Tuesday, July 12, 2005

Alberta Privacy Commissioner faults two companies and their law firms for handling of employee information

Hot off the presses ...

The Information and Privacy Commissioner of Alberta has just released a decision that should make business, securities and labour lawyers look more closely at the information that is made available in the course of business acquisitions and that is filed electronically in compliance with securities regulations.

In this particular decision, the Commissioner was responding to a complaint brought by an employee of the vendor company whose personal information was provided to the purchaser and was subsequently posted on SEDAR, the online repository for information about public companies. The vendor apparently provided, as a schedule to the purchase agreement, a list of employees that included home addresses and social insurance numbers. This schedule was provided to the purchaser by the vendor's counsel. The purchaser's counsel subsequently posted the agreement, including the complete schedule, on SEDAR.

Provincially regulated organizations in Alberta are subject to the Personal Information Protection Act (PIPA), which has been deemed to be "substantially similar" to PIPEDA by the federal cabinet. PIPA covers employee information, but also contains what is often called the "business transaction exception", meaning that employee consent is not required for certain disclosures of personal information that are necessary and connected to a business transaction, such as a sale of a business. In this case, the Commissioner's investigator found that the exception did not apply because employee home addresses and social insurance numbers were not necessary for the purposes of the transaction.

While the Commissioner concluded that counsel was acting as agents for their clients, both the clients and their law firms were at fault. The decision contains two particularly strong statements with respect to the law firms:

"[47] We suggest generally that [vendor's counsel] and other law firms have shown a lack of attention to the impact of privacy laws on the myriad legal processes involving the collection, use and disclosure of personal information, including client information and third party information that are common in the type of work they perform on behalf of their clients. Privacy laws are complex, and have implications for their clients on many different types of transactions, including mergers and acquisitions such as in the present case. We believe that lawyers and law firms require heightened awareness and knowledge of privacy laws in order to properly recognize these implications."

The Commissioner also made strong recommendations to the firms. To purchasers' counsel:

  • enact a privacy policy and appoint a Calgary-based Privacy Officer [though the national firm already had a Toronto-based privacy officer];
  • conduct comprehensive in-house privacy training with all lawyers and staff;
  • ensure that lawyers develop professional awareness and knowledge of privacy law by supporting participation in privacy law seminars and courses and encouraging ongoing education in this regard;
  • communicate these findings to all lawyers and staff;
  • review its processes when representing clients on business transactions where personal information may be collected, used or disclosed and address any gaps that are identified;
  • review the processes and controls employed by Stikemans when material contracts or other filings are posted on SEDAR and address any gaps that are identified.

From the Commissioner's website:

Investigation Report P2005-IR-005

Commissioner releases investigation report into improper disclosure of home addresses and SINs onto the Internet by two organizations and their law firms.

Click to view more information Investigation Report P2005-IR-005

No comments: