by Leanne E. Standryk
Written by Leanne E. Standryk, this article canvasses the Personal Information Protection and Electronic Documents Act (PIPEDA), which was brought into force in Ontario effective January 1, 2004. Readers will learn about the content and purpose behind PIPEDA and how to adapt to the legislative requirements imposed by this important new law.
The Federal Personal Information Protection and Electronic Documents Act (PIPEDA) has applied to federally regulated and inter-provincial businesses since 2001. January 1, 2004 is the date on which PIPEDA will apply to the provincially regulated private sector in provinces that have not enacted substantially similar legislation.
PIPEDA will apply to each organization that collects, uses or discloses personal information in the course of a commercial activity. At this early stage there is little judicial guidance regarding the interpretation and application of the Act and as such, the full scope of “personal information” and “commercial activities” has not been determined.
This article will highlight the key principles, applications and organizational obligations established by PIPEDA. Its aim is to provide organizations with general information for consideration in preparing for the changing landscape of Ontario privacy regulation.
Purpose of the Act
The purpose of PIPEDA is set out in Part I of the Act and states:
…to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
Key Terms and Definitions
“Personal Information” is the key to understanding what PIPEDA requires, because the Act only applies to personal information. Personal Information is defined as “information about an identifiable individual”. The definition is exceptionally broad; however, it excludes the name, the title, the business address and the business phone number of an employee of an organization. The inclusion of the word “business” is clearly intended to modify both “address” and “telephone number”.
Examples of personal information identifiers include the following:
- Name, age, health card numbers, SIN
- Home contact information
- Identification numbers (SIN, health card, credit card)
- Insurance benefit coverage
- Ethnic/Country of Origin
- Marital status
- Social status
- Opinions expressed, performance evaluations, disciplinary record
- Website cookies, videotape, sound recordings, etc.
PIPEDA will not apply to the collection, use or disclosure of “employee personal information” in the provincial private sector. The reason for this is that Part 1 s. 4 provides that the Act only applies “in respect of personal information that…is about an employee of the organization…in connection with the operation of a federal work, undertaking or business.” This is not to say that an employer is under no obligation to protect employee privacy. Employee privacy interests are currently protected by various provisions under the Occupational Health and Safety Act, the Workplace Safety and Insurance Act, the Human Rights Code and privacy rights developed through the Courts.
To collect means to come into possession of personal information regardless of the source. The personal information need not originate with or be directly collected from the individual. Therefore, personal identifiers, even when created or generated by the organization, are still considered personal information. For example, if an employer creates an employee personnel folder containing information such as an employer-created employee I.D. as well as performance appraisals and records of discipline, the maintenance or “keeping track” of such matters constitutes “collecting”. Where an employer uses video surveillance to monitor the workplace, the monitoring would constitute collection of personal information.
Use covers whatever an organization does with the personal information collected. Examples of use include making use of personal information in decision making and in the ordinary course of human resource administration (e.g. the hiring process, or using an employee’s date of birth to determine a retirement date).
Communication of information between individuals within an organization may form a part of its use by that organization; however, communication to anyone outside the organization is disclosure.
Consider communication to affiliated companies. Such communication falls outside the organization and therefore constitutes “disclosure”.
Appropriate Purposes Limitation
The Act requires, in most cases, consent to collect, use or disclose personal information. The purposes for which personal information is collected, used or disclosed must be identified and documented by the organization and disclosed to the individual prior to the collection of the information. This means that the organization must itself know, before it collects personal information, why it is doing so. Identify all primary and secondary purposes.
If a new purpose is identified after information is collected, a fresh consent is required before using the information for this new purpose.
Despite having an individual’s consent to collect, use or disclose personal information, PIPEDA contains a blanket limitation on the purposes for which an organization can engage in personal information activities. An organization may collect, use or disclose personal information only for the purposes that a reasonable person would consider appropriate in the circumstances. What is reasonable depends on the circumstances.
Consider the following guidelines regarding personal information protection:
- Obtain the consent of the individual in order to collect, use or disclose personal information about the individual;
- The organization may make whatever collection, use, or disclosure of such information is covered by the consent;
- The organization cannot collect, use or disclose personal information that a “reasonable person” would not consider “appropriate in the circumstances.”
PIPEDA establishes very specific rules regarding the management of personal information and requires organizations, including trade unions, to perform very specific tasks. The following summarizes the tasks, “privacy principles”, required of an organization in preparing and complying with PIPEDA.
- Be responsible for personal information under their control and develop procedures to protect personal information including the designation of an individual(s) within the organization to be accountable for compliance with the legislation.
- Identify the purposes for which personal information is collected, used or disclosed at or before the time of collection.
- Obtain the informed consent of the individual before using personal information. Obtain a fresh consent when information is to be used for a new or secondary purpose not previously disclosed to the individual.
- Limit the collection of personal information to that which is necessary for the purposes identified by the organization. Information is to be collected by fair and lawful means.
- Retain personal information only as necessary or required to fulfill the stated purpose(s) for collection. Establish minimum and maximum retention periods.
- Ensure personal information is accurate, complete and up-to-date.
- Protect personal information by security safeguards appropriate to the sensitivity of the information collected.
- Be open about information management policies and practices. This involves implementing and informing employees of policies and procedures relating to the management of personal information as well as tracking uses and disclosures.
- Promptly respond to an employee’s request to correct and/or access personal information in an appropriate manner.
- Be open about the circumstances under which you may refuse access to information.
- Establish an internal complaint and investigation procedure.
- Establish a retention and destruction policy. Destruction of information must be done in a secure fashion, which typically involves shredding paper, deleting electronic information and physically destroying any computer hard drives or electronic data storage devices when they are discarded.
PIPEDA is governed by the Privacy Commissioner. An individual may file a complaint about non-compliance or the Commissioner may audit the privacy practices of an employer.
Where a person commits an offence under the Act, such as destroying personal information, retaliating against a whistle-blowing employee or obstructing the investigation of a complaint, s/he may face a monetary fine up to $10,000.00 on summary conviction or up to $100,000.00 for an indictable offence.
Getting Ready for PIPEDA
Employers should review the extent to which PIPEDA will apply to their operations. If you have any questions or concerns regarding the application of PIPEDA to your organization, consult legal counsel.
PIPEDA will impose significant obligations on all organizations engaged in “commercial activities”. At a minimum, employers should:
- appoint a privacy officer to perform an audit of the current policies;
- identify the various purposes for the collection, use and disclosure of personal information; and
- develop further policies and procedures governing the management of personal information in compliance with the privacy principles outlined in the Act.
We invite you to contact us to discuss any questions or concerns you might have regarding the application and/or impact of PIPEDA on your organization.