Prepared by Ian Matthews August 2003
Most companies have a general awareness of new Canadian privacy legislation but lack detailed information they can use to develop a compliance strategy. The purpose of this paper is to highlight some of the key items in the legislation so that companies can start developing that plan.
Federal legislation called Personal Information Protection and Electronic Documents Act (PIPEDA) becomes applicable to all Canadian corporations on January 1, 2004. The Provinces are allowed to create overriding legislation as long as the Federal Government approves. Alberta, like most provinces, has taken advantage of this opportunity. A draft copy of the Personal Information Protection Act (PIPA), which is expected to become Alberta law in September 2003, has been submitted to the Federal Government for consideration.
The largest difference between PIPEDA and PIPA is the effective start date of regulation. Alberta’s PIPA has a ‘grandfather clause’ allowing companies to maintain all existing personal data under the old rules, while the Federal PIPEDA requires an action plan to be developed to bring old data into compliance with the new legislation.
Most of the Provincial legislation is very similar to the Federal statute. The balance of this document will provide an insight into the key areas of:
- Non Compliance Penalties
- Data Collection & Dissemination
- Control Mechanisms
- Data Destruction
- Data Disclosure
- Additional Resources
The term “client” is used in this document to refer to all external stakeholders, be they potential or current customers, contractors, shareholders…
Non Compliance Penalties:
Currently most Provincial legislation, including Alberta’s PIPA, mandates serious penalties for breaching the new privacy laws:
- a quasi-judicial order to rectify the situation
- a ‘negative’ press release
- substantial fines, to be used for repeated or grievous offences
In Alberta fines for individual employees can be $10,000 and fines for corporations can be $100,000. More importantly, it is expected that this legislation will be cited in individual and corporate lawsuits in which damage settlements could be quite high.
The PIPEDA legislation grants the Federal Privacy Commissioner little more than the right to request that companies make changes and to create ‘negative’ press releases.
Data Collection & Dissemination:
Personal information relating to clients, potential clients, and employees may only be collected for a previously approved or obvious business use. For example, you may collect the names, addresses, and personal preferences of your clients if that information allows you to complete a task requested by the client. However, you may not sell or transmit that data to other companies without prior client approval. Although it was perhaps poor business etiquette in the past, it will soon be illegal to inform one client of other clients’ ‘buying patterns’. All sales staff need to be aware of this change.
Employee information that would typically be contained on a business card is considered public and may be provided by itself or in bulk (i.e. a complete employee list) to anyone for any purpose. However, you can no longer request personal information from an employee that does not directly relate to a particular Human Resources or management function. For example, it is conceivable that this legislation would bar the HR manager from asking whether a potential hire was a smoker during a job interview, but would allow such a question on a new hire’s health forms.
Control Mechanisms:
Copies of personal information must now be tracked and controlled on a ‘need-to-know’ basis. For instance, if an accident report which briefly outlined an employee’s medical condition were to be sent to the HR, Legal and Payroll departments as well as the employee’s direct manager, the company would be responsible for accounting for the whereabouts of all four copies of that report.
Access to personal information must now be highly constrained. Because data may only be collected for a specific business function, it follows that staff whose duties do not directly relate to that particular business requirement should be barred from access. In the case of paper employee records, they must be stored in a physically secure environment such as locked cabinets.
Client records are more difficult to deal with as they are often stored in Customer Relationship Management (CRM) software which may not allow for partitioning of information. For example, it may be that the courier desk staff only need to access the CRM system to confirm addresses and should therefore be restricted from viewing clients’ histories.
The company is responsible for ensuring that all personal data has reasonable protection, and this rule manifests itself in several surprising ways. For example, several critics of the legislation have pointed out that it would likely be against the law for a manager to leave his/her network password on a ‘sticky note’ attached to his computer monitor. Wireless networks with minimal access controls and data encryption are also likely to be problematic under this new law. ‘Audit trails’ to track digital access to client or staff files stored on a corporate network are likely to become mandatory.
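The partitioning and audit trail described above can be modelled in a few lines. The following is an added illustration, not code from the paper or from any CRM product: it assumes a constructed field-level policy (which roles may read which fields of a client or employee file), a tiny in-memory store with constructed sample records, and an audit log that records every read attempt, allowed or denied, so that the ‘whereabouts’ question for a given file can be answered afterwards.

```python
"""Need-to-know, field-level access with an audit trail (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: which fields of each record type a role may read.
# The courier desk confirms addresses only; account managers also see purchase
# history; medical notes on an employee file are visible to HR alone.
FIELD_POLICY = {
    "client": {
        "courier_desk": {"name", "address"},
        "account_manager": {"name", "address", "history"},
    },
    "employee": {
        "hr": {"name", "address", "medical"},
        "payroll": {"name", "address", "bank"},
        "manager": {"name"},
    },
}


@dataclass
class AuditEvent:
    when: str
    actor: str
    role: str
    record_type: str
    record_id: str
    fields: tuple
    allowed: bool


@dataclass
class PersonalDataStore:
    records: dict                       # {(record_type, record_id): {field: value}}
    audit_log: list = field(default_factory=list)

    def read(self, actor, role, record_type, record_id, fields):
        """Return only the requested fields; log every attempt, then enforce the policy."""
        permitted = FIELD_POLICY.get(record_type, {}).get(role, set())
        requested = tuple(fields)
        allowed = set(requested) <= permitted
        self.audit_log.append(AuditEvent(
            when=datetime.now(timezone.utc).isoformat(),
            actor=actor, role=role, record_type=record_type,
            record_id=record_id, fields=requested, allowed=allowed))
        if not allowed:
            raise PermissionError(
                f"{role} may not read {sorted(set(requested) - permitted)} on {record_type}")
        record = self.records[(record_type, record_id)]
        return {f: record[f] for f in requested}

    def accesses_to(self, record_type, record_id):
        """Every attempt made against one file: the 'whereabouts' question for that file."""
        return [e for e in self.audit_log
                if (e.record_type, e.record_id) == (record_type, record_id)]


# Constructed sample records (hypothetical people and identifiers).
STORE = PersonalDataStore(records={
    ("client", "C-100"): {"name": "A. Client", "address": "1 Example St",
                          "history": ["widget", "gadget"]},
    ("employee", "E-7"): {"name": "B. Staff", "address": "2 Example Ave",
                          "medical": "accident report, May 2003", "bank": "***"},
})


def courier_confirms_address():
    """Permitted: the courier desk needs the address to do its job."""
    return STORE.read("pat", "courier_desk", "client", "C-100", ["address"])


def attempt(actor, role, record_type, record_id, fields):
    """Return 'allowed' or 'denied' for a read attempt, leaving the audit entry behind."""
    try:
        STORE.read(actor, role, record_type, record_id, fields)
        return "allowed"
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    print(courier_confirms_address())
    print(attempt("pat", "courier_desk", "client", "C-100", ["history"]))
    print(attempt("lee", "manager", "employee", "E-7", ["medical"]))
    for event in STORE.accesses_to("client", "C-100"):
        print(event)
```

The policy check runs after the audit entry is written, so a denied attempt is recorded too; a log that only shows successful reads cannot answer who tried to open a file they had no business reading.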
Data Destruction:
This oft-overlooked issue is an important part of the new legislation. Personal data that is no longer relevant to the approved task for which it was collected must be destroyed within a reasonable time period. Most companies maintain employee records in perpetuity. This is now a breach of the law. Depending on the jurisdiction, staff records must be destroyed between seven and ten years after the employee’s exit from the company.
A much more difficult issue here is what to do with performance evaluations of long-term staff. It is more than conceivable that a company which keeps a manager’s poor performance review of an employee for longer than its relevant life (say 10 years) may be contravening the law.
Customer files containing personal information that pertains to work produced many years previously may also need to be destroyed.
The legislation does not require destruction of personal data to be documented but without such documentation the company may be exposed to legal action.
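One way to operationalise the retention rule and the documentation point together, as an added example that is not part of the paper: compute a destroy-by date for each record from its exit date and the retention period that applies (the paper gives a seven-to-ten-year range depending on jurisdiction; the period is a parameter here, and the sample records, dates and identifiers are constructed), list what is overdue, and record the destruction as a certificate that keeps a hash of the destroyed content rather than the content itself, so the evidence of destruction does not become another copy of the personal data.

```python
"""Retention schedule and documented destruction (constructed example)."""
from datetime import date
import hashlib
import json


def destroy_by(exit_date, retention_years):
    """Date by which a record must be destroyed: exit date plus the retention period."""
    try:
        return exit_date.replace(year=exit_date.year + retention_years)
    except ValueError:                       # exit on 29 February, target year not a leap year
        return exit_date.replace(year=exit_date.year + retention_years, day=28)


def overdue_records(records, today, retention_years):
    """Records whose destroy-by date has already passed as of `today`."""
    return [r for r in records if destroy_by(r["exit_date"], retention_years) <= today]


def destruction_certificate(record, destroyed_on, authorised_by):
    """Evidence that a record was destroyed, without retaining the record.

    Only a SHA-256 fingerprint of the serialised record is kept, together with
    who authorised the destruction and when; the personal data itself is not copied.
    """
    serialised = json.dumps(record, sort_keys=True, default=str).encode("utf-8")
    return {
        "record_id": record["id"],
        "destroyed_on": destroyed_on.isoformat(),
        "authorised_by": authorised_by,
        "content_sha256": hashlib.sha256(serialised).hexdigest(),
    }


# Constructed employee exit records (hypothetical identifiers and dates).
EMPLOYEE_FILES = [
    {"id": "E-1", "name": "C. Former", "exit_date": date(1995, 3, 1),
     "notes": "performance review 1994"},
    {"id": "E-2", "name": "D. Former", "exit_date": date(2000, 1, 15),
     "notes": "exit interview"},
    {"id": "E-3", "name": "F. Former", "exit_date": date(1996, 2, 29),
     "notes": "accident report"},
]


def run_schedule(today=date(2003, 8, 1), retention_years=7, authorised_by="Privacy Officer"):
    """Destroy what is overdue and return (ids destroyed, certificates, ids retained)."""
    due = overdue_records(EMPLOYEE_FILES, today, retention_years)
    certificates = [destruction_certificate(r, today, authorised_by) for r in due]
    retained = [r["id"] for r in EMPLOYEE_FILES if r not in due]
    return [r["id"] for r in due], certificates, retained


if __name__ == "__main__":
    destroyed, certs, kept = run_schedule()
    print("destroyed:", destroyed, "retained:", kept)
    for cert in certs:
        print(cert)
```

With a seven-year period and a review date of 1 August 2003, the 1995 and 1996 exits are overdue and the 2000 exit is kept; changing the period to ten years keeps all three, which is the difference between jurisdictions the paper points to.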
Data Disclosure:
Clients and employees have the right to request a copy of any and all information stored on them by the company. Typically the company has 45 days to ‘action’ such a request and generally must comply. Exceptions to this disclosure rule include documents detailing the investigation of an employee for misconduct and documents containing both personal client information and corporate trade secrets.
Corporations have an obligation to ensure that the personal data they store is accurate. Clients and employees have the right to request correction of factual information stored by corporations. The key word here is ‘factual’. If an employee asks that his/her birth date be corrected in the HR database, the company must comply. However, if an employee disagrees with a manager’s poor performance review, and requests it be changed, the company can safely decline the request. It is still within the bounds of the law to create a written opinion.
Privacy policies should include a section on communication systems. Control and ownership of email, instant messenger services, and telephone communication systems should all be explicitly defined. Most firms will want to formally state that all inbound and outbound communications, regardless of method (i.e. MSN WebMail, Instant Messenger, Outlook Mail, corporate cell phone, office phone), that occur on company time, in company facilities, and/or using company equipment are the property of that corporation and as such subject to storage and inspection by management without notice.
Often companies will allow email to be used for personal purposes as long as it does not negatively impact corporate effectiveness or the employee’s job function. However, it should be documented and communicated that there should be no expectation of privacy in such communication.
The vast majority of companies will also want to create a new management position to deal with privacy issues. In small and mid-sized companies, the corporate Privacy Officer will likely be a new role for an existing senior manager.
Additional Resources:
- Canadian Privacy Commissioner PIPEDA Site
- ITWorld Brief PIPEDA Article
- Nymity PIPEDA Consulting
- Canadian Association of Petroleum Producers Event – Will be repeated in the fall of 2003
- PIPEDA Policy Handbook for the Insurance Industry