Privacy Law Extends To The Private Sector: How Will it Change Career Counselling?

By Rick Klumpenhouwer Privacy Specialist, Canadian Career Partners

On January 1, all commercial enterprises in Canada came under the jurisdiction of the Personal Information Protection and Electronic Documents Act (PIPEDA), a federal law. At the same time, two provincial statutes called the Protection of Personal Information Act (PIPA) have been enacted in Alberta and British Columbia, joining existing legislation already in effect in Quebec. For the first time, all Canadian businesses and private sector organizations are regulated under law for the way they manage the privacy of individuals they provide services for and, to a certain extent, they employ.

Is the Career Services Industry Ready?

How much have career services professionals, whether employed by businesses or providing services as consultants, paid attention to how the new privacy law affects the way they do business? Most of those working in the field would agree that the attention paid has been, at best, cursory, at worst, dismissive.

Career services involve collection and exchange of a wide range of sensitive personal information from clients, from resume data to family and health status, and often from individuals who are at this point in their lives quite vulnerable. Certainly, as in the health and legal fields, the protection of client confidentiality is a cornerstone of the career services profession: without the assurance of privacy, clients would be unwilling to entrust counsellors and coaches with the basic information required to provide effective services.

Introducing statutory regulation of an important professional principle such as privacy should be cause for concern in the career counselling community. At the same time, for any lack of concern that exists, the following observation might provide some explanation:

First of all, few beyond the largest companies in Canada are even aware of this new legislation, let alone understand what they must do to comply. Governments and regulatory bodies, for all kinds of conflicting political and practical reasons, have not been very effective to this point in preparing the private sector for roil-out of the new privacy laws. Career services professionals are merely on par with the current poor state of awareness of others in the private sector.

Secondly, there is understandably a great deal of confusion about what personal information is included in the law, which law (federal or provincial) has jurisdiction, and what the rules are for specific kinds of personal information. This is especially true about employee information – the main source for provision of career services. As a result, many businesses and professionals, even as the law has come into effect, have adopted a wait-and-see position hoping that this confusion will be resolved before they need to act.

Thirdly, precisely because privacy is so vital to their work, many career counsellors may be assuming that they already meet or exceed the standards of the new privacy laws. This has been a consistent and common reaction of professionals in the health fields, for instance, when they came under statutory regulation for protection of patient privacy. While some of these assumptions were borne out, privacy laws still required significant changes to the way health professionals managed privacy in some key areas. No doubt the same will be true for career professionals.

These three conditions — lack of basic knowledge, confusion about jurisdiction and scope, and assumptions about current standards – provide a good framework for discussing whether and how the new privacy legislation will bring changes to the career services industry.

PRIVACY LEGISLATION IN CANADA: THE BASICS

What is Personal Information?

Personal information, as it is defined in legislation, is any information about an identifiable person. It includes information about a person’s home location, contact numbers, family, career, education, finances, health, consumer activities, opinions and beliefs, and even opinions that others have expressed about that person. Business location and contact information is not considered personal information, although under PIPA in Alberta, even this information may be subject to the law under certain conditions.

The definition covers information in any form, from post-it notes and paper records to computer files, video recordings, and e-mail addresses.

Some of the main types of personal information held by private sector organizations are employee records, customer data, donor information, and membership and mailing lists, but personal information can be found in almost every area of an organization’s operations.

Privacy Principles and Requirements

Both the provincial and federal legislation sets out the rules for privacy management based on ten well-accepted privacy principles:

1. Accountability: An organization is responsible for personal information under its control and must designate an individual or individuals who are accountable for the organization’s compliance with privacy policy and legislation.
2. Identifying Purposes: The organization identifies the purposes for which personal information is collected at or before the time the information is collected.
3. Consent: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except when allowed by the legislation.
4. Limiting Collection: The collection of personal information is limited to that which is necessary for the purposes identified by the organization. Information must be collected by fair and lawful means.
5. Limiting Use, Disclosure, and Retention: Personal information must be used or disclosed only for purposes consistent with those for which the information was collected, except with the consent of the individual or as required or allowed by the law. Personal information is retained only as long as necessary for fulfillment of those purposes.
6. Accuracy: Personal information must be as accurate, complete, and up-to-date as required to meet the business purposes.
7. Safeguards: Personal information must be protected by security safeguards appropriate to the sensitivity of the information.
8. Openness: An organization must make readily available to individuals specific information about its policies and practices relating to the management of personal information.
9. Individual Access: Upon request, an individual must be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual can challenge the accuracy and completeness of the information and have it amended as appropriate.
10. Challenging Compliance: An individual can ask a regulator such as the Privacy Commissioner of Canada, to review or investigate how an organization has responded to their requests or regarding any other aspect concerning compliance with the above principles.

Without having to explain all the details of potential requirements for career services in the legislation, private sector organizations will be implementing privacy in four main areas: accountability structure, consent, information handling and security, and right of access. To meet the requirements of legislation in these areas, organizations need to complete a number of tasks identified below:

Accountability Structure:

• Develop policies for right of access, collection, use and disclosure, and security of personal information in compliance with legislation.
• Establish roles and responsibilities for administering privacy
• Develop quality standards for privacy include processes for auditing and assessing compliance with standards
• Ensure that contractors are meeting company privacy standards
• Locate and register personal information assets and the purposes for which they were collected, used, and disclosed
• Ensure that individuals are notified of the purposes for collecting information
• Maintain relations and respond to reviews and investigations of the Privacy Commissioner

Consent:

• Identify the circumstances where is required and the appropriate consent models based on the sensitivity and business use of the information
• Develop forms or processes for obtaining and revoking consents

Information Handling and Security

• Ensure that staff collect, use, and disclose information in compliance with policy and law through training and monitoring
• Track when personal information is used or disclosed for a new purpose
• Maintain procedures and systems to ensure accuracy
• Develop and implement personal information retention policies and procedures
• Develop and implement information security systems, policies and standards for personal information in compliance with industry standards

Right of Access:

• Establish resources and processes to respond to requests for access or correction that comply with legislative standards
• Ensure that personal information is retrievable when requested

Those are the basics, but how does all this relate specifically to career counselling? That will be the subject of articles to follow. Keep an eye for the next issue of The Contact Point Bulletin

Rick Klumpenhouwer is a Privacy Specialist with Canadian Career Partners an integrated Human Resource and Business Consulting firm based in Calgary, Alberta. His extensive knowledge of provincial and federal privacy legislation and its application to organizations in both public and private sectors enables him to advise clients on a range of privacy services and solutions: Rick can be contacted at rick.klumpenhouwer@career-partners.com. Additional information on privacy alignment issues can be sourced at www.career-partners.com.