
New Canadian Privacy Act Affects Fraud Examinations

Written by: Derek Baldwin, LL.B.
Date: July 1, 2004

The Personal Information Protection and Electronic Documents Act, which went into full force Jan. 1 for all entities involved in Canadian commercial activity, seriously affects the collection and disclosure of personal information, including due diligence on prospective and current employees and internal fraud examinations.

For the past several years, a Toronto, Canada, company routinely used a “security consultant” for human resources’ pre-employment screening and was satisfied with his discretion and useful results. The consultant is a former police officer, is working on obtaining CFE accreditation, and has the contacts and resources to get the information. He’s not licensed as an investigator but the company didn’t feel that was necessary.

The company routinely provided the consultant applicants’ and employees’ personal information without their consent for pre-employment and pre-promotion due diligence and also personal information about vendors and suppliers for preparing vendor profiles. The company continued these practices even after Canada’s new Personal Information Protection and Electronic Documents Act (PIPEDA) went into full force in January of this year.

The company is now being threatened with two distinct and significant class action suits because it allegedly violated PIPEDA by providing employee, applicant, and vendor personal information to the consultant without their consent.

PIPEDA applies to all entities involved in commercial activity in Canada including Certified Fraud Examiners and other investigators and security consultants conducting fraud examinations for their employers or third-party clients.

The collection and disclosure of personal information, including due diligence on prospective and current employees and internal fraud examinations, are seriously affected by the new privacy regulations.

PIPEDA applies throughout Canada except for provinces that have “substantially similar” legislation, which include British Columbia, Alberta, and Quebec. Obviously, CFEs practicing in those provinces should study the “substantially similar” provincial legislation to determine specific differences.

Although a province may have employee privacy legislation, PIPEDA may apply in cross-border dissemination of information or in situations in which employer/employee functions are outsourced. (Quebec recently launched a constitutional challenge to the application of PIPEDA legislation in that province.)

In a speech on March 20, 2003, in Vancouver, Canada, George Radwanski, then privacy commissioner of Canada, made the following comments:

“An organization that wants to collect, use, or disclose personal information about people needs their consent, except in a few specific and limited circumstances.

It can use or disclose people’s personal information only for the purpose for which they gave consent. Even with consent, the organization has to limit its collection, use, and disclosure of personal information to purposes that a reasonable person would consider appropriate in the circumstances.”

Radwanski then went on to list some of the activities that constitute gathering personal information, specifically including investigating suspected theft from an employer:

“Videotaping people claiming to have injuries, for example, or investigating suspected theft from an employer – these are collections of personal information. So is locating a person to serve legal documents or to collect a debt, and collecting background information on prospective employees, business partners, or witnesses. And so is photographing a spouse suspected of infidelity, identifying marital assets, or searching for missing persons.”

However, there are exceptions to the requirements for consent and there’s disagreement on those activities that fall within the exclusions. According to Radwanski,

“...there are two relevant circumstances where the PIPEDA Act allows information to be collected without consent. One is where the knowledge or consent of the individual would compromise the availability or accuracy of the information, and where the collection is ‘reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province.’”

And Radwanski continues, “...For example, it could allow an organization to retain an investigator to collect personal information about an employee suspected of theft. Or it could allow an insurance company to retain an investigator when insurance fraud is suspected. Or it could allow an organization to hire an investigator to locate someone who’s breached an agreement with the organization. ... The other circumstance where information can be collected without consent is where the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way.” The entire text of Commissioner Radwanski’s remarks is at: www.privcom.gc.ca/speech/2003/02_05_a_030320_e.asp

Because the legislation hasn’t yet been tested in court, naturally there’s disagreement about the likely application of the Act’s provisions. For example, does a search for marital assets fall within the exception of investigation of a breach of an agreement so that consent wouldn’t be required? The privacy commissioner seemed to indicate in his comments that it would, but other authorities have indicated that it might not.

What sort of agreement between an employer and an employee is required to meet the test? Would an implied agreement that employees won’t undertake a certain kind of conduct be sufficient, or would it take a specific employment contract with a provision addressing that conduct?

“Investigative bodies,” as specified in the legislation under the Act, have more freedom to collect and disclose information than non-investigative bodies. A section of the regulations under the Act provides that:

(w) a corporation or other body

(i) that is licensed by a Province to engage in the business of providing private investigators or detectives and that has a privacy code that is compliant with the Canadian Standards Association Standard CAN/CSA-Q830-96, Model Code for the Protection of Personal Information, as amended from time to time, and

(ii) that is a member in good standing of a professional association that represents the interests of private investigators or detectives and that has such a privacy code.

A list of such bodies, which is being expanded upon application to be granted investigative body status, can be found at: http://canadagazette.gc.ca/

Having investigative body status doesn’t grant an exemption from compliance with PIPEDA; however, it does permit the organization to disclose personal information to the investigative body for the purposes of the otherwise compliant investigation. PIPEDA requires, with certain exceptions, consent from the individual about whom the personal information is being gathered.

Before undertaking any examination that requires the collection of personal information, an entity must ask itself several questions and document the answers.

  • Does my organization have a privacy policy in place that complies with the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information? If no, obviously, put such a policy in place. If yes, proceed to the next question.
  • Do we have a signed, informed consent? If yes, then proceed to the investigation. If no, then ask:
  • What is the agreement that may be being breached or which law may be being violated? Which specific law? The Criminal Code of Canada or some other federal, provincial or municipal act or regulation? Is it “simply” a common law obligation? What’s the nature of the agreement that’s being violated? Is it a written agreement among the parties or is it an implied agreement?
  • Is the information which is to be gathered relevant to the purposes of the investigation? What specific information is the investigation designed to uncover? What conduct would violate the law? What conduct would constitute a breach of the agreement? Example: An employee’s physical ability might be extremely relevant to a medical benefits or sick leave fraud examination but might not be relevant at all to the suspected embezzlement of company funds. Then again, depending upon the circumstances it might be. The point is that information can’t be gathered across the board without some consideration to relevance.
  • Would attempting to obtain consent compromise the availability or the accuracy of the information? Example: Asking an employee who’s suspected of fraudulently obtaining sick benefits or medical leave for permission to keep him under video surveillance to determine the true nature of his disability would obviously compromise the availability and accuracy of the information sought.

There is, of course, “a reasonable person test” concerning the answers to all of the above questions. The only thing certain about the reasonable person test is that there’s no accepted standard for reasonableness. What you may view as a reasonable person, I may view as a raving fanatic.

The PIPEDA legislation and regulations impose a set of criteria on companies, and on their in-house or outsourced services, for the collection and disclosure of personal information. Example: Your entity wants the addresses of various employees’ homes, cottages, and relatives to compare with the addresses of one or more vendors to determine if there’s a breach of a conflict of interest agreement. You believe you have met the breach of agreement and relevancy of information test. You can only proceed if:

  • an address is public record or in other words, published in a telephone or trade directory or
  • you have a signed consent to gather the personal information concerned or
  • you can make a reasonable case that attempting to obtain consent would compromise the availability or the accuracy of the information and
  • your entity has a privacy policy in place which complies with the CSA Model Code.

If an entity wishes to subcontract this work and the collection and disclosure of personal information that derives from it (such as personal address matches to a vendor address) then the subcontractors must be designated as investigative bodies.

The definition of an investigative body may exclude your current service provider. Example: If you use out-sourced investigators they must be:

a) incorporated (or a registered partnership);

b) licensed by the province in which they operate;

c) a member of an approved (for the purposes of this Act) investigative body; and

d) have a privacy policy in place which complies with the CSA Model Code.

Because being a member of an “investigative body” in many provinces isn’t a requirement for obtaining an investigator’s license, you may be prohibited from providing employees’ personal information to your investigation firm.

The investigative body has to be approved. For example, in Ontario, The Ontario Council of Private Investigators is a designated investigative body but ASIS, an international association, isn’t. If you use an unlicensed “security consultant,” even though he’s a CFE, as a company you may not be in compliance. If you use a CFE who specializes in forensic accounting, depending on his other professional associations, he may still have to be a member of an investigative body.

Professional associations have taken various positions on seeking the designation of “investigative body.” The Canadian Institute of Chartered Accountants decided not to obtain investigative body status, no doubt for compelling internal, legal and operational reasons. However, the Canadian Certified General Accountants Association applied and was designated an investigative body for probably equally compelling internal, legal, and operational reasons.

An entity’s right to gather information applies to employees such as in-house investigators and third-party contract investigators retained to collect and disclose the information on a third party on behalf of their clients or employers. These rights also appear to flow both ways: employees or agents can track the progress of investigations after the information they had collected has been passed to their employers or clients.

It’s vital that entities know the status and position of their third-party providers and whether they are, or are required to be, designated investigative bodies.

Because the legislation is new and mostly untested, information in this article isn’t advice but, hopefully, an impetus for you to research your entity’s circumstances and requirements. Before you take any action consult an attorney specializing in privacy law and any professional organizations to which you belong.

Derek S. T. Baldwin, LL.B., is director of worldwide operations and general counsel for IBIS Corporation. He is currently editing the ACFE’s 2004-2005 Canadian Fraud Examiners Manual and producing manuals for Australia, Hong Kong, and South Africa.
