by Rick Klumpenhouwer, Privacy Specialist, Canadian Career Partners
Last issue, I proposed that three key conditions have dominated the career service industry’s response to the new privacy regulation in Canada: a lack of basic knowledge, confusion about jurisdiction and scope, and some assumptions about current industry standards. I addressed the first condition to some extent by laying out a brief overview of the new legislative environment in Canada for privacy in the private sector and some of the implementation measures required. Drawing on this basic knowledge, which seems reasonable enough, how will the jurisdiction and scope of the legislation specifically affect the way career service providers work? The answer to this practical question will likely give credence to the otherwise dubious contention that, sometimes, there are things you don’t want to know about. The journey is necessary, though, to realize reasonable standards for private sector privacy compliance in the career counseling industry.
Jurisdiction and Scope – The Basics
There are both federal (PIPEDA) and provincial (PIPA BC, PIPA Alberta, and PSPA Quebec) privacy statutes in effect and their jurisdictions overlap. Basically, the federal law applies unless a “substantially similar” provincial law is in effect, based on the judgment of the federal cabinet. Only the Quebec law has officially been given this status, although it is widely expected that Alberta and BC laws will be declared shortly. In true Canadian legislative tradition, the privacy laws are similar, but different, and all in different ways. All of these Acts use the ten principles outlined in the last issue as the basis for their rules and all came fully into effect in the private sector on January 1, 2004; however, there are significant differences in their scope and standards, especially in the area of employee information.
PIPEDA, as federal legislation, applies to all personal information, including employee information, collected, used, and disclosed by federal works and undertakings (e.g., telecommunications companies, broadcasters, transportation sectors, and pipeline operations). For all other private sector organizations and companies, PIPEDA only applies to personal information that is part of a “commercial transaction” and this by and large does not include information generated for employment management purposes. The provincial legislation, however, does cover employee management information collected, used and disclosed by for-profit organizations within their provincial borders.
It is crucial to understand that whether and to what extent “employee information” is subject to a particular law is determined not by the nature of the information itself, but the nature of the transaction and the purposes of the transaction. In other words, the same type of personal information of an employee may at once or at different times be under PIPEDA or PIPA or the personal employee information section of PIPA, depending on who collected it and for what purpose.
I can’t get into all the differences in standards among the various private sector privacy statutes, but let me point out the three main ones:
1) Consent
PIPEDA and the Quebec legislation require that organizations obtain both the knowledge and consent of the individual before they collect, use, and disclose their personal information, including employee information in cases where the legislation applies. The exceptions to this consent rule are few. PIPA in BC and Alberta requires only the knowledge, not the consent, of the individual if the information is collected, used, and disclosed for employment management purposes. Even for other personal information, there are more exceptions to consent under PIPA legislation.
2) Right of Access
Both the federal and provincial legislation, where they have jurisdiction, establish the right of individuals to access personal information that companies or service providers have collected about them, but there are explicit exceptions to this right of access. PIPA legislation has many more exceptions than PIPEDA, and some are significant. For instance, PIPA requires that companies withhold the identity of those providing opinions about the individual (think about references or internal investigations).
3) Privacy Regulator
The privacy regulator receiving complaints and conducting reviews, inquiries, and investigations on behalf of individuals is of course different for each jurisdiction: the Privacy Commissioner of Canada handles PIPEDA complaints; the provincial Information and Privacy Commissioners handle complaints under their legislation.
Where does the Career Counselor Fit In?
In a nutshell, career service providers working with personal employee information must first of all establish what rules cover them based on where they are and whom they work for. This is more difficult than you might think, and I’ll give you some examples to illustrate.
If you are a human resources advisor delivering career advice to employees of an oil company in Lloydminster, Alberta, your handling of personal employee information would be subject to PIPA Alberta. The same advisor handling employee information for that same oil company operating a site just across the border in Lloydminster, Saskatchewan, however, would not be subject to either PIPA Alberta (these are Saskatchewan employees) or PIPEDA (because it doesn’t cover employee information), or provincial legislation (Saskatchewan has not enacted one). If the company were a pipeline operation, all of the personal employee information would come under PIPEDA because the company is a federal work.
It gets a bit trickier if you are delivering career management services as a consultant under contract. If you are providing career coaching services for an executive employed by a company in BC, your collection, use, and disclosure of the wide variety of educational, financial, family, and employee information would be subject to the client company’s policies on privacy, which are in turn subject to PIPA BC. However, if you are providing such services for a private individual client, where your firm has custody and control of the career coaching information, your firm would be responsible for handling the personal information in compliance with PIPA BC. For HR consultants outside of BC, Alberta and Quebec operating under PIPEDA, the differences in scope are even more acute: the personal information produced as part of career coaching services under contract to the company would not be subject to any legislation (it would be considered personal employee information of the company), but if the services are for an individual client, it would be subject (it is “customer information” of the coaching consultant generated for commercial purposes).
If that isn’t tricky enough, consider the circumstances of outplacement service consultants and their company and individual clients. For that same consultant providing outplacement services on contract with perhaps the same BC company, what is collected or disclosed before the actual termination is the responsibility of the company itself, following the personal employee information standards of PIPA BC, which do not require consent. Under the same contract, the personal information the outplacement consultant collects after the individual has left the employ of the company – and this information can be substantial – is no longer under the same rules. That’s because the individual is no longer an employee, so the information is not being collected for “employment management services”. What is more, even though the former employer may be paying for the service, the outplacement firm, not the company, has custody and control of the post-termination information as a referred service.
In effect, the personal information that the outplacement consultant collects from the former employee, including all notes from career counseling sessions, participation in seminars or workshops, and information about the status of the individual’s job search, is under the general rules, not the personal employee information rules, of PIPA BC. That means that exchange of information with the former employer, including reports on services provided, cannot disclose any details of the individual’s progress through the outplacement process, unless by authority of the individual’s consent (which may very well be declined, considering the circumstances).
And, just to add a final twist for good measure, that same BC outplacement consultant, besides information about the individual client’s employment history, finances, competencies, career goals, and job search, may very well be collecting information about the individual’s medical history. Now, for all kinds of reasons, the legislators responsible for creating this patchwork of privacy jurisdiction decided late last year effectively to remove medical or “health information” from the scope of the provincial privacy legislation in BC and Alberta and place it under the jurisdiction of PIPEDA, except when it is collected for employment management purposes. Post-termination outplacement services are not included in this definition of employment management purposes, so the health information collected would fall under PIPEDA. The outplacement consultant, who cannot claim the employment management exception, is therefore facing the prospect of two privacy laws applicable to the same outplacement client file: PIPEDA would apply to personal health information and PIPA BC would apply to the rest.
You always wanted to join the circus, right?
With all these jurisdictional balls in the air, it may seem to many career service providers that juggling is the most appropriate skill set for implementing privacy. There are, however, strategies for the career counselor in implementing private sector privacy that are reasonable, practical, effective, and don’t require a clown costume. The first step is to identify and build on the current industry standards and cultures for managing information, processes, and relationships involved in privacy protection. That will be the subject of the final installment.
Rick Klumpenhouwer is a Privacy Specialist with Canadian Career Partners, an integrated Human Resource and Business Consulting firm based in Calgary, Alberta. His extensive knowledge of provincial and federal privacy legislation and its application to organizations in both public and private sectors enables him to advise clients on a range of privacy services and solutions. Rick can be contacted at firstname.lastname@example.org. Additional information on privacy alignment issues can be sourced at www.career-partners.com.