British Columbia, Alberta and Quebec have enacted privacy legislation that is substantially similar to PIPEDA. Ontario does not have similar legislation; however, the Ontario courts have recognized that an employee has a common law right of privacy. Alberta, Saskatchewan, Manitoba and Ontario have also passed legislation specific to the healthcare sector and personal health information (collectively, the “Health Sector Privacy Laws”), applicable to individuals and organizations providing healthcare services who may collect, use and disclose personal health information (e.g., doctors and pharmacies).
The basic premise for all of this legislation is that an organization cannot collect, use or disclose personal information about an identifiable individual without the knowledge and consent of that individual. In the context of benefits enrollment and administration, personal information typically includes data such as an employee’s name, home address, phone number and social insurance number, as well as information relating to his or her medical history and existing conditions.
Personal information collected from and about employees can be extremely sensitive, and employers are accountable for how this information is used. Therefore, they must ensure that employees consent to the collection, use and disclosure of such information as required for the purposes of enrolling in and administering benefits plans. Employers can do this by adding language to benefits enrollment and claims forms, and by updating their privacy policies.
Employers must also ensure that adequate security measures are taken to protect personal information, such as retaining hard copies of files in locked cabinets and implementing firewalls and password protection for data stored electronically. Access to personal information should be limited to those who need it for benefits administration purposes, and the information should be retained only for as long as necessary to meet the specific need for which it was collected.
It is becoming increasingly common for employers to retain third-party service providers to administer all or part of their benefits plans. Employees must be notified and must consent to the disclosure of personal information to these parties. And employers must ensure that providers are collecting, using and disclosing this information only for benefits administration purposes, in compliance with applicable privacy legislation. To this end, employers should include language to this effect in the service agreement. They should also request a copy of the provider’s privacy policy and review it carefully. In addition, many employers negotiate audit rights (the right to enter the provider’s premises to audit personal information handling practices) and indemnification in service agreements, in case personal information is mishandled and employees file claims against the employer.
With the fragmented structure of privacy legislation in Canada and the evolution of the common law right of privacy, employers must know their obligations. Not only could they be subject to statutory and common law penalties for breaching an employee’s privacy rights, but such breaches may also give rise to negative publicity and low employee morale. It is critical that employers routinely audit their own personal information handling practices. This is the first step toward ensuring that employee privacy rights are protected and minimizing the risk of improper disclosure.
Trevor Lawson is a partner with McCarthy Tétrault LLP. tlawson@mccarthy.ca