Presented in partnership with Davies

This article was originally published October 19th, 2018

Read the original article: https://www.dwpv.com/en/Insights#/article/Publications/2018/Legalization-of-Cannabis-A-Guide-for-Employers

Authors: Louise Patry, Brian Kujavsky, Jessica Bullock, Joseph-Anaël Lemieux, Rachael Lee and Brent Winston

With the legalization of recreational cannabis as of October 17, 2018, Canadian employers must be prepared to understand their rights and responsibilities vis-à-vis their employees.

Substance and Drug Use Policy

Employers are encouraged to adopt or amend their substance and drug use policies to conform to cannabis legalization.

First, employers’ drug policies should clearly stipulate that they apply to cannabis use, notwithstanding its legalization.

Second, regardless of the particular rules employers wish to adopt, it is advisable to institute policies that are clear with regard to the behaviours that are forbidden and the consequences of violating the policies. These policies should also be applied in a consistent and uniform manner to every employee (subject, of course, to any duty to accommodate, as discussed below).

The implementation of cannabis use policies should be accompanied by training on the various issues surrounding cannabis and the workplace, particularly for managers who will have to apply these policies.

When Is Testing for Cannabis Use Permitted?

Subjecting an employee to a drug test is considered to be a violation of the employee’s right to privacy. Testing employees for drug use is allowed only in specific circumstances. Therefore, unilateral random testing is justified only in safety-sensitive industries and workplaces or where there is evidence of a generalized problem with substance abuse, and only for employees who occupy safety-sensitive positions.

Beyond that, an employer may impose drug testing only in a safety-sensitive workplace and for an individual employee who occupies a safety-sensitive position in the following situations:

• There is reasonable cause to believe that the employee is impaired while on duty.
• The employee has been directly involved in a workplace accident or significant incident.
• The employee is returning to work after treatment for substance abuse.

Current drug testing is unable to accurately determine the extent of cannabis impairment. Although testing for cannabis use can detect the presence of THC in the blood, such tests do not necessarily show that an employee is or was impaired by using cannabis. Moreover, because THC can be detected in the blood several days after consumption, these tests cannot accurately determine the temporal aspect of impairment. We strongly recommend that employers seek legal advice before testing their employees for cannabis use.

Employers’ Duty to Accommodate

Employers are required by law to accommodate an employee’s disabilities up to the point of undue hardship. While employers are permitted to prohibit employees’ recreational use of cannabis in the workplace, employers are required to accommodate employees who use prescribed medical cannabis and employees who suffer from an addiction to cannabis where such disabilities do not affect their ability to perform their duties and do not affect workplace safety.

An employer’s policy could provide that employees who need to use cannabis for medical purposes are required to inform their employer. The policy could also stipulate that employees with an addiction to cannabis are encouraged to inform their employer in a confidential manner, so both parties can work together to find a solution to accommodate the employee.

Employers are advised to seek legal advice regarding the appropriate measures to be adopted in respect of employees who use cannabis for medical purposes or who suffer from an addiction to cannabis.

Québec: Bill 157 to Restrict Cannabis Use in the Workplace

Québec’s Bill 157, which enacted, among others, the Cannabis Regulation Act (Act), provides regulations regarding the use and possession of cannabis in the workplace. Under the Act, employers have the option of regulating or entirely forbidding any form of cannabis use in the workplace by their personnel, regardless of the nature of the business they operate. The Act also prohibits the smoking of cannabis in any enclosed workplace. The Act more specifically prohibits anyone who takes care of or otherwise provides care to a minor, a senior or any person in a vulnerable situation from using cannabis during working hours. The exact scope of this prohibition is nebulous, but it may well apply to employees of schools, hospitals and pharmacies so as to prohibit them from using cannabis during their work shift, which would likely include coffee and/or lunch breaks.

The Act also modifies the Act Respecting Occupational Health and Safety (AOHS) to restrict employees to whom the AOHS applies from performing work when their condition, by reason of impairment by cannabis, represents a risk to their health, safety or physical well-being or to the health, safety or well-being of other people in or near the workplace. In addition, the AOHS creates a corresponding obligation for employers to ensure that their employees do not perform their work when their condition represents such a risk to health, safety and physical well-being. It is noteworthy that on a construction site, being impaired by cannabis is deemed to represent a risk to health, safety and physical well-being.

Ontario: Bill 36 and the Occupational Health and Safety Act

In Ontario, Bill 36 was passed on October 17, 2018, which amended the Ontario Cannabis Act, 2017, to become the Cannabis Control Act, 2017. Bill 36 provides that smoking or consuming cannabis is prohibited in enclosed workplaces.

The Occupational Health and Safety Act (Ontario) requires employers to ensure the safety and protection of their employees in the workplace. This means that the legalization of cannabis does not affect an employer’s right to require employees to be free from impairment in the workplace.

It should be noted that the other provinces and territories of Canada can adopt their own rules regarding the use of cannabis in the workplace, and they may differ from the rules adopted in Québec and Ontario.

Presented in partnership with Cox & Palmer

This article is also posted on Cox and Palmer’s website.

Article Written by:
Matt Saunders

Local and global data breaches remain headline news. From Facebook’s disclosure of its sharing of millions of users’ profiles (without their consent) to the recent data breach involving the Nova Scotia government’s Internal Services website, awareness is growing about privacy rights, how people share data, and how personal information is protected.

Canadians’ interest in these issues will only increase as Canada’s new mandatory data breach notification provisions under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) come into force on November 1, 2018. Further details of the notification process are set out in the Breach of Security Safeguard Regulations (the “Regulations”), which were published in final form on April 18, 2018.

The new data breach notification framework lists the steps an organization must take when it experiences a “breach of security safeguards” (or a breach due to a failure to establish safeguards):

1. Determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach;
2. If the answer is “yes” to (1), notify affected individuals and report to the Privacy Commissioner of Canada (the “Commissioner”) as soon as feasible after determining the breach has occurred;
3. Notify any other organization that may be able to mitigate harm to affected individuals; and
4. Maintain a record of any data breach the organization becomes aware of (and provide these records to the Commissioner upon request).

“REAL RISK OF SIGNIFICANT HARM”

Under the new framework, “significant harm” is broadly defined to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on one’s credit record, and damage to or loss of property.

When assessing whether a breach poses a real risk of significant harm to affected individuals, the organization should consider the sensitivity of the personal information involved in the breach, the probability that the personal information has been, is being or will be misused, and other factors that may be set by regulation.

NOTIFICATION TO THE COMMISSIONER

After determining that a data breach has occurred and poses a real risk of significant harm, an organization must report the data breach to the Commissioner as soon as feasible. The Regulations require that any report to the Commissioner must be in writing, sent by any secure means of communication, and include:

• a description of the circumstances of the breach and, if known, the cause;
• the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
• a description of the personal information that is the subject of the breach to the extent that the information is known;
• the number of individuals affected by the breach or, if unknown, the approximate number;
• a description of the steps taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm;
• a description of the steps the organization has taken or intends to take to notify affected individuals of the breach; and
• the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.

Additionally, an organization can submit to the Commissioner any new information referred to above that the organization becomes aware of after the report is made.

NOTICE TO AFFECTED INDIVIDUALS

Organizations must also provide notification to each individual affected by a breach, unless otherwise prohibited by law. Such notifications must include:

• a description of the circumstances of the breach;
• the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
• a description of the personal information that is the subject of the breach to the extent that the information is known;
• a description of the steps the organization has taken to reduce the risk of harm that could result from the breach;
• a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
• contact information that the affected individual can use to obtain further information about the breach.

Organizations must directly notify affected individuals of a breach in person, by telephone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances.

However, it is acceptable for an organization to indirectly notify affected individuals in the following circumstances: (i) direct notification would be likely to cause further harm to the affected individual; (ii) direct notification would be likely to cause undue hardship for the organization; or (iii) the organization does not have contact information for the affected individual. Indirect notification can be given by public communication or similar measure that could reasonably be expected to reach the affected individuals.

NOTICE TO OTHER ORGANIZATIONS

If an organization notifies affected individuals, they must also notify any other organization, government institution, or part of a government institution of the breach if the notifying organization believes that the other organization or government institution may be able to reduce the risk of harm that could result from the breach or mitigate that harm.

RECORD KEEPING

An organization must maintain a record of every breach of security safeguards involving personal information, even those that the organization has determined do not pose a real risk of significant harm to an individual, for a period of 24 months after the day on which the organization determines that the breach has occurred. The record must also contain any information that enables the Commissioner to verify compliance with the provisions requiring reports to the Commissioner and notification to affected individuals.

FINES

Organizations should also be aware that knowingly failing to report to the Commissioner or notify affected individuals of a breach that poses a real risk of significant harm, or knowingly failing to maintain a record of all breaches, can lead to fines of up to $100,000.

The teams at Trisura and Cox & Palmer are happy to assist businesses and organizations looking for more information on how to prepare for the roll-out of Canada’s data breach notification requirements. Should you have any questions, please do not hesitate to contact Michael Kalakauskas or Matt Saunders.

ABOUT COX & PALMER

At Cox & Palmer, they believe that strong client relationships are the foundation for great results. With excellence in client service a number one priority, they deliver timely legal solutions built on a deep understanding of their clients’ needs and top quality work. 200 lawyers strong, with over a century of experience serving Atlantic Canadians, the full-service regional law firm provides advice to individuals and businesses in a broad range of sectors across all major industries.

Cox & Palmer privacy lawyers have extensive knowledge and experience in all aspects of privacy and access law and have appeared before various levels of court in Nova Scotia and Ontario. They work closely with their clients and other practice groups within the firm to provide sector-specific advice that is tailored to meet our clients’ needs. Members of their team have backgrounds in emergency management and security consulting, and are also Certified Information and Privacy Professionals with the International Association of Privacy Professionals (IAPP).