Personal Information Protection and Electronic Documents Act: Background to PIPEDA
1
Personal Information Protection and Electronic
Documents Act: Background to PIPEDA
  • 1982 The Privacy Act (in force July 1983).
    Regulates the federal government's collection, use
    and disclosure of personal information and includes
    some protection for employees.
  • 1982 Quebec. Act Respecting Access to Documents
    Held by Public Bodies and the Protection of Personal
    Information. The Act specifically covers
    universities.

2
Background to PIPEDA
  • 1984 Canada agrees to adhere to the Organisation
    for Economic Co-operation and Development (OECD)
    Guidelines for Privacy Protection.
  • 1993 Quebec enacts the first comprehensive
    personal information protection statute applying
    to private sector enterprises, the Act Respecting
    the Protection of Personal Information in the
    Private Sector.

3
Background to PIPEDA
  • 1996 Canada's Model Code for the Protection of
    Personal Information is developed by business,
    consumers, academics and government under the
    auspices of the Canadian Standards Association.
    The 10 principles in the Model Code are later
    incorporated into PIPEDA.
  • 1998 The European Union (EU) Data Protection
    Directive takes effect: countries wanting to do
    business with EU member states are required to
    have a regulatory system to protect personal
    information, and businesses are required to adhere
    to fair information practices.

4
Background to PIPEDA
  • 2001 PIPEDA comes into force. It has been certified
    as meeting the European Directive on Data Protection.
  • 2003 (May) BC and Alberta introduce Bills. Both
    contain a default rule that is more employer
    friendly than PIPEDA: the employer may collect
    personal information about employees without
    consent if the employer reasonably requires the
    collection, use or disclosure solely for the
    purposes of establishing, managing or terminating
    an employment relationship with the employee. This
    excludes personal information that is not about
    the employment relationship.

5
Background to PIPEDA
  • 2004 (January 1) PIPEDA applies in all
    jurisdictions to provincial private sector
    organizations where there is no substantially
    similar provincial legislation.
  • The Act applies to employee information only in
    organizations that are engaged in federal works,
    undertakings or businesses. The extension of the
    Act's scope in 2004 does not change that.

6
If PIPEDA does not apply why should we care?
  • Other provinces may get around to enacting
    similar legislation at some point.
  • Four other jurisdictions have such legislation
    (Federal, Quebec, Alberta and BC) and it makes
    little sense to have a different system of
    employee privacy requirements across the country.
    Alberta, Manitoba and Saskatchewan have all
    passed health sector privacy legislation as
    well.
  • It also seems likely that provincial legislation
    will not be limited to commercial activities.

7
Where should we start?
  • First, we need to review the context of the personal
    information we deal with as Faculty Associations.
    Three major contexts with respect to the effect
    of privacy legislation on the collection, use and
    disclosure of personal information are readily
    apparent:
  • the university as an employer of academic staff;
  • the Association representing members; and
  • the Association as an employer.

8
Context 1 the university as employer
  • If a future Act contains the Alberta/BC default
    rule, then the employer will be able to continue
    much as it currently does subject to grievance
    and arbitration. Associations may, therefore,
    have an interest in negotiating privacy
    protection or strengthening existing language to
    protect members. CAUT has model clauses on
    Privacy of Information, Privacy and Campus
    Surveillance, and Privacy and Security of
    Personal and Professional Communication.

9
Context 2 the association and its members
  • We all collect information on our members. As
    consent is a vital part of the ten principles of
    fair information practice, the easiest way to
    proceed is to negotiate an information article
    (or protocol if not unionized) and have the
    members ratify it.
  • For other more specific information relating to a
    member (such as that obtained for a grievance) it
    may be prudent to have the individual sign a
    consent form even though consent could be
    implied.

10
Context 2 the association and its members
(continued)
  • The other information flow Associations
    participate in is the sharing of information with
    other Associations, provincial and national
    organizations and, possibly, foreign national and
    international bodies. PIPEDA already applies to
    personal information that flows across
    provincial or national borders.
  • Other issues that will need attention are the
    length of time the information is kept, the security
    of the information, and who has access to it.

11
Context 3 the association as employer
  • The same issues arise here as for the university
    as employer. Employees need to come to an
    agreement with their Association employers on a
    Privacy of Personal Information Policy. Perhaps
    COFAS could work on a Model Policy or, if CAUT is
    working on one for its employees, COFAS could
    adapt it to our needs.

12
What constitutes personal information?
  • information that is about an identifiable
    individual (not information merely associated
    with an individual)
  • the individual need only be identifiable through
    the information; they need not actually be identified
  • the information need not be unique to an
    individual

13
What does not constitute personal information?
  • name,
  • title,
  • business address or
  • telephone number of an employee of an organization

14
What constitutes employee personal information?
  • employee personal information includes any
    information about an identifiable individual, such
    as name, date of birth, age, race, ethnic
    origin, colour, marital status, religion,
    nationality, language, education, home address
    and phone number, information on employment
    applications, job references, salary information,
    direct deposit information, garnishments, SIN,
    credit record, benefits information (e.g., type
    of coverage, details on dependents, details on
    illnesses, sexual orientation, etc.), performance
    reviews, opinions, evaluations, comments,
    disciplinary reports, and surveillance and
    monitoring information

15
What does not constitute employee personal
information?
  • name, title, business address or telephone number
    of an employee of an organization (although not
    specified in PIPEDA, the information on a business
    card is generally not covered by privacy
    legislation; such information may include email
    address, cell and fax numbers)
  • provided the information is used within the context
    of the individual's employment relationship,
    organizations may use and disclose this
    information without the consent of the employee

16
What are the ten principles of fair information
practice?
1. Accountability
  • designate and identify the primary individual
    accountable for maintaining compliance
  • the organization is responsible for personal
    information it possesses or has custody of,
    including information sent to a third party for
    processing (a privacy contract with the third
    party may be needed)

17
2. Identifying Purposes
  • before the time of collection, identify
    reasonable purposes for gathering the information
    (the purpose needs to be considered appropriate
    to the task in the opinion of a reasonable person
    and the organization needs to be able to explain
    the purposes if asked)
  • only information pertinent to the reasonable
    purpose may be collected
  • if the purpose changes then identify the new
    reasonable purpose
  • an individual may challenge the purpose

18
3. Consent
  • subject to exceptions, the knowledge and consent of
    the individual are required before the collection,
    use or disclosure of information
  • the organization must make a reasonable effort to
    advise the individual of the purposes for which the
    information will be used

19
3. Consent (continued)
  • the nature of consent may be express, implied or
    deemed, and the sensitivity of the information
    determines which is appropriate: for sensitive
    information, express consent should be obtained;
    implied consent may be used for less sensitive
    information where withdrawal of consent would not
    cause negative consequences; deemed consent
    refers to opting out, where an individual is given
    a valid opportunity to opt out and does not do so

20
3. Consent (continued)
  • personal information may be collected without
    consent if the collection is clearly in the
    person's interests and consent cannot be obtained
    in a timely way
  • personal information may be disclosed without
    consent for statistical, scholarly study or
    research purposes that cannot be achieved without
    disclosing the information, provided the
    information is used in a manner that will ensure
    its confidentiality, it is impracticable to obtain
    consent, and the organization informs the
    Commissioner of the disclosure before the
    information is disclosed

21
4. Limiting Collection
  • limit collection, amount and type of personal
    information to that which is necessary for the
    purposes identified
  • collect information only by fair and lawful means
  • do not mislead or deceive about the purpose of
    the collection

22
5. Limiting Use, Disclosure
and Retention
  • use or disclose only for the purposes it was
    collected for or as required by law
  • draw up and implement data retention policies or
    guidelines specifying minimum and maximum
    retention periods
  • keep information with respect to decisions about
    an individual long enough to permit the
    individual to appeal a decision

23
5. Limiting Use, Disclosure and Retention
(continued)
  • any legislative requirements are paramount and
    this policy is in addition to those requirements
  • draw up and implement a policy or guideline on
    data destruction
  • personal information collected should not be
    retained any longer than necessary for the
    specified purpose
  • destroy, erase or make data anonymous

24
6. Accuracy
  • information must be as accurate as necessary for
    the purposes for which it is used
  • decisions should not be made based on inaccurate
    information
  • must minimize possibility that inappropriate
    information is used in making a decision about an
    individual

25
6. Accuracy (continued)
  • no routine updating of data unless it is
    necessary to fulfill the purposes for which the
    data was collected
  • data used on an on-going basis, including data
    disclosed to a third party, should generally be
    up-to-date, unless limits are clearly set out

26
7. Safeguards
  • information in an organization's possession or
    custody must be protected in a manner appropriate
    to its sensitivity (highly sensitive information
    requires stronger protection) against unauthorized
    access, theft, loss, disclosure, copying, use or
    modification
  • protect information regardless of the format in
    which it is held

27
7. Safeguards (continued)
  • design and implement measures for physical,
    organizational and technological security
    (consider disposal or destruction as a safeguard)
  • make employees aware of the importance of
    confidentiality

28
8. Openness
  • privacy policies and practices must be
    communicated in a form that is generally
    understood and must be readily available
  • the policy must state: who within the organization
    is accountable for policies and practices, and to
    whom inquiries and complaints should be made; what
    personal information is collected and how it is
    used; a list of other organizations (related and
    unrelated) to which personal information is
    disclosed; and how to access data held by the
    organization

29
9. Individual Access
  • individuals have a right to know what personal
    information is held about them, how it is used
    and to whom it is disclosed, and a right to access
    their own personal information and have it amended
  • organizations shall respond to a request for
    access within a reasonable time (within 30 days
    or, with notification to the individual that an
    extension is required, 60 days), at minimal or no
    cost to the individual, and in a generally
    understandable format

30
9. Individual Access (continued)
  • failure to respond within the time limit is
    deemed to be a refusal to respond
  • individuals may challenge the accuracy or
    completeness of the information held
  • organizations shall advise, where appropriate,
    third parties to whom the information has been
    disclosed of amended information or unresolved
    challenges

31
9. Individual Access (continued)
  • an organization must refuse access if it would
    reveal information about a third party, unless
    there is consent or a life-threatening situation
  • an organization may refuse access in
    circumstances where the information is subject to
    solicitor-client privilege or was generated in
    the course of a formal dispute resolution process

32
10. Challenging Compliance
  • organizations must have procedures in place for
    complaints and inquiries that are both easily
    accessible and easy to use
  • individuals have the right to challenge an
    organization's compliance by addressing
    complaints to designated persons in the organization
    or to the Federal Privacy Commissioner
  • organizations must investigate all complaints
  • if a complaint is justified, the organization
    must take appropriate corrective measures

33
Designing a Privacy Compliance Plan
  • appoint a privacy committee
  • conduct a privacy audit of data collection
    procedures
  • conduct a privacy analysis of the information
    collected, held and disclosed; the technology used
    in collection, holding and disclosure; and security
  • draft procedures to implement the privacy policy
  • draft procedures to deal with a breach of privacy
  • implement the procedures, including employee
    training
  • ensure oversight of the organization's compliance
    with its privacy policy and with all applicable
    legislation

34
Final thoughts
  • We should be mindful of possible implications for
    Liability Insurance (should we ever find a
    carrier) as they may want us to demonstrate
    compliance with the legislation even if it is not
    clear that it applies to us.

35
Final thoughts (continued)
  • It seems likely that Faculty Associations in much
    of Canada have a few years to get ready for a
    provincial version of PIPEDA.
  • Given the anti-union amendments to the Ontario
    Labour Relations Act and the requirement that
    unions disclose the salaries of employees earning
    in excess of $100,000, even though other non-public
    sector employers are not covered, plus the
    requirement that OCUFA so disclose although it is
    not a union, we might well expect that any
    legislation on privacy will contain language
    designed to give members more control over their
    union under the guise of privacy protection.

36
Recommendations
  • Amend contract language (or whatever similar
    document governs in a non-unionized setting) to
    cover employee information provided to the
    Association
  • member ratification signifies consent to permit
    the Association to gather and hold the information

37
Article 23.1(a) CUASA collective agreement
  • The employer shall make available monthly to the
    Association a list stating the name, rank, status
    (term, preliminary, tenured, confirmed), amount
    of dues deducted, department, date of initial
    appointment at the University, date of last
    sabbatical, department of primary position, full
    time equivalent (sum of positions), highest
    degree, resignation date, stipend title, stipend
    amount, year of first degree, year of highest
    degree, date of last promotion, leave status and
    a unique identifier for each employee within the
    bargaining unit and the total number of employees
    in each rank.

38
Notes
  • Your Privacy Responsibilities - Privacy
    Commissioner of Canada http://www.privcom.gc.ca
    /information/guide_e.asp
    - a detailed 27-page document dealing with
    responsibilities
  • Canadian Institute of Chartered Accountants
    www.cica.ca/privacy
    - 20 questions that Directors should ask about
    privacy
  • Emond-Harnden, Ensuring compliance with the
    Personal Information Protection and Electronic
    Documents Act: What your organization should do
    http://www.emond-harnden.com/oct01/pipeda.html
  • Emond-Harnden, The Personal Information
    Protection and Electronic Documents Act: What it
    means for federally regulated businesses and their
    employees http://www.emond-harnden.com/jul01/
    pipeda.html

39
Notes
  • Knight, Janice, Ontario Employees and PIPEDA, CCH
    Canadian Labour Notes, 2003 08 05, p. 3
  • MacNeil, Michael, Collective Bargaining and the
    Discourse of Privacy as a Human Right, presented
    at the Canadian Industrial Relations Association
    Annual Meeting, Halifax, Nova Scotia, 2003 06 01
  • Mayer, Susan, Privacy Laws in Canada: changes
    that impact your union and your employer,
    Nelligan O'Brien Payne conference paper, 2003 03
    04