Personal Information Protection and Electronic Documents Act: Are You in Compliance?

by Leanne E. Standryk

In this article, Leanne E. Standryk delves into the specifics of the Personal Information Protection and Electronic Documents Act (PIPEDA) and examines legislative compliance requirements. Readers who have a general familiarity with PIPEDA will find this article particularly valuable.

Collection, use and retention of information about employees, as well as the exchange and disclosure of such information to third parties, such as benefit and pension administrators, trade unions and government agencies, is necessary for the effective functioning of the workplace relationship. Employers require certain information from their employees regarding work history, education and training, personal contact information and in some cases, a criminal record or credit check. In addition to acquiring certain data from employees, employers generate information about their employees through the creation of employee identification numbers, income information and evaluative information such as performance appraisals and disciplinary information.

Privacy legislation imposes additional rights, obligation and liabilities. The objective of privacy legislation is to strike a balance between an individual’s right to privacy and the organization’s need to collect, use and/or disclose that information for legitimate purposes. It regulates how information is collected, used and disclosed and corresponding obligations with respect to the management, retention/storage and destruction of that information.

Public sector organizations, at both the federal and provincial levels, have been subject to privacy legislation for over a decade. However, in January 2001, the landscape of privacy law forever changed. The Federal Government enacted private sector privacy legislation entitled the Personal Information Protection and Electronic Documents Act (S.C. 2000, C-5, as amended, S.C. 2001, c-41) (hereinafter referred to as “PIPEDA” or the “Act”). PIPEDA codifies the principles of international data protection standards and voluntary privacy codes, including the Canadian Standards Association’s Model Code for the Protection of Personal Information. These standards and codes have been developed to regulate personal information management practices and address the relaxed manner in which personal information can be accessed, transferred, exchanged, and manipulated given the sophistication of current technology.

Part I of PIPEDA applies to federally regulated organizations in respect of personal information that the organizations collect, use or disclose in the course of commercial activities and to which the federal public sector Privacy Act does not apply. The legislation specifically applies to every organization in respect of personal information that “is about an employee of the organization and that the organization collects, uses, or discloses in connection with the operation of a federal work, undertaking or business” (s.4(1)(b)). PIPEDA expressly references trade unions in the definition of organization, thus requiring trade unions to comply with the Act both as employers and vis-à-vis the handling of their members’ personal information.

As of January 1, 2004 PIPEDA applies to all commercial activities involving personal information within Canada except in provinces that have enacted legislation that is substantially similar to the Act. Ontario’s Ministry of Consumer and Business Services had circulated a draft private sector privacy bill for consultation purposes in March 2002, but the draft bill never made it to first reading. Rumour has it that the criticisms of the draft bill were so numerous and complex that the Tories decided to shelve the project altogether after putting the bill through dozens of revisions. With the new Liberal government in power in Ontario, private sector privacy legislation is likely to appear at some point, but it is unlikely to be a priority in the short term. If and when this happens, it is expected that organizations will be given a reasonable transition period to prepare for compliance. For now, PIPEDA applies to every organization in Ontario that collects, uses or discloses personal information in the course of a commercial activity.

The Act contains no exception or exemption from any of its terms for organizations that are small businesses or organizations that are carried on by an individual, family, or other small group, which happens to collect, use, or disclose personal information in the course of a commercial activity. For example, a small variety store may collect and use such information about its customers in connection with the rental of videos. For these small businesses, it will be a particular challenge to understand and apply the requirements of the Act, some of which are clearly designed for large organizations. Indeed, the requirements of the Act are so extensive that, as a practical matter, many small businesses with the best intentions will not have the personnel and information management capacity to comply.

Purpose of the Act

The purpose of the Act is to provide individuals with a right to privacy concerning their “personal information”. The basic principle at the core of this right to privacy is that personal information should not be collected, used or disclosed without the prior knowledge and consent of the individual concerned, subject to the limited exceptions in the Act. The purpose of the Act is set out in Part I of the legislation and states: …to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

Application of the Act

The Act governs “organizations”, a term that includes persons, associations, partnerships and trade unions. The term “persons” in turn includes corporations as well as individuals.

Commercial Activity

As previously stated, the Act applies to those organizations in respect of personal information they collect, use or disclose “in the course of commercial activities”. Commercial activity is broadly defined as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists” (s.2(1)). Although Not-for-Profit or charitable entities are considered non-commercial because they primarily carry on a charitable endeavor, they remain subject to the Act in respect of any of their activities that in isolation, could be characterized as commercial.

Scope of Application

PIPEDA will not apply to the collection, use or disclosure of “employee personal information” in the provincial private sector. The reason for this is that Part 1, section 4 provides that the Act only applies “in respect of personal information that…is about an employee of the organization…in connection with the operation of a federal work, undertaking or business.” This does not mean that there is no such thing as private sector employee privacy regulation in Ontario. Ontario employee privacy rights are protected in various ways, sometimes explicitly and sometimes by implication, under the Occupational Health and Safety Act, the Workplace Safety and Insurance Act and the Human Rights Code.

Organizations Exempt from the Application of the Act

The Act has no application to government institutions that are subject to the Privacy Act (Canada).[1] The rationale for the exemption is that those institutions are part of the federal public sector which already provides a regime for the collection, use and disclosure of personal information. There is no similar exception to the provincial equivalent or municipal government institutions that are subject to the provisions equivalent of the Privacy Act, namely, the privacy part of the provincial freedom of information and protection of privacy legislation. However, provincial and municipal organizations do not typically deal with personal information in the course of commercial activities, which is the limiting factor in the application of the Act.

Federal and provincial Crown agents are exempt from the Act because the Act does not mention or refer to the Crown as being bound by its provisions. However, the Act can be made binding upon any federal Crown agent not already subject to the Privacy Act by order of cabinet. For example, the Canadian Broadcasting Corporation and the Enterprise Energy of Canada are bound by the Act as a result of such an order.

There is no authority to make the Act binding on a provincial Crown agent. Thus, even if such an entity carries on a commercial activity, it is not and cannot as yet be made subject to the provisions of the Act.

The Act contains a further exception for individuals in respect of personal information they collect, use or disclose for personal or domestic purposes only. The collection, use or disclosure of such information is unlikely to be in the course of a commercial activity and, therefore, would be outside the scope of the Act.

Finally, the Act contains an express exemption for organizations in respect of personal information they collect, use, or disclose for journalistic, artistic, or literary purposes only. Its inclusion in the Act was most likely motivated by a concern that its requirements would restrict the activities of journalists, writers and pose a risk that would infringe the freedom of expression, freedom of press, etc., guaranteed by section 2(b) of the Canadian Charter of Rights and Freedoms.[2]

Information to which the Act applies

The Act applies in respect of “personal information” which is defined to mean “information about an identifiable individual”. The Act makes it clear that the term does not include the name, title, business address, or telephone number of an employee of an organization. These exceptions suggest that other similar types of employee information that are not specified by way of exception may well be personal for the purposes of the Act, such as an employee’s e-mail address and fax number.

Personal information identifiers may include the following:

(a) age, ID numbers, health card numbers, SIN; (b) opinions, evaluations including performance evaluations, comments, disciplinary records, criminal records; (c) employee files, credit reports, medical records, stated intentions to change jobs; (d) videotape, machine-readable record, sound recordings, photographs; (e) home contact information; (f) insurance benefit coverage; (g) marital status; (h) opinions expressed; and (i) website cookies, etc.

Of note, is that the information must relate to an “identifiable individual”. Arguably the information must therefore relate to a human being rather than a legal entity such as a corporation. It need not precisely identify the individual to be personal information; it is enough that a particular individual could be identified by considering the information in question along with other information that is well known or reasonably available.

Publicly Available Information

Protection of the Act is not confined to confidential or non-public information of a personal nature. The restrictions that the Act imposes can be removed in respect of information from public sources that are specified by regulation. Public sources of personal information include municipal tax rolls, telephone directories, land registry records, court records, etc. These sources are often used to assist in marketing campaigns, preparation of consumer or credit reports and private investigations. Organizations may continue to take advantage of these sources of personal information only if the sources are specified by regulation under the Act. A regulation has been adopted by the Act specifying five public sources from which an organization my collect, use or disclose personal information without the knowledge or consent of the individual(s) to whom it relates, namely, directories of telephone subscribers, professional and business directories, registries for which information is collected under statutory authority, records and documents of judicial or quasi-judicial bodies and publications such as magazines, books and newspapers. In every case, the source must be available to the public. For each source there are additional requirements for qualification under the regulation and one should have reference to the applicable legislation provisions.

Information Collected prior to the January 1, 2004

The Act applies in respect of personal information collected prior to the application of the Act. The information must be dealt with in accordance with the provisions of the Act. If the information is to be used or disclosed for the purpose to which the affected individual did not consent when it was originally collected, the Act requires the organization to obtain a current consent to the proposed use or disclosure.

Key Terms: Collection, Use and Disclosure

Collection

To collect means to come into possession of personal information regardless of the sources. The personal information need not originate with or be directly collected from the individual. Therefore, personal identifiers even when created/generated by the organization are still considered personal information. For example, if an employer creates an employee personnel folder containing information such as the employer created employee I.D. as well as performance appraisals, records of discipline, the maintenance or “keeping track” of such matters constitutes “collecting”. Where an employer uses video surveillance to monitor the workplace, the monitoring would constitute collection of personal information.

Use

Use covers whatever an organization does with the personal information collected. Examples of use include making use of personal information in decision making and in the ordinary course of human resource administration (i.e. hiring process, using employee’s date of birth to determine retirement date).

Disclosure

Communications of information between individuals within an organization may form a part of its use by that organization; however, communication to anyone outside the organization is disclosure.

Consider communication to affiliated companies: the communication falls outside the organization and therefore may constitute disclosure.

Limitations on the Collection, Use and Disclosure of Personal Information

The Act requires in most cases, consent to collect, use or disclose personal information. The purposes for which personal information is collected, used or disclosed must be identified and documented by the organization and disclosed to the individual prior to the collection of the information. This means that the organization must itself know before it collects personal information, why it is doing so. Identify all primary and secondary purposes.

If a new purpose is identified after information is collected, a fresh consent is required before using the information for this new purpose.

Despite having an individual’s consent to collect, use or disclose personal information, PIPEDA contains a blanket limitation on the purposes for which an organization can engage in personal information activities. An organization may collect, use or disclose personal information only for the purposes that a reasonable person would consider appropriate in the circumstances. What is reasonable depends on the circumstances.

Meaning of Knowledge and Consent

Subject to certain exceptions set out in the Act, knowledge and consent of the individual to whom the information relates is a prerequisite to an organization’s entitlement to collect, use or disclose that information. PIPEDA requires that the consent be informed, meaning that the individual giving consent has full knowledge about the scope of the consent given and the purpose for which the information will be used. The legislation contemplates both express and implied consent. However, organizations handling sensitive personal information such as health or financial information will be held to a higher standard under the Act and, consequently, should obtain express consent from the individual to whom the information pertains before handling it.

Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual, the purpose for the collection is reasonably obvious to the individual, or it would be reasonable to expect that the individual would consent to the collection, use or disclosure. For example, when an individual subscribes to a magazine, it can usually be taken to carry the implication that the individual consents to his or her name and address being used for mailing and billing purposes and for the purpose of soliciting a renewal, the reasonable expectations of the individual being relevant in determining when consent can be assumed.

Limitation on the Consent Requirement

Organizations are prohibited from requiring as a condition of supplying product or service that an individual consent to the collection, use, or disclosure of personal information that goes beyond what is necessary to fill any specified or legitimate purpose.

Obligation to Advise Individuals about the Existence, Use and Disclosure of Information

Organizations are required to advise an individual upon request as to whether they hold personal information about that individual. Although not obliged to do so, organizations are encouraged to indicate the source of the information in their response. If the source of the information is a third party who is an individual, the identity of that source is likely personal information, in which case the organization should not disclose the source except as permitted by the provisions of the Act.

Organizations must tell an individual what they have done with the personal information. Upon request, the organization is required to provide an account of:

(a) the use it has made or is making of the individual’s personal information; and (b) the third parties to which the organization has disclosed the individual’s personal information.

If the organization cannot provide a specific account of those entities, it must provide a list of entities to which the information may have been disclosed[3].

Timing of the Response

The Act requires the organization respond to the request within 30 days of receiving it. The organization may, however, extend this time limit by an amount of time not exceeding 30 days if:

(a) meeting the time limit would unreasonably interfere with the activities of the organization; or (b) the time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet.

The time limit may also be extended for the period that is necessary for the purpose of converting the personal information into an alternative format. Where the organization extends the time limit, it must within 30 days of the request send a notice of extension to the requester, advising them of the new time limit, the reason for the extension and the right to make a complaint to the Privacy Commissioner about the extension.

Where the organization fails to respond within the applicable time frame, the organization is deemed to have refused the request.

Grounds for Refusing Access

There are several situations in which the organization either must or may refuse to give the requester access to personal information about him or her that is held by the organization. An organization must deny access where:

1. the access would reveal personal information about a third party;
2. information has been given to a government institution without the knowledge or consent of the individual to whom it relates, in the interests of enforcing the law, carrying out an investigation, responding to a judicial or quasi-judicial process, protecting national security, acting in the defence of Canada, etc.[4]

PIPEDA also permits the organization to refuse to grant access in some situations, but the organization can nevertheless exercise its discretion to disclose. The organization may deny access where the information:

1. is protected by solicitor-client privilege;
2. would reveal confidential commercial information;
3. could reasonably be expected to threaten the life or security of another individual;
4. was collected without the person’s knowledge or consent for law enforcement purposes; or
5. was generated in the course of a formal dispute resolution process.

These discretionary exceptions, along with the mandatory refusals, do not apply where the requester needs the information because an individual’s life health or security is threatened.

Other grounds for refusing access involve situations where PIPEDA does not apply in the circumstances. For example, the request may be denied where:

1. the organization did not collect the information in the course of commercial activities;
2. the holder of the information is an individual who collects, uses or discloses the information exclusively for personal or domestic purposes; and
3. the organization that holds the information collects, uses or discloses it exclusively for journalistic, artistic or literary purposes.

The Privacy Commission maintains that an organization may not refuse access on the following grounds:

1. the high cost of granting access;
2. the fact that the requester may obtain the information elsewhere;
3. the requester would have difficulty understanding the information; and
4. the information would be difficult to extract.

Access and Correction Rights

An organization that holds personal information must amend that information if the individual to whom it relates successfully demonstrates that it is inaccurate or incomplete. The amendment may entail correcting or deleting the information, or adding information to it. The organization may be required to transmit the amended information to third parties who have had access to the original information, where appropriate.

Obligations under PIPEDA

The Act requires organizations to follow a number of other practices in respect of the personal information they hold. Part I of the Act establishes specific rules for the management of personal information by organizations. These rules are essentially the “fair information principles” of the Canadian Standards Association Model Code for the Protection of Personal Information which is incorporated into PIPEDA as Schedule 1 of the Act. Schedule 1 requires organizations, including trade unions to, among other things, do the following:

1. Be responsible for all personal information under their control and implement practices and procedures to protect personal information, including designating an individual or group to be accountable for the organization’s compliance with the legislation;
2. Identify the purposes for which personal information will be collected, used or disclosed at or before the time of collection;
3. Limit the collection, use and disclosure of personal information to that which is necessary to meet the stated purpose;
4. Obtain fresh consent before using personal information for additional or secondary purposes;
5. Retain personal information only as necessary or required (i.e. by law) and establish both minimum and maximum retention personal information retention periods;
6. Retain information used to make a decision about an individual for a sufficient period to allow that person access to this information;
7. Delete, destroy or make anonymous personal information no longer required to fulfill its purpose;
8. Ensure personal information is accurate, complete and up-to-date;
9. Protect personal information with security safeguards appropriate to the sensitivity of the information;
10. Be open about information management policies, which involve implementing and informing employees of policies and procedures relating to the management of personal information as well as tracking uses and disclosures;
11. Respond to employee’s access and correction requests in a timely and appropriate manner; and
12. Establish internal complaint procedures, investigate complaints and correct or amend any personal information that is inaccurate or incomplete.

Offences

PIPEDA contains offence provisions for:

(a) employers who carry out reprisals against employees who take actions under the legislation in good faith; (b) individuals who fail to retain information subject to an access request as required; and; (c) individuals who obstruct the Privacy Commissioner or his delegate in the investigating a complaint or conducting an audit

If the organization fails to meet its obligations under PIPEDA, it could face having to respond to complaints initiated by individuals or filed by the Commissioner. Under the Act, the Commissioner has been given broad powers which include the power to investigate and conduct audits of organizations’ personal information management practices. While the Commissioner’s decision-making authority is restricted to making recommendations where he finds violations of the provisions of the Act, either a Complainant or the Commissioner may apply to the Federal court for an order that the organization change its practices that violate the Act and/or an award of damages for harm suffered as a result of the organization’s breach, including damages for humiliation. Further organizations may face the imposition of fines ranging from $10,000.00 to $100,000.00 if convicted of committing an offence under PIPEDA.

SUMMARY AND CONCLUSIONS

The new privacy regime clearly requires the development and implementation of policies and procedures to achieve and maintain compliance with the new privacy legislation. Organizations should undertake a coherent, step-by-step process to assess their current information collection activities to determine what will be required to make them compliant and to develop policies and procedures to address compliancy issues.

The personal information collected from consumers/clients and employees should be treated as an asset. Good privacy is good business and fosters customer/client and employee confidence.

We invite you to contact us to discuss any questions or concerns you might have regarding the application and/or impact of PIPEDA on your organization.

[1] R.S.C. 1985, c. P-21, as am. [2] Part I of the Constitution Act, 1982, being Schedule B to the Canada Act 1982 (U.K.), 1982, c.11. [3] Note that where information has been disclosed to a government institution, the organization may have to follow a third party notice procedure that enables the government institution to object. [4] If that is the case, the organization must not disclose its personal information without following the mandatory third party notice procedure set out in the Act.