With privacy and data protection laws in Canada and abroad evolving, these changes serve as a reminder to employers to be more stringent in safeguarding the information entrusted to them, particularly by their employees.
Employers collect a myriad of personal information from their employees, including health details, spousal status, marriage breakdown information and union membership for plan administrative purposes, noted a recent report by Eckler Ltd. So what should employers keep in mind as they navigate this changing legislative landscape?
Last month, Canada’s federal government added reporting and notification obligations for private-sector data breaches in its Personal Information Protection and Electronic Documents Act. Federally regulated organizations have to notify people after a data breach that carries “a real risk of significant harm to the individual” and flag the incident to the privacy commissioner. In May 2018, the European Union rolled out the General Data Protection Regulation, a new standard that carries stricter rules than Canada’s new obligations.
While only federally regulated organizations are required to follow Canada’s new data privacy regulations, it’s still best practice for all organizations to do so in order to avoid potential lawsuits, says Tamara Hunter, associate counsel at DLA Piper (Canada) LLP. “If organizations don’t take some steps to follow [the new laws], they could find themselves not only in hot water with privacy regulators but also being seen as less than trustworthy by consumers or by employees.”
The European Union’s new privacy standard may also apply to Canadian organizations that have current, retired or former plan members who reside in the EU, according to Domenic Barbiero, a principal at Eckler Ltd., in an email to Benefits Canada. “Until recently, when dealing with privacy, Canadian plan sponsors did not have to worry about a plan member’s country of residence. The introduction of the GDPR has changed that.”
The EU’s privacy standard also carries a higher fine than Canada’s new regulations, noted a report by Eckler. Organizations that disobey the EU legislation could pay up to 20 million euros or four per cent of the organization’s total global revenue, whichever is greater. In comparison, organizations that fail to comply with Canada’s data privacy law could face a fine of up to $100,000.
The EU law is also more specific about how long organizations have to report a breach, says Hunter. With Canada’s privacy law, the timing is as soon as feasible, she says, and the privacy commissioner has some leeway on how long is appropriate. But with the EU law, there’s a default requirement for companies to report breaches within 72 hours, unless they can justify taking an extension.
While the EU law is uniform and applies to all member countries, Canada’s privacy framework is fragmented, noted the report by Eckler. British Columbia, Alberta and Quebec are the only jurisdictions with their own private-sector privacy legislation, though health privacy laws exist in Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador.
And even though only federally regulated employers have to follow PIPEDA, it’s still best practice for other employers to follow privacy laws and safeguard confidential information in case of a potential lawsuit, says Hunter.
“There’s a lot involved in the safekeeping of plan members’ privacy, but in my opinion, documentation is key,” said Barbiero. “Documenting the personal information you hold, and the policies and procedures you follow in protecting it, is a very important part of the process.”
There isn’t a magic formula for ensuring data protection, but employers should ensure their systems are resilient in handling the confidentiality of any personal data processed, he said.