Respecting and Protecting Employee Privacy When Administering Benefits
Data privacy is a modern day Pandora’s box, once the contents have been released, it can no longer be placed back in. This is a self-evident truth in the group benefits arena where plan administration requires employers to manage a significant amount of personal information on employees and their dependents. Employers must understand the applicable privacy rules and their responsibilities.
Federal privacy legislation, known as the Personal Information Protection and Electronic Documents Act (PIPEDA), came into effect in 2001. This is a law to ensure that federally regulated organizations are using and storing data appropriately. Although Ontario has not enacted privacy legislation similar to PIPEDA, the courts have recognized that an employee has a common law right of privacy. The basic premise for all this legislation is that an organization cannot collect, use or disclose personal information about an identifiable individual without the knowledge and consent of that individual.
Personal information collected from and about employees can be extremely sensitive, and employers are accountable for how this information is used. Therefore, having a policy outlining how your employee’s information is kept secure should be implemented by all organizations.
In the context of benefits enrollment and administration, personal information typically includes data such as an employee’s name, home address, phone number and social insurance number, as well as information relating to his or her medical history and existing conditions.
Employers must also ensure that adequate security measures are taken to protect personal information, such as retaining hard copies of files in locked cabinets and implementing firewalls and password protection for data stored electronically. Access to personal information should be limited to those who need it for benefits administration purposes, and the information should only be retained for as long as necessary to meet the specific need for which it was collected.