Canada: Canada’s New Privacy Laws—What Employers And Plan Sponsors Need To Know

This article was originally published in Blakes Bulletin on Pension & Benefits - January 2004

Federal and emerging provincial privacy laws on handling personal information will have a profound effect on employers, benefit plan administrators and sponsors. In fact, privacy procedures and policies should already be in place in your organization.

On January 1st, 2004, as almost every business owner and manager has likely heard, the final phase of Ottawa’s privacy legislation came into full force and now applies to all federally and provincially regulated private sector organizations.

While much attention has focused on how the federal privacy law will affect the general operations of organizations, less has been said about its impact on pension and benefit plans. It is vital for employers and plan sponsors to not only understand how the federal and provincial privacy laws may affect them, but also what they need to know and do now to be in compliance.

Since 2001, the federal government has phased-in legislation governing the collection, use and disclosure of personal information in the course of commercial activities. In its Personal Information Protection and Electronic Documents Act, "personal information" is defined as any information about an identifiable individual, but does not include the name, title, business address or telephone number of an employee of an organization.

The primary focus of the federal law is on personal information about customers or clients of organizations. For those operating a federal work, undertaking or business (such as banks), however, the law also applies to personal information about employees, as well as customers.

In any provinces where legislation is enacted that is "substantially similar" to the federal law, the provincial law dominates. That said, extra-provincial or inter-provincial collection, use or disclosure of personal information is still governed by federal law.

So far, Québec is the only province with private sector privacy legislation that is in force and "substantially similar" to the federal law. British Columbia and Alberta have enacted privacy laws effective January 1, 2004. The British Columbia and Alberta laws had not, however, as of the date of writing, been designated as substantially similar. Ontario recently introduced Bill 31, the Personal Health Information Protection Act, 2003 but, as yet, has not introduced comprehensive privacy legislation. The Québec, Alberta and British Columbia legislation all protect employee information.

To meet the requirement to be "substantially similar," any provincial privacy laws will likely be based on the following 10 principles set out in the federal law:

Accountability. Organizations are responsible for personal information in their possession or custody, even when transferred to a third party for processing. An organization must appoint someone to be accountable for compliance and must implement policies and practices giving effect to the 10 principles.

Identifying Purposes. Organizations must identify and document why personal information is needed at or before its collection. Any new purpose must be identified before use and proper consent obtained.

Consent. Knowledge and consent of the individual is required for collection, use or disclosure of personal information, except in limited circumstances. Reasonable expectations and the sensitivity of the information are relevant to issues of consent. Organizations cannot tie the provision of products or services to a requirement for consent, except to the extent required to fulfil explicitly specified and legitimate purposes. Finally, individuals may withdraw consent with limited exceptions and must be given an opportunity to opt out of non-essential uses and disclosures of personal information.

Limiting Collection. The amount and type of personal information collected must be limited to what is necessary to fulfil the stated purposes. Organizations cannot collect information indiscriminately or through deception.

Limiting Use, Disclosure and Retention. Use and disclosure of personal information is limited to the purposes for which it was collected, except as required by law or with the consent of the individual. Organizations will need retention guidelines and procedures. Personal information that is no longer needed should be destroyed, erased or made anonymous. Guidelines for the destruction of personal information are also required.

Accuracy. Personal information must be as accurate, complete and up-to-date as necessary for the purposes for which it is to be used. Note, however, the federal law does not allow for ongoing updating of personal information, unless necessary for the purposes for which the information was collected.

Safeguards. Organizations must have security safeguards appropriate to the nature and sensitivity of the personal information to protect against loss, theft and improper access, disclosure, copying, use or modification. This includes physical, organizational and technological protection measures.

Openness. Organizations must make policies and procedures easily available to anyone. This must include the name or title and contact information of the person in the organization accountable for privacy policies and to whom inquiries or complaints can be forwarded.

Individual Access. An individual is entitled to be informed, subject to limited exceptions, of the existence, use and disclosure of his or her personal information and given access to that information. Requests must be in writing and must be addressed by the organization within 30 days (in some cases, a 30-day extension may be allowed). Individuals may challenge the accuracy and completeness of information and require it be amended as appropriate.

Challenging Compliance. Individuals are also entitled to address a challenge concerning the organization’s compliance with these principles to the designated person(s) accountable for the organization’s compliance and to have their concerns addressed.

The impact of these principles on most organizations will be quite profound. Until now, the law of privacy in Canada has had limited scope. For example, in Ontario, a generally recognized tort of invasion of privacy has not emerged, although a few lower court decisions have recognized it in limited circumstances.

What You Need To Know and Do Now

Given the heightened interest in privacy, all employers and plan sponsors must deal with the impact of the federal law and any relevant provincial legislation. It is important to know, for example, that the federal law does not "grandfather" personal information collected before January 2004. Information collected in the past, present and future will be affected. To avoid liability, priorities and plan sponsors should, on an ongoing basis:

• Designate one or more individuals to be "accountable" for privacy compliance in all areas, including pensions and benefits.

• Conduct, and regularly update, an internal privacy audit, examining adherence to the 10 principles in your pension and benefits practices. Examine what personal information is collected and where it goes. If you are collecting more than is necessary for the pension and benefit program, you may have to redesign policies and documentation, such as enrolment forms.

• Prepare, and regularly review, a written privacy policy outlining information practices and how to access personal information. Ensure no punishment is applied to complainants or "whistle blowers."

• Conduct ongoing employee education about privacy and the need to maintain confidentiality of personal information.

• Identify the purpose for collection of information on your intake forms and restrict its use to the purposes for which it was provided.

• Review the types of consent needed for information collected, used and disclosed.

• Establish and monitor policies for minimum and maximum retention periods for personal information.

• Implement and monitor data safeguards and limit access to staff with a "need to know." Also, have service providers contractually agree to privacy standards.

• Establish and monitor a written complaint procedure that requires response within 30 days for requests for access.

• Conduct internal audits.

Privacy is a complex and emerging area. It is prudent for employers and plan sponsors to establish proper procedures and policies to satisfy the various rules. Privacy is now one more area of governance that requires due diligence and ongoing attention.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.