Canadian Privacy Law
Oct 07, 2011 QuickCounsel Download PDF
By Martha A. Healey and Karen Jensen, Norton Rose Fulbright LLP
Privacy law in Canada is a complex system of federal and provincial legislation. Businesses in Canada must be aware that the collection, use and disclosure of personal information is regulated. Additionally, organizations subject to these laws must have policies and procedures in place to ensure the confidentiality and security of personal information, as well as the right of individuals to access that information, correct and delete it. Canadian law also requires organizations to have in place policies and procedures to address a data or security breach involving the loss of, unauthorized access to or use of, personal information. This QuickCounsel will help in-house counsel understand the complexities of Canadian privacy law and the intricacies of its practical application.
Current Patchwork of Legislation
Personal information includes, but is not limited to, name, address, telephone number, social security number, credit card, biometric information, health information and bank account numbers. It also includes the likeness of a person and their voice and extends to information about their personal life that they keep in the workplace, for example on their computer.
The federal law, the Personal Information Protection and Electronic Documents Act ("PIPEDA"), applies to:
It does not apply to:
In the above cases, provincial legislation governs personal information. In the absence of such provincial legislation, personal information may be unregulated in these circumstances although, increasingly, the issue of an "expectation of privacy" has taken on legal importance and may affect the collection, use and disclosure of personal information even in cases in which statutory requirements do not apply.
New Canadian Anti-Spam Legislation
Where an entity intends to use a customer's electronic addresses (electronic mail account, instant messaging account, telephone account or any other similar account) for marketing purposes, the customer's consent is required in order to comply with the new federal legislation that has been enacted and is expected to come into effect in the fall of 2011. The new legislation, known as "Canada's Anti-spam Law" (or "CASL" for short), requires consent from the person who receives a "commercial electronic message."Under CASL, a person who seeks consent in order to send commercial electronic messages, must set out clearly and simply the purposes for which consent is being sought. Proposed regulations will further identify requirements that apply to the sending of commercial electronic messages.
Quebec, British Columbia, Alberta and Ontario (to a more limited extent) all have provincial privacy legislation substantially similar to PIPEDA. In each case, there is an order issued by the Governor in Council that provides that, to the extent indicated in the order, the collection, use and disclosure of personal information within the province (or, in the case of Ontario, by health information custodians) is exempt from the application of PIPEDA. The Ontario and Quebec legislation, however, do not contain provisions that recognize that PIPEDA (and not the provincial legislation) applies where personal information is not collected, used and disclosed solely within the province) and, consequently, compliance with both PIPEDA and the provincial legislation may be an issue in those provinces.
In addition, the provinces of, British Columbia, New Brunswick, Saskatchewan, Manitoba, Alberta, and Newfoundland and Labrador (partially in force) have enacted legislation protecting personal health information.
Implications for Human Resources
Privacy Tort Legislation
Certain provinces, namely, British Columbia, Manitoba, Saskatchewan, and Newfoundland and Labrador have "privacy acts" which make it a tort to:
Accordingly, in these provinces as well in those with general personal information protection legislation, companies must pay particular attention when hiring private investigators, notably in connection with civil litigation or for the purpose of investigating worker compensation claims.
Companies must verify use of video cameras, telephoto lenses and surveillance devices against the applicable provincial legislation.
Protection of Personal Information in Access to Information Requests
All Canadian federal/provincial and territorial governments have legislation protecting certain categories of personal information when requests are made of public sector entities for disclosure of personal information pursuant to freedom of information legislation. While such legislation will vary in detail, generally speaking:
Freedom of Information Legislation: Federal, British Columbia, Alberta, Saskatchewan, Manitoba, Ontario, Quebec, New Brunswick, Nova Scotia, Prince Edward Island, Newfoundland and Labrador, Yukon Territory, Northwest Territories, and Nunavut.
Similarities and Differences between Personal Information Protection Legislation (Private Sector)
Similarities and Differences
Generally, Canadian private sector privacy legislation:
There are notable differences across Canadian privacy legislation. British Columbia and Alberta privacy legislation require certain procedures and notifications for the purposes of due diligence reviews for commercial transactions and for the disclosure of personal information in connection with such transactions. Quebec privacy legislation does not recognize "implicit" consent to the collection, use and disclosure of personal information (and therefore it is necessary to obtain specific consent, although it need not be in writing).
In Ontario, companies must notify individuals of the theft, loss or unauthorized access of personal health information in the custody or control of a health information custodian. In Alberta, an organization having personal information under its control must, without unreasonable delay, provide notice to the provincial privacy authority of any incident involving the loss of or unauthorized access to or disclosure of the personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.
Because of these differences, cross-marketing with business "partners or associates" can present certain challenges to marketing departments. "Pre-checked" consents to the sharing of personal information with business partners could be valid provided that they are brought to the individual's attention and that they can be easily unchecked at the time they are presented to the individual.
USA Patriot Act
This legislation has raised concerns across Canada as to whether Canadian companies or affiliates of US companies operating in Canada are permitted to outsource data processing of personal information to companies operating in the US or, in the case of affiliates, to share that information with the parent company if it is located in the US.
After considerable controversy and the filing of complaints, the federal Privacy Commissioner issued reasoned findings that, while not a judicial decision or binding authority, are "authoritative" and probably settle the debate.
Essentially, if the individual is advised that personal information will be processed and retained in the United States and may be subject to access by United States legal authorities, nothing prohibits sending the information to the US.
The Commissioner's reasoning should be applicable across Canada. Her findings are reflected in three matters, one involving disclosures made by the Society for Worldwide Interbank Financial Telecommunications (SWIFT), one involving the Canadian Imperial Bank of Commerce and one involving the outsourcing of canada.com e-mail services.
Surveillance of Premises
Under PIPEDA and other privacy legislation, the use of surveillance cameras in the workplace is considered to be the collection, use or disclosure of employees' personal information. However, this does not mean that video surveillance is illegal. Video surveillance is permissible if it meets the following conditions set out by the Federal Court in Eastmond v. CPR 2004 FC 852:
If the above-noted conditions are present and employees have been notified that there is video surveillance in the workplace, the surveillance will likely be found to be PIPEDA-compliant. To defend against such complaints, organizations should establish a policy, in advance, that includes the following information:
There are exceptions to the requirement to notify employees about video surveillance. They are as follows:
Companies should not use video surveillance to monitor productivity, absent exceptional circumstances.
Mandatory Drug Testing
Mandatory, regular drug testing of all employees is rarely, if ever, permissible in Canada. Employee drug and alcohol testing must balance the employee's right to privacy and the employer's duty to ensure a safe and secure workplace. It must provide for the reasonable accommodation of employees who have a drug or alcohol dependency problem.
Random alcohol testing (using a calibrated breathalyzer) may be imposed on employees in safety-sensitive positions where the evidence has clearly established that an alcohol problem exists in the employer's workplace, although the burden of proof required to show that such a problem exists is a heavy one and periodic review is required to substantiate the need for continued testing. Pre-employment and/or random drug testing is not justifiable even in safety-sensitive positions with the exception of cross-border trucking and busing into the United States, when it may be justifiable.
The Canadian model for drug and alcohol testing in a unionized workplace has enunciated the following principles, which have received the approval of some courts and human rights tribunals in Canada, with the necessary adaptations for non-unionized workers:
References:Entrop v. Imperial Oil (2000), 50 O.R. (3d) 18 (ON. C.A.); Communications, Energy and Paperworkers Union, Local 707 v. Suncor Energy Inc. (Alcohol and Drug Policy Grievance),  A.G.A.A. No. 55; Syndicat canadien des communications, de l'énergie et du papier (section locale 143) c. Goodyear Canada inc., 2007 QCCA 1686; Greater Toronto Airports Authority v. Public Service Alliance of Canada, Local 0004,  C.L.A.D. No. 243
Privacy law in Canada is a patchwork of federal and provincial law covering employee personal information, surveillance, and drug testing. Understanding this framework can help in-house counsel avoid privacy liabilities. This QuickCounsel provides an overview of federal and provincial privacy law, its application, and proposed legislation.
|The information in this QuickCounsel should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or the ACC. This QuickCounsel is not intended as a definitive statement on the subject addressed. Rather, it is intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.|
2010 All Rights Reserved