Protecting Personnel Privacy

Avatar photo

Businesses have long needed to collect personal information for a number of reasons, such as to pre-screen job applicants, register for benefits plans, or comply with regulatory requirements.

But the Personal Information Protection and Electronic Documents Act (PIPEDA) is now placing a litany of restrictions on the way these details can be gathered, used and stored.

For example, every Canadian company needs to ask for permission (usually in the form of a signed consent clause) when gathering, using or disclosing personal details, according to the Federal Privacy Commissioner. Each individual, meanwhile, retains the right to access their information, and challenge its accuracy.

“As long as you have an individual’s consent to collect, use and disclose personal information – and are using it for the purpose you advised and informed them it would be used for – you’re not offside as long as those requests are reasonable,” says Laura Williams, a labor expert with Crawford, Chondon and Andress LLP.

But there must be a specific need for each piece of information.

Consider an early test case involving a truck driver who was terminated after refusing to give his employer a copy of a registration form that had been completed for the Canada Customs and Revenue Agency’s Customs Self-Assessment Program.

“This particular driver accepted that he had to provide the form to Customs, but he wanted to provide it directly. He didn’t want his employer to have access to the personal information,” a former federal privacy commissioner said, referring to the case. “The company told the driver, ‘Return the form to us or we terminate your employment.’ And that’s how it ended.'”

But the driver had to be re-instated because the information had to be limited to a specific purpose.

“It was Customs that needed the form, not the employer. As long as it was returned to Customs, there was no need for the information to be returned to the employer,” he explained.

While the Act does not protect an individual’s name, title, business address or telephone number, it does apply to:

* age, ID numbers, income, ethnic origin, or blood type;

* opinions, evaluations, comments, social status, or disciplinary actions;

* and, employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, or intentions (for example, to acquire goods or services, or change jobs).

The rules that have applied to all Canadian businesses since Jan. 1, 2004 may also encourage fleets to gather as little personal information as possible, lowering the cost of storing and retaining data, and limiting the risk of inappropriate disclosures.

“The more sensitive the personal information, the more protective or better safeguards you have to have in place,” Williams adds, referring to details such as the results of drug tests.

In an age of electronic data, files also need to be protected by more than a locked cabinet. Electronic data will need to be protected by passwords, firewalls and encryption systems, and access should always be limited to people on a need-to-know basis.

So too should a fleet set a timetable that identifies when the information can be destroyed or erased by shredding paper or deleting electronic files, Williams says.

Meanwhile, a fleet’s policies and procedures need to reflect the promises made in the consent clause.

“I do see a lot of organizations grabbing onto any privacy policy available, and just adopting it and slapping it on the wall, or distributing it to individuals,” she explains. “But it doesn’t reflect the practices that are in place… you’ve got to make sure the practice truly reflects the policy.”

A fleet’s dedicated privacy officer who oversees the procedures also needs to be seen as having the authority to ensure the organization doesn’t run afoul of PIPEDA rules.

If there is a complaint, meanwhile, record its date and nature, and assign the matter to someone who can review it impartially, the Federal Privacy Commissioner adds.

After all, it’s a personnel matter that deserves special attention.mt

For more information, contact the Office of the Privacy Commissioner of Canada:

112 Kent Street

Ottawa, Ontario K1A 1H3

Telephone: (613) 995-8210

Toll-free: 1 (800) 282-1376

Fax: (613) 947-6850

Web site: www.privcom.gc.ca

E-mail: info@privcom.gc.ca

The Canadian Trucking Human Resources Council (CTHRC) is an incorporated non-profit organization with a volunteer Board of Directors that is representative of stakeholders from the Canadian trucking industry. With the conviction that the best human resources skills and practices are essential to the attainment of excellence by the Canadian trucking industry, the mission of the Council is “to assist the Canadian trucking industry to recruit, train and retain the human resources needed to meet current and long-term requirements.”

For more information, go to www.cthrc.com.

Avatar photo

Truck News is Canada's leading trucking newspaper - news and information for trucking companies, owner/operators, truck drivers and logistics professionals working in the Canadian trucking industry.


Have your say


This is a moderated forum. Comments will no longer be published unless they are accompanied by a first and last name and a verifiable email address. (Today's Trucking will not publish or share the email address.) Profane language and content deemed to be libelous, racist, or threatening in nature will not be published under any circumstances.

*