While the deadline for compliance with the Personal Information Protection and Electronic Documents Act was Jan. 1, most organizations in Canada will find themselves scrambling to catch up if they haven’t already complied. The act extends rights to individuals who control the collection, use, and
disclosure of their personal information by organizations in the course of commercial activity.
At Royal LePage, the human resources department has taken the act one step further to include protection of the information of its employees. And while gathering the information was a huge task that began in January 2002, getting employees to give consent will be aided by a software tool from software vendor eQuest.
“”We did an audit of all the personal information in the department and all the information that leaves the department in terms of when it leaves, where does it go?”” says Nancy Brickwood, HR manager for Royal LePage in Toronto. “”Whether it’s to a controller at merit time for budget, or if a manager requests a report on an employee in terms of a list of employees with current salaries, we looked at all of that. We did an audit and put procedures in place that will be live in January on how we need to handle our information within the department and how our managers and controllers need to handle it as well.””
Using eQuest’s eConsent product, Royal LePage will send employees the forms necessary to get their consent for the exchange and use of their personal information.
“”When we go out to everybody to get their consent, rather than having a horrendous job with all this paper and people having to sign forms and ticking boxes and forgetting boxes and us having to send it back we thought this was a wonderful opportunity to do it electronically,”” says Brickwood.
Employees will be e-mailed the consent notice and asked to log on to the system from there.
“”In terms of efficiency over paper I think it will be tremendously efficient,”” she adds. “”It will be making sure employees do it within the time limits.””
Royal LePage had been dealing with eQuest on the HR side for sometime and was part of the beta test for eConsent. The company is hoping for a 62 per cent savings compared to what it would have cost to do existing privacy management manually.
“”It’s about the ability of the software to help them plan and implement their policies and manage the data,”” says Kathy Tuitt, partner and co-founder of eQuest Systems.
The Canadian Privacy Institute offers consulting and software services to help companies address the challenges of meeting the privacy law requirements.
Director and senior consultant for the Institute, Ian Turnbull, says very few companies are prepared.
“”The banks and telecommunications have had a jump on it because the legislation has applied to them since 2001,”” he says. “”But I know some of the largest companies in the country who are not ready but are still talking about how they are going to deal with it.””
Turnbull says many large organizations may not be ready, but points out there are small to mid-size organizations that are not even aware they should be ready.
“”Y2K was a deadline and had a lot of media attention for years and passed without a whimper,”” he says. “”We think this is the complete reverse because it has had very little media coverage, and Jan. 1 is not the deadline, but the start line. This is only going to grow bigger. On Jan. 2 we’re not going to see high profile complaints or a huge bulge of complaints to the
privacy commissioner’s office, but it’s going to start happening pretty quickly because we believe consumers of all types have a number of privacy issues and as soon as they discover they have rights in this area, this will grow exponentially,”” he says.
According to Tuitt, a small percentage of companies are prepared for PIPEDA.
“”The awareness is minimal by both companies and consumers of what the new privacy legislation implications are,”” she says.
Equest has designed software to address the privacy legislation in Canada. The software helps manage the tracking, collection, use and disclosure of personal information, and how it is being used. It is a Web-based application and is sold under subscription basis. Within the application you can set up organizational information and define the type of personal information you are storing by groups.