PROCESSING OF EMPLOYEE PERSONAL DATA UNDER THE ALBERTA PERSONAL INFORMATION PROTECTION ACT: THE REASONABLE TEST
OVERVIEW OF THE PERSONAL INFORMATION PROTECTION ACT
The Personal Information Protection Act (“PIPA” or “the Act”) was enacted to give individuals in Alberta greater control over their personal information. It strikes a balance between the need for organizations to collect and use personal data for legitimate business purposes and the rights of individuals to have their privacy respected.[1]
The Alberta Personal Information Protection Act is a privacy law that governs the collection, use, and disclosure of personal information by private sector organizations in the Canadian province of Alberta. It is designed to protect the privacy and personal information of individuals and ensure that organizations handling this data do so in a responsible and transparent manner.
PERSONAL INFORMATION UNDER THE PERSONAL INFORMATION PROTECTION ACT
The PIPA defines personal information as information about an identifiable individual, including name, home address, email, and identity number.[2] To expand on the definition proffered by PIPA for applicability, the personal data must be about an individual and sufficient on its own to identify that individual. Such data could include blood type, skin tone, educational or employment history, income, financial history, spending or physical description.
The Act further provides for another variation of personal information: personal information provided to facilitate the conduct of business between persons resident in Alberta. Such data is categorized as Business Contact Information and includes the individual’s name, position name or title, business telephone number, business address, business e-mail address, business fax number and other similar business information.[3]
It is important to note that the Act does not apply to the collection, use or disclosure of an individual’s Business Contact Information where such collection, use or disclosure is for the purposes of facilitating contacts in relation to the individual’s business responsibilities and for no other purpose.[4] This implies that organizations need not obtain the consent of the data subject to disclose their Business Contact Information for them to be contacted as a representative of the company. For instance, a company may list on its website the Business Contact Information of its contact person for inquiries, or of its sales team, without obtaining the consent of the relevant person.
PROCESSING OF PERSONAL EMPLOYEE INFORMATION
The Act applies to every organization in respect of all personal information.[5] For the purposes of private organizations, it includes corporations, trade unions, partnerships, an individual acting in a commercial capacity (not in a personal or domestic capacity), and an association that is not incorporated.[6]
The PIPA provides the principles and guidelines on how an organization resident in Alberta should handle the personal data of employees. The Act defines an employee as an individual employed by an organization to perform a service for or in relation to the organization as:
- a partner or a director, officer, or other office-holder of the organization;
- an apprentice, volunteer, participant or student;
- under a contract or an agency relationship with the organization.[7]
An ‘employee’ instituting an action under the Act must satisfy the definition proffered to have the locus standi for instituting such action. The Act also provides for the personal data of employees that an employer may process. It defines Personal Employee Information to mean, in respect of an individual who is a potential, current or former employee of an organization, personal information reasonably required by the organization for the purpose of:
- establishing, managing or terminating an employment or volunteer-work relationship; or
- managing a post-employment or post-volunteer-work relationship.
…between the organization and the individual but does not include personal information about the individual that is unrelated to that relationship.[8]
Under various privacy laws, including the PIPA, the concept of consent is paramount to the processing of the personal data of data subjects. The PIPA mandates that organizations not process the personal information of an individual unless the individual consents to the same, including the collection of the information from a source other than the individual.[9]
Specifically, the Act allows organizations to collect, use or disclose the Personal Employee Information of an individual where the collection, use or disclosure is done solely for the purpose of establishing, managing or terminating an employment or volunteer-work relationship, or managing a post-employment or post-volunteer-work relationship between the organization and the individual.[10] It is worthy of note that an organization can process this Personal Employee Information without obtaining the requisite consent where it is reasonable to collect, use or disclose such information.
It becomes necessary to understand what constitutes “reasonable” processing of employees’ personal data without the need for consent.
THE REASONABLE TEST
The Personal Information Protection Act provides the standard test for what is reasonable processing of the personal data of employees under the Act. The Act provides that where any matter is described, characterized or referred to as reasonable or unreasonable, or is required or directed to be carried out or otherwise dealt with reasonably or in a reasonable manner, the standard to be applied in determining whether the matter has been dealt with in that manner is what a reasonable person would consider appropriate in the circumstances.[11]
In Pearson v. Peninsula Consumer Services Cooperative,[12] a member of a consumer services association incorporated under the Cooperative Association Act (Co-op Act) sought a copy of the association’s Membership Register (Register) to assist in a campaign for election to its board of directors. Sections 17 and 18 of the Personal Information Protection Act (PIPA) permitted the association to disclose personal information only in certain circumstances that fulfilled the association’s purposes, and only permitted disclosure of personal information about an individual without consent if required or authorized by law. The association refused to provide the Register to the member, citing the provisions of PIPA and the privacy of members. The member brought a petition for a declaration that all members, including candidates, were entitled to the Register and members’ contact information. The petition was granted.
Once information was disclosed, the recipient was responsible for the information and subject to prosecution if it was misused. Individuals who joined an association would reasonably expect that the Register and personal contact information would be available, particularly to candidates for election within the association. It was practically impossible to have the necessary cooperation amongst members of the Co-op without access to some means of contacting each other, and the Co-op Act made it clear that members were entitled to this information. A declaration was to issue to the effect that any member of the association in good standing could, upon complying with the statutory requirements of the Co-op Act, obtain a copy of the Register as soon as reasonably practicable for the association.
Often, arriving at what is reasonable takes some trial and error. It often results from thinking about the fairness of a situation or how you would react in the same scenario. The employer and the employee may have divergent opinions on what constitutes reasonableness in the matter at hand. To be safe, it is important for organizations to examine the Personal Employee Information they collect, why it is collected, how it is stored, and what they do with it, to ensure that the processing can pass the reasonable man test.
CONCLUSION
In conclusion, the Alberta Personal Information Protection Act (PIPA) serves as a crucial pillar in safeguarding the privacy and personal information of individuals within the province of Alberta. By emphasizing fundamental principles like consent, purpose limitation, and data minimization, PIPA strikes a balance between the legitimate data needs of private sector organizations and the rights of individuals to control their personal information. The law places a strong emphasis on reasonableness in the processing of data and on accountability, requiring organizations to designate privacy officers and implement security safeguards to protect data, because an employee whose personal data has been unlawfully collected, used or disclosed can sue the organization for damages to compensate for loss or injury due to the organization’s breach of its obligations under the Act.[13] Furthermore, the oversight and enforcement of PIPA by the Office of the Information and Privacy Commissioner of Alberta (OIPC) ensures that organizations comply with the law, with penalties in place for non-compliance.
As the digital landscape continues to evolve, PIPA remains adaptable through amendments to address emerging privacy concerns. The Act also acknowledges the importance of data protection beyond Alberta’s borders, with restrictions on cross-border data transfers. In essence, PIPA is a critical piece of legislation that underscores the significance of privacy in the modern era, helping to ensure that individuals in Alberta have confidence that their personal information is treated with the respect and protection it deserves within the private sector.
[1] Section 3, the Personal Information Protection Act.
[2] Section 1 (1) (k), the Personal Information Protection Act.
[3] Section 1 (1) (a), the Personal Information Protection Act.
[4] Section 4 (3) (d), the Personal Information Protection Act.
[5] Section 4 (1), the Personal Information Protection Act.
[6] Section 1 (i), the Personal Information Protection Act.
[7] Section 1 (e), the Personal Information Protection Act.
[8] Section 1 (j), the Personal Information Protection Act.
[9] Section 7 (1), the Personal Information Protection Act.
[10] Sections 15 (1) (a), 18 (1)(a), and 21 (1)(1), the Personal Information Protection Act.
[11] Section 2, the Personal Information Protection Act.
[12] 2012 CarswellBC 3644, 2012 BCSC 1725, [2013] B.C.W.L.D. 311, [2013] B.C.W.L.D. 459, 222 A.C.W.S. (3d) 586
[13] Section 60, the Personal Information Protection Act.