QuickCounsel

Canadian Privacy Law

By Martha A. Healey and Karen Jensen, Norton Rose OR LLP

Overview
Current Patchwork of Legislation
New Canadian Anti-Spam Legislation Provincial Legislation
Implications for Human Resources
Privacy Tort Legislation
Similarities and Differences
USA Patriot Act
Surveillance of Premises
Mandatory Drug Test
Conclusion
Additional Resources

Rate this QuickCounsel

Overview

Privacy law in Canada is a complex system of federal and provincial legislation. Businesses in Canada must be aware that the collection, use and disclosure of personal information is regulated. Additionally, organizations subject to these laws must have policies and procedures in place to ensure the confidentiality and security of personal information, as well as the right of individuals to access that information, correct and delete it. Canadian law also requires organizations to have in place policies and procedures to address a data or security breach involving the loss of, unauthorized access to or use of, personal information. This QuickCounsel will help in-house counsel understand the complexities of Canadian privacy law and the intricacies of its practical application.

Back to top

Current Patchwork of Legislation

Personal information includes, but is not limited to, name, address, telephone number, social security number, credit card, biometric information, health information and bank account numbers. It also includes the likeness of a person and their voice and extends to information about their personal life that they keep in the workplace, for example on their computer.

The federal law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), applies to:

• Personal information collected, used or disclosed by an organization in the course of commercial activities, and
• All employee personal information of an organization, work or undertaking coming under federal legislative jurisdiction.

It does not apply to:

• The collection, use and disclosure of personal information solely within a single province which has adopted privacy legislation declared by the federal government to be substantially similar to PIPEDA;
• Personal information collected for philanthropic or charitable activities; or
• Employees of businesses regulated by provincial law.

In the above cases, provincial legislation governs personal information. In the absence of such provincial legislation, personal information may be unregulated in these circumstances although, increasingly, the issue of an “expectation of privacy” has taken on legal importance and may affect the collection, use and disclosure of personal information even in cases in which statutory requirements do not apply.

Back to top

New Canadian Anti-Spam Legislation

Where an entity intends to use a customer's electronic addresses (electronic mail account, instant messaging account, telephone account or any other similar account) for marketing purposes, the customer’s consent is required in order to comply with the new federal legislation that has been enacted and is expected to come into effect in the fall of 2011. The new legislation, known as “Canada’s Anti-spam Law” (or “CASL” for short), requires consent from the person who receives a “commercial electronic message.”Under CASL, a person who seeks consent in order to send commercial electronic messages, must set out clearly and simply the purposes for which consent is being sought. Proposed regulations will further identify requirements that apply to the sending of commercial electronic messages.

Back to top

Provincial Legislation

Quebec, British Columbia, Alberta and Ontario (to a more limited extent) all have provincial privacy legislation substantially similar to PIPEDA. In each case, there is an order issued by the Governor in Council that provides that, to the extent indicated in the order, the collection, use and disclosure of personal information within the province (or, in the case of Ontario, by health information custodians) is exempt from the application of PIPEDA. The Ontario and Quebec legislation, however, do not contain provisions that recognize that PIPEDA (and not the provincial legislation) applies where personal information is not collected, used and disclosed solely within the province) and, consequently, compliance with both PIPEDA and the provincial legislation may be an issue in those provinces.

In addition, the provinces of, British Columbia, New Brunswick, Saskatchewan, Manitoba, Alberta, and Newfoundland and Labrador (partially in force) have enacted legislation protecting personal health information.

Back to top

Implications for Human Resources

In the provinces that have not adopted a general private sector privacy law, there is no general privacy legislation protecting employees’ personal information held by businesses. Most companies, however, operate across provincial lines and find it preferable to adopt a single privacy policy, applicable to all their employees across Canada, rather than trying to administer a patchwork of policies that may apply, or cease to apply to an employee when transferred from one province to another.

Back to top

Privacy Tort Legislation

Certain provinces, namely, British Columbia, Manitoba, Saskatchewan, and Newfoundland and Labrador have “privacy acts” which make it a tort to:

• Conduct surveillance (with or without trespass),
• Record conversations, or
• Use the likeness of an individual for promotional purposes without proper and lawful reason.

Accordingly, in these provinces as well in those with general personal information protection legislation, companies must pay particular attention when hiring private investigators, notably in connection with civil litigation or for the purpose of investigating worker compensation claims.

Companies must verify use of video cameras, telephoto lenses and surveillance devices against the applicable provincial legislation.

Privacy Tort Legislation: British Columbia, Saskatchewan, Manitoba, Newfoundland and Labrador

Protection of Personal Information in Access to Information Requests

All Canadian federal/provincial and territorial governments have legislation protecting certain categories of personal information when requests are made of public sector entities for disclosure of personal information pursuant to freedom of information legislation. While such legislation will vary in detail, generally speaking:

• It applies to public bodies’ disclosures and does not govern private sector collection, use and disclosure of personal information.
• It will be relevant to private sector businesses which provide documentation to the federal, provincial or territorial governments for regulatory purposes or when bidding on contracts.
• This legislation provides certain safeguards with respect to personal information of employees or others that found in those documents.
• The law does not protect some “personal” information, such as salaries, from disclosure.
• The relevant provisions of the applicable legislation must be kept in mind when submitting documentation to public bodies and, where possible, precautions must be taken to help protect such information from disclosure in the event a request is made for access to the information.

Freedom of Information Legislation: Federal, British Columbia, Alberta, Saskatchewan, Manitoba, Ontario, Quebec, New Brunswick, Nova Scotia, Prince Edward Island, Newfoundland and Labrador, Yukon Territory, Northwest Territories, and Nunavut.

Similarities and Differences between Personal Information Protection Legislation (Private Sector)

Back to top

Similarities and Differences

Generally, Canadian private sector privacy legislation:

• Limits collection of personal information to that which is necessary (and not merely useful) for the specific purpose for which the information was collected (as disclosed to the individual);
• Prohibits using that information for other purpose without the individual’s consent (unless required by law);
• Prohibits disclosing the information to third parties and making the information available within an organization to those whose functions do not require it, unless required by law or a collective agreement;
• Provides individuals with the right to access their personal information and to correct any inaccuracies or to have irrelevant or outdated information deleted; and
• Requires organizations to have privacy policies and procedures in place and a person responsible within the organization for the protection of personal information and for ensuring respect of an individual’s right to access and correct the information.

There are notable differences across Canadian privacy legislation. British Columbia and Alberta privacy legislation require certain procedures and notifications for the purposes of due diligence reviews for commercial transactions and for the disclosure of personal information in connection with such transactions. Quebec privacy legislation does not recognize “implicit” consent to the collection, use and disclosure of personal information (and therefore it is necessary to obtain specific consent, although it need not be in writing).

In Ontario, companies must notify individuals of the theft, loss or unauthorized access of personal health information in the custody or control of a health information custodian. In Alberta, an organization having personal information under its control must, without unreasonable delay, provide notice to the provincial privacy authority of any incident involving the loss of or unauthorized access to or disclosure of the personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.

Because of these differences, cross-marketing with business “partners or associates” can present certain challenges to marketing departments. “Pre-checked” consents to the sharing of personal information with business partners could be valid provided that they are brought to the individual’s attention and that they can be easily unchecked at the time they are presented to the individual.

Back to top

USA Patriot Act

This legislation has raised concerns across Canada as to whether Canadian companies or affiliates of US companies operating in Canada are permitted to outsource data processing of personal information to companies operating in the US or, in the case of affiliates, to share that information with the parent company if it is located in the US.

After considerable controversy and the filing of complaints, the federal Privacy Commissioner issued reasoned findings that, while not a judicial decision or binding authority, are “authoritative” and probably settle the debate.

Essentially, if the individual is advised that personal information will be processed and retained in the United States and may be subject to access by United States legal authorities, nothing prohibits sending the information to the US.

The Commissioner’s reasoning should be applicable across Canada. Her findings are reflected in three matters, one involving disclosures made by the Society for Worldwide Interbank Financial Telecommunications (SWIFT), one involving the Canadian Imperial Bank of Commerce and one involving the outsourcing of canada.com e-mail services.

Back to top

Surveillance of Premises

Under PIPEDA and other privacy legislation, the use of surveillance cameras in the workplace is considered to be the collection, use or disclosure of employees’ personal information. However, this does not mean that video surveillance is illegal. Video surveillance is permissible if it meets the following conditions set out by the Federal Court in Eastmond v. CPR 2004 FC 852:

1. It must be necessary and not simply useful or less expensive than other means to accomplish the stated purpose;
2. There must be a strong likelihood that the surveillance will accomplish the purpose;
3. The benefit gained by the surveillance must be proportionate to the loss of privacy, that is, the greater the invasion of privacy the greater the benefits will need to be;
4. There must be no other, less privacy-invasive ways of achieving the same end.

If the above-noted conditions are present and employees have been notified that there is video surveillance in the workplace, the surveillance will likely be found to be PIPEDA-compliant. To defend against such complaints, organizations should establish a policy, in advance, that includes the following information:

1. The purpose of the surveillance;
2. The locations of the surveillance cameras and times when surveillance will be conducted;
3. The permitted use of the surveillance tapes; and
4. Contact information for the person handling inquiries and complaints with respect to privacy issues in the workplace.

There are exceptions to the requirement to notify employees about video surveillance. They are as follows:

• Getting consent would compromise the availability or accuracy of the information collected; and
• The collection of the information is for the purpose of investigating violations of the employment agreement or the law.

Companies should not use video surveillance to monitor productivity, absent exceptional circumstances.

Back to top

Mandatory Drug Testing

Mandatory, regular drug testing of all employees is rarely, if ever, permissible in Canada. Employee drug and alcohol testing must balance the employee’s right to privacy and the employer’s duty to ensure a safe and secure workplace. It must provide for the reasonable accommodation of employees who have a drug or alcohol dependency problem.

Random alcohol testing (using a calibrated breathalyzer) may be imposed on employees in safety-sensitive positions where the evidence has clearly established that an alcohol problem exists in the employer’s workplace, although the burden of proof required to show that such a problem exists is a heavy one and periodic review is required to substantiate the need for continued testing. Pre-employment and/or random drug testing is not justifiable even in safety-sensitive positions with the exception of cross-border trucking and busing into the United States, when it may be justifiable.

The Canadian model for drug and alcohol testing in a unionized workplace has enunciated the following principles, which have received the approval of some courts and human rights tribunals in Canada, with the necessary adaptations for non-unionized workers:

• An employer has the right to require an employee to submit to a medical examination where the purpose is to confirm that the person is physically fit to perform assigned work in a safe manner;
• Drug or alcohol testing may be imposed as a qualification/certification condition to obtain a safety-sensitive position only when a “general fitness for duty” medical examination reveals that the person may become impaired on the job or when the individual discloses a substance abuse problem;
• Where the employee’s duties are inherently safety-sensitive, an employer may ask an employee to undergo a drug or alcohol test if there is reasonable cause to believe that an employee may be working while impaired;
• It is within management’s rights under a collective agreement to require alcohol or drug testing following a significant incident, accident or “near-miss” in safety-sensitive positions if the employee’s physical state is a reasonable focus for an investigation into the cause of the significant incident, accident or near-miss;
• It may be justifiable to require drug and alcohol testing following a significant incident, accident or “near-miss” in non-safety-sensitive positions if the health and safety of others was in jeopardy and no other means of protecting employees/ascertaining fitness was possible;
• Drug or alcohol testing may also be part of the terms and conditions of reinstatement as negotiated with the employee and the employee’s bargaining agent as long as it is part of a broader program of monitoring, rehabilitation and support;
• Post-reinstatement drug or alcohol testing agreements can, by consent, involve random and unannounced testing, to be administered in a non-abusive fashion;

References:Entrop v. Imperial Oil (2000), 50 O.R. (3d) 18 (ON. C.A.); Communications, Energy and Paperworkers Union, Local 707 v. Suncor Energy Inc. (Alcohol and Drug Policy Grievance), [2008] A.G.A.A. No. 55; Syndicat canadien des communications, de l’énergie et du papier (section locale 143) c. Goodyear Canada inc., 2007 QCCA 1686; Greater Toronto Airports Authority v. Public Service Alliance of Canada, Local 0004, [2007] C.L.A.D. No. 243

Back to top

Conclusion

Privacy law in Canada is a patchwork of federal and provincial law covering employee personal information, surveillance, and drug testing. Understanding this framework can help in-house counsel avoid privacy liabilities. This QuickCounsel provides an overview of federal and provincial privacy law, its application, and proposed legislation.

Back to top

Additional Resources

ACC Resources

• ACC Presentation (2011): A Compliance Challenge - Data Protection and Privacy
• ACC Quick Counsel (2010): Employment Considerations When United States Companies Manage or Acquire Employees in Europe or Canada
• ACC InfoPak (2010): Canadian Labour and Employment Law

Web Resources

• Proposed Canadian Anti-Spam Regulations (Norton Rose, 2011)
• Work and Privacy: An Impossible Marriage? An Overview of The Canadian Experience (Norton Rose, 2010)
• Document Retention: An International Review 2011 - Canada (Norton Rose, 2011)
• Financial Institutions Cannot Disclose Personal Information to Facilitate Collection of Debt (Norton Rose, 2011)
• Doing Business in Canada (Norton Rose, 2011)
• Doing Business in Quebec (Norton Rose, 2011)
• Norton Rose Privacy and Access to Information Team
  

Back to top

Have an idea for a quick counsel or interested in writing one?

• Submit your ideas by filling out our online topic proposal form.

The information in this QuickCounsel should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or the ACC. This QuickCounsel is not intended as a definitive statement on the subject addressed. Rather, it is intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.

Back to top

Published June 15, 2009 (Updated on October 7, 2011)

Reprinted with Permission from the Association of Corporate Counsel
2010 All Rights Reserved
www.acc.com