Worker concerned over SIN usage: Analysis of a privacy complaint

Privacy laws are still a relatively new realm for employers, particularly when it comes to safeguarding employee data. A recent ruling by Alberta’s Information and Privacy Commissioner involving a union member in Edmonton who filed a complaint over how the union safeguarded personal information that was stored on a server in Las Vegas sheds some light on what employers should be doing to protect employee’s personal information and how to respond to a privacy complaint.
|Canadian Employment Law Today

The worker was a member of the Alberta Regional Council of Carpenters Union (RCC) who was based in Edmonton. The RCC is a chartered council of the United Brotherhood of Carpenters and Joiners of America, an international union representing carpenters and allied trades.

The international union maintains personal information about its members in an electronic system called ULTRA. This system is a member record-keeping system that is capable of recording information about union members, including name, address, phone number, birth date, language, citizenship, gender, employer, membership status, classification, age and years of service. It also has a field for political affiliation, but the RCC did not collect that information.

ULTRA was developed in 1998 using proprietary software owned and developed by the international union. The servers are located in the union’s data centre in Las Vegas.