor in avoiding or mitigating the impact of breaches, Mr. Parker said, adding that several of his clients had good privacy policies and procedures of which their employees were unaware.

Employers also need to develop separate policies covering consumer and employee personal information. Many companies attempt to use the privacy policies they develop for their customers for their employees, which may not be an effective approach because they do not address the specific dynamics of the workplace, Mr. Levin said. "I think we will see more policies out there that target what happens specifically with respect to employees, but we're not there yet," he said.