Where FOIPP legislation does not apply, do individuals still have a right to know?
Sep 23, 2011
Personal Information Protection and Electronic Documents Act (PIPEDA)
In true consultant-ese, the answer is “that depends”. Even where provincial freedom of information and protection of privacy legislation does not apply, organizations still need to determine if the Personal Information Protection and Electronic Documents Act (PIPEDA) applies.
PIPEDA applies to the personal information collected by organizations that are subject to federal regulation (such as banks, interprovincial trucking, airlines, and communications companies). It also applies to private sector organizations in all provinces and territories except for British Columbia, Alberta and Quebec. (In these three provinces, there are similar provincial statutes that address the issues covered by PIPEDA.)
PIPEDA requires organizations to collect, use or disclose personal information by fair and legal methods, with consent, and only for purposes that are stated and reasonable. Under PIPEDA, organizations are also obliged to protect personal information through appropriate security measures, and to destroy it when it is no longer needed for its original purposes.
Individuals have the right to expect the personal information the organization holds about them to be accurate, complete and up-to-date. That means indiviudals have a right to see it, and to ask for corrections if it is incorrect.
Employees are not treated the same way as customers & clients
By a strange quirk of constitutional law, federal employees have the same rights as customers and clients to have the use of their personal information protected under PIPEDA. However, employee information that is gathered by private sector organizations that are not under the federal jurisdiction, are not protected by PIPEDA, but even this is not the end of the inquiry.
Unionized employees often have a ‘right to know’ what is recorded in their personnel file. Collective agreements frequently have language setting out a process entitling employees to review these documents.
Furthermore, even for those organizations not subject to the application of either FOIPP or PIPEDA requirements it should be noted that these statutes are reflective of societal norms and expectations regarding the collection and use of personal information. We advise our clients to consider establishing practices that parallel the spirit and intent of these statutes to reduce their risk or liability for any damages that might ensue from making poor decisions based on inaccurate information on file, or a inappropriate release of personal information that may lead to damages claims against the employer. Mirroring statutory standards is a means of illustrating due diligence, and helping employees feeling ‘in the know’.