The Personal Information Protection and Electronics Documents Act, which went into full force Jan. 1 for all entities involved in Canadian commercial activity, seriously affects the collection and disclosure of personal information including due diligence on prospective and current employees and internal fraud examinations.
For the past several years, a Toronto, Canada, company routinely used a “security consultant” for human resources’ pre-employment screening and was satisfied with his discretion and useful results. The consultant is a former police officer, is working on obtaining CFE accreditation, and has the contacts and resources to get the information. He’s not licensed as an investigator but the company didn’t feel that was necessary.
The company routinely provided the consultant applicants’ and employees’ personal information without their consent for pre-employment and pre-promotion due diligence and also personal information about vendors and suppliers for preparing vendor profiles. The company continued these practices even after Canada’s new Personal Information Protection and Electronic Documents Act (PIPEDA) went into full force in January of this year.
The company is now being threatened with two distinct and significant class action suits because it allegedly violated PIPEDA by providing employee, applicant, and vendor personal information to the consultant without their consent.
PIPEDA applies to all entities involved in commercial activity in Canada including Certified Fraud Examiners and other investigators and security consultants conducting fraud examinations for their employers or third-party clients.
The collection and disclosure of personal information, including due diligence on prospective and current employees and internal fraud examinations, are seriously affected by the new privacy regulations.
PIPEDA applies throughout Canada except for provinces that have “substantially similar” legislation, which include British Columbia, Alberta, and Quebec. Obviously, CFEs practicing in those provinces should study the “substantially similar” provincial legislation to determine specific differences.
Although a province may have employee privacy legislation, PIPEDA may apply in cross-border dissemination of information or in situations in which employer/employee functions are outsourced. (Quebec recently launched a constitutional challenge to the application of PIPEDA legislation in that province.)
In a speech on March 20, 2003 in Vancouver Canada, George Radwanski, then privacy commissioner of Canada made the following comments:
“An organization that wants to collect, use, or disclose personal information about people needs their consent, except in a few specific and limited circumstances.
It can use or disclose people’s personal information only for the purpose for which they gave consent. Even with consent, the organization has to limit its collection, use, and disclosure of personal information to purposes that a reasonable person would consider appropriate in the circumstances.”
Radwanski then went on to indicate some of the activities which were included in gathering personal information and specifically included investigating suspected theft from an employer:
“Videotaping people claiming to have injuries, for example, or investigating suspected theft from an employer – these are collections of personal information. So is locating a person to serve legal documents or to collect a debt, and collecting background information on prospective employees, business partners, or witnesses. And so is photographing a spouse suspected of infidelity, identifying marital assets, or searching for missing persons.”