18 FEB 2013

What Every Employer in Ontario Needs to Know – Part 4

Every employer in the province of Ontario has numerous obligations in relation to employment law matters. The following is a summary of some of the more salient ones.

Please note this paper addresses provincially (as opposed to federally) regulated employers with non-unionized staffs. Additional considerations will apply to union situations. The commentary below is intended as a general guide. Specific advice should be obtained to address specific situations.

This is Part 4 of five parts. Please check back regularly for further installments.

(This memorandum is effective as of January 2013.)

4. Personal Information Protection and Electronic Documents Act (Canada) (PIPEDA)

PIPEDA sets out ground rules for the management of personal information in the private sector in Canada. Organizations covered by PIPEDA must obtain an individual’s consent when they collect, use or disclose an individual’s “personal information”. This extends to information of employees. An individual has a right to access his personal information held by an organization and to challenge its accuracy, if need be. Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, consent must be obtained again. Individuals should also be assured that their information will be protected by specific safeguards, including measures such as locked cabinets, computer passwords or encryption.

Employers are responsible to:

• Comply with all 10 of the principles of Schedule 1 to PIPEDA.

• Appoint an individual (or individuals) to be responsible for the organization’s compliance.

• Protect all personal information held by the organization or transferred to a third party for processing.

• Develop and implement a privacy policy and personal information protection practices.

How to fulfill these responsibilities

• Give the designated privacy official senior management support and the authority to intervene on privacy issues relating to any of the organization’s operations.

• Communicate the name or title of this individual internally and externally (e.g. on Web sites and in publications).

• Analyze all personal information handling practices including ongoing activities and new initiatives to ensure that they meet fair information practices.

• Develop and implement a privacy policy and procedures to protect personal information that: define the purposes of its collection; obtain consent; limit its collection, use and disclosure; ensure information is correct, complete and current; ensure adequate security measures; develop or update a retention and destruction timetable; process access requests; and respond to inquiries and complaints.

• Include a privacy protection clause in contracts to guarantee that the third party provides the same level of protection as the organization.

• Inform and train staff on the company’s privacy policy and procedures.

• Make information available explaining its privacy policy and procedures to customers (e.g. in brochures and on Web sites).

Our firm can assist businesses with the development of an appropriate privacy policy and personal information protection procedures.

About the Author
Libby Gillman is, by training, an experienced corporate and commercial lawyer with particular expertise in financial institution incorporation and regulation, banking law and regulation, sophisticated and innovative payment systems, electronic banking products, emerging technology-based financial and other products and services, electronic commerce including Internet law, and legal issues of privacy and security on the Internet.