PIPA, PIPEDA, FOIPPA and the Privacy Act… this myriad of legislation can be very confusing when trying to understand an employer’s obligations and an employee’s rights with respect to the protection of an employee’s personal information (i.e., home address, personal email address, birthdate, social insurance number, compensation information, benefits information, etc.). However, this topic is becoming increasingly important in light of recent security events such as the ‘Heartbleed bug’ and other reported security and privacy breaches.
If you are a private sector employer operating within the Province of British Columbia, the most applicable legislation will be the Personal Information Protection Act, or “PIPA” as it is often called. PIPA has several important provisions that restrict an employer’s ability to collect, use and disclose an employee’s personal information without their consent. It also contains provisions requiring an employer to secure and retain information in accordance with PIPA.
From an employee’s perspective, perhaps the most useful provisions in PIPA are those that allow you to gain access to the personal information your employer has collected about you. If requested, the employer must also provide you with a list of the ways your personal information was used and any third parties to whom it was disclosed. All of this must be completed within the timelines outlined in PIPA. This can be a very useful tool for employees, and it is also something that employers must be aware of from a compliance perspective.
In light of the obligations outlined in PIPA, an employer should consider whether they have:
- a person who is responsible for ensuring the employer complies with PIPA;
- a process for employees to use to request access to their personal information; and
- appropriate training for employees so that they are aware of how to deal with personal information within their job duties and so that they understand their rights with respect to their own personal information.
In addition, there are a number of specific recommendations and other best practices that may be developed based on the specific industry and jurisdiction that the organization operates within. If you have questions, from either the employer or the employee perspective, about the privacy legislation and what may apply in your circumstances, you should contact a lawyer to discuss your rights and obligations.
Article written by: Greg Pratch