Part II of II
As discussed in our most recent blog post, much attention has been given recently to the Digital Privacy Act and the changes that will come into force later this year under the Personal Information Protection and Electronic Documents Act (“PIPEDA”)  in respect of mandatory breach reporting and recordkeeping. Do PIPEDA and the Digital Privacy Act apply to pension plans? In Part I of our two-part blog post, we discussed the new provisions. In Part II of the post, we discuss the potential application of the new provisions of PIPEDA to employers who provide pension plans to their employees.
What is PIPEDA?
PIPEDA is the most prominent private sector privacy statute in Canada. Its principles are based on the core privacy principles in The Model Code for the Protection of Personal Information, which principles include, among others, accountability, accuracy and safeguards.
Application to Employee Personal Information
PIPEDA governs the collection, use, disclosure and protection of employee personal information by federally regulated employers (e.g. banks, telecommunication companies, inter-provincial transportation companies and shipping companies). It does not apply to employee personal information held by provincially regulated businesses. As such, PIPEDA governs the use, disclosure and protection of employee personal information in respect of pension plans administered and sponsored by federally regulated employers but does not govern the use, disclosure and protection of such information by provincially regulated employers.
Application to Commercial Activities
Provincially regulated employers may, however, be subject to PIPEDA in the course of their commercial activities. PIPEDA also governs the collection, use, disclosure and protection of personal information in the course of commercial activities in all provinces and territories that do not have substantially similar legislation. As at July 1, 2018, the provinces of Alberta, British Columbia and Quebec had substantially similar private sector legislation in force. This means that PIPEDA does not apply to the commercial activities of private sector organizations that operate entirely within such provinces but does apply to private sector organizations that operate in the remaining provinces and in the territories.
What is a commercial activity?
A commercial activity is defined under PIPEDA as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character.” According to the Office of the Privacy Commissioner of Canada (“Privacy Commissioner”), “whether an organization can be said to collect, use or disclose personal information in the course of a commercial activity will vary depending on the facts of each case.” Because of the rather vague and circular definition of “commercial activity”, the Privacy Commissioner has considered the question of what does or does not constitute a commercial activity in a number of cases but not, to the author’s knowledge, in the context of a pension plan.
Application to Pension Plans?
Whether or not the activities of a pension plan are of a “commercial character” is unclear. For example, is a sponsor and administrator of a single-employer pension plan engaged in a commercial activity when it issues annual statements to members? The answer is likely no. On the other hand, is a third party administrator of a single-employer pension plan engaged in a commercial activity when it collects personal information of plan members for the purposes of investing their accounts under a defined contribution plan? The answer is likely yes.
In short, whether or not the activities of a pension plan are of a “commercial character” and the activity is subject to PIPEDA will vary depending on the facts of each case. As discussed in our prior blog post, if the organization or activity is subject to PIPEDA, the soon to be in force provisions under PIPEDA in respect of mandatory breach reporting and recordkeeping will apply. It is, therefore, important that plan sponsors and administrators be aware of the new provisions.
For further information, please contact Kim Ozubko at firstname.lastname@example.org or (416-597-4338).
 SC 2015, c 32.
 SC 2000, c.5.
 Ibid, s. 4(1)(a).
 Office of the Privacy Commissioner of Canada, Interpretation Bulletin: Commercial Activity (January 2017).