Winter, 2004

Privacy Legislation

At the beginning of January the requirement for compliance with the Federal Personal Information Protection and Electronic Documents Act (PIPEDA) took effect. Where the provinces have also passed legislation, compliance with the corresponding Provincial Privacy Act is also required. (In Alberta, the Personal Information Protection Act (PIPA) also became law.)

Compliance with the new law requires an understanding of the Act and undertaking a privacy compliance regime. (For a quick overview skip down to page 3)

Implementing and adjusting to new legislation usually involves changing the way things have been done. There are numerous sources of information and tools to help organizations become compliant. The following are some especially useful sources.
 

National
Personal Information Protection and Electronic Documents Act (PIPEDA)

The Canadian Standards Association (CSA) Model Code for the Protection of Personal Information contains core privacy principles that apply equally to paper-based and electronic commerce. (www.csa.ca)

The Government of Canada: www.cio-dpi.gc.ca

Privacy Commissioner for Canada: www.privcom.gc.ca/information/links-liens_e.asp
 

In Alberta
You can access Personal Information Protection Act (PIPA) information by going to www.gov.ab.ca and clicking on the Privacy Act information headline, or directly by using www.psp.gov.ab.ca, then clicking on Presentations and Publications. Under that heading you will find "A Summary For Organizations", which is a four-page briefing on requirements.

There is also “A Guide for Organizations and Businesses”, which is a detailed 42-page guide outlining responsibilities and obligations.
 

Assessing your Current Situation
Information & Privacy Commissioner of Ontario – Free diagnostic tool

"The Privacy Diagnostic Tool (PDT) is a self-assessment program used to help businesses gauge their privacy readiness by comparing their information processes with international privacy principles. Developed by the IPC with the assistance of Guardent and PricewaterhouseCoopers.


Does using the PDT make a business compliant with the privacy legislation in its jurisdiction?

No, because the PDT is not intended to meet the requirements of a given privacy statute. The PDT is not designed to provide a detailed privacy audit or an in-depth privacy impact analysis. It is not designed to provide assurances of compliance with any particular legislation. Use of the PDT should be viewed as an initial gauge of privacy readiness - it is intended to complement other measures that may be required to ensure compliance with relevant privacy legislation or industry privacy codes as they apply to an individual organization. For many organizations, it could be a first step to the more rigorous work needed to effectively manage personal information in a privacy protective manner. Completing the PDT will set organizations in the right direction for compliance with most privacy statutes as it is based on an internationally recognized privacy principle called Fair Information Practices."
(from the IPC Web page)
 



What is it All About?

Privacy Acts set out the ground rules for the management of personal information in the public and private sector (including for-profit and not-for-profit) in Canada.

They balance an individual’s right to privacy of personal information with the need for organizations to collect, use or disclose personal information for legitimate business reasons.



At Which Level of Government Does this Lie?

Federal Legislation (PIPEDA) applies where there is no provincial legislation. Provincial legislation (PIPA) applies where it exists.


What is Considered Personal Information?
Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

  • Age, name, ID numbers, income, ethnic origin, or blood type
  • Opinions, evaluations, comments, social status, or disciplinary actions
  • Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example to change jobs or acquire goods or services)

Personal information does not include: name, title, business address or telephone number of the employee of an organization.


What is Required?

  • An individual’s consent must be obtained when an organization collects, uses or discloses the individual’s personal information.
  • The individual has the right to access personal information held by an organization.
  • The individual has the right to challenge the accuracy of the information held if need be.
  • Personal information can ONLY be used for the purposes for which it was collected. (If an organization is going to use it for another purpose, consent must be obtained again.)
  • Information must be held confidentially and protected by specific safeguards (locked cabinets, computer passwords, encryption).
  • Access to any personal information is on a “must know” basis only.

What are the Underlying Principles for Implementation?

1.  Accountability:

  • Develop and implement personal information policies and practices
  • Appoint an individual to be responsible for compliance
  • Protect all personal information held by your company or that has been transferred to outside third parties for processing

The key here is knowing what personal information you have and collect.
 

2. Identify the Purpose/Reasons for Collecting personal information:

  • Before or when information is collected, identify why it is needed and how it will be used.
  • Document why the information is collected
  • Inform the individual from whom the information is collected why it is needed.
  • Identify any new purpose for the information and obtain the individual’s consent before using it.


3. Obtain Consent

  • Inform the individual in a meaningful way of the purposes of the collection, use or disclosure of personal information
  • Obtain the individual’s consent before or at the time of collection, as well as when a new use is identified.


4. Limit Collection

  • Do not collect personal information indiscriminately.
  • Do not deceive or mislead individuals about the reasons for collecting personal information

5. Limit Use, Disclosure and Retention

  • Use or disclose information only for the purpose for which it was collected, unless the individual consents or the use or disclosure is authorized by the Act.
  • Keep personal information only for as long as necessary to satisfy purposes.
  • Put guidelines and procedures in place for retaining and destroying personal information.
  • Keep personal information used to make a decision about a person for a reasonable period. This should allow the person to obtain the information after the decision and pursue redress.
  • Destroy, erase or render anonymous information that is no longer required for an identified purpose or legal requirement.


6. Be Accurate

  • Keep personal information as accurate, complete and up to date as necessary, taking into account its use and the interests of the individual.
  • Update personal information only when necessary to fulfil the specified purposes.
  • Keep frequently used information accurate and up to date unless there are clearly set out limits to this requirement.


7. Use Appropriate Safeguards

  • Protect personal information against loss or theft.
  • Safeguard information from unauthorized access, disclosure, copying, use or modification.
  • Protect personal information regardless of the format in which it is held.


8. Be Open

  • Ensure front-line staff is familiar with the procedures for responding to individual inquiries.
  • Make known:
    • The name and contact address of the person responsible for your Privacy policies and procedures.
    • How an employee can gain access to their information
    • How an individual can complain to your company
    • A description of what personal information is made available to other organizations (including subsidiaries and parents) and why it is disclosed.


9. Give Individuals Access

  • Provide any help needed for an individual to prepare a request for access to personal information.
  • Respond to requests as quickly as possible.
  • Give access at minimal or no cost to the individual
  • Make sure the requested information is understandable
  • Inform, in writing, any individual refused access of the reasons and any recourse available.


10. Challenging Compliance

  • Develop simple and easily accessible complaint procedures.
  • Inform complainants of avenues of recourse.
  • Investigate all complaints received.
  • Take appropriate measures to correct information handling practices and policies.


Job Market News

  • Are you having trouble finding the perfect person for the job?
  • Are you using traditional methods for attracting, selecting and retaining people?

Concerns about labour shortages in the oil patch in Alberta are making headlines and are addressed in detail in the Petroleum Human Resources Council of Canada report “The Decade Ahead”. The report is on their website, www.petrohrsc.ca. There are implications for every other industry as people are recruited away from other organizations to fill those gaps. When shortages of the magnitude being discussed by the oil patch are coupled with existing shortages in many industries including, but not limited to, trades contractors, mechanics, education and health care, there will be challenges in finding and keeping people for everyone.

A recent study conducted by the World Economic Forum in partnership with Watson Wyatt Worldwide indicates some significant economic consequences of global demographic trends. One of those is the shift in proportions of employed to retired workers in the first world countries. For example: By 2030, retirees in Italy will outnumber active workers. The entire EU will experience a significant decline in its working age population. Those concerns are not limited to the EU. One of the many issues related to these aging populations was highlighted on NBC’s The West Wing recently as they struggled to find a solution to the under-funded retirement portion of the Social Security Program.


Benefits & Legislation Changes
Canada is the first country in the world to provide an employment insurance benefit for Compassionate Care. Employment Insurance (6 weeks) is now available for Canadian workers who need leaves of absence for “compassionate care or support of a family member who has a significant risk of death”.

Ontario has increased its general minimum wage from $6.85 per hour to $7.15 per hour effective February 1, 2004.

Looking for more information or need some help with these or other HR issues? Please get in touch.
 



What is Anne doing now?

Ongoing work in developing a fully integrated human resource development process in a knowledge organization where the belief is that future success is dependent on creating a learning environment. The first stage of the design and implementation of a professional growth and development program was defining individual performance needed to create organizational success. The second stage is to create the environment in which the potential for individual success is multiplied. That includes skill building for those providing feedback and developing and implementing an effective process to ensure the feedback and coaching of staff occurs.

Short Term Projects underway include: updating of the policies & procedures and development of a new approach more consistent with today’s organizational culture for their communication. Facilitation of the strategic planning process for a technology manufacturing company, and design of a competency based performance evaluation tool for an Executive Director in a Not-For-Profit organization.
