Title: Personal Information Protection and Electronic Documents Act: Background to PIPEDA
Personal Information Protection and Electronic Documents Act: Background to PIPEDA
- 1980: The Privacy Act. Regulated the Federal Government's collection, use and disclosure of personal information and included some protection for employees.
- 1982: Quebec. Act Respecting Access to Documents Held by Public Bodies and Protection of Personal Information. The Act specifically covers universities.
Background to PIPEDA
- 1983: Quebec enacts the first comprehensive personal information protection statute applying to private sector enterprises: Act Respecting the Protection of Personal Information in the Private Sector.
- 1994: Canada agrees to adhere to the Organization for Economic Cooperation and Development's (OECD) Guidelines for Privacy Protection.
Background to PIPEDA
- 1996: Canada's Model Code for the Protection of Personal Information developed by business, consumers, academics and government under the auspices of the Canadian Standards Association. The 10 principles in the Model Code are later incorporated into PIPEDA.
- 1998: European Union (EU) directive issued: countries wanting to do business with EU member countries are required to have a regulatory system to protect personal information, and businesses are required to adhere to fair information practices.
Background to PIPEDA
- 2001: PIPEDA becomes law. It has been certified to meet the European Directive on Data Protection.
- 2003 (May): BC and Alberta introduce Bills. Both contain a default rule that is more employer friendly than PIPEDA: the employer may collect personal information with respect to employees without consent if the employer reasonably requires collection, use or disclosure solely for the purposes of establishing, managing or terminating an employment relationship with the employee. Excludes personal information not about the employment relationship.
Background to PIPEDA
- 2004 (January 1): PIPEDA applies in all jurisdictions to provincial private sector organizations where there is no substantially similar provincial legislation.
- The Act applies to employee information only in organizations that are engaged in federal works, undertakings, or businesses. The extension of the Act's scope in 2004 does not change that.
If PIPEDA does not apply, why should we care?
- Other provinces may get around to enacting similar legislation at some point.
- Four other jurisdictions have such legislation (Federal, Quebec, Alberta and BC), and it makes little sense to have a different system of employee privacy requirements across the country. Alberta, Manitoba and Saskatchewan have all passed health sector privacy legislation as well.
- It also seems likely that provincial legislation will not be limited to commercial activities.
Where should we start?
- First, we need to review the context of personal information we deal with as Faculty Associations. Three major contexts with respect to the effect of privacy legislation on the collection, use and disclosure of personal information are readily apparent:
- The university as an employer of academic staff
- The Association representing members and,
- The Association as an employer.
Context 1: the university as employer
- If a future Act contains the Alberta/BC default rule, then the employer will be able to continue much as it currently does, subject to grievance and arbitration. Associations may, therefore, have an interest in negotiating privacy protection or strengthening existing language to protect members. CAUT has model clauses on Privacy of Information, Privacy and Campus Surveillance, and Privacy and Security of Personal and Professional Communication.
Context 2: the association and its members
- We all collect information on our members. As consent is a vital part of the ten principles of fair information practice, the easiest way to proceed is to negotiate an information article (or protocol if not unionized) and have the members ratify it.
- For other, more specific information relating to a member (such as that obtained for a grievance) it may be prudent to have the individual sign a consent form even though consent could be implied.
Context 2: the association and its members (continued)
- The other information flow Associations participate in is the sharing of information with other Associations, Provincial and National organizations and, possibly, foreign national and international bodies. PIPEDA applies now to personal information flowed across provincial/national borders.
- Other issues that will need attention are the length of time the information is kept, security of the information and who has access.
Context 3: the association as employer
- The same issues arise here as for the university as employer. Employees need to come to an agreement with their Association employers on a Privacy of Personal Information Policy. Perhaps COFAS could work on a Model Policy or, if CAUT is working on one for its employees, COFAS could adapt it to our needs.
What constitutes personal information?
- information that is about an identifiable individual (not information merely associated with an individual)
- the individual must be identifiable through the information, not be identified
- the information need not be unique to an individual
What does not constitute personal information?
- name,
- title,
- business address or
- telephone number of an employee of an organization
What constitutes employee personal information?
- employee personal information includes any information about an identifiable individual such as name, date of birth, age, race, ethnic origin, colour, marital status, religion, nationality, language, education, home address and phone number, information on employment applications, job references, salary information, direct deposit information, garnishments, SIN, credit record, benefits information (i.e., type of coverage, details on dependents, details on illnesses, sexual orientation, etc.), performance reviews, opinions, evaluations, comments, disciplinary reports, surveillance and monitoring information
What does not constitute employee personal information?
- name, title, business address or telephone number of an employee of an organization (although not specified in PIPEDA, information on a business card is not covered by privacy legislation; such information may include email address, cell and fax numbers)
- provided the information is within the context of the individual's employment relationship, organizations may use and disclose this information without the consent of the employee
What are the ten principles of fair information practice?

1. Accountability
- designate and identify the primary individual accountable for maintaining compliance
- the organization is responsible for personal information it possesses or has custody of, including information sent to a third party for processing (may need a privacy contract with the third party)
2. Identifying Purposes
- before the time of collection, identify reasonable purposes for gathering the information (the purpose needs to be considered appropriate to the task in the opinion of a reasonable person, and the organization needs to be able to explain the purposes if asked)
- only information pertinent to the reasonable purpose may be collected
- if the purpose changes, then identify the new reasonable purpose
- an individual may challenge the purpose
3. Consent
- subject to exceptions, knowledge and consent of the individual is required before collection, use or disclosure of information
- must make a reasonable effort to advise the individual of the purposes for which the information will be used
3. Consent (continued)
- nature of consent may be express, implied or deemed (the sensitivity of the information determines the nature of consent: for sensitive information, express consent should be obtained; implied consent may be used for less sensitive information where withdrawal of consent would not cause negative consequences; deemed consent refers to opting out, where an individual does not do so when given a valid opportunity)
3. Consent (continued)
- may collect personal information without consent if it is in the person's interests and consent is not available in a timely way, or if it is used for statistical or scholarly study or research purposes that cannot be achieved without disclosing information, the information is used in a manner that will ensure its confidentiality, it is impracticable to obtain consent and the organization informs the Commissioner of the disclosure before the information is disclosed
4. Limiting Collection
- limit collection, amount and type of personal information to that which is necessary for the purposes identified
- collect information only by fair and lawful means
- do not mislead or deceive about the purpose of the collection
5. Limiting Use, Disclosure and Retention
- use or disclose only for the purposes it was collected for or as required by law
- draw up and implement data retention policies or guidelines specifying minimum and maximum retention periods
- keep information with respect to decisions about an individual long enough to permit the individual to appeal a decision
5. Limiting Use, Disclosure and Retention (continued)
- any legislative requirements are paramount, and this policy is in addition to those requirements
- draw up and implement a policy or guideline on data destruction
- personal information collected should not be retained any longer than necessary for the specified purpose
- destroy, erase or make data anonymous
6. Accuracy
- information must be as accurate as necessary for the purposes for which it is used
- decisions should not be made based on inaccurate information
- must minimize the possibility that inappropriate information is used in making a decision about an individual
6. Accuracy (continued)
- no routine updating of data unless it is necessary to fulfill the purposes for which the data was collected
- data used on an on-going basis, including data disclosed to a third party, should generally be up-to-date, unless limits are clearly set out
7. Safeguards
- information in an organization's possession or custody must be protected in a manner appropriate to its sensitivity (highly sensitive information requires higher protection) against unauthorized access, theft, loss, disclosure, copying, use or modification
- protect information regardless of the format in which it is held
7. Safeguards (continued)
- design and implement measures for physical, organizational and technological security (consider disposal or destruction as a safeguard)
- make employees aware of the importance of confidentiality
8. Openness
- privacy policies and practices must be communicated in a form that is generally understood and must be readily available
- the policy must state: who is the person within the organization accountable for policies and practices and to whom to make inquiries and complaints; what personal information is collected and how it is used; a list of other organizations (related and unrelated) that personal information is disclosed to; and how to access data held by the organization
9. Individual Access
- individuals have a right to know what personal information is held about them, how it is used and to whom it is disclosed, and a right to access their own personal information and have it amended
- organizations shall respond to a request for access within a reasonable time (within 30 days or, with notification to the individual of a requirement for an extension, 60 days), at minimal or no cost to the individual and in a generally understandable format
9. Individual Access (continued)
- failure to respond within the time limit is deemed to be a refusal to respond
- individuals may challenge the accuracy or completeness of the information held
- organizations shall advise, where appropriate, third parties to whom the information has been disclosed of amended information or unresolved challenges
9. Individual Access (continued)
- an organization must refuse access if it would reveal information about a third party, unless there is consent or a life-threatening situation
- an organization may refuse access in circumstances where the information is subject to solicitor-client privilege or was generated in the course of a formal dispute resolution process
10. Challenging Compliance
- organizations must have procedures in place for complaints and inquiries that are both easily accessible and easy to use
- individuals have the right to challenge an organization's compliance by addressing complaints to designated persons in the company or to the Federal Privacy Commissioner
- organizations must investigate all complaints
- if a complaint is justified, the organization must take appropriate corrective measures
Designing a Privacy Compliance Plan
- appoint a privacy committee
- conduct a privacy audit of data collection procedures
- conduct a privacy analysis of the information collected, held and disclosed; the technology used in collection, holding and disclosure; and security
- draft procedures to implement the privacy policy
- draft procedures to deal with a breach of privacy
- implement the procedures, including employee training
- ensure oversight of the organization's compliance with its privacy policy and with all applicable legislation
Final thoughts
- We should be mindful of possible implications for Liability Insurance (should we ever find a carrier), as they may want us to demonstrate compliance with the legislation even if it is not clear that it applies to us.
Final thoughts (continued)
- It seems likely that Faculty Associations in much of Canada have a few years to get ready for a provincial version of PIPEDA.
- Given the anti-union amendments to the Ontario Labour Relations Act and the requirement that unions disclose salaries of employees earning in excess of $100,000, even though other non-public sector employees are not covered, plus the requirement that OCUFA so disclose although not a union, we might well expect that any legislation on privacy will contain language designed to give members more control over their union under the guise of privacy protection.
Recommendations
- Amend contract language (or whatever similar document governs in a non-unionized setting) to cover employee information provided to the Association
- member ratification signifies consent to permit the Association to gather and hold the information
Article 23.1(a) CUASA collective agreement
- The employer shall make available monthly to the Association a list stating the name, rank, status (term, preliminary, tenured, confirmed), amount of dues deducted, department, date of initial appointment at the University, date of last sabbatical, department of primary position, full time equivalent (sum of positions), highest degree, resignation date, stipend title, stipend amount, year of first degree, year of highest degree, date of last promotion, leave status and a unique identifier for each employee within the bargaining unit and the total number of employees in each rank.
Notes
- Your Privacy Responsibilities, Privacy Commissioner of Canada, http://www.privcom.gc.ca/information/guide_e.asp (a detailed 27 page document dealing with responsibilities)
- Canadian Institute of Chartered Accountants, www.cica.ca/privacy (20 questions that Directors should ask about privacy)
- Emond-Harnden, Ensuring compliance with the Personal Information Protection and Electronic Document Act: What your organization should do, http://www.emond-harnden.com/oct01/pipeda.html
- Emond-Harnden, The Personal Information Protection and Electronic Document Act: What it means for federally regulated business and their employees, http://www.emond-harnden.com/jul01/pipeda.html
Notes
- Knight, Janice, Ontario Employees and PIPEDA, CCH Canadian Labour Notes, 2003 08 05, p.3
- MacNeil, Michael, Collective Bargaining and the Discourse of Privacy as a Human Right, presented at the Canadian Industrial Relations Association Annual Meeting, Halifax, Nova Scotia, 2003 06 01
- Mayer, Susan, Privacy Laws in Canada: changes that impact your union and your employer, Nelligan O'Brien Payne Conference paper, 2003 03 04