Compliance tips for B.C.’s privacy law

B.C.’s privacy law will ‘likely’ be found to be substantially similar to federal legislation

Editor’s note: This is the first of a two-part, in-depth look at B.C.’s privacy law and what it means for employers doing business in British Columbia.

Background

As of Jan. 1, 2004, the Personal Information Protection and Electronic Documents Act (PIPEDA) will come into effect in Canadian provinces which have not implemented their own provincial private sector legislation (which is recognized as being substantially similar to PIPEDA).

Quebec has had private-sector privacy legislation since 1994. Other than Quebec, B.C. and Alberta are the only two provinces which have taken steps to implement provincial private sector privacy legislation to meet the Jan. 1, 2004, deadline. Alberta’s Bill 44 is still at second reading stage as of the date of writing of this article. But it appears the legislation is on track to receive third reading and royal assent for January 1, 2004.

B.C. has passed its legislation, the Personal Information Protection Act S.B.C. 2003 c. 63 (PIPA). The legislation received royal assent on Oct. 23, 2003, and is set to come into force on Jan. 1, 2004. Industry Canada is the body which makes determinations as to whether legislation is substantially similar to PIPEDA. Industry Canada receives input from the Privacy Commissioner of Canada, as well as public sector entities and the public, as to whether or not provincial legislation is or is not “substantially similar.”

There is no indication of when Industry Canada will make its ruling with respect to the B.C. legislation. But officers at the B.C. Corporate Privacy and Information Access Branch said they expect the legislation will be determined to be substantially similar. The result is uncertainty as to which legislation applies in B.C. as of Jan. 1, 2004 — the federal or the provincial one, an outcome which is certainly not satisfactory to any organization. The recommended course of action at this point is to assume the provincial legislation will apply in B.C. and to proceed accordingly.

What’s in B.C.’s privacy legislation for employers?


In terms of general principles, the federal legislation (PIPEDA) incorporates a Canadian Standards Association (CSA) Model Code, which, in turn, sets out 10 privacy principles. The privacy principles appear in B.C.’s legislation (PIPA) as substantive obligations. These 10 principles are as follows:

• accountability;

• identifying purposes;

• consent;

• limiting collection;

• limiting use, disclosure and retention;

• accuracy;

• safeguards;

• openness;

• individual access; and

• challenging compliance.

PIPA governs the collection, use and disclosure of personal information. Personal information is broadly defined as information about an identifiable individual, including employee personal information, but not including contact information or work product information. These terms are all defined.

Contact information is basically the information which would enable contacting individuals at their place of work. The work product information definition is unique to the B.C. legislation. It is defined as information prepared or collected by an individual or group of individuals as part of their responsibilities or activities related to employment.

Employee personal information is defined as personal information about an individual that is collected, used or disclosed solely for the purposes reasonably required to establish, manage or terminate the employment relationship, but does not include information which is not about an individual’s employment.

The B.C. law (PIPA) sets out exceptions to its application, which are, in some cases, similar to the exceptions found in its federal counterpart (PIPEDA). The exceptions include:

• PIPA does not apply to the collection, use or disclosure of personal information for personal or domestic purposes;

• for journalistic, artistic or literary purposes;

• if PIPEDA applies;

• if FOIPPA (the B.C. public sector privacy legislation) applies; or

• to a document related to a prosecution if all related proceedings have not been completed.

PIPA specifically grandparents the collection of personal information collected prior to Jan. 1, 2004. Organizations do not have to recollect this information. However, this information is covered by PIPA for all other purposes. Information collected prior to Jan. 1, 2004, can be used or disclosed without obtaining consent, but only if the use or disclosure would fulfill the purposes for which the information was originally collected.

Part 2 of PIPA sets out general rules respecting protection of personal information by organizations. Part 2 requires that an organization must designate an individual to be responsible for ensuring it complies with PIPA. That person is generally known as the privacy officer. The organization must make the privacy officer’s name, position and title available to the public along with their contact information. Organizations must develop and follow policies and practices necessary to meet obligations under the legislation, and develop a process to respond to complaints.

Part 2 provides that, in meeting responsibilities under the legislation, organizations are governed by a reasonable person test. The organization must consider what a reasonable person would consider appropriate in the circumstances.

Part 3 sets out different formats for the provision of consent. An individual must give consent to collection, use and disclosure of personal information unless PIPA authorizes the collection, use or disclosure without consent, through one of the many exceptions, or PIPA deems the collection, use or disclosure to be consented to by the individual. Where express consent is required, the organization must provide the individual with the purposes for which the information will be collected, used and disclosed, and, on request by the individual, the name or title and contact information of the privacy officer (or her delegate).

PIPA sets out three types of implicit consent. First, an individual is deemed to consent if she voluntarily provides the information and, at the time consent is deemed to be given, the purpose would be considered obvious to a reasonable person. A second type of implicit consent is also unique to the B.C. legislation. An individual is deemed to consent to collection, use or disclosure of personal information for the purpose of enrolment and coverage in an insurance, pension, benefit, or similar plan, if she is a beneficiary or has an interest under the plan as an insured. Finally, PIPA sets out a form of negative option consent, with specific requirements as to how that consent may be administered.

PIPA also deals with withdrawal of consent. Individuals may withdraw consent to the collection, use and disclosure of their personal information at any time unless it would frustrate the performance of a legal obligation. Some other exceptions apply.

Parts 4, 5 and 6 of PIPA set out the circumstances in which consent is not required for collection, use or disclosure of personal information. Unfortunately, the terms collection, use and disclosure are not defined.

While some authors refer to disclosure as constituting transfer of information outside an organization, others refer to a disclosure as also occurring inside an organization where the information is transferred for a purpose other than that for which the information was originally collected. A useful exception to the requirement for consent in order to collect personal information in the employment context is that organizations do not have to obtain consent of an individual if it is reasonable to expect that the consent would compromise an investigation or proceeding and the collection is reasonable for purposes related to an investigation or proceeding.

Parts 4, 5 and 6 of PIPA also set out some very useful provisions with respect to employee personal information. These provisions are not found in PIPEDA. Pursuant to these provisions, an employer may obtain consent from employees to collect, use or disclose their personal information, or may collect, use and disclose the employee personal information without consent, if:

• the collection, use or disclosure is reasonable for establishing, managing or terminating an employment relationship; and

• the organization notifies the individual of the collection, use and disclosure, and the purposes thereof, prior to the collection, use or disclosure.

Organizations should also note there are specific provisions dealing with transfer of personal information in the sale of an organization or its business assets, disclosure for research or statistical purposes, and disclosure for historical or archival purposes.

Parts 7 and 8 of PIPA set out provisions regarding right to access and request for correction of personal information. Part 7 sets out the positive obligations and Part 8 deals with the procedural requirements. An individual is entitled to access personal information an organization holds about them subject to certain exceptions.

Individuals also have the right to request correction of their personal information. Organizations have a duty to assist individuals in these requests, and must respond within 30 days after receiving the request, or after an extended time in specific circumstances, found in Section 31. An organization may charge minimal fees for providing access to the information. But it may not charge fees respecting access to employee personal information.

The right of employees to access personal information held about them will be of interest to employers. An organization must not disclose personal information if the disclosure would reveal personal information about another individual, or reveal the identity of an individual who provided personal information about the individual.

An example given in the draft guide, created by the B.C. Corporate Privacy and Information Access Branch, notes that, with respect to the latter, opinions given by fellow employees about employee X would constitute employee X’s personal information.

If the individuals who gave the opinions did not consent to having their identity disclosed, the organization would have to sever their identity before providing access to the personal information.

But if providing the information would allow the applicant making the access request to identify the individual who held the opinion, the organization must sever all of the information.

This in-depth look at B.C.’s privacy law was provided by Lorene Novakowski, a partner in the labour, employment and human rights department of Fasken Martineau in Vancouver. She can be reached at [email protected] or at (604) 631-3216.

Part two of this article will appear in CELT #402. In it, Lorene Novakowski continues her look at B.C.’s legislation and what it means for employers doing business there. It features five key implementation steps to help organizations comply with the new provincial privacy legislation.