Privacy legislation places limits on the collection, use and disclosure of personal information, said Michael Wolpert, a lawyer with Osler, Hoskin & Harcourt in Calgary, at the Ontario Club in Toronto yesterday.

It’s important for employers to familiarize themselves with collection, use and disclosure, he continued, because everything revolves around these terms with respect to information. Companies need to know why they’re collecting the information, how it will be used, who it will be disclosed to and for what purpose, Wolpert stressed.

A general definition for personal information is information about an identifiable individual, Wolpert said. But this information can apply to a wide range of data, he said, including name, addresses, birth date, SIN, medical history, religion – even a visual image, if the person is identifiable.

As an employer, keeping employees’ personal information confidential goes without saying, but there’s more to it than that. Employers and companies need to put a system in place in order to deal with privacy issues and the treatment of personal information, said Wolpert.

Kathy Byles, director of compliance for RBC Dexia Investor Services in Toronto, said RBC Dexia considered the following 10 privacy principles to establish its employer and customer privacy policies:

• Accountability
• Identifying the purpose
• Consent from individual to use information
• Limiting the collection of information
• Limiting the use, disclosure and retention of information
• Accuracy–information should be current and up to date
• Safeguarding information
• Transparency–ensure clients and employees know about the policy
• Individual access–individual has the right to see his/her information
• Handling complaints and inquiries

Our employee privacy policy is posted on our internal site, and staff, especially managers, receive online training, said Byles. We also have an ongoing privacy incident reporting and tracking program, she said. “Every employee is obligated to report an error.”

Of 350 decisions from the federal privacy commissioner to date, about 70 are employment- or benefit-related, said Wolpert. Many of the cases highlight the need for companies to have “good governance” practices.

Although employers typically equate governance with pension plans, it can also apply to privacy, said Wolpert. These governance principles include establishing and maintaining appropriate accountabilities, documenting and communicating the programs and processes, reporting and monitoring effectively and easily, and recognizing and managing risk, he said.

“What will you do when there is an incident?” asked Byles. It’s important to act immediately, she said, and have a response plan in place before the incident occurs.

For more information on privacy legislation, go to the Office of the Privacy Commissioner of Canada. www.privcom.gc.ca.

To comment on this story email brooke.smith@rci.rogers.com.