The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Sunday, June 21, 2009
Labels: employment, privacy
Thursday, May 28, 2009
I was invited to co-chair and present at the Canadian Institute's "Meeting Your Privacy Obligations" conference in Toronto. My presentation was specifically about managing privacy in the workplace, which is below if you're interested.
Here's a link if Google Docs aren't giving you due respect: Managing Privacy in Employee Relations
I have to say it was one of the best conferences of its kind that I've been to recently. The stellar speakers included Federal Privacy Commissioner Jennifer Stoddart, Alberta Information and Privacy Commissioner Frank Work and fellow bloggers Brian Bowman and Dan Michaluk. (Note: If you're reading my blog, you'll find theirs to be equally interesting and useful. So after you've read all my postings, head over there ...)
Labels: employment, facebook, media-mention, presentations, privacy, vanity, workplace
Wednesday, November 26, 2008
While my blog was down, I wrote on slaw.ca about an interesting story from Nova Scotia that made national news. For those who missed it on slaw, here it is:
Slaw: Pre-employment screeningA recent story from Nova Scotia has focused a lot of attention on pre-employment screening and the use of polygraphs. Hopefully, it will encourage a larger discussion on both sides of the issue.
According to media reports, anybody applying for a job that falls within the purview of the Halifax Police Service and Fire Service is required to pay for a polygraph examination that includes a range of questions, some of which have been considered to be objectionable. (See the full questionnaire here (pdf).)
Others have objected to the use of a polygraph, as many assert it is not a reliable indicator of
truthinesstruthfulness. (If you want a refresher on how Canadian courts are to treat polygraphs, check out R. v. Béland, 1987 CanLII 27 (S.C.C.)).The media coverage has been plentiful, from the local papers to CBC's The National (Quicktime). The former FOIPOP Review Officer has made his thoughts known (Ex-watchdog: Ditch polygraphs) as has his successor Dulcie McCallum (Nova Scotians deserve same privacy protection as others).
Any debate and discussion is a good thing. It should, hopefully, focus the mind on one of the principes of privacy best practices that appears in almost every public and private sector privacy law: only collect information that's reasonably necessary for the (reasonable) purposes. If it's not necessary or not reasonable, don't collect it. Other important principles to consider: who has access to the information, how is it used and how long is it kept around?
And now for something
completely differentsomewhat relevant, yet inadmissible:
Here's CBC The National's report:
Labels: employment, privacy
Thursday, April 24, 2008
I'm not sure how I feel about this. Apparently, MasterCard is introducing a feature for corporate cards that allows employers to set very strict parameters on spending. Economy class? Ok. Business class. Nope. HoJo's? Ok. Strip clubs? Not so much. The card also has detailed reporting that allows employers to keep close tabs on spending.
If an employee is spending the employer's money, it makes sense that the employer can set parameters on it. Business Week's article (You've Been Pre-Rejected) on the topic suggests that it smacks of big brother, but a lot of thinking about privacy depends upon peoples' expectations. If people understand what information is being collected and how it will be used (and it is reasonable), it is less likely that whatever is at issue will be seen as an invasion of privacy. Employees who use a corporate card where they know that the bill goes to the employer first can't reasonably be surprised if their employer gets upset over use of the card that does not fit within company policy. If employees know that the employer can set strict controls on the use of the card, I don't see the problem. If employees similarly are informed that the employer can see the bill in detail, it shouldn't be a problem.
Where the problems arise (and I'm sure they will) is that employers will use this product without telling the employees. The surveillance will be covert, which is much more pernicious and DOES lead to the big brother syndrome. You don't know when you're being observed and thsi leads to mistrust and insecurity. And it can also backfire: if an employee does not feel trusted, many will not act trustworthily (if that's a word!).
The product is also being touted as a tool for parents to keep track on kids' spending. Again, if you're spending someone elses' money they probably have a right to control how it is spent. But similarly, they'll have to make sure that their kids' expectations are tempered by the knowledge that Big Father (or Big Mother) is watching.
At the same time, I think the new MasterCard feature can be a benefit for privacy. Your (personal) credit card number and your (personal) credit card account are your personal information and you have a right to know how it is being used. I'd pay extra for a card that sent me a text message to advise of each charge. I'd be immediately alerted to any fraudulent use of the card and would be in a much better position to protect my own personal information. Whether this will be demanded as a card feature remains to be seen. But it is an example of a technology that can be intrusive and a boon to privacy at the same time. It depends upon how it is used and whether the user knows all about its features.
Labels: employment, privacy, workplace
Saturday, January 12, 2008
From Alberta:
Commissioner rules reference check was in compliance with Personal Information Protection ActJanuary 8, 2008
Commissioner rules reference check was in compliance with Personal Information Protection ActInformation and Privacy Commissioner, Frank Work, has determined that information collected in an employment reference check was in compliance with the Personal Information Protection Act (PIPA).
An individual had complained that a former employer had disclosed information not related to her job to a prospective employer in contravention of PIPA and that the prospective employer had collected the information in contravention of the Act. The individual also complained that the former employer had not responded to her request for her personal information.
Following an inquiry into the matter, the Commissioner determined that the information collected in the reference check was personal employee information as defined in PIPA and that no unrelated personal information about the individual was collected. The Commissioner found no evidence that personal information, aside from work related information, had been disclosed or collected.
The Commissioner did find, however, that the former employer did not properly respond to the Complainant’s request for her personal information and has ordered the former employer to respond to that request.To obtain a copy of Orders P2006-006 and P2006-007, visit our website, http://www.oipc.ab.ca/.
Labels: alberta, employment, pipa, privacy
Tuesday, October 30, 2007
Yesterday, I spoke at the McInnes Cooper labour and employment group's annual conference. It's been going on for years, but it was my first time to attend. I was greatly impressed with the turnout of more than two hundred attendees.
I gave a presentation on privacy and pre-employment screening, which is here: Pre-employment screening.
Labels: employment, presentations, privacy
Tuesday, April 10, 2007
OIPCApril 10, 2007
EPCOR Utilities Inc. found in compliance with Personal Information Protection Act
The Office of the Information and Privacy Commissioner has found that EPCOR Utilities Inc. (EPCOR) complied with the Personal Information Protection Act (PIPA) when it collected, used and disclosed personal employee information without consent. EPCOR’s collection, use and disclosure of the employee’s personal information was also found to be reasonable for purposes of an investigation.
The complainant, an EPCOR employee at the time, took a leave of absence from EPCOR. Shortly thereafter, EPCOR received unsolicited information suggesting the complainant was about to begin work for another company. EPCOR contacted the other company to verify the complainant’s alleged employment there. The complainant complained that EPCOR collected, used and disclosed his personal information without consent.
The Investigator found that EPCOR had collected, used and disclosed the complainant’s personal information to investigate a possible contravention of the complainant’s employment agreement. As such, consent was not required.
Further, the Investigator found that the information qualified as personal employee information under PIPA: the information was reasonably required to manage the complainant’s employment relationship with EPCOR, and consisted only of information related to that employment relationship. The complainant was notified at the time of hire that his personal information could be collected, used or disclosed for investigation purposes. As such, EPCOR did not require consent to collect, use and disclose the complainant’s personal employee information in these circumstances.
For more information about investigation report P2007-IR-004, please visit our website at: http://www.oipc.ab.ca/
Labels: alberta, employment, pipa, privacy
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.