Sometimes It’s Personal

Missing government laptops make headlines. We’ve all heard the uproar when computers loaded with personal information are lost or stolen.

Similarly, we’ve seen the news articles about organizations that collect and then share personal information about visitors, customers or subscribers. Search and social networking websites come to mind.

One fear is that sensitive information, such as the names of individuals, perhaps their healthcare data, or even their financial details, will get into the wrong hands and be used for the wrong purposes.

At the very least, we’ve grown to value privacy, and expect those with whom we share our personal information to respect and protect it.

This concern over protecting personal information clearly extends to the construction industry. Contractors, owners and suppliers collect all sorts of personal information. There are names, addresses and phone numbers. Often there are birthdays, social insurance numbers, and family details. Sometimes, there is insurance, WCB or even healthcare information. There might even be bank accounts, credit card numbers, and income information.

Some of this information comes from employees. Other comes from suppliers. More still comes from customers.

Since 2003 Alberta has had a law that specifically addresses what personal information businesses and organizations operating here can collect and use. This law is the Personal Information Protection Act, often referred to simply as “PIPA”. (The federal government has different but similar laws addressing businesses and organizations that are subject to federal regulation.)

PIPA should be required reading for anyone running a construction business. It creates serious obligations, and can lead to equally serious consequences.

One of the fundamental themes of PIPA is that organizations can collect information they need, but must protect the information they collect. To ensure this, PIPA requires organizations to develop and follow reasonable privacy policies and practices. These policies should specify what personal information the organization collects, explain the reasons why, and describe what happens to it.

Ideally, the policies should be in writing. This is because an organization must provide written information about its policies and practices, when requested. Simply put, when a customer or employee asks, a business must answer – and in writing.

This leads to the second fundamental theme: consent. An organization must have the consent of individuals when it collects and uses their personal information. To give that consent, an individual must be able to learn the organization’s policies and practices.

Not surprisingly, much of the personal information that organizations collect is about their current, former or potential employees. PIPA specifically protects employee information. An organization can certainly collect and use personal information needed to establish and manage an employment relationship, but must use it only for those purposes.

Sometimes an organization must, for proper and legitimate reasons, share personal information with someone, somewhere else. This might be, for example, an insurance company (for employee benefits), or a hotel chain (for contractor accommodation), or a potential customer (with employee bios). But other countries have different rules, and organizations operating in those other countries may treat personal information differently. Indeed, some foreign organizations may be required to disclose information in ways we would find surprising. To protect against this, PIPA requires a local business to notify individuals when personal information is transferred to service providers outside of Canada.

Under PIPA, a Privacy Commissioner has been appointed. The Commissioner receives complaints, investigates breaches, and addresses disputes over privacy issues. The Commissioner’s comments are in the news from time to time.

Let’s return to that lost laptop. Or imagine a hacked hard drive or missing file folder. A construction company faces the very real risk that improperly disclosed personal information might lead to harm. When this happens, PIPA requires the organization to notify the Privacy Commissioner. That’s one thing that cannot be kept secret. ∎

This post is meant to provide information only and is not intended to provide legal advice. Although every effort has been made to provide current and accurate information, changes to the law may cause the information in this post to be outdated.