February 28th, 2017 | Sterling

Employee Rights: Privacy Laws in Canada


Canadian privacy laws help ensure that employees know, and have control over, how their personal information is handled. Non-compliance with privacy laws can take a toll on employee relations and put the organization at risk of a privacy complaint or legal action. Sterling Talent Solutions recently hosted a webinar on employee rights in Canada, “Employee Rights, Part 1: Privacy in Canada,” presented by Mark Sward, Director of Privacy at Sterling Talent Solutions.

Review of Canada’s Privacy Laws

The privacy laws in Canada help to protect citizens while holding the government and private organizations accountable. There are public-sector (including health) and private-sector privacy laws. Public-sector laws are more established and in some cases impose more specific technical requirements than private-sector laws. Examples of public-sector and health privacy laws include the Privacy Act (Canada) and various provincial laws, several of which are called the Freedom of Information and Protection of Privacy Act (FIPPA). There are also municipal versions in Ontario and Saskatchewan. These laws regulate government departments, agencies, Crown corporations, municipalities and health regions and are enforced by federal and provincial privacy commissioners.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal law that sets out ten privacy principles based on global and national standards. PIPEDA applies to personal information that private-sector organizations collect from customers in most of the country, and to employee personal information of federally-regulated businesses only (this includes airlines, telecommunications, railways, banks and others). There are three provinces that have their own privacy laws that are substantially similar to PIPEDA: Alberta, British Columbia and Quebec. These provincial laws generally apply to private organizations collecting and processing personal information inside the province, including provincially-regulated employers.

Employee Personal Information

Not all private-sector laws protect employee information. For example, PIPEDA covers employees of federally-regulated businesses, but not provincially-regulated businesses because those employee relationships fall outside of the federal government’s jurisdiction. The provincial privacy laws that are substantially similar to PIPEDA do protect the personal information of employees of provincially-regulated businesses. In some cases, notably in Alberta and B.C., the laws draw a distinction between ‘employee personal information’—which is personal information that is required to establish, manage or terminate employment—and regular personal information. In the case of ‘employee personal information’, consent requirements may be relaxed, but organizations must still notify their employees that the information will be collected. However, information that is not strictly required for a job placement is subject to full consent requirements.

Applying Privacy Principles: Pre-Hire Checks

There are many ways that the PIPEDA privacy principles should be applied within an organization. Perhaps the most important are transparency and sharing why the information is being collected. In the case of background screening, employers generally must receive consent from candidates before performing the screening. Employers need to be transparent with the process, set expectations for the candidate and be prepared to answer questions about how the background check information will be used to make a hiring decision.

The purpose of collecting and handling personal information must be reasonable, legal and necessary to achieve a certain goal. To determine if the purpose is reasonable, the relationship between the information and the duties and responsibilities of the position must be kept in mind. For example, you should ask the following questions before collecting police information:

  • Which type(s) of police/criminal information is necessary and why?
  • How can we reliably obtain the type(s) we need?
  • Is there a risk of collecting more information than we need and how do we mitigate that risk?
  • How will we use the information once we have it?

These questions should also be considered when performing credit history, social media and drug and alcohol testing, among others.

Employee Monitoring and Investigations

Organizations will also need to keep privacy in mind when carrying out employee monitoring, investigations and recurring background checks. Organizations should have a clear, detailed and reasonable policy in place for monitoring their employees’ activities. Recurring background checks may need to be more limited than pre-employment checks and should be relatively infrequent. While consent for re-checks may be obtained at the beginning of employment, it is helpful to provide new notification to employees shortly before new checks are conducted.

Security and Retention

The security and retention of private information are also regulated by provincial and federal privacy laws. Different types of employee records may need to be kept for different reasons and different lengths of time. Privacy laws require personal information be deleted or anonymized once it is no longer needed to achieve the purpose it was collected for or to satisfy other legal or business purposes. It is a good practice to keep information used to make a decision for a minimum of one to two years to satisfy legal requirements, permit access and respond to privacy or human rights complaints.

Employee information is highly sensitive. Paper documents should be under lock and key and electronic records should be only available to those that need to know.

Risks of Non-Compliance

There are many risks that come with being non-compliant with privacy laws. Individuals can file privacy complaints, which can involve time-consuming investigations and may result in your organization’s name being released. Court action or arbitration are also possibilities, and those can be quite expensive. In case of a human rights violation, you could face human rights complaints resulting in fines or indemnities for damage. Most important is the effect on employees. They could feel that their privacy is not being respected, which would have an impact on morale, productivity and loyalty, and could also affect the company’s ability to recruit good talent.

Find out more about employee rights and privacy laws in Canada by checking out the On Demand version of the very informative webinar.

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.