TORONTO, Ont. – Effective Jan. 1, every provincially-regulated private sector organization that handles personal information in the course of commercial activities became regulated by the Personal Information Protection and Electronic Documents Act (PIPEDA).

The act, passed by the federal government, requires organizations to obtain consent before handling the personal information of individuals. It came into force for federally regulated companies in Jan. 2001.

So what’s new for the trucking industry, given that many carriers are federally-regulated and have already grown accustomed to locking up driving records and getting consent before they give a reference to someone considering hiring one of their drivers?

Here’s what’s new: many driving schools, agencies and third-party service providers (accounting, payroll etc.) are not federally-regulated and may therefore have to get used to applying a whole new set of rules when it comes to how they deal with personal information.

And federally-regulated carriers, assuming they’re already compliant with the new rules, have to make sure they’re dealing with companies who deal with the information in accordance with the new law.

“The issue is especially of interest to third-party providers,” says Laura Williams, a partner with Crawford, Condon and Andree LLP, a management-side labour and employment law firm, with clients in the trucking industry. “Driving schools and placement services for example have to make sure they have the consent of their students before they issue information about them to potential employers.”

Personal information that can legitimately be shared without fear of breaking the privacy rules basically consists of what you’d normally find on a business card – name, title, phone number at work, work e-mail address, company name and that’s about it.

But for all else, it’s generally best for a company to get written consent from the person whose information is being given out, given the slippery nature of how “implied” consent can be interpreted.

Consider the case of an airport employee who complained her employer improperly disclosed her personal information to three third parties (including two union reps) by sending them copies of a request she’d sent the company, asking for access to her personal information file. (The law also makes it mandatory for employees to have access to the personal information that their employer has gathered, as well as a full accounting of what the employer has done with it.)

The employee did not explicitly consent to having her request for information from the company sent to these third parties, and the privacy commissioner found in the woman’s favour.

“This conclusion gives rise to questions of how the privacy commissioner will rule respecting exchanges and disclosures of personal information between trade unions and employers,” Williams wrote in a report to the Ontario Bar Association Institute on the impact of private sector privacy legislation on the workplace.

The paper also describes complaints to the commission about employers refusing to supply personal information files to employees or failing to supply them within the established 30-day time limit.

And the report describes still another complaint to the commission which sprang from a group of employees who felt they were being pressured into consenting to a security clearance check.

The check involved a criminal record check for employees with 10 years of service or more, and a full background check for employees with less than 10 years of service.

The commission ruled in the company’s favour in this case, concluding the request for information was reasonable given the enhanced concern over possible acts of terrorism.

(Chances are that means drivers who refuse to undergo criminal background checks won’t have much of a leg to stand on if they decide to make a complaint.)

Video surveillance was another issue raised in Williams’ paper – something owners of yards where trucks and containers are parked will be interested in.

PIPEDA case 114 relates the story of a railway employee who objected to the use of video surveillance equipment. The commissioner concluded the employee’s complaint, that the video surveillance equipment was improperly collecting personal information, was well founded.

This despite the employer’s claim the digital surveillance equipment had been installed in the company’s yard to stem vandalism and theft, liability for property damage and threats to staff safety. The employer even informed employees about the existence of the cameras and their purpose, and even provided details about the camera locations.

But the commissioner ultimately decided that, given the relatively minor incidents of vandalism that the company had encountered, the employer failed to demonstrate the existence of a “real, specific problem, only the potential for one.” The commissioner also concluded that, even though the cameras were not pointed towards work areas, it might be possible to identify an individual during the day, and that the presence of the cameras could give rise to the perception among employees of an invasion of privacy.

The commissioner also suggested that the employer might find a better way of addressing concerns over staff safety, such as installing better lighting in the parking lots.

The above cases demonstrate quite clearly that privacy legislation isn’t just about locking up your employees personal information files and making sure you get written consent to give references over the phone.

And chances are many federally regulated companies who think they’ve been compliant ever since the rules for them were implemented in Jan. 2001, are not.

“In his 2001-2202 Annual Report, the Commissioner concluded that many federal organizations are not aware of the scope of their obligations under PIPEDA,” reads Williams’ report. “Respecting privacy compliance in the employment context, the commissioner specifically commented, ‘it appears not to have occurred to such organizations that, in the everyday course of business administration, they also handle a great deal of personal information about the individuals who work for them.'”

So how can companies comply?

According to Williams’ report, employers need to implement the following strategies:

Become familiar with the scope and definition of personal information;

Designate an individual or group to be in charge of privacy compliance;

Conduct thorough reviews and audits of all personal information held and managed by the organization;

Identify the purposes for which personal information is collected and managed (e.g. drivers’ health records, their drivers’ abstracts, their criminal records, etc.);

Ensure that up-front consent is obtained from employees as extensively as possible (you know you have to get their consent to obtain a criminal background check, but did you know you have to get their consent before you forward this information to someone else, unless it’s an enforcement official?);

Establish policies and practices that incorporate the principles under Schedule 1 of PIPEDA ( see Web address below) and provide a process for individuals to request access to their personal information and to resolve complaints (companies are required to create an internal grievance process, which the complainant must appeal to prior to making a complaint to the Commissioner);

Ensure that third parties (payroll services, driving schools, placement agencies, trade unions, etc.) have obtained consents where required, before disclosing personal information to the organization.

For further information on how PIPEDA affects the workplace and to read the legislation itself, visit http://privacyforbusiness.ic.gc.ca/epic/internet/inpfb-cee.nsf/vwGeneratedInterE/Home

HUMAN RIGHTS TRIBUNAL OKAYS DRUG TESTING

TORONTO, Ont. – The Canadian Human Rights Tribunal has found that drug testing for employees in the road transportation sector is acceptab
le for promoting road safety.

The decision is the result of a challenge brought forward by a coach driver who failed a pre-employment drug test, reports the Canadian Trucking Alliance (CTA). (A negative result was necessary for the company to be able to use the driver in U.S. work.) Even though the driver had been employed by the company for several years, a pre-employment test was required to transfer him to the U.S. DOT regulated pool, a requirement under the U.S. rules to qualify him to drive in cross-border work.

The complainant alleged that he had been discriminated against because the company perceived he was dependent when they terminated his employment after a positive drug test result. The Canadian Human Rights Act prohibits employers from discriminating on the basis of a disability. Drug and/or alcohol dependency is included under the definition of a disability.

In its decision, the tribunal held that the driver did not suffer from a disability, or that he was perceived to be disabled by his employer. The tribunal also looked at whether the absence of drug metabolites is a bona fide occupational requirement for bus drivers in light of the Supreme Court’s three tests, and in part, concluded that:

The employer’s goal to promote road safety by preventing driver impairment is connected to the business of providing bus transport;

The company satisfied the good faith requirement, given the need to comply with U.S. requirements and the lack of direction from Transport Canada;

Urine testing does assist in identifying drivers who are at an elevated risk of accident;

The presence of a drug testing policy will serve to deter at least some employees from using alcohol or drugs.

In assessing the company’s policy with respect to individuals who test positive either in a pre- or post-employment situation and have a problem, the tribunal found that the employer has a duty to refer them for assessment and accommodate their problem up to undue hardship.

Also significant in the decision is the fact that the existing drug testing policy developed by the Canadian Human Rights Commission was deemed to be virtually irrelevant. The tribunal confirmed that the Commission’s policy on testing was not binding on their review of the case, and noted that its policy “is nothing more than a statement of the Commission’s opinion on the issue of drug and alcohol testing, an opinion that the Tribunal may agree with or not as it sees fit.”