Canadian Privacy Rights and Legislation

Questions and Answers

Canada's original privacy legislation primarily addressed personal information held by entities other than governments.

False (B)

The BC Freedom of Information and Protection of Privacy Act was enacted in 1994, preceding Alberta's similar legislation.

False (B)

In British Columbia and Alberta, the statute covering personal information in the private sector is called Personal Information and Electronic Documents Act (PIPEDA).

False (B)

The BC Privacy Act, enacted in 1968, recognizes a common law privacy tort similar to that recognized in Ontario courts.

False (B)

The FIPPA in British Columbia and Alberta applies to provincial government ministries, Crown corporations, and local governments.

True (A)

An organization must always obtain explicit consent from an individual before collecting their personal information, without exception.

False (B)

Organizations must obtain new consent that authorizes the new disclosure before disclosing information to third parties.

True (A)

An individual may only file a complaint with the privacy commissioner if an organization refuses to provide information.

False (B)

The Office of the Privacy Commissioner of Canada (OPC) both oversees the operation of PIPEDA and has the power to make binding orders.

False (B)

The OIPC only has the power to make binding orders, it does not have powers of disclosure.

False (B)

Section 60 of the Alberta Personal Information Protection Act (PIPA) is identical to section 57(1) of the BC Personal Information Protection Act (PIPA).

False (B)

Under British Columbia's Personal Information Protection Act (PIPA), there is not an exception for organizations to to collect employee personal information without the consent of the individual.

False (B)

An employer has the right to keep the collected employee personal information forever.

False (B)

In all Canadian jurisdictions, the Office of the Information and Privacy Commissioner (OIPC) is allowed to order a matter to be resolved by mediation.

False (B)

In R v Cole, the Supreme Court stated that an employee does not have a 'reasonable expectation of privacy' on a company device, even without employer monitoring policies in place.

False (B)

In the case of Tally-Ho Motor Inn, the privacy commissioner agreed that the employer had disclosed a workers personal information, however he commissioner made note it was very serious and declined to any order.

False (B)

The privacy commisioner considered this to be unreasonable given that information about how well people are doing their assigned activites are not 'employee personal information'.

False (B)

Having contravened Alberta's PIPA, Cardinal Coach Lines was ordered by the Alberta OIPC to continue disclosing personal information about the complainant driver.

False (B)

A bus driver was required to submit his medical records in order to be considered an employee at Cardinal Coach Lines.

False (B)

In the Poliquin v Devon Canada Corporation case, it was found the employer was not justified in the use of monitoring the activities of the employee.

False (B)

With the software, Spector 360 primarily did not copy any emails.

False (B)

In the BC case of TeBaerts v Penta Builders Group, which included a privacy claim, it was found there was in act an invasion of privacy, contributing reasons for dismissal.

False (B)

The AtWell report indicates that it is fine to set the parameters of a persons voice.

True (A)

If not done well enough, having the information of a biometric measurement will be a violation, and it should be ensured for that.

True (A)

With the TELUS Case, they did not need consent to administer prints.

False (B)

If someone is in full view, they have a large space of privacy.

False (B)

When video records an event like that, it is admissible, even without probable cause.

False (B)

When one performs the role of arbitrator, everything has to be within law and ethics.

True (A)

It is okay for computer usage to be undefined.

False (B)

When it comes to those BYOD's, employer monitoring is rejected.

False (B)

The provincial law of PIPA applies to federally regulated employees

False (B)

With PIPEDA, an individual has no right to gain access to their personal data.

False (B)

The Fair Information Priniciples are not apparent from the content of legislation.

False (B)

Alberta created the OIPC in 1992.

False (B)

Generally speaking, employee monitoring that is disclosed to affected employees is prohibited.

False (B)

Historically, Canadian common law explicitly recognized privacy as a separate right.

False (B)

In the 1990s, both British Columbia and Alberta passed legislation covering personal information held by provincial governments and other public bodies like hospitals.

True (A)

BC's Freedom of Information and Protection of Privacy Act (FIPPA) was first enacted in 1982 and allows individuals to request information from the BC government and other public bodies.

False (B)

Every Canadian province and territory has some form of privacy legislation governing the collection, use, and dissemination of personal information by government agencies.

True (A)

The federal Personal Information Protection and Electronic Documents Act (PIPEDA) and its provincial equivalents in BC and Alberta were enacted in 1994.

False (B)

The Supreme Court of Canada initially upheld Alberta's PIPA in 2013, citing its alignment with the Canadian Charter of Rights and Freedoms.

False (B)

Revisions to Alberta's PIPA in 2014 specifically targeted the collection, utilization, and revelation of private data by educational institutions during academic labor disputes.

False (B)

Ontario courts were pioneers in recognizing a common law privacy tort, influencing similar developments in provinces such as BC, Nova Scotia, and Alberta.

True (A)

In British Columbia, the BC Privacy Act, introduced in 1968, permits a person to sue for invasion of privacy. It requires proof of specific harm caused by the invasion.

False (B)

BC courts recognize a common law privacy tort because the BC Privacy Act does not create a statutory tort of violation of privacy.

False (B)

The Freedom of Information and Protection of Privacy Act (FIPPA) in BC and Alberta applies uniformly across all sectors including private businesses, trade unions and charities.

False (B)

FIPPA of BC contains an expansive definition of “privacy” that broadly encompasses all aspects of personal data protection for individuals.

False (B)

Public bodies subjected to British Columbia's FIPPA must report privacy breaches to individuals and the Office of the Information and Privacy Commissioner (OIPC) as of February 2023.

True (A)

The federal Personal Information Protection and Electronic Documents Act (PIPEDA) directly regulates how personal employee information is handled in provincially regulated workplaces.

False (B)

PIPEDA's requirements do not apply to organizations in provinces that have implemented 'substantially similar legislation'.

True (A)

Under PIPEDA, the provincial laws apply in Alberta and British Columbia governing interprovincial and international transactions in the course of commercial activities.

False (B)

Under PIPEDA, it is not needed to get further consent before information can be used for any other purpose once it is collected, used, or disclosed.

False (B)

Under PIPEDA, an individual does not have a right to gain access to their personal information and to challenge an employer's treatment of it or its accuracy.

False (B)

Under amendments to PIPEDA in June 2015, named Bill S-4, companies are required to report every security breach regardless of the type of information breached.

False (B)

The Digital Charter Implementation Act, Bill C-27, introduced substantial changes to PIPEDA in 2022 and was proclaimed into law at the time publication of this document.

False (B)

According to Schedule 1 of PIPEDA, the standard underlying the collection, use, protection, and the disclosure of personal information is the adherence to explicit, concrete rules.

False (B)

According to Schedule 1 of PIPEDA, an organization must not let an individual know the purpose of collecting personal information.

False (B)

With limited exceptions, the individual to whom the personal information relates must consent to its collection, which has to be in oral or written format.

False (B)

To continue using or disclosing information that was collected before legislation came into effect, an organization must continue without consent.

False (B)

An organization must collect all possible information for its stated purposes to ensure nothing is missed.

False (B)

Under section 7 of PIPEDA, an organization may not use personal information without the individual's knowledge and consent.

False (B)

According to PIPEDA, if use or disclosure of out-of-date or incomplete information harms the individual, the employer does not need to ensure that the information is accurate and current.

False (B)

According to the PIPA of both provinces, in the absence of obtaining an employee's express consent to collect, use, or disclose personal information about that employee, an employer would be able to do so under all circumstances.

False (B)

Canadian employers are required to retain workers' personal information related to any personnel decision for less than six months.

False (B)

Organizations in both the provinces of Alberta and BC are required to destroy documents containing personal documents within a reasonable time frame.

True (A)

Under PIPA and FIPPA, legal claims against the organization cannot be made, except a complaint can be made to the privacy commissioner.

False (B)

Under Section 14 of PIPEDA, complaints in court cannot be made, but action can be taken if federal commissioner released a report, regardless of its content.

True (A)

According to PIPA definitions, employee personal information includes the employee’s personal information if it is not related to the employment.

False (B)

BC's, not Alberta's, broadened the PIPA in 2014 to facilitate the use and disclosure of personal information by trade unions.

False (B)

Currently, under PIPEDA, the code of conduct and integrity cannot be tracked to assess performance issues pertaining to the misuse of a workplace computer.

False (B)

In Canada's legal history, privacy has consistently been recognized as an inherent right under common law.

False (B)

The BC Freedom of Information and Protection of Privacy Act (FIPPA), enacted in 1992 allows individuals to file a request for information held by any organization within the providence.

False (B)

British Columbia's Privacy Act, established in 1968, sanctions a statutory tort for privacy violation, permitting legal action even absent demonstrable harm.

True (A)

FIPPA exclusively applies to personal information held by provincial and federal governments, thereby excluding data managed by local municipalities and universities.

False (B)

The underlying philosophy of freedom of information legislation is to hinder governmental transparency.

False (B)

The authority to apply PIPEDA directly to all personal information in provincially regulated organizations during commercial activities is fundamentally constrained by federal constitutional authority over employment.

False (B)

PIPEDA demands explicit, informed consent for collecting, using, or disclosing personal data. This precludes organizations from collecting information for one purpose and subsequently utilizing it for alternate objectives, regardless of user notification.

True (A)

Under the parameters of PIPEDA, individuals are afforded unrestricted access to their employment files, performance reviews, and disciplinary records, irrespective of any solicitor-client privilege or confidentiality restrictions.

False (B)

Under Alberta's PIPA, once PIPA has been contravened, Cardinal Coach Lines was was not directed or ordered to educate their employees regarding their obligations to the act.

False (B)

PIPEDA's focus on balancing individual privacy rights with organizational data needs is uniquely absent in provincial privacy acts like those of British Columbia and Alberta.

False (B)

Under section 7 of PIPEDA, an individual's consent is invariably required for an organization to collect personal information, with no exceptions whatsoever.

False (B)

Organizations are obligated to obtain explicit written consent from all job applicants before contacting their references for employment verification.

True (A)

Work product information is classified as personal information in British Columbia’s PIPA.

False (B)

Once a personal information breach involving significant potential harm is identified, organizations must only report and keep records of the breach exclusively to government institutions or parts thereof.

False (B)

BC's OIPC monitors the right of citizens to gain access to records held by more than 2,900 public agencies and over 380,000 businesses and other non-government organizations.

True (A)

In the Eastmond v Canadian Pacific Railway case, the Federal Court held that videotaping employees' movements, without their knowledge and consent, was never justified under any exception in PIPEDA.

False (B)

Under section 35 of the Alberta PIPA, organizations are specifically instructed with respect to retention of employee information.

False (B)

The Supreme Court's ruling in R. v. Cole established an unequivocal expansion of employee privacy rights wherein employers can never monitor employee-issued devices without explicit consent.

False (B)

The 2015 Atwell report from the BC OIPC involved a case where the monitoring of employee keystrokes and screen captures at Saanich was deemed fully justifiable under FIPPA.

False (B)

According to the information provided, the Personal Information Protection Act (PIPA) in British Columbia and Alberta allow employees to pursue compensation for damages if the OIPC finds a violation of the Act and the employee has suffered harm due to the violation.

True (A)

Canada’s Digital Charter Implementation Act, introduced as Bill C-27, has been fully proclaimed at the time of this reading, putting forward sweeping changes including the replacement of entire sections of PIPEDA.

False (B)

Amendments to Alberta's PIPA came into force on December 17, 2014, addressing Supreme Court concerns without any other changes being made to the legislation at that juncture.

True (A)

PIPEDA strictly prohibits any federally regulated organization from collecting, using, or disclosing personal information in the course of its commercial activities if situated in Alberta or British Columbia.

False (B)

Organizations are required to automatically destroy personal information the moment it is no longer needed, irrespective of potential legal or business purposes.

False (B)

Under PIPEDA section 9, access to personal information must and may be denied if the organization has disclosed information to a government institution for national security reasons and is so instructed.

True (A)

Unlike the BC PIPA, the Alberta PIPA provides an express definition for a 'volunteer-work relationship', explicitly outlining its parameters within the law.

True (A)

In the case of Cardinal Coach Lines Ltd (Re), the organization successfully demonstrated a reasonable purpose and provided appropriate prior notice before disclosing confidential information regarding a suspended employee's employment status.

False (B)

In TELUS Mobility, the employer was unable to dismiss an employee for sending pornographic material through email because of a lack of a clearly formulated policy.

False (B)

Reasonableness remains the ultimate standard regarding collection, use, and disclosure of protected information subject to all legislative mandates.

True (A)

By implementing very strict measures, employers can always collect biometric data, regardless of the level of intrusion into an employee's privacy.

False (B)

Canadian courts tend to rule against the use of video surveillance in the workplace.

False (B)

Employees should always have an expectation of privacy when using employer technology and systems, even in the face of clearly stated company policy.

False (B)

An employer discovers that a valuable employee has been accepting free landscaping services from the firm's suppliers. Even if there was no condition of it in the code of conduct, the Court of Appeal would disagree with the dismissal.

False (B)

In reviewing a wrongful dismissal case linked to monitoring software, courts are very likely to take the employer's side as they have property rights over the computer.

False (B)

A company was attempting to secure employees’ data at an unprecedented level by scanning all keystrokes on their devices, plus capturing entire screen stills every thirty seconds. A report declared the data collection legal.

False (B)

BYOD - bring your own device - trend always raises potential privacy and security issues for employers.

True (A)

Flashcards

Canadian Right to Privacy

The right to privacy has not been historically recognized as a separate right under common law in Canada.

BC and Alberta Privacy Legislation

Legislation passed in the 1990s in British Columbia and Alberta that covered personal information held by the provincial government and other public bodies.

BC's Freedom of Information and Protection of Privacy Act (FIPPA)

Allows BC residents to request information held by the BC government and other public bodies.

Personal Information Protection and Electronic Documents Act

The first privacy legislation that covers personal information held by organizations in the private sector.

Personal Information Protection Act (PIPA)

The provincial equivalents of PIPEDA in British Columbia and Alberta.

Purpose of PIPEDA

Balance the individual's right to have personal information kept private with an organization's need to collect, use, and disclose when necessary.

Personal information

Factual or subjective information about an identifiable individual.

Fair Information Principles

A set of 10 principles in Schedule 1 of PIPEDA that underlie the collection, use, protection, and disclosure of personal information.

Be Accountable

Appoint one person to oversee its legislative compliance. Employees should be aware of their name and title.

Identify the Purpose of Collection

Let an individual know why you are collecting personal information. Any forms or documents used to collect personal information must include an explanation of why it is needed and how it will be used.

Obtain Valid, Informed Consent

The individual to whom the personal information relates must consent to its collection.

Limit Collection

Only collect information that is necessary for its stated purposes.

Limit Use, Disclosure, and Retention

Organizations cannot use the information collected for any purpose other than the one stated.

Provide Safeguards

An organization should protect personal information against loss, theft, or unauthorized access.

Be Open

Privacy policies and procedures should be readily available to customers, clients, employees, and suppliers.

Give Individuals Access

Organizations must provide individuals with details about the personal information being held about them and the means to gain access to it, upon request.

Provide Recourse

Organizations must establish a procedure to deal with complaints about their compliance with privacy legislation.

Privacy Commissioner

The commissioner appointed to investigate complaints of failure to comply with the requirements of privacy legislation.

Role of the Federal Privacy Commissioner

The Office of the Privacy Commissioner of Canada oversees the operation of PIPEDA.

Employee Personal Information

The BC PIPA uses the term:

Personal Employee Information

The Alberta PIPA uses the term:

Employee Information: Consent Required

Means that an organization may not disclose employee personal information without the consent of the individual, unless there is a reasonable relationship.

BC Employee Information Retention

In BC, any employer using personal information for any decision relating to an employee must retain a record of that personal information for at least one year after using it.

Data protections

In both provinces organizations, including employers, to make reasonable security arrangements to ensure that the information collected will be protected from improper access, use, disclosure, copying, modification, or disposal.

Unionized Workplaces Surveillance

Requires that the employer notify the union and perhaps participate in discussions before implementing any decision to conduct such surveillance.

Clear IT Policy

Employees should use employer technology only. Provide explanation how technology applies including what is used for. Content restrictions should be included.

Solicitor-client privilege

A legal concept protecting client confidentiality with their lawyer, preventing disclosure of private communications.

Maintain Accurate Information

Ensures records are recent and accurate to avoid harming individuals through outdated or incomplete data.

PIPEDA Limitations

Federal legislation does not directly govern employee information held by provincially regulated employers.

Privacy Breach

The collection, retention, use or disclosure of personal information.

OIPC Role in Provinces

Oversees adherence to FIPPA and PIPA, investigates complaints, mediates disputes, researches issues, and educates the public.

OIPC Independence

The OIPC was created as a separate entity, independent from the British Columbia and Alberta government.

PIPA Application

Apply to businesses, commercial enterprises, associations, trade unions, trusts, and charities and societies.

Statutory tort violation of privacy

BC Privacy Act creates this.

Vicarious Liability

Employers can be held accountable for privacy breaches committed by their staff while performing their duties.

Common Law Privacy Tort

Tort involving private facts, non-consent, offensiveness, and lack of public concern.

FIPPA of BC applies to

This legislation applies to federal government ministries, Crown corporations, local governments, universities and colleges, school boards, municipal police forces, health boards and hospitals, and the self-governing professions.

FIPPA restrictions

Limits what government and public bodies collect from individuals.

Information security

Personal information should be shielded from loss, illicit access, or theft through measures like locked cabinets, passwords, and clearances.

Public bodies requirement

They are now needed to report any privacy breaches to individuals and to the Office of the Information and Privacy Commissioner (OIPC).

Privacy management program

Includes appointing a privacy officer, conducting privacy impact assessments, responding to privacy complaints, implementing privacy awareness education, making policies and processes available to employees and the public.

Alberta's PIPA

PIPA protects and defines personal information.

Computer misuse

A policy and technology that prevents misuse of computing systems impacts on productivity, statements and privacy.

Tort of invasion of privacy

Ontario courts were first to recognize this privacy tort affecting employers.

Requirements for Privacy Tort

Publicizing private details, absence of consent, high offensiveness, and no legitimate public concern.

Monitoring Outgoing Email

The most frequently use method to monitor employee activity.

BC Privacy Act

Permits a person to sue for privacy invasion, even without specific harm.

Privacy Issues in Workplace

Hiring managers contact references, and conduct employee drug and alcohol testing.

Supreme Court Rulings in Rv Cole

A reasonable expectation of privacy in the information on employer-issued computer equipment.

Impact of Employer's Data Policies

These policies diminish, but don't eliminate, employees' privacy interest.

Rights of Trade Unions

Allows collection, use, and disclosure of personal information by a trade union without the consent.

Principle relevance - provincial laws

These principles still guide the privacy standards in these provinces.

The oversight and the role

To oversee its legislative compliance and be aware when a privacy issue arises

The broad powers

The privacy commissioner can investigate complaints and inquire into them.

Governing organizations

Governing the collection, use and disclosure of personal information by organizations.

Study Notes

Okay, I've updated the study notes with the content you provided. Here are the updated notes.

• Understanding privacy rights and legislation is crucial in today's electronic age.

Introduction

• Privacy has not historically been a separate right under Canadian common law, it was protected by the difficulty of record compilation, but now concerns over increased electronic compilation and transfer are paramount.
• Canadian privacy legislation originally related to personal data held by governments.
• British Columbia (BC) and Alberta passed laws in the 1990s covering personal information held by the government agencies, and public bodies like hospitals.
• BC's Freedom of Information and Protection of Privacy Act (FIPPA) enacted in 1992, permits individuals to request information held by the BC government.
• Alberta legislature passed a parallel statute in 1994, performing a similar function to BC's FIPPA.
• Every province and territory has privacy legislation governing the collection, use, and disclosure of personal information held by government agencies. (Office of the Privacy Commissioner of Canada, 2014)
• In 2000, the federal government, followed by some provinces including BC and Alberta, passed the first privacy legislation covering personal information held by private sector organizations.
• The federal law is called the Personal Information Protection and Electronic Documents Act (PIPEDA).
• In BC and Alberta, the statute is called the Personal Information Protection Act (PIPA).
• BC & Alberta's PIPA acts are the provincial equivalents of the federal PIPEDA and were both enacted in 2004.

FYI: Alberta’s Personal Information Protection Act Amended

• In November 2013, the Supreme Court of Canada struck down Alberta’s PIPA.
• A one-year period was provided to bring the law in line with the Canadian Charter of Rights and Freedoms due to a dispute over photographing picket lines. (Alberta (Information and Privacy Commissioner) v United Food and Commercial Workers, Local 401)
• In a 9-0 decision, Alberta's privacy law was ruled unconstitutional in a dispute over the right of a union to photograph people crossing a picket line.
• The Court considered Alberta's privacy law to be overly broad and imposing an undue restriction on union's right to communicate during a legal strike. Abella and Cromwell JJ noted that Alberta’s PIPA “imposes restrictions on a union’s ability to communicate and persuade the public of its cause, impairing its ability to use one of its most effective bargaining strategies in the course of a lawful strike”.(at para 37).
• Alberta’s privacy legislation was changed following this, with amendments to PIPA effective on December 17, 2014.
• These amendments address the collection, use, and disclosure of personal information by unions during a lawful labor dispute.
• No other changes were made to the legislation at the time.
• A comprehensive review of Alberta's PIPA was performed in 2016, yielding ten recommendations, but the Act has not been substantially amended further since.

Potential Liability of Tort of Invasion of Privacy

• Employers and employees should be aware of potential liability for the tort of invasion of privacy, in addition to privacy rules in FIPPA, PIPA and, PIPEDA - laws that are the focus of this chapter.
• Ontario courts first recognized the common law privacy tort with other provinces following suit, including Nova Scotia and Alberta.
• Alberta recognized a common law privacy tort in 2021 in the case of ES v Shillington outside of an employment law context.
• The common law privacy tort includes private information that employers may collect about their employees of financial records, health records, and even relationships.
• To establish liability for the tort, a plaintiff must prove:
  • the defendant publicized an aspect of the plaintiff’s private life
  • the plaintiff did not consent to the publication
  • the matter publicized/publication would be highly offensive to a reasonable person
  • the publication was not of legitimate concern to the public
• BC courts do not recognize a common law privacy tort, since 1968, the BC Privacy Act has created a statutory tort of violation of privacy.
• Section 1 of the BC statute permits a person to sue for invasion of privacy, even without specific harm (referred to as “actionable without proof of damage”).
• Employers can be vicariously liable for privacy invasions committed by their employees during their duties involving employees, customers, or the public.

Freedom of Information and Protection of Privacy Act (British Columbia and Alberta)

• BC's FIPPA applies to provincial government ministries, Crown corporations, local governments, universities, colleges, school boards, municipal police forces, health boards, hospitals, and self-governing professions. (A detailed list of these public bodies and professions is provided in Schedules 2 and 3 at the end of the Act.)
• Alberta's FIPPA applies to public bodies listed in section 1(p) of the Act.
• Section 2 of the BC Act aims to make public bodies accountable and protect personal privacy by giving the public access to records. "make public bodies more accountable to the public and to protect personal privacy by … giving the public a right of access to records"
• The underlying philosophy in both provinces involves providing citizens with access to government/public body records; it compels fairness, transparency, and credibility.
• FIPPA limits the type and amount of information provincial governments/bodies can collect; there are restrictions on obtaining, storing, or passing citizen information.
• Individual citizens are provided with access to data held by government agencies/bodies.
• The Atwell report exemplifies FIPPA's application to workplace privacy in a public body employer context.
• FIPPA of BC was amended in February 2023 including new requirements to report privacy breaches (unauthorized access, theft, loss, collection, use, or disclosure)
• It also requires public bodies to develop privacy management programs (privacy officer, impact assessments, complaint response, awareness education, policies/processes, service provider obligations, program monitoring/updating)
• Despite FIPPA's importance, PIPA (provincial private sector legislation) is more relevant to cases involving employment privacy disputes.

The Personal Information Protection and Electronic Documents Act and the Personal Information Protection Act

• PIPEDA affects how federally regulated organizations collect, use, disclose, and retain personal information of employees, customers, patients, and suppliers.
• PIPEDA does not directly affect employee information held by provincially regulated employers, however, the federal government has authority over provincially regulated organizations for commercial purposes.
• PIPEDA requirements do not apply to organizations in provinces with substantially similar legislation.
• The federal government agreed to this upon PIPEDA passage.
• Because both BC and Alberta have implemented similar legislation (their respective PIPAs), PIPEDA's application is narrower in those provinces.
• The PIPAs of BC and Alberta are "comparable".
• PIPEDA's principles in handling personal employee information apply, and employers in BC and Alberta must be aware of and follow those principles.

FYI: Key Features of the Federal PIPEDA

• PIPEDA balances an individual's right to personal information privacy against an organization's need to collect, use, and disclose personal information.
• Unless the province has comparable legislation, PIPEDA applies to all Canadian organizations (both federally and provincially regulated) that collect, use, or disclose personal information during commercial activities. (s 4)
• PIPEDA also applies to interprovincial and international transactions involving personal information during commercial activities.
• PIPEDA does not directly apply to personal employee information in provincially regulated workplaces, being federal legislation.
• Personal information under PIPEDA is broadly defined as any factual or subjective information about "an identifiable individual.” (s 2)
• PIPEDA generally requires individual's consent before collecting, using, or disclosing their personal information and information can only be used for the purpose for which consent was obtained
• Organizations must take precautions to safeguard personal information in their possession.
• Individuals have the right to access personal information and challenge its treatment.
• Individuals may complain about how an organization handles personal information to the Office of the Privacy Commissioner of Canada.

What Is Personal Information?

• Personal information broadly includes any factual or subjective information about "an identifiable individual".
• Protected personal information includes:
  • age, home address, and identification numbers (including social insurance number)
  • residential telephone numbers and personal email address
  • sex, religion, ethnicity, social status, and marital status
  • employee files, performance appraisals, disciplinary actions, and evaluations
  • photographs, opinions, and income
  • relevant dates (e.g., birth date)
  • credit records, loan records, purchasing and spending habits, and
  • blood type, genetic information, and medical records
• Personal information includes pay/benefit records, video/audiotapes, and web browsing/email/keystroke records.
• In BC's PIPA, personal information is defined as: information about an identifiable individual, including employee personal information but excludes contact/work product information.
• Alberta's PIPA defines personal information as information about "an identifiable individual".
• Although no exceptions are articulated for “work product information" or for “contact information,” “business contact information” arises as a specific exception to the application of the Act to personal information held by all organizations (s 4(3)(d)).
• Collection, use, protection, and disclosure should adhere to PIPEDA principles, regardless of personal information.

FYI: Amendments to PIPEDA: Bill S-4, the Digital Privacy Act

• The Digital Privacy Act (Bill S-4) was proclaimed on June 18, 2015.
• The act amended PIPEDA and included these key changes:
  • Organizations must report and record security breaches involving unauthorized access to personal information, security safeguard breaches, or failure to establish such safeguards if it risked significant harm to individual.
  • Elimination to personal information exception for employee name, title, business address, or telephone number.
  • PIPEDA covers job applicants beyond employees.
  • Business contact information is exempt regarding its collection, use, and disclosure only for communication in employment, business, or profession contexts.
  • Broadening of scenarios involving the disclosure of personal information without individual knowledge/consent for illegality, fraud, agreement breaches, and financial abuse
  • The privacy commissioner can enter into compliance agreements with terms for statutory compliance.
• (Jacobs, 2014) (Emond Harnden, 2014)*

Amendments to PIPEDA: Bill C-27, the Digital Charter Implementation Act, 2022

• On June 16, 2022, Bill C-27 was introduced by the federal government,
• Although Bill C-27 had not been proclaimed when the text was published, the Digital Charter Implementation Act of 2022 proposed substantial changes to PIPEDA:
  • part 1 of PIPEDA entitled “Protection of Personal Information in the Private Sector" would be replaced by The Consumer Privacy Protection Act
  • appeals of decisions from the privacy commissioner, administrative appeals for the privacy commissioner of Canada, would be heard in a administrative tribunal established by the Personal Information and Data Protection Tribunal Act and would impose penalties for the contravention of certain.
  • a code of conduct to regulate international and interprovincial commerce in artificial intelligence while prohibiting certain conduct in relations to AI by enacting the Artificial Intelligence and Data Act

Ten Fair Information Principles

• PIPEDA recognizes individuals have a right to privacy and organizations require personal data for appropriate purposes and The aim of legislatures is to achieve a fair balance between these two valid requirements.
• Schedule 1 of PIPEDA sets out ten fair information principles ( fair information principles) underlying personal information collection, use, protection, and disclosure, with reasonableness as a standard.
• An organization may collect, use, or disclose personal information only for purposes considered appropriate by a reasonable person. (Section 5(3))
• The BC and Alberta PIPAs retain the fair information principles, explicit or apparent within their legislation.
• One of the the "Privacy Guide for Businesses" (Office of the Privacy Commissioner of Canada, 2020) is discussed as:
  • Be accountable, an organization that collects personal information must appoint one person to oversee its legislative compliance
  • Identify the purpose of collection, and an organization should only use this information for the designated purpose
  • Obtain valid, informed consent and there are some number of exceptions to the need to obtain consent
  • Limit collection, collect only information that is necessary for its stated purposes
  • Limit use, disclosure, and retention, Subject to the exceptions noted below, organizations cannot use the information collected for any purpose other than the one stated
  • Be accurate if use or disclosure of out-of-date or incomplete information would harm the individual, the employer should ensure that the information is accurate
  • Provide safeguards
  • Be open
  • Give individuals access
  • Provide recourse
• Valid, informed consent must be obtained, and is a requirement unless: Collection is in the interests of the individual and consent cannot be obtained in a timely manner (medical emergency); obtaining the individual’s consent would compromise the availability or accuracy of the information, which is relevant to an investigation of a breach of law/agreement. The information is contained in a witness statement and the collection is necessary to assess, process, or settle an insurance claim; the information was produced by the individual in the course of their employment, business, or profession and the collection is consistent with the purposes for which the information was produced; collection is for journalistic, artistic, or literary purposes; the information is publicly available. the collection is made for the purpose of making a disclosure to a government institution in specific circumstances related to national security or enforcing the law, or is required by law. Providing consent should not be made a condition for supplying a product or service, unless the information is necessary to meet a legitimate purpose that is specifically identified

Role of the Federal Privacy Commissioner and the BC and Alberta Information and Privacy Commissioner

• The Office of the Privacy Commissioner of Canada (OPC) oversees PIPEDA, reporting to the House of Commons and Senate.
• The OPC has powers to conduct audits and investigations into an organization's handling of personal information and can summon witnesses, compel evidence, and demand records
• The OPC makes reports with recommendations after investigations, but does not have the power to issue binding orders; matters can be referred to the Federal Court.
• In BC and Alberta, the OIPC is separate from government monitoring and enforcing FIPPA (public bodies) and PIPA (private organizations).
• The OIPC in BC was established in 1993. It monitors the right of citizens to gain access to records held by more than 2,900 public agencies and over 380,000 businesses with the authorities and duties of the commissioner are set out in part 10 of PIPA and part 4 of FIPPA.
• The Alberta OIPC was established in 1995 with the powers and duties of the commissioner are set out in part 4 of PIPA and part 4 of FIPPA.
• In both provinces, the OIPC ensures that both statutes are administered so as to achieve their objectives of investigating and resolving complaints, mediates and resolves appeals, conducts research, and educates the public.
• Both PIPEDA Case Summary #2003-226, Eastmond v Canadian Pacific Railway, and PIPEDA Findings #2022-006 illustrate issues that privacy commissioners may be called upon to investigate. These cases all involve federally regulated employers, to which PIPEDA applies; however, as noted above, the principles for handling personal employee information are similar under the provincial legislation, so these decisions are also relevant to privacy situations in BC and Alberta. PIPEDA Case Summary #2003-226 involved a telecommunications industry employer’s allegedly casual treatment and eastmond involved an employer’s use of non-surreptitious video surveillance. PIPEDA Findings #2022-006 involved an employer’s use of non-surreptitious dash cameras which may be found in its safety documentation of an employee
• Eastmond involved an employer’s use of non-surreptitious video surveillance in its work yard to deter theft and vandalism. PIPEDA Findings #2022-006 involved an employer’s use of non-surreptitious dash cameras that recorded both audio and video in its vehicles to protect the company’s assets and ensure the safe operation of company trucks.

Case in Point

• Regarding Employers' Practices Regarding Medical Reports Too Lax and relates to PIPEDA Case Summary #2003-226, Office of the Privacy Commissioner of Canada: With regards to an employees application for long-term disability benefits - The employer asked the employee to provide all the medical information necessary for the application, But, only the insurance company required the information
  • The employee objected to giving sensitive information (diagnosis) and the use of a fax machine to transmit her medical reports to its human resources office because employees who had no need for this in- formation might accidentally see it..
  • Ruling: The assistant privacy commissioner found that the employer contravened both PIPEDA requirements with Letters of notification concerning long-term disability for the company to state ensure that employees have the option of sending information directly to the insurance company And because of the sensitive nature of medical diagnoses, Keeping a fax machine that receives personal information in an unlocked, accessible room was inappropriate AND questioned hr staff receiving medical reports containing diagnoses and recommended the employer inform all employees that they have the right to ensure that diagnostic information be kept confidential and give the option of staff sending reports to medical staff in health or hr staff.
  • Key factors were the the limitations of limiting collection and the use of personal information to that which is necessary for the purposes identified by the organization; and (2) ensure that the information is properly secured, with more sensitive information being safeguarded by a higher level of protection.
• Video Surveillance Cameras Justified in Work Yard (Eastmond v Canadian Pacific Railway, 2004 FC 852):
  • A 4-part test is used to determine reasonableness of the placement of cameras: Is the measure demonstrably necessary to meet a specific need, Is it likely to be effective in meeting that need, Is the loss of privacy proportional to the benefit gained, Is there a way of achieving this benefit that involves less invasion of privacy?
  • Found to be serving a reasonable purpose based on the cameras not being hidden and there being limited privacy. The tapes were reviewed only if there was a reported incident.
• Regarding Employer’s Vehicle Dash Cam Deemed Overly Intrusive and PIPEDA Findings #2022-006 (Office of the Privacy Commissioner of Canada):
  • The employer, Trimac Transportation Services, deployed a dash camera system in employees’ truck cabins which recorded both audio and video and were active whenever the truck was on, even if the driver was off duty and not driving. A complaint followed and the privacy commissioner set out a four-part test with key considerations being weather the organization’s purpose represented a legitimate need/bona fide business interest; whether the collection, use, and disclosure would be effective in meeting the organization’s need; whether there were less privacy-invasive means of achieving the same ends at comparable cost and with comparable benefits; and whether the loss of privacy was proportional to the benefits. Found to be disproportionally intrusive
  • Ruling- Trimar was recommended that it limit the audio recording function of the dash camera system to drivers’on-duty hours and instances where they may be off duty but driving, and limit access to the clips transferred to and retained by Trimac. BUT then the commissioner found Trimac could have potentially relied on the exception to consent provided under section 7.3 of PIPEDA because the personal information at issue was collected and used in the context of the employment relationship. However, because Trimac was not transparent with its employees about the disciplinary purposes of the system, the commissioner found Trimac was in contravention of the Act.
  • Ultimately, Trimac issued clear guidance to its employees that the system may be used for performance management and progressive discipline, and the commissioner determined it could therefore rely on the exception to consent under section 7.3 of the Act.
• Section 57 of the BC PIPA states there if there is no further right of appeal, an individual affected by the order has a cause of action against the organization for damages for actual harm that the indi- vidual has suffered as a result of the breach by the organization of obligations under this Act and section 60 of the Alberta PIPA is almost identical. PIPEDA offers broader options for a lawsuit by those whose privacy has been violated. Section 14 allows them to file a complaint in court after the federal commissioner has released a report, regardless of its content, and even after the commissioner discontinues an investigation. And section 16 allows the court to award a range of remedies, including damages for actual loss or mere humiliation. In the employment context, although the PIPA provisions govern provincially regulated employees, PIPEDA applies this rule to federally

Employee Personal Information and the BC PIPA

• Section 13, 16 and 19 of the BC PIPA apply to when the are forms of communication forms while communicating. Employers should be aware of all 3 sections. For Example:
  • 13(2) An organization may not collect employee personal information without the consent of the individual unless …(b) the collection is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual…
  • 16(2) An organization may not use employee personal information without the consent of the individual unless …. (b) the use is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual …
  • 19(2) An organization may not disclose employee personal information without the consent of the individual unless …(b) the disclosure is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual. [emphasis added]
• Section 15(1), 18(1) and 21(1) of the Alberta PIPA are parallel to the sections of the BC PIPA. Also, the Alberta PIPA was broadened in 2014 to facilitate the use (s 17.1) and disclosure (s 20.1) of personal information by trade unions. Therefore, even in the absence of obtaining an employee’s express consent to collect, use, or disclose personal information about that employee, an employer in both provinces would be able to do any of those things if they were reasonable for the purposes of establishing, managing, or terminating the employment relationship.
• In BC, any employer using personal information for any decision relating to an employer must retain that knowledge to use personal information for any reason
• Section 34 of the PIPA of both provinces requires organizations, including employers, to make reasonable security arrangements to ensure that the information collected will be protected from improper access, use, disclosure, copying, modification, or disposal for AT LEaST one year after To further define the means of communication at the application of PIPA's is important
• Applying PIPA to Privacy Issues in the Workplace
• Privacy issues are increasingly being raised in the workplace. Technology makes it possible for employers to monitor employees’ activities in unprecedented ways—for example, by recording keystrokes, websites visited, and emails; by tracking mobile device usage; and by conducting video surveillance.
• As well, there continue to be infringement-of-privacy issues with respect to such ac- tivities as employers providing information to third parties for reference checks and their requesting that employees submit to drug or alcohol testing at work. In the case of the former, the law has to balance privacy with a long-established defence to defamation called “qualified privilege.” With respect to the latter, it has to determine whether privacy/human rights infringements or safety concerns are most applicable.

BC OIPC

• the OIPC in BC reported 361 complaints in 2023–24, an increase from 327 the year prior (Office of the Information and Privacy Commissioner for British Columbia, 2024).
  In Rv Cole (2012 SCC 53) - The Supreme Court of Canada's Ruled that an employee has a reasonable expectation of privacy with Rulings and employee devices for PIPA

Rv Cole (2012 SCC 53) Supreme Court of Canada

• ruled that an employee has a “reasonable expectation of privacy” in the information stored on employer-issued computer equipment
• Is useful to look at how few cases at present and in the means of communicating. in each is more useful for cases in law.

Tally-Ho Motor Inn (Re 2006 CanLII 32981)

• was a case in how one communicates with one's Work Safe BC (unsanitary conditions). A worker complained and the worker was later told to be on the compaint of a lack to be working in the company now due to information relating to him of a work lack or the personal with new business. However in the law of the PIPPA this ws not found actionable. - Re, 2006 CanLII 32981 as it will effect more due diligence at any work.

Tsatsu Shores Homeowners Corporation. 2006 CanLII 42695 (BCIPC)

• was again regarding privacy of being personal relating to PIPA and the rules not in order for the employee , was again not a violation for PIPPA requirements
• This can further define in more means now. With more cases rising regarding workers

Poliquin v Devon (2006ABCA) - Regarding using one's computers in one's work, this may have less meaning due to the case.

• Also there were cases relating with what is considered ok as not doing an email violation

BYOD: The Newest Frontier

BYOD—bring your own device—refers to the trend of employees using their own personal devices for work-related as well as personal purposes. (Dobson, 2012) While many employers are embracing this development, allowing employees to access corporate networks through their own smartphones, tablets, or laptops raises potential privacy and security issues. Many employers take the position that since the employee is connecting to the organization’s network, the same rules that apply to an employer-owned device should apply to an employee-owned device. However, as discussed above, courts have found that employees have a reasonable expectation of privacy when they are allowed to use work-issued devices for personal data, and this expectation is arguably even stronger where the employee owns the device. Therefore, an employer’s BYOD policy needs to clearly state that em- ployer monitoring is allowed on such devices, explain the reason for it, and indicate how the informa- tion collected might be used. Employees may also be asked to sign an agreement that consents to the “remote wiping” of data where an employee-owned device is lost or stolen. Such an agreement should also release the employer from liability for the loss of any data, including personal data, from wiping activities (Dobson, 2012, at 20) Some employers may decide that BYOD is more trouble than it is worth and prohibit the use of personal devices for work-related communication and data storage