Since January 2001, Canada has protected individuals' personal information handled by federally regulated private sector organizations including inter-provincial trucking. Effective Jan. 1, 2004, thes...
Since January 2001, Canada has protected individuals’ personal information handled by federally regulated private sector organizations including inter-provincial trucking. Effective Jan. 1, 2004, these rules will be applied to private sector organizations that are provincially regulated. But not every fleet operator is aware of or prepared for the impact of this federal legislation, known officially as the Personal Information Protection and Electronic Documents Act (“PIPEDA”).
At PMTC’s 2001 annual conference, Christopher Andree from the law firm of Crawford, Chondon & Andree LLP, explained that PIPEDA provide a glimpse of what the future held for provincially regulated employers. Well, the future has just arrived. The underlying rule of PIPEDA is that an individual’s personal information should not be collected, used or disclosed without that individual’s consent. The provinces were given until Jan. 1, 2004 to implement their own “substantially similar” legislation, in the absence of which PIPEDA will apply to provincial operations where personal information is being handled in the course of commercial activities. An example of when personal information might be the subject of a commercial activity would be when it is disclosed by the employer to a health care/benefits provider, to a payroll company, to a consultant engaged by the employer, or in the course of selling the business.
Not many provinces have taken steps to enact “substantially similar”privacy legislation, so in many cases the PIPEDA Act will apply as of Jan. 1. Exceptions are Qubec,with legislation since 1994, British Columbia, which has legislation in place (although there is some question regarding whether it is deemed “substantially similar’ to PIPEDA) and Alberta, which at the time of writing expected to have legislation passed by January 2004. With so many provinces subject to PIPEDA, many companies – and their fleet managers – will need to reconsider the way they handle employee’s personal information.
Among other PIPEDA requirements, organizations must protect personal information with security safeguards appropriate to the sensitivity of that information. Personal information such as financial and health information, should be protected by security measures which could include locked file cabinets, computer passwords, or other means that will prevent access by casual observers. Other types of employee records also need to be protected to deny access to casual observers. For example, if your federally regulated fleet is one that still keeps its driver records in a drawer in the driver supervisor’s office for ready access, you might be required to ensure that the drawer is locked, and that only authorized personnel have access. Keeping those records handy for the transportation department may be expedient, but keeping them safeguarded is the law.
PIPEDA also requires the employer to ensure that third parties, to which employee personal information is disclosed, will protect this information. These assurances could take the form of a written agreement between the company providing the information and the third party. The agreement should also include the provider’s right to audit the handling of the personal information by the third party from time to time. An interesting reversal of the normal organization to third party information flow comes about when a driver or personnel supply agency provides information about its employees to clients. The agency/employer must ensure that its clients safeguard the personal information in a manner compliant with the Act. As for compliance, Chris Andree and Laura Williams of Crawford Chondon & Andree agree many federally regulated companies are still not in compliance with PIPEDA, and most provincial companies are not prepared to comply in time. This may be because enforcement is complaint driven, which gives organizations additional time to get their houses in order.
Michael Geist of the law firm of Osler Hoskin & Harcourt LLP has suggested that while “PIPEDA contains penalty provisions that establish the potential for both actual and punitive damages, the most powerful weapon in a privacy commissioner’s arsenal is public disclosure of non-compliant organizations.” But that doesn’t often happen. Mr. Geist goes on, saying “…the Federal Privacy Commissioner has been unwilling to name names” in decisions issued by the Privacy Commissioners’ office. Without the threat of public exposure, Mr. Geist theorizes, “privacy laws alone are not sufficient to ensure good privacy practices.” A scan of the commissioner’s Web site confirms the statement – company names are absent from the reports on decisions. Whether stringent penalties are applied or not, the new world of privacy protection demands that every fleet manager become fully aware of the new rules and take steps to ensure that they are compliant. One of those steps might well be to seek professional advice from a practitioner who thoroughly understands the new legislation.
-The Private Motor Truck Council of Canada is the only national association dedicated to the private trucking community. This column presents opinions on trucking issues from the perspective of private carriers. Comments can be addressed to email@example.com