May 5, 2021
Pension and benefit plan administrators and trustees process a substantial amount of personal information about individuals in order to provide benefits to employees, retirees, pensioners and surviving spouses. Privacy legislation, such as the Personal Information Protection and Electronic Documents Act (PIPEDA), imposes a legal framework around how the personal information held by pension and benefit plan administrators is collected, used, disclosed, maintained, accessed and retained. This is in addition to common law fiduciary standards of care.
Not all activity by a pension and benefit plan administrator or trustee is necessarily caught by private-sector privacy legislation, however. Certain activities, such as providing information to a member about their own pension benefits, are unlikely to be considered commercial activity.
Where privacy legislation does apply, pension and benefit plan administrators and trustees need to ensure that they comply with the various nuances in different jurisdictions. For example, Alberta’s Personal Information Protection Act (PIPA) provides that an individual is deemed to consent to the collection, use and disclosure of personal information about the individual by an organization for the purpose of enrolment or coverage under a pension plan. This provision extends to any family members of the applicant. British Columbia’s Personal Information Protection Act (PIPA) contains the same deemed-consent provisions. However, if information is transferred across a provincial border and PIPEDA applies, PIPEDA has no similar provision for implied consent, so the administrator cannot rely on it.
Depending on the applicable privacy legislation, there are a number of privacy issues that pension plan administrators and trustees must regularly address. These include, for example, ensuring that:
- personal information was collected with informed consent, where applicable;
- only personal information that is required is collected from individuals;
- personal information remains correct;
- if a new purpose for the personal information is identified (for example, debt collection for overpayments), the new use is either permitted by law or covered by fresh consent obtained from the individual;
- personal information provided to third parties (for example, service providers or custodians) is protected appropriately, typically through contractual safeguards;
- adequate cybersecurity measures, appropriate to the sensitivity of the information, are in place to ensure personal information remains safe;
- plan members are provided with information as required by legislation; and,
- regulators are provided with information as required by legislation.
Koskie Minsky’s privacy team can assist in navigating these privacy issues so that administrators and trustees can be confident they have adequately protected the personal information of members and employees.