Privacy in the workplace has remained an issue of significant importance to unions and their members. There is a rich and varied body of case law involving invasions of privacy at work, and the extent to which an employer may invade the privacy of its employees at work. Unions often end up advancing grievances about drug and alcohol testing, workplace surveillance, or employees who have been dismissed for improper use of computer equipment.
Much less has been written about a union's own privacy obligations. Unions themselves are subject to privacy legislation in Alberta1, British Columbia2, and Quebec3. However, in the rest of Canada, the only privacy legislation that may be applicable to unions is the Personal Information Protection and Electronic Documents Act ("PIPEDA")4. PIPEDA – unlike the provincial privacy legislation – only applies when an "organization" (including a trade union) is collecting, using, or disclosing personal information "in the course of commercial activities."5 The term "commercial activities" is defined in PIPEDA as "any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists."6
When, if ever, does a trade union engage in commercial activity that would trigger the terms of PIPEDA? The Federal Court recently issued a decision that may provide some clarity to this issue involving – of all things – an insurance company.
State Farm Mutual Automobile Insurance Co. v. Canada (Privacy Commissioner)7 began with an automobile accident. One of the participants in the accident was insured by State Farm under a standard automobile policy prescribed by New Brunswick insurance legislation and which provided that State Farm had a duty to defend her in the lawsuit brought by the other driver. As part of that defence, State Farm hired private investigators to investigate the other driver (including by using video surveillance). One of the rights under PIPEDA is a right to obtain a copy of all of the personal information that an organization has collected about you. The other driver requested his personal information from State Farm and, when State Farm refused, complained to the Privacy Commissioner.
The issue before the Federal Court was whether the collection of evidence by an insurer acting for one of its insured in the defence of a claim is "commercial activity" within PIPEDA. The Federal Court stated unequivocally that the collection of evidence by an individual involved in a claim would not be activity of a "commercial character." The Privacy Commissioner argued that the fact that an insurance company or lawyer was collecting the evidence made it "commercial activity"; however, the Federal Court rejected that argument, stating that "the insurer-insured and attorney-client relationships are simply incidental to the primary non-commercial activity or conduct at issue."
The Federal Court went on to conclude that the Privacy Commissioner did not even have the right to investigate the complaint because the issue was one of "litigation privilege." A previous decision of the Supreme Court of Canada held that the Privacy Commissioner had no right under PIPEDA to assess solicitor-client documents, even for the limited purpose of determining whether privilege is properly claimed.8 The Federal Court has also ruled that the Privacy Commission has no authority under PIPEDA to require an organization to justify its assertion of privilege.9 In light of those rulings, the Privacy Commissioner had no authority to investigate State Farm's statement that the information sought was subject to litigation privilege.
While this Federal Court decision was about an insurance company, it also sheds light on how PIPEDA impacts a trade union. By analogy, the Federal Court decision is a strong indication that a union's collection of personal information (through its own investigation) in order to pursue a grievance is not subject to PIPEDA.
What then are a union's obligations under PIPEDA concerning the personal information of its members? Is a trade union engaged in "commercial activity?" The answer likely depends upon the activity being performed. However, the Federal Court took a narrow view of "commercial activity" in the State Farm case, a decision that would likely be followed in any case concerning a union.
The fact that PIPEDA may not apply to union activity does not mean that privacy is unimportant. PIPEDA sets out ten privacy principles that, even if they do not apply to unions directly, are still useful guidelines to what members will expect from their union. Those principles, and some of the ways that organizations may meet the expectations of those principles, are as follows:
- Appoint a privacy representative who is accountable and responsible for personal information policies and practices.
2. Identifying Purposes
- Clearly record in writing why you collect personal information, and notify members of why you are collecting the information before you collect it.
- Seek members' consent for the collection, use, and disclosure of personal information on the membership form.
- Do not make consent for secondary purposes (such as newsletters) a condition of membership.
- Use express ("opt-in") consent whenever possible.
- Provide some way for members to withdraw consent.
4. Limiting Collection
- Review and document the reasons for collecting information.
- Differentiate between mandatory and optional personal information.
5. Limiting Use, Disclosure, and Retention
- Use or disclose personal information only for the purposes identified and documented at the time it was collected (a new purpose requires new consent).
- If the information you hold is no longer necessary, use appropriate safeguards to destroy, erase, or anonymize it.
- Only retain information as long as is necessary to fulfil its purposes.
- Physical safeguards can include simple measures such as locked filing cabinets and a "clean-desk" policy.
- Obviously, technological safeguards are important too (encryption, firewalls, or other technological security measures).
- You should have a method for secure disposal of personal information (shredding, etc.).
- Prepare literature available about privacy practices. This literature should include: the name of the privacy officer, instructions on how to make complaints, instructions on how to obtain your own personal information, and a description of the types of personal information that you collect and hold.
- If your website uses "cookies" or other tracking tools, you should inform users.
9. Individual Access
- Be prepared for "access" requests and then respond to them appropriately. This includes informing the individual if there will be a cost before processing the request.
10. Challenging Compliance
- Be prepared for the occasional complaint. Document and investigate complaints without delay.
- Ensure that front line staff know how to handle complaints or inquiries, or at least who to refer them to.
Regardless of whether PIPEDA applies to union activity, protecting privacy is good practice.
1Personal Information Protection Act, S.A. 2003, c. P-6.5.
2Personal Information Protection Act, S.B.C. 2003, c. 63.
3Act respecting the protection of personal information in the private sector, R.S.Q. c. P-39.1.
4S.C. 2000, c. 5.
5PIPEDA, s. 4.
6PIPEDA, s. 2.
72010 FC 736.
8Canada (Privacy Commissioner) v. Blood Tribe Department of Health, 2008 SCC 44.
9Privacy Commissioner of Canada v. Air Canada, 2010 FC 429.