© Copyright 2000 Rogers Media. The following article first appeared in the January 2001 edition of
BENEFITS CANADA magazine.
Privacy protection
Stringent new privacy legislation extends control to plan members. Plan sponsors and providers need
to keep an eye on this new law.
By Evan Howard
Technology has greatly increased the speed and ease with which information can be retrieved and distributed.
With the click of a button, personal information can now be accessed, copied and sent to any number of
parties around the world. This advancement has made privacy a growing concern among both employers and
employees.
Many Canadians are worried about how their personal health and financial information is handled, and no
single industry has greater access to this information than the pension and benefits sector. There is a
tremendous flow of sensitive data between employers and third-party providers and consultants.
Legislators are acknowledging the increased need to protect the privacy of individuals in our highly
connected world. The most sweeping legislation to impact the pension and benefits sector on the privacy
front is the federal government's Personal Information Protection and Electronic Documents Act, known as
Bill C-6. It outlines how personal information can be used and distributed in a business context, and gives
individuals more control over the information they provide to plan sponsors and third-party providers.
Passed last April, the Act came into effect on Jan. 1 for federally regulated organizations. Its stated
intent is "to establish . . . rules to govern the collection, use and disclosure of personal information in
a manner that recognizes the right of privacy of individuals with respect to their personal information and
the need of organizations to collect, use or disclose personal information for purposes that a reasonable
person would consider appropriate in the circumstances."
The new legislation is being phased in over a period of three years and will eventually apply to both
federally regulated firms (including banking, broadcasting, telecommunications and interprovincial
transportation) and provincially regulated organizations. However, there is a provision that allows Ottawa
to exempt provincially regulated organizations if the province establishes similar legislation.
Quebec already has its own legislation and Ontario recently drafted new rules governing privacy that are
expected to be passed in the near future. Other provinces are also looking at implementing similar
legislation. It's safe to say that within the next few years, most employers, third-party pension and
benefits providers and consultants across Canada will be subject to some form of privacy legislation.
The Act could have a profound impact on how plan sponsors handle the health and financial information
(including salaries) of plan members. Not surprisingly, it has heated up the privacy debate.
The Act imposes an entire administrative framework around how personal information is collected, used and
disclosed. The major development that is raising concern surrounds consent. The Act legislates the need for
consent, giving the individual the right to determine when and how his personal information is used and
collected, to whom it has been disclosed as well as the right to access and amend the information. This
could be onerous for employers, providers and consultants.
The framework for the Act is based on the 10 principles of privacy protection spelled out in the Canadian
Standards Association (CSA) Model Code for the Protection of Personal Information (see "The 10 pillars of
privacy," below). In fact, the CSA Model Code is incorporated as a schedule to the Act, turning what was
intended as a voluntary guide into an obligatory code. The CSA Model Code is also likely to form the
backbone of any provincial privacy legislation.
In the first phase, starting Jan. 1, 2001, the Act's application is restricted to federally regulated
organizations and all interprovincial and international disclosure of personal information. On Jan. 1,
2002, the definition of personal information expands to include health information. The Act will be fully
phased in on Jan. 1, 2004.
CONSENT CONUNDRUM
The right to privacy is a laudable objective, but meeting its requirements will pose a challenge for many
employers and benefits and pension providers given the awkward and ambiguous nature of the legislation. The
fact that the CSA Model Code was originally drafted as a voluntary code does not help either.
One of the cornerstones of the CSA Model Code incorporated into the Act is the requirement that consent be
obtained before information is collected, used or disclosed by an individual organization. In certain
situations, this consent can be implied if the information is not sensitive. However, the Act suggests that
in most situations, financial and health information will be considered sensitive.
In a pension and benefits context, most of the personal information that is used or collected relates to
the personal financial and health information of plan members. This suggests that express consent must
always be obtained in a pension and benefits context, unless the organization can show that it is reasonable
to do otherwise.
Blanket consents could be obtained as a possible solution. The problem with this approach, though, is that
an organization must identify the purposes for which the information will be used and limit collection to
comply with these purposes. In addition, the organization must take reasonable efforts to advise the
individual how the information will be used. The effectiveness of a blanket consent in such circumstances
is clearly questionable.
The Act also implies that consent must be informed. This raises the question of how much information must
be provided to an individual. For instance, when employers collect benefits-related information, do they
have to specify which provider or consultant it will be given to? And what happens if the party is changed
in favour of another? It seems unreasonable to expect that a new consent should be obtained. The problem of
obtaining consent is compounded by the fact that there is no grandfather provision in the Act to cover an
organization's existing collection of personal information.
ASSIGNING RESPONSIBILITY
Another dilemma is determining which party needs to obtain consent. In most situations, the employer would
normally collect personal information such as the employee's age, social insurance number, spousal and
direct deposit information as well as birth date. This information is then disclosed to various providers
and consultants along with other personal information, including length of service and salary.
Some of this information may also be disclosed back to the employer, who may keep it on record.
It's unclear under the Act whether both the employer and the third party need to obtain consent, or if the
provider or consultant can rely on the consent obtained by the employer or vice versa.
The Act suggests that when information is transferred between parties for processing, such as from a plan
sponsor to a consultant, the transferor remains responsible for the information and must obtain contractual
assurances that it will be protected.
Are the terms "transferred" and "processed" any different from "disclosed" and "used" under the Act?
Perhaps the answer depends on whether the consultant or provider is acting as an agent on the employer's
behalf. However, these parties may not always act in such a capacity.
PARENTS AND AFFILIATES
Another problem involves the Act's definition of organization. The term appears to refer to a single legal
entity. Yet many employers today are part of a group of companies and employee information is processed by
the parent company.
A literal reading of the Act would suggest that a transfer of employee information among companies
operating under one parent firm would be a disclosure. Perhaps if it could be shown that a parent or
affiliated company is acting as an agent, this would not constitute a disclosure.
Parent companies are often not located in the same province--and sometimes even the same country--as the
subsidiary. This could also be the case with providers, where branch offices in different jurisdictions
provide various components of service to employers.
This raises jurisdictional issues. For instance, the same information may be subject to different legal
requirements. In addition, the issue highlights the difficulties an organization may have in fulfilling its
obligation, when requested, to inform individuals to whom personal information has been disclosed.
The Act, and in particular the CSA Model Code, is likely to be the foundation for any provincial privacy
legislation. Accordingly, all of the pitfalls outlined could arise at the provincial as well as federal
level as governments across Canada enact their own privacy legislation. Hopefully, however, some of these
concerns may be clarified in provincial legislation, or simply over time.
Ontario, for instance, has released a consultation paper on its proposed privacy legislation that appears
to address some key concerns. It suggests that there could be sector codes with distinct rules that apply
to different types of information. Employee records are listed as one example. Another proposal is an
express provision to allow the outsourcing of data processing without further consent.
Regardless of these provisions and any future clarifications, complying with new privacy legislation will
be a challenge for many parties in the benefits and pension business. The sector as a whole needs to start
thinking carefully about the personal information it holds and how it's used.
Every time personal information is received or disclosed, employers, providers and consultants must ask
themselves whether it is protected by privacy legislation, if the individual's consent is required and if
appropriate safeguards have been put in place.
Evan Howard is an associate practising pension and benefits law with Stikeman Elliott in Toronto.
ehoward@tor.stikeman.com.
*** ***
The 10 pillars of privacy
The CSA Model Code, as incorporated by Ottawa's Personal Information Protection and Electronic Documents
Act (Bill C-6), establishes 10 basic principles of privacy protection. They are:
1. Accountability. An organization is responsible for personal information under its control and must
designate an individual or individuals as accountable for compliance.
2. Identifying purposes. The purpose of collecting personal information will be identified by the
organization at or before the time information is collected.
3. Consent. The knowledge and consent of the individual are required for the collection, use or disclosure
of personal information, except where inappropriate.
4. Limiting collection. The collection of personal information must be limited to what is necessary for the
purposes identified by the organization.
5. Limiting use, disclosure and retention. Personal information must not be used or disclosed for purposes
other than those for which it was collected, except with the consent of the individual or as required by
law. Personal information shall be retained only as long as it takes to fulfil those purposes.
6. Accuracy. Personal information must be as accurate, complete and up-to-date as is necessary for the
purposes for which it is to be used.
7. Safeguards. Personal information will be protected by security safeguards that are appropriate to the
sensitivity of the information.
8. Openness. An organization will make specific information about its personal information management
policies readily available to individuals.
9. Individual access. Upon request, an individual will be informed of the existence, use and disclosure of
their personal information and given access to that information. An individual will also be able to
challenge the accuracy and completeness of the information and have it amended.
10. Challenge and compliance. An individual must be able to address a challenge concerning compliance with
the principles to the designated individual or individuals accountable for the organization.