How can unions protect their members’ privacy from intrusions by employers? In many cases, unions rely on the grievance process to address privacy breaches. However, there is a second avenue for addressing privacy breaches: complaints to BC’s Office of Information and Privacy Commissioner (the “OIPC”). When dealing with wide-spread privacy issues in the workplace, an OIPC complaint can be a more cost-effective and efficacious way of addressing your employer’s poor privacy practices.
What is the OIPC?
The OIPC is an independent oversight body established by the BC government to oversee the enforcement of most of BC’s privacy laws. It has the power to initiate, investigate, and resolve privacy concerns arising in public and private sector workplaces in BC. However, the OIPC does not have jurisdiction over federally-regulated workplaces such as banks and interprovincial railways, nor is it responsible for dealing with privacy issues arising between individuals.
There are two types of complaints that can be made to the OIPC: privacy complaints and access complaints. Privacy complaints are about an organization’s collection, use, or disclosure of someone’s personal information. Access complaints are about an organization’s behaviour related to an access request. Access requests are requests made by individuals or organizations for information held by a governmental body or private organization.
The focus of this blog post will be on privacy complaints. Access complaints and access requests will be dealt with in a later blog post.
The complaint process
The OIPC complaints process is straight forward. Complaints can be made to OIPC over the phone, via email, via letter, or via the OIPC’s complaint forms. Complaints should include any supporting documentation. The OIPC will then review the complaint and determine whether it should be investigated. If the OIPC decides to investigate the complaint, it will gather further information from all of the parties involved, and may require further submissions from the complainant.
If you’re thinking of making a privacy complaint to the OIPC, you must first raise the privacy issue with the organization you’re planning to complain about, i.e. the employer. That employer has 30 business days to respond. If it fails to respond, or if the response is inadequate, you can then make your complaint to the OIPC. The OIPC will generally not accept complaints that have not first been raised with the organization being complained about, so be sure to submit documentation of your correspondence with the organization along with your complaint to the OIPC.
If the OIPC finds that a privacy breach took place, it will issue binding orders to remedy the breach and prevent future breaches from taking place. These orders can include the correction or deletion of personal information, guidance related to the organization’s obligations under privacy legislation, and advice regarding the organization’s workplace privacy policies (or lack thereof). However, the OIPC does not have the power to award damages or penalties.
Unions can file privacy complaints with the OIPC on their members’ behalves. When determining whether a privacy complaint would be a good option in your case, consider the following:
Which legislation is applicable? Depending on your workplace, one of two privacy-related statues could be applicable: the Freedom of Information and Protection of Privacy Act, RSBC 1996, c 165 (“FIPPA”), which applies to public (ie governmental) bodies; and the Personal Information Protection Act, SBC 2003, c 63 (“PIPA”), which applies to private sector organizations.
If your employer is a private business, then PIPA likely applies. If your employer is a governmental entity, such as a public agency or a ministry, FIPPA likely applies.What remedies are available? The OIPC can make binding orders to correct the conduct of an organization. However, it cannot order damages or penalties against that organization. This means that if you’re looking to get compensation for your members as a result of your employer’s privacy breaches, a privacy complaint to the OIPC may not be the best option for you. However, if you’re dealing with an employer who does not clearly know or understand their privacy obligations, an OIPC complaint may be an effective way to remedy systemic privacy issues in the workplace.
In some circumstances, you might want to pursue both - a grievance to get compensation for an individual member whose privacy was breached, and an OIPC complaint to force the employer to put better policies and practices in place to protect everyone’s privacy.
How much control do I need? When a union files a grievance, it owns the grievance, and can withdraw it at any time. However, once a complaint is made to the OIPC, the OIPC takes control of the complaint. This means that the OIPC can choose to continue with a complaint even if the complainant no longer wants to advance the complaint and tries to withdraw it.
What resources do I want to expend? A complaint to the OIPC can be much less expensive and time-consuming than grievance arbitration. The OIPC will proactively investigate and gather information from each side, rather than requiring you to mount a case and present it at arbitration. Making a complaint can be an effective way to get your employer to fix privacy problems without having to engage in litigation.
If you’re thinking of pursuing a privacy complaint regarding your employer’s collection, use, or disclosure of your members’ personal information, whether by way of your grievance process or the OIPC, we can advise you on your options.
This blog post is general information only and does not comprise legal advice. If you need advice about your particular situation, please contact Jadine.