Implementing PIPA in the Workplace

Personal Information Protection Act , (referred to herein as "PIPA" or the " Act "), is important for a number of reasons. First, most day to day functions of an organization are carried out by employees. To the extent that the Act requires an organization to develop and follow practices and procedures to ensure compliance with the Act , the day to day implementation of those practices and procedures will likely fall to its employees. Education and training of employees in privacy matters is therefore essential in order for an organization to properly meet its responsibilities under the Act .

Second, the failure of an employee to adhere to an organization's privacy policies and procedures can have serious consequences for the organization in the form of adverse publicity, time, expense, fines, and in serious cases, civil damages (ss. 56 and 57). As such, the implementation of privacy policies in the workplace raises issues of employee performance and competence which could potentially expose the organization to significant liability. As in all other issues of employee performance, it is essential, therefore, that an organization have internal procedures to monitor and ensure employee compliance with the standards set out in the applicable privacy policy. Indeed, organizations may choose to make adherence to privacy practices and procedures a term and condition of employment, such that repeated, deliberate, or otherwise culpable breaches of those terms and conditions may result in the imposition of disciplinary measures.

While non-compliance with an employer's policies and procedures can often be justified as conduct which may attract disciplinary measures, the law generally requires that the policies be clearly articulated, and that an employee be fully cognizant of the standard of performance expected. It is only then that a breach of that standard can result in discipline. The "bottom line" is that it makes sense, both from a liability and a human resources perspective, to inform, educate and train all employees in their privacy obligations.

Third, unlike the Federal Act, PIPA and its Alberta counterpart, specifically include employee personal information under the definition of "personal information". Thus, employee personal information is now subject to the same level of protection as any other type of personal information. As well, employees now have the right to access and, if appropriate, correct the accuracy of their personal information in the custody and control of the organization. Organizations who do not deal in personal information in the course of their day to day business will therefore nevertheless have significant responsibilities under the