May 30th, 2017 | Sterling

Privacy Laws Impact on Background Screening Checks

Three people in front of a screen

Canadian privacy laws help to ensure employees have the knowledge and control of how their personal information is handled. Privacy laws in Canada regulate the collection, use, disclosure and retention of personal information. Canada has many privacy laws on a federal and provincial or territorial level. Each jurisdiction has a public-sector privacy law that applies to government agencies, some Crown corporations, health regions and other public-sector organizations. The overall federal public-sector law is called the Privacy Act while there are various provincial laws, several which are called the Freedom of Information and Protection of Privacy Act (FIPPA). For the private sector, the Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal privacy law which regulates personal information collected from customers across Canada. Some provinces have their own private-sector privacy laws as well. Not all private-sector laws protect employee information. For example, PIPEDA covers employees of federally-regulated businesses, but not provincially-regulated businesses because those employee relationships fall outside of federal government’s jurisdiction.

History of Canadian Privacy Laws

The history of the Canadian Privacy Laws goes back to the 1960’s and early 1970’s. Canada enacted the first public sector privacy protection law in Part IV of the Canadian Human Rights Act in 1977. The anti-discrimination provisions of the Canadian Human Rights Act were not the best fit for the right to privacy, which left a legislative gap that was addressed by the Privacy Act and Access to Information Act both passed in 1983. The Personal Information Protection and Electronic Documents Act (PIPEDA) went into effect in January 2001.

The Privacy Act applies only to approximately 250 federal government departments and agencies. The Act grants individuals the legal right of access to personal information held about them by the federal government. The central privacy principle under the Privacy Act is “that personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be used by the institution, except for the purpose for which the information was obtained or compiled by the institution or for the use of consistent with that purpose.”

PIPEDA is concerned with how private-sector organizations collect, use or disclose personal information during commercial activities across Canada. PIPEDA does not apply to not-for-profit, charity groups, political parties or associations unless the organization is conducting a commercial activity.  This Act will not apply to an organization that operates wholly within a province that has legislation that has been deemed substantially similar to PIPEDA unless the personal information crosses provincial or national borders. Currently, Quebec, British Columbia and Alberta have privacy laws that are substantially similar to PIPEDA.

Privacy Laws and Background Screening

Privacy laws differ in how and whether they apply to employees’ and applicants’ information. There are ways that PIPEDA privacy principles should be applied within an organization, especially in regards to developing a background screening program. Some privacy concepts to keep in mind are:

  • Notice and Consent: In most cases, privacy laws require that individuals be notified (and consent) that their personal information will be collected and the purposes of the collection.
  • Limiting Collection and Use: When providing notice to an individual that personal information will be collected, the notice should include the purposes for the collection. Once the information has been collected, it can only be used for the purposes originally identified, unless the person has agreed for it to be used otherwise. The information cannot be repurposed or given to other parties for other uses without the consent of the individual.
  • Retention of Personal Information: Personal information should not be retained forever. Once there is no longer a need to keep it, it should be securely destroyed.
  • Safeguards: Personal information under an organization’s control must be carefully guarded against inadvertent loss or disclosure, using both physical and technological means. Paper documents should be under lock and key and electronic records should only be available to those that need to know.
  • Accuracy: Organizations have an obligation to ensure the personal information in their custody is accurate, especially if it will be used to make a decision about an individual.
  • Accountability: Organizations should be prepared to answer questions about how they handle personal information. Having written policies in place can help reassure individuals that their privacy is taken seriously.

There are many risks that come along with being non-compliant with privacy laws. Non-compliance with privacy laws can take a toll on employee relations and put the organization at the risk of a privacy complaint or legal action.

Keep Up with Compliance

There are many laws, regulations and rules that govern the background screening industry. The privacy laws aim to protect candidates when their personal information is being used on an application and during background screening. To respect the rights of applicants and employees, organizations should be aware of their obligations and develop background check policies that take into account their particular needs, risk tolerance and legal obligations. Since every organization has different hiring requirements, it is recommended to consult with legal counsel when creating and updating a background screening policy. Find more detailed information about the legal framework behind background screening regulations by downloading our white paper, Legal Considerations for Background Screening in Canada.

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.