Privacy Issues

MILLER THOMSON

LLP

Barristers & Solicitors Patent & Trade-Mark Agents VAN C OU VE R

T OR O N TO

CAL G A RY

Robson Court 1000-840 Howe Street Vancouver, BC Canada V6Z 2M1 Tel. 604.687.2242 Fax. 604.643.1200 www.millerthomson.com E DM O NT O N

L ON D O N

KIT CH EN E R- WA TE RL O O

GU EL P H

MA RK HA M

M ON T RÉ AL

Privacy Issues Paul Devine Miller Thomson Seminar Labour & Employment Update June 4, 2008

This presentation is provided as an information service only and is not meant as legal advice. Readers are cautioned not to act on the information provided without seeking specific legal advice with respect to their unique circumstances. © Miller Thomson LLP 2008. All Rights Reserved. All Intellectual Property Rights including copyright in this presentation are owned by Miller Thomson LLP. This presentation may be reproduced and distributed in its entirety provided no alterations are made to the form or content. Any other form of reproduction or distribution requires the prior written consent of Miller Thomson LLP which may be obtained by contacting [email protected]

\\vanfil4\dept\common\marketing\Templates\Word Templates\Articles_Coverpage_Vancouver.DOC

Topics to be Discussed ƒ Managing employee personal information/reference checks ƒ Buying and selling a business ƒ Data Security Breaches ƒ Confidentiality – Surveillance ƒ Outsourcing – Patriot Act

10 Principals of Privacy ƒ Privacy legislation based on 10 principles for collection, use, and disclosure of personal information: 1. Accountability. Organizations are accountable for the protection of personal information under their control. 2. Identifying purposes. The purposes for the collection of personal information must be identified prior to or during the collection. 3. Consent. Organizations may collect, use and disclose personal information only with the knowledge and consent of the individual (with limited exceptions specified in personal information protection laws). 4. Limited collection. The collection of personal information is limited to what is necessary for the identified purposes and must be collected by fair and lawful means. 5. Limiting use, disclosure and retention. Personal information must be used and disclosed only for the purpose(s) intended, except where consent of the individual is obtained or as required by law. It can be retained only for the period of time required to fulfill the intended purpose(s).

Privacy Principles cont’d 6.

Accuracy. Personal information must be complete, accurate and current. 7. Safeguards. An organization in control of personal information must ensure the information is protected by adequate safeguards. 8. Openness. An organization’s privacy policies and practices must be readily available to individuals upon request. 9. Individual access. An individual has the right to access his/her personal information, subject to legislated exceptions, and has the right to seek correction. 10. Challenging compliance. Organizations must provide the means for an individual to challenge the organization’s compliance with these privacy principles.

Introduction cont’d ƒ In BC, private sector employers are covered by PIPA, public sector employers by FOIPPA. ƒ Canada wide covered by federal legislation: PIPEDA. ƒ PIPEDA is to apply in jurisdictions other than BC, Alberta and Quebec. ƒ The privacy agencies now work closely together on policy issues.

Introduction ƒ Privacy is becoming part of the litigation landscape. ƒ Case of Keays v Honda Canada now before the Supreme Court. ƒ One issue in this case deals with an employer’s ability to require medical evidence to confirm absence.

Buying and Selling a Business ƒ When selling or acquiring a business or part of a business, employee privacy rights come into play. ƒ The acquiring business needs to know about employees, and access to personnel files is part of due diligence. ƒ The information can be seen but there are restrictions.

Buying and Selling cont. ƒ Access can be granted for purposes of due diligence only. ƒ Employees need to be advised that their information has been accessed for this purpose. ƒ Send a letter to employees to confirm that personal information was accessed and why.

Data Collection Breaches ƒ Businesses need to be concerned about inadvertent release of third party data ƒ Legislation requires that personal information is safeguarded. ƒ A major developing trend is inadvertent disclosure of third party information. ƒ The inadvertent failure to shred thousands of tax returns on contract to the federal government is one recent example.

Data Collection cont’d ƒ What happens in the case of inadvertent release of personal information? ƒ Businesses are responsible for informing the Commissioner about inadvertent disclosure, and also notifying parties whose information was disclosed. ƒ See information from OICP.

Surveillance ƒ An emerging area of concern is surveillance, especially video. ƒ Many businesses use video as part of loss control or security. ƒ Consideration is needed to potential impact on employees and the public. ƒ Even use of GPS on company vehicles has been scrutinized.

Confidentiality ƒ PIPA puts the onus on the organization to comply with the legislation. ƒ It most often falls to Human Resources to carry out this mandate. ƒ There are significant penalties under PIPA. Appoint a person who understands the requirements. ƒ Delegation must be specific. ƒ Personnel files need to be scrutinized and maintained appropriately. ƒ Minimal collection is the rule.

Conclusion ƒ We suggest you review your office’s privacy initiatives on a regular basis. ƒ Accountability and compliance is an obligation for each organization. ƒ Failure can lead to adverse orders and penalties. ƒ Be sure senior management is aware of emerging trends.