Legal Resources

QuickCounsel

Canadian Privacy Law: Making Sense of the Patchwork Quilt

Overview
Current Patchwork of Legislation
Provincial Legislation
Implications for Human Resources
Privacy Tort Legislation
Similarities
USA Patriot Act
Surveillance of Premises
Mandatory Drug Test
Differences
More Resources

Rate this QuickCounsel

Overview

Businesses in Canada need to be aware that:

The collection, use and disclosure of personal information is regulated;
There must be policies and procedures in place to ensure the confidentiality and security of personal information, as well as the right of individuals to access that information, correct and delete it.

Current Patchwork of Legislation

The federal government and certain provinces have legislation protecting personal information, which is generally defined as information that allows an individual (not a corporation) to be identified.

Personal information includes, but is not limited to, name, address, telephone number, social security number, credit card, and bank account numbers. It also includes the likeness of a person and their voice and extends to information about their personal life that they keep in the workplace, for example on their computer.

The federal law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to:

Personal information collected, used or disclosed by an organization in the course of commercial activities, and
All employee personal information of an organization, work or undertaking coming under federal legislative jurisdiction.

It does not apply to:

The collection, use and disclosure of personal information solely within a single province which has adopted privacy legislation declared by the federal government to be substantially similar to PIPEDA;
Personal information collected for philanthropic or charitable activities; or
Employees of businesses that are provincially regulated.

In the above cases, personal information is governed by provincial legislation in those provinces having personal information protection legislation. In the absence of such provincial legislation, personal information is unregulated in these circumstances.

Provincial Legislation

Quebec, British Columbia and Alberta all have general provincial privacy legislation that has been declared substantially similar to PIPEDA.

The Alberta and British Columbia legislation recognizes that PIPEDA (and not the provincial legislation) applies where personal information is not collected, used and disclosed solely within the province.
Quebec’s legislation contains no such provision and therefore purports to apply as soon as the information is collected, used or disclosed within the province, regardless whether the information circulates interprovincially. Consequently, compliance with both PIPEDA and the Quebec legislation is an issue in that province.

Other provinces do not have personal information protection of general application. However, Saskatchewan, Manitoba Alberta, Ontario and Newfoundland (not yet in force) do have specific legislation that protects personal health information

Implications for Human Resources

In the six provinces that have not adopted their own personal information protection acts, including Ontario, there is no privacy legislation protecting employees’ personal information held by businesses. Most companies, however, operate across provincial lines and find it preferable to adopt a single privacy policy, applicable to all their employees across Canada, rather than trying to administer a patchwork of policies that may apply, or cease to apply to an employee when transferred from one province to another.

Moreover, it can be difficult to explain to your workforce why employees in one province have more rights or greater protection than those in another.

Privacy Tort Legislation

Certain provinces, namely, British Columbia, Manitoba, Saskatchewan and Newfoundland have “privacy acts” which make it a tort to:

Conduct surveillance (with or without trespass),
Record conversations, or
Use the likeness of an individual for promotional purposes without proper and lawful reason.

Accordingly, in these provinces as well in those with general personal information protection legislation, particular attention must be paid when hiring private investigators, notably for the purpose of investigating worker compensation claims.

Use of video cameras, telephoto lenses and surveillance devices must be verified against the applicable provincial legislation.

Privacy Tort Legislation: British Columbia, Saskatchewan, Manitoba, Newfoundland

Protection of Personal Information in the Context of Access to Information (Freedom of Information) Requests

The federal government and all provinces have legislation protecting certain categories of personal information when requests are made for disclosure of such information pursuant to freedom of information legislation. The legislation varies from one province to another.

It applies to public bodies’ disclosures and does not govern private sector collection, use and disclosure of personal information.
It will be relevant, however, to private sector businesses which provide documentation to the federal or provincial governments for regulatory purposes or when bidding on contracts.
This legislation provides certain safeguards with respect to personal information of employees or others that may be found in those documents.
A word of caution: some “personal” information, such as salaries, is not protected from disclosure.
For this reason, the relevant provisions of the applicable legislation should be kept in mind when submitting documentation to public bodies.

Freedom of Information Legislation: Federal, British Columbia, Alberta, Saskatchewan, Manitoba, Ontario, Quebec, New Brunswick, Nova Scotia, Prince Edward Island, Newfoundland and Labrador, Yukon Territory, Northwest Territories, and Nunavut.

Similarities and Differences between Personal Information Protection Legislation (Private Sector)

Similarities

Because all provincial privacy legislation has been declared “substantially similar” to PIPEDA, complying with the patchwork of legislation is not as difficult as it might first appear to be. Most agree that Quebec’s provincial legislation is the most onerous and that compliance with the Quebec legislation will generally ensure compliance with all other applicable privacy legislation.

Generally, Canadian protection of personal information legislation:

Limits collection of personal information to that which is necessary (and not merely useful) for the specific purpose declared to the individual;
Prohibits using that information for any other purpose without the individual’s consent;
Prohibits disclosing the information to third parties and making the information available within an organization to those whose functions do not require it, unless required by law or a collective agreement;
provides individuals with the right to access their personal information and to correct any inaccuracies or to have irrelevant or outdated information deleted; and
requires organizations to have privacy policies and procedures in place and a person responsible within the organization for the protection of personal information and for ensuring that an individual’s right to access and correct the information is respected.

USA Patriot Act

This legislation has raised concerns across Canada as to whether Canadian companies or affiliates of US companies operating in Canada are permitted to outsource data processing of personal information to companies operating in the US or, in the case of affiliates, to share that information with the parent company if it is located in the US.

After considerable controversy and the filing of complaints, the federal Privacy Commissioner issued reasoned findings that, while not a judicial decision or binding authority, are “authoritative” and probably settle the debate.

Essentially, if the individual is advised that personal information will be processed in the United States and will be subject to the USA Patriot Act, nothing prohibits sending the information to the US.

The Commissioner’s reasoning should be applicable across Canada. Her findings are reflected in three matters, one involving disclosures made by the Society for Worldwide Interbank Financial Telecommunications (SWIFT), one involving the Canadian Imperial Bank of Commerce and one involving the outsourcing of canada.com e-mail services

Surveillance of Premises

One of the more recent judicial pronouncements on video surveillance of the workplace, Eastman v. CPR, provides the following guidance for determining when video surveillance in the workplace is permissible under PIPEDA:

It must be necessary and not simply useful or less expensive than other means to accomplish the stated purpose;
An organization should establish a policy, in advance, setting forth why the surveillance is necessary;
The policy should explain:
- Why other, less intrusive measures are not as effective;
- Why the surveillance complies with “proportionality,” that is, why the benefits are proportional to the loss of privacy; and
- Why other, less intrusive measures are not capable of attaining the same objectives.
Employees must be given adequate notice; and
The surveillance should not be used to monitor productivity, absent exceptional circumstances.

Generally speaking, these principles should apply across Canada.

Mandatory Drug Testing

Mandatory, regular drug testing of all employees is rarely, if ever, permissible in Canada.

Employee drug and alcohol testing must balance the employee’s right to privacy and the employer’s duty to ensure a safe and secure workplace.
It must provide for the reasonable accommodation of employees who have a drug or alcohol dependency problem.
Testing is justifiable in the case of employees occupying safety-sensitive positions in some circumscribed situations.
For employees not occupying a safety-sensitive position, drug or alcohol testing is permitted only in two situations:
- At the time of a promotion or transfer to a safety-sensitive position;
- In the context of a post-rehabilitation program.

The Canadian model for drug and alcohol testing in a unionized workplace has enunciated the following principles which have received the approval of some courts and human rights tribunals in Canada, with the necessary adaptations for non-unionized workers:

An employer has the right to require an employee to submit to a medical examination where the purpose is to confirm that the person is physically fit to perform assigned work in a safe manner;
Drug or alcohol testing may be imposed as a qualification/certification condition to obtain a safety-sensitive position when required as part of the “general fitness for duty” medical examination;
Where the employee’s duties are inherently safety-sensitive, an employer may ask an employee to undergo a drug or alcohol test if there is reasonable cause to believe that an employee may be working while impaired;
It is within management’s rights under a collective agreement to require alcohol or drug testing following a significant incident, accident or “near-miss” if the employee’s physical state is a reasonable focus for an investigation into the cause of the significant incident, accident or near-miss;
Drug or alcohol testing may also be part of the terms and conditions of reinstatement as negotiated with the employee’s bargaining agent;
Post-reinstatement drug-testing agreements can, by consent, involve random and unannounced drug testing, to be administered in a non-abusive fashion;
Random drug testing by employers in Canada is prohibited, even for safety-sensitive positions;
However, random alcohol testing (using a calibrated breathalyzer) could be imposed on employees in safety-sensitive positions where the evidence has clearly established that an alcohol problem exists in the employer’s workplace, although the burden of proof required to show that such a problem exists is a heavy one and periodic review is required to substantiate the need for continued testing.

References: Communications, Energy and Paperworkers Union, Local 707 v. Suncor Energy Inc. (Alcohol and Drug Policy Grievance), [2008] A.G.A.A. No. 55; Syndicat canadien des communications, de l’énergie et du papier (section locale 143) c. Goodyear Canada inc., 2007 QCCA 1686; Greater Toronto Airports Authority v. Public Service Alliance of Canada, Local 0004, [2007] C.L.A.D. No. 243;

Differences

There are notable differences across Canadian legislation.

Quebec Privacy Legislation:

does not recognize “implicit” consent to the collection, use and disclosure of personal information (and therefore it will be necessary to obtain specific consent, although it need not be in writing);
does not contain exceptions to disclosure of personal information for the purpose of due diligence (although the British Columbia and Alberta legislation do; as a result, many companies insert a consent to this in their employment contracts or “employee welcome kit” upon hiring), and;
does not favor “negative opt-outs” as a form of consent.

Because of the last difference, cross-marketing with business “partners or associates” can present certain challenges to marketing departments. “Pre-checked” consents to the sharing of personal information with business partners could be valid provided that they are brought to the individual’s attention and that they can be easily unchecked at the time they are presented to the individual.

More Resources

Ogilvy Renault Privacy and Access to Information Experts

Private Sector Personal Information Protection Legislation

Federal Privacy Commissioner’s Kits for Businesses
British Columbia: Personal Information Protection Act
Alberta
- Health Information Act
  - Q&As
  - Publications
- Personal Information Act
  - Q&As
  - Publications
Manitoba
- Personal Health Information Act
  - Q&As
  - Privacy Compliance Tool
Quebec
- Q&As
New Brunswick

Become involved in ACC chapter activities in Canada if you reside in Canada.

Have an idea for a quick counsel or interested in writing one?

Email ACC at quickcounsel@acc.com or call +1 202.293.4103 ex 341 with your ideas and inquiries.

The information in this QuickCounsel should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or the ACC. This QuickCounsel is not intended as a definitive statement on the subject addressed. Rather, it is intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.

Published June 15, 2009

additional resources

International Legal Affairs Committee

Get the latest information on international business affairs and legal resources from your professional peers. Once you're a member of the committee you're eligible to join the listserve where you can pose your questions to hundreds of your colleagues and get the assistance you need.

Join the committee

ACC Newsstand

Sign up for the ACC Newsstand, a daily newsfeed, tailored to your chosen practice areas, providing you with a depth of free practical know-how. Look for news items and stories related to the topic discussed in this QuickCounsel.

Find a Member

Search by expertise and find an ACC Member with in-depth knowledge of the topic discussed in this QuickCounsel who is willing to help.

ACC: Assocation of Corporate Counsel

Browse by Practice Area