Privacy and the Plan Administrator - Managing Privacy Risks

  • February 28, 2017
  • Glorie Alfred

The proper administration of pension and benefit plans requires compliance with duties and obligations that are primarily outlined in pension, insurance and income tax legislation.  However, plan administrators will often encounter situations that require a consideration of legal rules arising from other areas of law such as trust law, bankruptcy & insolvency law, labour & employment law, family law and privacy law, to name a few.  Savvy pension and benefits lawyers must be able to identify some of the legal issues and/or obligations arising outside the pension and benefits context that may have an impact on the plan administrator, and where possible, encourage their clients to take proactive steps to address such obligations and minimize associated risks.  One area of law which intersects with the practice of pension and benefits law, and which provides plan administrators and their legal advisors with a unique opportunity to take enterprising action is privacy law.

Unique privacy concerns relevant to pension and benefit plans

Privacy laws govern the collection, use, disclosure and storage of personal information.  In the commercial context, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use and disclosure of personal information by private sector organizations, except in Alberta and British Columbia (which have legislation that has been deemed substantially similar to PIPEDA).

PIPEDA broadly defines personal information as information about an identifiable individual.  As a result, in the course of administering pension and benefit plans, plan administrators regularly collect various types of personal information about plan members, including their address, birth date, gender, employment, health, income and spousal status.  Accordingly, quite separate from their duties under the governing pension and benefit statutes, plan administrators in Ontario have a duty to handle the personal information of plan members in a manner that complies with the minimum requirements of PIPEDA.  In addition, there are circumstances unique to the administration of pension and benefit plans, as outlined below, that justify a pro-active approach to compliance with obligations under PIPEDA:

  1. Sensitive nature of the information collected

    Plan administrators regularly collect personal information about members, much of which can be described as highly sensitive personal information.  In the context of benefit plans, an example of sensitive personal information that is routinely collected is the health information of plan members.  In the pension plan context, an example of sensitive personal information that is routinely collected is the spousal status of members, including information about the breakdown of spousal relationships and the division of assets.

    While all personal information must be safeguarded to prevent unauthorized or inadvertent disclosure, the safeguarding of sensitive personal information is an important priority because of the increased degree of harm that can result from unauthorized disclosure. A privacy breach involving sensitive personal information is more likely to have a significant adverse impact on the individual whose privacy has been compromised by the breach.

  2. Requests for information

    Plan administrators are likely to receive requests for personal information about plan members from third parties such as their spouses, children, relatives or friends who are inquiring about the plan member’s benefits under the plan.  In the context of pension and benefit plan administration, such situations are likely to arise when a plan member is ill and unable to contact the plan administrator themselves.  In the context of pension plans, third party requests for information are sometimes made by family members who are supporting elderly, retired plan members who need assistance accessing and understanding information about their benefits under the plan.

    The reasons a third party would contact a plan administrator for information about a plan member are often sympathetic, and in some circumstances the request for information will be framed as requiring an urgent response.  To prevent the unauthorized disclosure of personal information in such circumstances, plan administrators would be wise to have a strategy in place that would allow them to be responsive to member needs while mitigating the risks of unauthorized disclosure of personal information.

  3. Beneficiary Disputes

    From time to time, plan administrators are faced with competing claimants for benefits after the death of a plan member (“competing beneficiaries”).  When investigating or responding to competing beneficiaries, plan administrators deal with requests for information from competing beneficiaries who often demand information about the identity of their competitor, and the basis of their competitor’s claim to the death benefits.  Indeed, in some situations, if the plan administrator were able to disclose the information requested, the disclosure would facilitate dispute resolution by demonstrating to a claimant that compelling information discrediting their claim has been provided.

    However, plan administrators must take care not to disclose personal information about a plan member or a competing beneficiary without consent.  If care isn’t taken to address this privacy risk, the plan administrator could be left to deal with allegations of a breach of privacy long after the beneficiary issue is resolved.

  4. Electronic collection and storage of personal information

    Plan administrators routinely collect, use, store and disclose the personal information of plan members by electronic means.  There are unique risks associated with the electronic management of personal information.

    The presence of cyber security threats, such as hacking, requires plan administrators to implement security measures that provide an adequate measure of security in response to current and emerging threats that can result in the unauthorized access or disclosure of personal information.  Such security measures should also extend to the plan administrator’s disposal of hardware, such as printers and computers, which may retain sensitive personal information.  The plan administrator should take steps to ensure that personal information of plan members cannot be retrieved from hardware that has left its custody and control.

Proactive steps to manage security risks

Pension and benefits lawyers can provide valuable assistance to their plan administrator clients that will help them to comply with PIPEDA, and to pro-actively manage some of the privacy risks that are unique to their business, as outlined above.  Some pro-active steps to consider include:

  1. Reviewing existing practices, policies and procedures to see how responsive they are to minimum obligations under PIPEDA.  This could involve drafting a privacy policy or reviewing an existing corporate privacy policy to ensure it is responsive to privacy issues that arise in the pension and benefit context.

  2. Contacting business partners and third party service providers to understand what policies they have in place to safeguard plan members’ personal information that the plan administrator discloses to them.

  3. Implementing pro-active guidelines to address unique situations in the pension and benefits context where the risk of mishandling personal information is heightened, and identifying key persons who should be consulted for guidance and direction when responding to such situations.

  4. Delivering training to staff involved in plan administration activities to ensure they have the knowledge and skills to handle the personal information of plan members in accordance with legislative obligations.

The pro-active management of privacy obligations and risks provides many advantages to plan administrators, including a reduced risk of regulatory investigations, fines, breach of privacy lawsuits and member complaints, and it helps prevent the loss of goodwill and business relationships.  A pro-active approach to privacy concerns will also put plan administrators in the best position to respond should a privacy breach occur.

About the author

Glorie Alfred, Morneau Shepell