Proposed legislation in Ontario imposes substantial new obligations on employers and gives workers new rights
Advances in technology have created the ability to collect, store and process vast amounts of data in ways never before possible.
But this widespread availability of information must be balanced with the recognition of personal-privacy interests.
In the workplace, highly personal information is provided by job applicants and workers during the course of employment. This information is disclosed for a variety of reasons, including:
•obtaining or continuing employment (name, qualifications, education, employment history and social insurance number);
•participating in group insurance, pension or other benefits (age, marital or family status and medical records); and
•assessing worker's performance and conduct (such as disciplinary record or performance appraisals).
Workers generally do not expect this information will be made public without consent. They want the right to determine when, how and to what extent personal information will be communicated to others.
Following the impetus of recent legislation applying to federal sector workplaces, the Ontario government has circulated a draft bill, Privacy of Personal Information Act, 2002, proposing a comprehensive framework to protect privacy in the private sector. The objective is to ensure the legislation will be in force on or before Jan. 1, 2004. Most other provinces will likely have privacy legislation in place by that time.
In its current form, the bill applies to all organizations, including associations, partnerships and trade unions. This means employers and unions will have parallel obligations. The protected personal information includes anything that could identify an individual, including health, financial and personnel records. An organization will have to obtain an individual's consent for the collection, use or disclosure of personal information. Consent will be required for the ongoing use or disclosure of personal information that had been collected before the enactment of the legislation.
Employer’s obligations
Ontario businesses will have to:
•assume responsibility for all personal information under their custody and control;
•identify the purpose for which personal information is being collected at or before the time of collection;
•obtain individual consent for the collection, use or disclosure of personal information (except in limited and clearly identified circumstances);
•limit the collection, use and disclosure of personal information to what is necessary to achieve agreed-upon purposes and not use or disclose it other than for the purposes which the information was originally collected;
•not retain information once it is no longer required to meet the purposes for which it was originally collected;
•keep personal information as accurate, complete and up-to-date as necessary to meet the purposes for which it was collected;
•protect personal information by having security safeguards in place which are appropriate to its sensitivity;
•upon request, provide individuals with specific information about how the organization collects, uses and discloses personal information;
•upon request, inform the individual about the existence, use and disclosure of personal information and provide access to that information, including its uses and disclosures;
•designate contact personnel responsible for ensuring compliance;
•prepare a written privacy policy regarding the organization’s information practices, how to access personal information and how to make complaints to the Information and Privacy Commissioner; and
•take special precautions when handling personal health information, in particular, by storing personal health information separately from other files so as to prevent any use or disclosure without express consent.
Individual’s rights
Individuals will be entitled to:
•provide or withhold consent with respect to the collection, use and disclosure of personal information except in clear and limited circumstances;
•know their rights in relation to the collection, use and disclosure of personal information;
•challenge the accuracy and completeness of personal information held by an organization;
•challenge an organization's information practices through a designated individual who is responsible for privacy matters; and
•have access to a fair and independent overseer, namely the Information and Privacy Commissioner, which has the power to investigate privacy complaints.
The bill contemplates substantial sanctions for violations. The Information and Privacy Commissioner has broad powers to investigate complaints and to review the information practices of businesses, including the power to enter premises and to examine or obtain copies of records. The commissioner has broad remedial powers, including:
•ordering a business to stop collecting, using or disclosing certain personal information;
•directing the cessation, modification or implementation of specific information practices;
•directing a business to dispose of records of personal information;
•granting access to individuals to requested information; and
•correcting personnel records.
Individuals will also have the independent right to sue for compensatory damages if an organization's practices contravene their privacy rights. In deciding whether to award damages, and in calculating damages, the bill directs the courts to consider:
•whether the invasion of privacy was intentional or inadvertent;
•the number of individuals actually harmed;
•the steps, if any, taken by the business to minimize actual harm;
•any actual loss of income suffered;
•any humiliation or psychological damage suffered; and
• the duration of the actual harm.
In its current form, the bill will significantly impact the workplace and the way employers and unions administer relationships with each other and with workers. Traditional practices regarding personnel records (for example, simply keeping them confidential) will be insufficient. There will need to be ongoing management relating to the collection, use, security, retention and deletion of personal information. Employers are well-advised to begin to take a proactive approach by implementing privacy policies that recognize legitimate business interests in conjunction with workers' privacy interests.
Joe Conforti is a partner at Goodmans LLP, an international business law firm. He practices primarily in the field of human resources management and other workplace issues. For more information, contact [email protected] or (416) 597-4177.
But this widespread availability of information must be balanced with the recognition of personal-privacy interests.
In the workplace, highly personal information is provided by job applicants and workers during the course of employment. This information is disclosed for a variety of reasons, including:
•obtaining or continuing employment (name, qualifications, education, employment history and social insurance number);
•participating in group insurance, pension or other benefits (age, marital or family status and medical records); and
•assessing worker's performance and conduct (such as disciplinary record or performance appraisals).
Workers generally do not expect this information will be made public without consent. They want the right to determine when, how and to what extent personal information will be communicated to others.
Following the impetus of recent legislation applying to federal sector workplaces, the Ontario government has circulated a draft bill, Privacy of Personal Information Act, 2002, proposing a comprehensive framework to protect privacy in the private sector. The objective is to ensure the legislation will be in force on or before Jan. 1, 2004. Most other provinces will likely have privacy legislation in place by that time.
In its current form, the bill applies to all organizations, including associations, partnerships and trade unions. This means employers and unions will have parallel obligations. The protected personal information includes anything that could identify an individual, including health, financial and personnel records. An organization will have to obtain an individual's consent for the collection, use or disclosure of personal information. Consent will be required for the ongoing use or disclosure of personal information that had been collected before the enactment of the legislation.
Employer’s obligations
Ontario businesses will have to:
•assume responsibility for all personal information under their custody and control;
•identify the purpose for which personal information is being collected at or before the time of collection;
•obtain individual consent for the collection, use or disclosure of personal information (except in limited and clearly identified circumstances);
•limit the collection, use and disclosure of personal information to what is necessary to achieve agreed-upon purposes and not use or disclose it other than for the purposes which the information was originally collected;
•not retain information once it is no longer required to meet the purposes for which it was originally collected;
•keep personal information as accurate, complete and up-to-date as necessary to meet the purposes for which it was collected;
•protect personal information by having security safeguards in place which are appropriate to its sensitivity;
•upon request, provide individuals with specific information about how the organization collects, uses and discloses personal information;
•upon request, inform the individual about the existence, use and disclosure of personal information and provide access to that information, including its uses and disclosures;
•designate contact personnel responsible for ensuring compliance;
•prepare a written privacy policy regarding the organization’s information practices, how to access personal information and how to make complaints to the Information and Privacy Commissioner; and
•take special precautions when handling personal health information, in particular, by storing personal health information separately from other files so as to prevent any use or disclosure without express consent.
Individual’s rights
Individuals will be entitled to:
•provide or withhold consent with respect to the collection, use and disclosure of personal information except in clear and limited circumstances;
•know their rights in relation to the collection, use and disclosure of personal information;
•challenge the accuracy and completeness of personal information held by an organization;
•challenge an organization's information practices through a designated individual who is responsible for privacy matters; and
•have access to a fair and independent overseer, namely the Information and Privacy Commissioner, which has the power to investigate privacy complaints.
The bill contemplates substantial sanctions for violations. The Information and Privacy Commissioner has broad powers to investigate complaints and to review the information practices of businesses, including the power to enter premises and to examine or obtain copies of records. The commissioner has broad remedial powers, including:
•ordering a business to stop collecting, using or disclosing certain personal information;
•directing the cessation, modification or implementation of specific information practices;
•directing a business to dispose of records of personal information;
•granting access to individuals to requested information; and
•correcting personnel records.
Individuals will also have the independent right to sue for compensatory damages if an organization's practices contravene their privacy rights. In deciding whether to award damages, and in calculating damages, the bill directs the courts to consider:
•whether the invasion of privacy was intentional or inadvertent;
•the number of individuals actually harmed;
•the steps, if any, taken by the business to minimize actual harm;
•any actual loss of income suffered;
•any humiliation or psychological damage suffered; and
• the duration of the actual harm.
In its current form, the bill will significantly impact the workplace and the way employers and unions administer relationships with each other and with workers. Traditional practices regarding personnel records (for example, simply keeping them confidential) will be insufficient. There will need to be ongoing management relating to the collection, use, security, retention and deletion of personal information. Employers are well-advised to begin to take a proactive approach by implementing privacy policies that recognize legitimate business interests in conjunction with workers' privacy interests.
Joe Conforti is a partner at Goodmans LLP, an international business law firm. He practices primarily in the field of human resources management and other workplace issues. For more information, contact [email protected] or (416) 597-4177.
