The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Tuesday, July 12, 2005

Alberta Privacy Commissioner faults two companies and their law firms for handling of employee information 

Hot off the presses ...

The Information and Privacy Commissioner of Alberta has just released a decision that should make business, securities and labour lawyers look more closely at the information that is made available in the course of business acquisitions and that is filed electronically in compliance with securities regulations.

In this particular decision, the Commissioner was responding to a complaint brought by an employee of the vendor company whose personal information was provided to the purchaser and was subsequently posted on SEDAR, the online repository for information about public companies. The vendor apparently provided, as a schedule to the purchase agreement, a list of employees that included home addresses and social insurance numbers. This schedule was provided to the purchaser by the vendor's counsel. The purchaser's counsel subsequently posted the agreement, including the complete schedule, on SEDAR.

Provincially regulated organizations in Alberta are subject to the Personal Information Protection Act (PIPA), which has been deemed to be "substantially similar" to PIPEDA by the federal cabinet. PIPA covers employee information, but also contains what is often called the "business transaction exception", meaning that employee consent is not required for certain disclosures of personal information that are necessary and connected to a business transaction, such as a sale of a business. In this case, the Commissioner's investigator found that the exception did not apply because employee home addresses and social insurance numbers were not necessary for the purposes of the transaction.

While the Commissioner concluded that counsel were acting as agents for their clients, both the clients and their law firms were at fault. The decision contains two particularly strong statements with respect to the law firms:

"[47] We suggest generally that [vendor's counsel] and other law firms have shown a lack of attention to the impact of privacy laws on the myriad legal processes involving the collection, use and disclosure of personal information, including client information and third party information that are common in the type of work they perform on behalf of their clients. Privacy laws are complex, and have implications for their clients on many different types of transactions, including mergers and acquisitions such as in the present case. We believe that lawyers and law firms require heightened awareness and knowledge of privacy laws in order to properly recognize these implications."

The Commissioner also made strong recommendations to the firms. To purchasers' counsel:

  • enact a privacy policy and appoint a Calgary-based Privacy Officer [though the national firm already had a Toronto-based privacy officer];
  • conduct comprehensive in-house privacy training with all lawyers and staff;
  • ensure that lawyers develop professional awareness and knowledge of privacy law by supporting participation in privacy law seminars and courses and encouraging ongoing education in this regard;
  • communicate these findings to all lawyers and staff;
  • review its processes when representing clients on business transactions where personal information may be collected, used or disclosed and address any gaps that are identified;
  • review the processes and controls employed by Stikemans when material contracts or other filings are posted on SEDAR and address any gaps that are identified.

From the Commissioner's website:

Investigation Report P2005-IR-005

Commissioner releases investigation report into improper disclosure of home addresses and SINs onto the Internet by two organizations and their law firms.

The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.