On January 1, 2004, the last step to enforcing a nation-wide personal privacy regime will be taken by the federal government. Canvassing steps they should take before December 31, 2003, this article will provide payroll and benefits administrators, including those who manage savings plans and pensions, an understanding of the impact of the Personal Information Protection and Electronic Documents Act (PIPEDA).

To Whom Does the Act Apply?

The privacy provisions of PIPEDA have applied to all employers subject to the Canada Labour Code since January 1, 2001.  This covers employers in the following industries:  any form of transportation or communication, such as railways, trucks and pipelines, which crosses provincial boundaries, as well as broadcasting, banking, the operation of airports or airlines and freight or passenger shipping on all waters, inland or maritime.
 
Similarly, PIPEDA has applied since January 1, 2001, to all third-party payroll, pension, benefit or savings plan administrators who are for-profit and who collect, use or disclose personal information across provincial boundaries.  For example, if a third-party pension administrator collects retiree information in Ontario, but files statements of pension income to the CCRA from its Montreal office, then PIPEDA has applied to the member and retiree information collected, used or disclosed since 2001.

As of January 1, 2004, PIPEDA will apply to any for-profit third-party administrator whose collection, use and disclosure activities do not cross provincial boundaries, except where these activities take place in any province which passes a personal privacy act similar to PIPEDA—Québec, for example, currently has its own privacy legislation.

Employers who use the activities of a for-profit, third-party payroll, pension, benefit or savings plan administrator subject to PIPEDA are also subject to the provisions of that legislation.  For example, an employer provides employees with a group benefit plan, through a for-profit benefit carrier.  From the employer, the benefit carrier receives employee personal information, such as name, address and annual earnings, as well as the name, age and sex of any dependents.  The privacy provisions of PIPEDA apply to all employee personal information passed by the employer to the third-party benefit carrier, except for the employee name itself.  Under PIPEDA, an employee's name is not considered “personal information” protected by the legislation.

Unless an employer is federally regulated or uses the services of a for-profit, third-party administrator, the privacy provisions of PIPEDA do not apply to employee personal information.  This does not mean that employers who are not affected by PIPEDA should not, or do not already, respect individual employee privacy.  The privacy of employee or retiree information has been a long-standing concern of persons who work in payroll, benefit, pension or savings plan administration and all employers should implement the principles of privacy protection contained in the legislation.

However, prior to PIPEDA there were few formal requirements imposed by law on employers, or third-party administrators, related to the protection of employee privacy.  For example, the federal Income Tax Act restricts the usage of employee Social Insurance Numbers.  Similarly, the Ontario Family Responsibility and Support Arrears Enforcement Act requires that employee personal information related to support orders be kept private.  Other than these few examples, and the 1994 Québec legislation, An Act Respecting the Protection of Personal Information in the Private Sector, there have been no legal requirements imposed on the protection of personal privacy by employers or third-party administrators, acting on their behalf.

The significant impact of PIPEDA, where it applies, is that it replaces a general understanding of the need to promote privacy with a set of formal administrative requirements.  Any organization subject to the privacy provisions of PIPEDA must understand and implement these formal requirements.  These requirements can be described under the following headings:

•a catalogue of personal information types;

•security measures to protect personal information; and

•policies and procedures related to employee access, complaints and inquiries.

A Catalogue of Personal Information Types

PIPEDA mandates that organizations identify and document the purposes for which each type of personal information is collected, used or disclosed.  This principle is twined with another, which requires that organizations must limit the collection, use or disclosure of personal information to that required by the purposes that have been documented.  Meeting these two requirements implies that employers must create a catalogue of personal information types, linking each type of employee personal information collected, used or disclosed to the purposes for which this is done.  In order to create such a catalogue, employers subject to PIPEDA must undertake a thorough audit or review of existing employee, plan member or retiree personal information.

For example, many organizations maintain physical personnel files in multiple locations. Line supervisors, business unit human resources staff and centralized human resources/payroll staff may each maintain their own separate physical personnel files.  In order to comply with PIPEDA, organizations subject to this legislation will have to catalogue the types of personal information maintained in these files and document the purposes for which that information is collected, used or disclosed.  A similar process would apply to employee personal information maintained in computer systems, such as time and attendance, payroll, human resources, pension or benefit software.  Such a review would require a database administrator to review each type of personal information stored in such systems; or a user to review set-up or maintenance screens for the types of information stored in the application.

Organizations subject to PIPEDA will also have to catalogue disclosure to third parties by type of personal information.  For example, if an employer provides seniority date information to a union, under the terms of a collective agreement, then that union will have to be identified as a third party to whom that type of employee personal information may have been disclosed.  While organizations are encouraged to be as specific as possible, compliance with PIPEDA requires at a minimum that employers document, for each type of personal information, a list of the third parties to whom that type of personal information may have been, or might be, disclosed.

In PIPEDA the concept of purpose—the purpose for which each type of personal information is collected, used or disclosed—is connected to the record retention requirements for that information type.  Some purposes require employee consent.  For example, employees must consent before their personal information is shared with a for-profit, third-party benefit carrier. 

But, some purposes do not require consent.  Because, for example, employers are required by law to provide the Canada Customs & Revenue Agency with employee personal information in annual T4 filings,  employers are not required to obtain consent for the personal information disclosed on T4’s.  The law requires that employers maintain T4 information for a minimum of 6 years after the end of each tax year concerned.  After the end of each such 6-year rolling period, the legal requirement for employers to maintain employee related T4 information expires.  Unless covered by another purpose, compliance with PIPEDA requires employers to destroy employee personal information contained on such T4 related records.

Finding similar situations must be another objective of an audit or review of employer personal information records.  Where the documented purpose for collection, use or disclosure has an expiry date, that expiry date should be catalogued against the purpose for that information type.  The expiry dates recorded must then be used to drive the destruction of any records containing that type of employee personal information.

Security Measures to Protect Personal Information

Where PIPEDA applies, organizations must ensure that employee personal information is protected against unauthorized access, use or disclosure.  Under PIPEDA, employers are recommended to take physical, organizational and technical measures to ensure this protection.

Physical measures might include the use of locks on filing cabinets where employee personal information is stored, or restrictions on physical access to rooms or offices where personal information is used.  For example, swipe card or key-pad driven door locks can be used to secure access to physical areas where personal information is stored.  Where human resources or payroll staff can access employee personal information on desktops or workstations, physical measures might include steps to ensure that personal information displayed on a computer screen is not visible to others.

Organizational measures include limiting access to employee personal information on a need to know basis.  For example, in some organizations employee salary costs are contained in General Ledger accounts for single employee departments.  Under PIPEDA, access to such General Ledger account information would have to be restricted to those authorized to see such employee personal information, based on the purposes for which the salary information was collected, used or disclosed.

Organizational measures would also include contractual arrangements with third parties, to ensure that any employee personal information disclosed to them is adequately protected.  For example, external IT consultants may be used to develop or support human resources systems, including interfaces between separate systems such as human resources and payroll.  IT specialists may need access to real employee data in order to develop and test such interfaces.  Compliance with PIPEDA would require that such consultants be contractually bound in order to maintain the privacy of the employee personal information they have access to.

Technical measures include password protection on access to employee data.  If staff outside of human resources or payroll have access to an HRIS, password controls should ensure that supervisors can see only the records of employees who report to that person and not the records of employees in another area or department.  Similarly technical measures would include adequate protection against unauthorized Internet access, including access over a wireless data network.

Policies and Procedures Related to Employee Access, Complaints and Inquiries

Where PIPEDA applies, employers will have to put in place administrative policies and procedures to provide employees with a means to access, complain and inquire about their personal information.

The first step in this process is to formally designate an individual with accountability for the protection of the privacy of employee personal information.  Such accountability could be assigned internally, to a human resources executive, director or senior manager, or externally, to a third-party administrator, as part of the outsourcing services provided.  Since PIPEDA will apply to the majority of employers, only to the extent that employee administration is outsourced, outsourcers may wish to reduce such client imposed administrative burden, bundling procedures relating to employee inquiry, access and complaint with any other employee administration services they offer.

The second step is to make readily available to employees the following:

(a) the name or title, and the address, of the person who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded;

(b) a description of the type of personal information held by the organization, including a general account of its use; and

(c) a copy of any brochures or other information that explain the organization's policies, standards, or codes.

Employers or third-party administrators could make the above information readily available through posting on cafeteria or lunch room bulletin boards or via an Intranet site to which employees have access.  Whatever the method employed, PIPEDA requires that employees have easy access to the above information.

PIPEDA also requires that employees have the right to request, in writing, access to employer records of their own personal information.  This right includes access to physical personnel files as well as to personal information stored in employee-related computer systems.  For example, an employee being terminated could ask in writing to see the employer's records of insurable hours and earnings, prior to the issuance of a Record of Employment.  An employee, denied benefit coverage, or a long-term disability claim, could ask to see the medical records on which such a decision was based.  Employees could also ask to see any employer records related to assessments or evaluations of their performance.  Employee may also ask employers to provide a list of third parties, to whom their personal information has, or may have, been disclosed.

At a minimum, responding to such employee requests would require employers to provide employees, who ask, with photocopies of their personnel files or hard-copies of screen shots from a human resources application.  A more sophisticated solution to providing employees with access to such information might involve an Internet self-service site that gave employees PDF access to the contents of their own personnel files.

Under PIPEDA, there are very few grounds on which to deny or restrict employee access to their personal information.  One ground for denying employee access relates to formal dispute resolution processes: an employer could deny employee access to records related to the settlement of a grievance, made under the formal provisions of a collective agreement. Another ground might be the objection of a government agency to which employee personal information was disclosed by the employer, under the authority of a subpoena, warrant, court or administrative order.  In Ontario, employers are obliged by law to provide employee information, as requested by the Family Responsibility Office (FRO).  Under PIPEDA, employees may ask that employers disclose the fact of any such request by the FRO, as well as a copy of the information provided.  Faced with such a request, PIPEDA requires the employer to inform the FRO and to allow the FRO an opportunity to object.  The FRO may object on the basis that responding to the employee request may interfere with the enforcement of a support order.  Based on such a governmental objection, the employee request may be denied.

Under PIPEDA, employers must provide assistance, when requested, in helping employees access, inquire or complain about their personal information.  Such assistance could include providing employees with work space and a computer in order to create a request in writing.  Additionally, where employees have a physical handicap which would prevent them from making use of information in ordinary written or electronic formats, the employer must provide the information concerned in an alternate format accessible by the person concerned.  For example, a legally blind employee could request that an employer provide personal information in Braille.

Alan McEwen is a payroll consultant with 15 years experience in helping employers produce timely, accurate pays, at lower administrative cost.  He can be reached at amcewen@look.ca.