Briefing Paper on New Privacy Legislation
Prepared by Ian Matthews August
Most companies have
a general awareness of new Canadian privacy legislation but lack detailed
information they can use to develop a compliance strategy. The purpose
of this paper is to highlight some of the key items in the legislation so
that companies can start developing that plan.
called Personal Information Protection and Electronic Documents Act
(PIPEDA) becomes applicable to all Canadian corporations on January 1, 2004.
The Provinces are allowed to create overriding legislation as long as the
Federal Government approves. Alberta, like most provinces, has taken
advantage of this opportunity. A draft copy of the Personal Information
Protection Act (PIPA), which is expected to become Alberta law in September
2003, has been submitted to the Federal Government for consideration.
The largest difference
between PIPEDA and PIPA is that the effective start date for regulation.
Alberta’s PIPA has a ‘grandfather clause’ allowing companies to maintain all
existing personal data under the old rules while the Federal PIPEDA requires
an action plan to be developed to bring old data into compliance with the
Most of the Provincial
legislation is very similar to the Federal statute. The balance of this
document will provide an insight into the key areas of:
The term “client”
is used in this document to relate to all external stake holders, be they
potential or current customers, contractors, shareholders…
Currently most Provincial
legislation, including Alberta’s PIPA, mandate serious penalties for breaching
the new privacy laws:
a quasi-judicial order to rectify
a ‘negative’ press release
substantial fines, to be used in repeated
or grievous offences
In Alberta fines for
individual employees can be $10,000 and fines for corporations can be $100,000.
More importantly, it is expected that this legislation will be sited in individual
and corporate lawsuits in which damage settlements could be quite high.
The PIPEDA legislation
grants the Federal Privacy Commissioner little more than the right to request
that companies make changes and to create ‘negative’ press releases.
relating to clients, potential clients, and employees may only be collected
for a previously approved or obvious business use. For example you may
collect names, address, and personal preferences of your clients if that information
allows you to complete a task requested by the client. However, you
may not sell or transmit that data to other companies without prior client
approval. Although it was perhaps poor business etiquette in the past,
it will soon be illegal to inform one client of other clients ‘buying patterns’.
All sales staff need to be aware of this change.
that would typically be contained on a business card is considered public
and may be provided by itself or in bulk (i.e. complete employee list) to
anyone for any purpose. However, you can no longer request personal
information from an employee that does not directly relate to a particular
Human Resources or management function. For example, it is conceivable
that this legislation would bar the HR manager from asking if a potential
hire was a smoker during a job interview but would allow such a question for
a new hires health forms.
Copies of personal
information must be now tracked and controlled based on a ‘need-to-know’.
For instance if an accident report which briefly outlined an employee’s medical
condition, were to be sent to the HR, Legal, Payroll departments as well as
the Employee’s direct manager, the company would be responsible to account
for the whereabouts of all four copies of that report.
Access to personal
information must now be highly constrained. Because data may only be
collected for a specific business function, it flows that staff who do not
directly relate to that particular business requirement should be barred from
access. In the case of paper employee records, they must be stored in
a physically secure environment such as locked cabinets.
Client records are
more difficult to deal with as they are often stored in Customer Relations
Management (CRM) software which may not allow for partitioning of information.
For example, it may be that the courier desk staff only needs to access the
CRM system to confirm addresses and should therefore be restricted from viewing
The company is responsible
to ensure that all personal data has reasonable protection and this rule manifests
itself in several surprising ways. For example, several critics of the
legislation have pointed out that it would likely be against the law for a
manager to leave his/her network password on a ‘sticky note’ attached to his
computer monitor. Wireless networks with minimal access controls and
data encryption are also likely to be problematic under this new law.
‘Audit trails’ to track digital access to client or staff files stored on
a corporate network are likely to become mandatory.
This oft overlooked
issue is an important part of the new legislation. Personal data that
is no longer relevant to the approved task for which is was collected, must
be destroyed within a reasonable time period. Most companies maintain
employee records in perpetuity. This is now a breach of the law.
Depending on the jurisdiction, the staff records must be destroyed between
seven and ten years of the employee's exit from the company.
A much more difficult
issue here is what to do with performance evaluations of long term staff.
It is more than conceivable that a company which keeps a managers’ poor performance
review of an employee for greater than its relevant life (say 10 years) may
be contravening the law.
Customer files containing
personal information that somehow pertained to work produced many years previous
may need to also be destroyed.
The legislation does
not require destruction of personal data to be documented but without such
documentation the company may be exposed to legal action.
Clients and employees
have the right to request a copy of any and all information stored on them
by the company. Typically the company has 45 days to ‘action’ such a
request and generally must comply. Exceptions to this disclosure rule
include documents detailing the investigation of an employee for misconduct
and documents containing both personal client information and corporate trade
an obligation to ensure that the personal data they store is accurate.
Clients and employees have the right to request correction of factual information
stored by corporations. The key word here is ‘factual’. If an
employee asks that his/her birth date be corrected in the HR database, the
company must comply. However, if an employee disagrees with a manager’s
poor performance review, and requests it be changed, the company can safely
decline the request. It is still within the bounds of the law to create
a written opinion.
Companies must communicate
demand. This may be done verbally or in writing. Many companies
will choose to document their policies on corporate Intra/Internets.
Privacy policies should
include a section of the Communication Systems. Control and ownership of Email,
Instant Messenger Services, and Telephone communications systems should all
be explicitly defined. Most firms will want to formally state that all
inbound and outbound communications, regardless of method (i.e. MSN WebMail,
Instant Messenger, Outlook Mail, Corporate Cell phone, office phone), that
occur on company time, in company facilities, and/or using company equipment
is property of that corporation and as such subject to storage and inspection
by management without notice.
Often companies’ will
allow email may be used for personal purposes as long as it does not negatively
impact corporate effectiveness or employees job function. However, it
should be documented and communicated that there should be no expectation
of privacy in such communication.
The vast majority
of companies will also want to create a new management position to deal with
privacy issues. In small and mid-sized companies, the corporate Privacy
Officer will likely be a new role for an existing senior manager.