Articles & Publications...
Click once on heading to open, click on heading again to close.
London Free Press
Monitoring Employee Telephone and Internet use in the Privacy Age
In an age where most business communications occurs via computer, what does the Federal privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), have to do with monitoring employee telephone and computer use?
Under PIPEDA, personal information is defined as any information that is identifiable to the individual.
This includes audio recordings of the individual's telephone calls, as well as Internet surfing and downloading activity.
Although PIPEDA does not govern personal information of private sector employees to the same extent as public sector employees, Provincial privacy legislation is slated for introduction later in 2004.
Businesses involved in commercial activities, as well as non-profit organizations, should review the decisions coming out of the Federal Privacy Commissioner for guidance as to the rights and obligations of an employer that wants to monitor its employees’ work performance.
Regarding employee telephone conversations, Canada’s Criminal Code sets out fines and penalties of up to 5 years imprisonment for any individual or company found to have listened or recorded a private communication without consent to such “interception” by the parties.
In one case before the Federal Privacy Commissioner, an employee in a customer service call centre had granted consent to the employer to monitor calls for statistical purposes, as well as measuring and managing workload.
The employee complained to the Privacy Commissioner when the employer notified the employees that there was going to be a change in the policy to use the information collected from the call centre to manage individual performance.
The Privacy Commissioner found that the complaint was not well founded.
The reasons given for the ruling were that, as the employee's work was in the call centre, and consent was already provided to monitor phone calls for statistical and quality assurance purposes, monitoring the same calls for the purpose of evaluating job performance was appropriate.
As well, the Privacy Commissioner found that, as the company had taken appropriate steps to inform employees of the purposes for the call monitoring in its policy at the time of employment, consent to such use was implicit by agreeing to work for the employer.
The other issue raised in the Privacy age is what about monitoring an employee's Internet and email use on company computers.
In wrongful dismissal cases decided by Arbitration tribunals and the Courts, there is an principle emerging that an employee cannot have a reasonable expectation of "privacy" with respect to their Internet and email use on company computers.
For example, in one case, an individual with 14 years service with a company was disputing termination for, among other things, improper Internet use during working hours.
The employer investigated the employee’s claim of 467 hours overtime for a five month period and had found that 328 of those hours had been in personal Internet usage visiting, mostly, pornography sites.
The Arbitrator found that the individual’s use of Internet during work hours was theft of company time and a breach of company rules.
That stated, the case law on discipline and termination makes it clear than an employer must have a written policy for appropriate Internet and email use, which includes a clear statement outlining how and when the company might monitor such usage.
If there is a complaint to the Privacy Commissioner, the company will have to justify the purposes for which surveillance was instituted on an employee and demonstrate its steps to train its staff on its policy regarding appropriate telephone, Internet and email use.
As well, the company may have to demonstrate that a less privacy-invasive measure for achieving the same purpose was considered prior to monitoring employee performance or activity on the Internet.
© 2006 Janet A. Allinson. All Rights Reserved.
[ Top ]London Free Press Article – December 2003
Countdown to PIPEDA Compliance: Step One: Selecting a Chief Privacy Officer
The Personal Information Protection and Electronic Documents Act (PIPEDA) is going to impact every business and organization in Ontario.
The legislation is mandating every business to examine its current practise of handling personal information about its customers or data subjects (if the business is in the business of collecting and marketing or exchanging lists of personal information to or with other businesses).
PIPEDA will require that every business and organization take steps to ensure such information is protected from unauthorized collection, use, disclosure, and retention. It also requires that the information retained be accurate.
A business or organization avoids compliance with PIPEDA at the risk of being subject to investigation and possible court action by the customer or Federal Privacy Commissioner.
This is the first article of a five part series to guide businesses and organizations in the steps needed to be in compliance with PIPEDA when it comes into effect on January 1, 2004.
Becoming PIPEDA-ready requires compliance with the 10 ‘Principles’ of PIPEDA. Accountability is Principle 1. Accountability requires a business or organization to be responsible for personal information under its control.
Accountability requires the appointment of a “go-to” person, or Chief Privacy Officer (CPO), who will oversee the business’s or organization’s personal information handling practice.
The CPO will get the business ready for PIPEDA by conducting an internal audit of its personal information-handling practise.
The CPO will oversee the development of privacy policy and procedure, as well as the policy’s implementation.
Where there is a request for access, or a complaint about the information held by the business, it is the CPO who will handle the request and report to the Federal Privacy Commissioner about its privacy policy and response to the customer, if required.
You can see why selecting the CPO is key to your business’s success in the effective compliance with PIPEDA.
Compliance with PIPEDA is more than simply revising a business’s existing web site privacy policy.
The legislation requires that a business provide its customers and data subjects with the right to consent, or withdraw consent, to the use of their personal information.
Obtaining customer consent to retain and use their personal information will require a well defined policy setting out what information is collected, how it is used, and seeking the customer’s consent, or “opting-in”, to the business’s use as explained.
It is not sufficient to place a box in the small print of a contract, or web site’s privacy policy statement, that says “check this box if you don’t want us to use your information”.
Decisions of the Federal Commissioner have stated that this kind of “opt-out” strategy is not sufficient to enabling the customer to make an informed decision about whether they consent to the on-going or future use of their personal information.
Further, PIPEDA requires that the business grant a customer or data subject access to the information held about them and, if inaccurate, the business is required to make the necessary corrections.
A business may charge a reasonable fee for responding to a customer’s request, but the business needs first to determine what are its costs for retrieving the information, possibly converting the information in a format that is understandable by the customer, and providing a report to the customer.
In some cases, PIPEDA permits a business to set a limit in its response to the customer’s request where the cost to provide such information would be financially burdensome to the business.
At a first glance, it is easy to see why a business might see PIPEDA as a costly make-work project.
This certainly may be the impression with small to medium business owners that cannot afford to dedicate a management person to the role of CPO, as well as the support personnel to carry out the audit, draft policy, and field customer questions and complaints.
There is key message coming from, Anne Cavoukian, Privacy Commissioner of Ontario.
PIPEDA is good for business.
Developing and promoting the protection of your customer’s personal information creates trust.
Customer trust in your business translates into more sales, better customer retention, and more new customer referrals from existing customers.
© 2006 Janet A. Allinson. All Rights Reserved.
[ Top ]LONDON FREE PRESS
PRIVACY PRACTICUM: PIPEDA and the Franchise
(Note: Updated July 2008)
The Personal Information and Electronic Documents Act (“PIPEDA”) came into effect for private sector business and organizations on January 1, 2004.
As organizations involved in commercial activities, franchises that obtain personal information in the course of transactions with consumers are now accountable for the handling of that personal information.
Quebec franchises have been operating under the province’s own privacy legislation since 1994. Similarly, franchises based solely out of British Columbia or Alberta have been subject to privacy legislation enacted in those provinces since 2004. Therefore, regardless of whether a franchise operates locally, regionally or nationally, all are expected to have privacy policies and procedures in place for the proper handling of customer personal information.
As the provincial privacy statutes have been found “substantially similar” to the federal PIPEDA, if your franchise operates out of one of the above-named provinces, refer to the privacy legislation for that province to ensure your privacy policies and procedures are in compliance with that legislation. There is also helpful information from the respective privacy commissioners’ web sites and their links are provided below. For the rest of Canada, PIPEDA sets out 10 Principles that an organizations are required to comply with in order to avoid a complaint being made to the Federal Privacy Commissioner and risking a possible civil law suit at the Federal Court.
For franchisors, the most important – need-to-know – aspect of PIPEDA is the requirement under the Accountability principle for developing privacy policies and procedures and ensuring that its franchisees understand their obligations under the Act and implement similar policies and procedures.
If there is a complaint regarding a franchisee’s handling of a customer’s personal information and it results in an investigation and, ultimately a lawsuit in Federal Court, the Federal Privacy Commissioner will look to the role taken by the franchisor in developing and distributing privacy policies and procedures for its franchisees.
If the franchisor is found to have not fulfilled its obligations under PIPEDA, the franchisor and not the franchisee may be found accountable and liable for any damages arising from the complaint.
If you are a franchisor, then you should already have a Chief Privacy Officer in place, fully up to speed on PIPEDA and ensuring that all staff and franchisees are well supported with the necessary privacy policies and procedures, consent documentation, and confidentiality agreements where applicable.
For franchisees, the most important – need-to-know – aspect of PIPEDA is the requirement to implement the privacy policies and procedures provided by your franchisor.
If you have not received any information on PIPEDA as yet, contact your franchisor and ask what it is doing to be in compliance with the legislation.
If you do have the privacy polices and procedures, and don’t follow them resulting in a complaint – then it may be you as the franchisee who is held accountable and not the franchisor.
Some franchises have their head offices in the United States, so the question arises whether the privacy policy for the U.S.-based franchise will work in Canada.
The simple answer in most cases is no, because American privacy laws, where they exist, are less stringent than in Canada
Among PIPEDA’s 10 Principles, compliance with the Act requires that the franchise set out in a Privacy Policy, the purpose, or purposes, for the use, collection and disclosure of a customer’s personal information.
The Policy should also provide contact information for the franchise’s Chief Privacy Officer if the customer wants access to their personal information or has a complaint regarding the franchisee’s personal information handling practise.
As communication of a franchise’s personal information handling practises is good business, as well as a requirement under the Act, the Privacy Policy should be printed, or posted on the Internet website.
Many retail franchise operations provide simplified versions of the privacy policies by printing a Privacy Statement on a card that can be included in billings to customers, or displayed as a “take one” item at the check-out counter.
For more information about PIPEDA, as well as a helpful diagnostic tool to determine where the franchise is at risk of complaint for not being in compliance with the legislation, refer to the Internet web site for the Federal Privacy Commissioner at www.privcom.gc.ca. Office of the Privacy Commissioner of Alberta: http://www.oipc.ab.ca/home. Office of the Information and Privacy Commissioner of British Columbia: http://www.oipc.bc.ca. Commission d’accèss à l’information du Québec: http://www.cai.gouv.qc.ca/index-en.html.
[ Top ]London Free Press
PIPEDA Compliance – Handling a request for access or complaint
The Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect on January 1, 2004.
PIPEDA will require all Ontario businesses and organizations to handle personal information about its’ customers or data subjects in accordance with the 10 Principles contained in the Federal legislation.
One of the frequently asked questions about PIPEDA is whether this legislation has any teeth.
What obligation does a business have to a customer that requests access to their information or complains about the personal information handling practise of the business?
What happens if the business cannot deliver the information requested by the customer, or it refuses to respond to a customer request or complaint?
In a nutshell, a business or organization that fails to comply with PIPEDA may be at risk of a civil law suit in the Federal court, brought by either the Federal Privacy Commissioner or the disgruntled customer.
According to the legislation, there is no ceiling as to the amount of damages that can be awarded against a business or organization found to have ignored or failed to comply with PIPEDA.
Consequently, it is important that an Ontario business, organization, or fundraising operations to understand its obligations under PIPEDA and take the necessary steps necessary to be in compliance as soon as possible.
The good news is that a business or organization will have several opportunities to be in compliance with PIPEDA prior to it being in serious risk of being brought before the Federal Court.
The first opportunity will be in responding promptly to a request to access a file or complaint.
In doing so, it is important to remember that time is of the essence.
PIPEDA requires that a business or organization respond within 30 days of receiving an access request or complaint.
If more time is required because the information is stored at a remote site, or it is stored in a database that needs conversion so the information is easily legible to the requester or complainant, then an extension of 30 days is permitted under PIPEDA.
At this stage in the process, the Federal Privacy Commission has not become involved.
But, if the requester is dissatisfied with the refusal or request for extension, he or she has the right to escalate the matter to the Privacy Commissioner.
In an investigation by the Privacy Commissioner, the business or organization will be required to produce copies of its Privacy Policy and Procedure, the request or complaint received, as well as any records showing how the business responded to requester or complainant.
If the complaint is found to have merit, the business or organization will be ordered to amend its personal information policy and/or practise to correct its non-compliant conduct.
A business or organization that ignores this direction from the Privacy Commissioner risks a report being prepared, at which time, either the complainant or the Privacy Commissioner may launch a civil law suit.
Aside from the legal penalties associated with a complaint being made to the Privacy Commissioner, PIPEDA gives an organization the 10 Principles to building greater customer trust by instituting and promoting personal information handling practises that respect a customer’s right to have such information handled carefully so that it is not disclosed to another party without their consent.
Customer trust translates to better customer retention and more business. Thus, PIPEDA is good for business.
For more information about PIPEDA, as well as a handy diagnostic tool, the Internet web site for the Federal Privacy Commissioner is www.privcom.gc.ca.
[ Top ]London Free Press
PIPEDA Compliance – Implementation of your Business’s Privacy Policy and Procedure
The Personal Information Protection and Electronic Documents Act (PIPEDA) comes into effect on January 1, 2004.
PIPEDA will require all Ontario businesses and organizations to examine the way they handle personal information about its’ customers or data subjects to ensure such information is protected in accordance with the Federal legislation.
In prior articles we have looked at some of the preliminary steps a business should take to make sure it is in compliance with PIPEDA.
At step one, the business identifies a Chief Privacy Officer (CPO) to be accountable for ensuring personal information handled by the business is in accordance with PIPEDA.
At step two, the business conducts a Personal Information Assessment to determine its sources of personal information and where there may be a risk that its information handling practise is not in compliance with the legislation.
Step three requires the development, or redrafting, of a privacy policy and procedure that is in compliance with PIPEDA.
The fourth, and most important step, is implementation of the PIPEDA-compliant privacy policy and procedure.
Implementation can be summarized in three words: communication, education and follow-through.
Principle 8 of PIPEDA, Openness, requires that the privacy policy and practise of your business be communicated to the public in a format that is easy to understand.
The privacy policy and procedure may be communicated in a variety of ways, whether it is a brochure, a letter to your customers, a toll-free number or access to a web site.
Education of your employees regarding PIPEDA and the privacy policy and procedure of your business will enable your staff to handle requests for information, and any complaints, in a timely and efficient manner.
Principle 9 of PIPEDA, Individual Access, requires a business to provide detail as to what information it holds on the individual, how the information is used, and to where the information is disclosed to another business or organization, upon a request by the individual.
Under PIPEDA, the business has 30 days to respond to a request for access to personal information and, in some instances, a business can deny access where it is overly costly to provide, or the information cannot be disclosed for reasons set out in the legislation.
For these reasons and more, it is important that the CPO ensure that all employees are well educated about the business’s privacy policy and practise. As well, the CPO wants to ensure that the business’s privacy policy and practise is communicated to the public so an individual knows what procedure is required for access to their personal information..
Finally, implementation of your business’s privacy policy and procedure requires follow-through.
Again, the CPO is the point person to review the privacy policy and procedure on a semi-annual to annual basis.
Keep apprised of any changes in the legislation and review the record of requests or complaints received over the review period to determine if the privacy policy and procedure needs some spot revision.
The bottom line to PIPEDA is that the business that can promote itself as PIPEDA-compliant has a marketing advantage over its competitors.
Marketing that personal information is handled in compliance with PIPEDA creates customer trust in your business and customer trust can translate more and better sales.
In short, PIPEDA is good for your business.
Watch for our fifth and final installment in this series, scheduled for Thursday, November 20th.
Step five in the Countdown for Compliance is knowing how to respond to a request for access or complaint from the Federal Privacy Commissioner.
Tag line: Janet Allinson is a member of the Privacy Law and Commercial Litigation groups at Siskinds. For more information about this article or the legal services available at Siskinds, contact Ms. Allinson at 672-2121, or see the website at www.siskindsprivacylaw.com.
[ Top ]Published in the London Free Press
PRIVACY PRACTICUM: Simple Steps to Compliance for Retailers
Is this a familiar scene for you?
You enter a store and when you go to pay for the merchandise the clerk asks for your phone number, or maybe its your postal code?
I went to a florist to purchase a floral arrangement and arrange to have it delivered to a friend that lived in the same city.
After selecting the arrangement and providing the delivery information of the person to receive the flowers, the clerk stated, "I need your name, and phone number for our customer database."
I explained to the clerk that this was a one-time purchase and that I did not want to be in the store's database.
The clerk responded, "I have to have this information to put something in the computer or I can't deliver those flowers."
Perhaps the time was right to move on to another florist down the street or remind the clerk that, under the Personal Information Protection and Electronic Documents Act ("PIPEDA"), the clerk was not entitled to my personal information, nor could she refuse to sell me merchandise or provide services because I would not consent to my personal information being collected.
Instead, I gave the name, "Jane Doe" and the phone number "416-555-1212". The clerk curled her lip at me – she was not impressed and neither was I – especially when I received by credit card receipt and saw my credit card number clearly displayed, along with my name and signature.
As it happened the person who received the flowers, did not immediately recognize who the sender was of the flowers. They called the store and when asked who had sent the flowers, the clerk responded "Jane Doe" – even though the clerk had my name from the credit card receipt.
I told my story at a conference that I was speaking at recently and an audience member shared with the crowd what a pain this Privacy legislation was for small businesses and retailers.
"Business is tough enough as it is" the man said to the sympathetic crowd, I don't have the time or the money to deal with PIPEDA".
This is not the first time I have heard this from retailers and small businesses, but was the retailer correct?
Is PIPEDA too complicated and onerous that it threatens retailers and small businesses?
Does PIPEDA prevent retailers and small businesses from collecting information from its customers as it has done in the past?
What can a business or organization do to find out more information about consumers' rights, and the businesses' obligations, under this legislation?
There are five key steps that a small retailer or business can take today, to bring them in compliance, or at least close-to-compliance, with PIPEDA.
These recommendations are not for retailers or franchisors with multiple stores that maintain a database of all customer data, or any businesses that shares or sells its customers' information to direct marketing companies or other businesses. If your business matches this last description, contact a lawyer that specializes in Privacy law to guide your business through a more comprehensive assessment and crafting of privacy policies.
First step is to read the legislation and understand what the retailer's obligations are under this Act. PIPEDA's 10 principles are not complicated and the Internet web site for the Federal and Ontario privacy commissioners have lots of helpful fact sheets to assist the small business to get up to speed with the legislation.
The second step is to conduct a Personal Information Assessment (PIA). The retailer needs to identify what personal information is being collected about its customers or clients, why such information is being collected, how long the information retained and why, what safeguards are in place to protect that information, and to whom the information s being shared (if any) and why.
The third step - a Privacy Policy or Statement - need not be several pages long, but has to summarize what information is collected, why, confirm that safeguards are in place to protect the information, whether it is shared with other businesses and how it is destroyed when no longer needed. It should also provide contact information of the individual at the business who will handle customer questions or complaints.
I have seen privacy policies and statements that provide this information on a 3-1/2 X 8" card that fits in a display stand at the check out for customers to read or take a copy.
One retailer, a beauty spa, reads a brief privacy statement before taking credit card information for booking appointments or selling gift certificates over the telephone.
The goal is that the customer is informed about the purposes for which the retailer requests the personal information and how it will be handled by the business or retailer if the customer consents to its collection, and the customer knows who to call if they have a question or concern about how their information is handled.
The fourth step is protecting the information collected from the customer from access to that information by other people, as well as from loss or theft.
Sales receipts containing customers’ credit card numbers should be “anonymized” so that, once the transaction is complete, there is no way that another person could obtain that customer’s credit information and use it for their own purposes.
Although many stores have re-programmed their Interact/credit card machines so that the receipt generated from a sale has all or a portion of the credit card number obscured with “X’s” or blank spaces, there are several retailers where this step should be implemented immediately.
The fifth step is to train staff to provide the privacy statement at the time of requesting the information, know how to answer questions about how the information is handled, and who the customer should contact if they have a question regarding their information.
Even with these five steps, PIPEDA may still seem like an unnecessary burden. It may be helpful to know that some business are looking at PIPEDA as an opportunity to grow their customer base by utilizing their compliance with PIPEDA as a marketing vehicle - being the first to advertise their privacy policy. And the alternative is to do nothing, like the florist. Can a retailer afford to remain ignorant about Canada's privacy legislation and be ignorant with its customers?
[ Top ]