By Shelley Boyes
Personal & Private
Canada’s patchwork of laws protecting the privacy of personal information is growing more intricate every year. By this fall, for example, many employers in Ontario will face the prospect of meeting the most stringent obligations in North America when it comes to the collection, use and disclosure of employees’ personal information.
Ontario’s new law, as proposed, will affect employment policies and the administration of pension and benefit plans. It will also give employees access on demand to almost every bit of information in files maintained by their employers or those of third-party suppliers such as group insurance companies. In addition, employees will be able to file complaints about misuse of their personal information to Ontario’s Privacy Commissioner and seek damages for any harm done to their career or reputation as a result of a breach of privacy.
Of course, Canadians have enjoyed some basic rights to privacy since 1982 under the Charter of Rights and Freedoms. Ottawa also enacted the Privacy Act in 1983, which governed the use of personal information by federal departments and agencies. Then, throughout the early 1990s, most provinces enacted some kind of legislation covering freedom of (i.e. access to) information and privacy, but these laws largely governed information collected by governments.
Quebec was the first Canadian jurisdiction to specifically address the use of information held by private sector organizations through legislation, when it brought in its Act Respecting the Protection of Personal Information in the Private Sector in 1994.
A bigger issue
The issue of privacy has grown exponentially with the advent of the Internet and other kinds of electronic communications and information storage. As well, there are concerns about the increasing intrusiveness of telemarketing, fundraising and other organizations.
In response, the federal government enacted the Personal Information Protection and Electronic Documents Act (PIPEDA) to establish rules regarding the collection, use and disclosure of personal information by private sector organizations. (Another key purpose of the Act was to acknowledge the legality of electronic documents.)
The first phase of PIPEDA became effective in 2001. This covered federally regulated companies such as those in the national transportation and communications industries. It also covered other organizations that collect, use or disclose personal information for profit inter-provincially or internationally (e.g. telemarketing companies). Phase 2, effective since January this year, covers personal health information. Phase 3 will extend PIPEDA’s coverage to provincially regulated organizations of all kinds unless each province has enacted its own privacy law — one that is substantially similar to PIPEDA — by January 1, 2004.
This deadline is what the government of Ontario had in mind this February when it released a draft of its long-awaited Privacy of Personal Information Act for comment. According to Patricia Wilson, a lawyer specializing in privacy in the Ottawa office of Osler, Hoskin & Harcourt, the huge and complex bill, which will cover privacy protection in almost every kind of organization in Ontario (including business, non-profit and health care), will create “a comprehensive, new legal regime” governing how personal information is collected, used, disclosed, accessed and maintained. Judging by early reaction from business groups, the proposed law raises complex issues and serious compliance challenges.
Broad definition a challenge
The bill’s broad definition of “personal information,” Wilson says, could mean everything from information kept on file by human resource departments and managers (e.g., interview notes about prospective employees, performance appraisals, training evaluations and benefits records) to comments about an employee exchanged between two managers by e-mail. It might even apply to a conversation around the water-cooler about why someone is off sick.
Ontario’s draft law requires organizations to obtain an individual’s consent before they collect, use or disclose personal information. (It also covers information collected before the legislation comes into effect.) Express consent from the employee to collect and use types of information for a specific purpose is required except in a situation that falls under the definition of “implied consent.” Implied consent means the purpose of the information was reasonably obvious to the individual and it is reasonably obvious to expect that the individual would consent.
In almost every case, however, the information cannot be used for a purpose other than that for which it was originally collected. When express consent is required, the bill also requires that it be “informed” consent (defined in the draft legislation) and voluntary, i.e. consent cannot be obtained through deception or coercion.
This provision likely means, Wilson says, that employers will not be able to make consent a condition of employment. So, any attempt to get around the law by forcing present and prospective employees to sign a “blanket” consent — giving the employer a carte blanche to collect and use personal information as it deems fit — probably won’t stand up in court.
More work for employers
Ontario’s proposed law would also require employers to:
retain and disclose to the employee, on request, detailed records about personal information disclosures to third parties (e.g. information about employee claims to benefit providers);
appoint staff who would be responsible for ensuring compliance with the Act;
Other provinces have indicated they intend to bring in their own legislation that will meet the “substantially similar to PIPEDA test.” For example, British Columbia released a consultation paper on private-sector privacy legislation earlier this year. Some smaller provinces and territories are expected to just let the federal legislation take effect in their jurisdictions come January 1, 2004.
In Ontario, a spokesperson for the Ministry of Consumer and Business Services said submissions from industry associations, privacy proponents and others were currently being studied and a revised draft is expected this fall, once the government reconvenes after its summer recess. Under former Premier Mike Harris, the government had vowed to see the legislation proclaimed by the end of 2002, but it’s not known whether new Premier Ernie Eves will see it as the same kind of priority.
Shelley Boyes is a freelance writer in Toronto.