October 4th, 2022 | Sterling

Employee Rights: Privacy Laws in Canada

Canadian privacy laws help ensure employees have knowledge and control over how their personal information is handled by employers. Non-compliance with privacy laws can take a toll on employee relations and put the employer at the risk of a privacy complaint or legal action.

Review of Canada’s Privacy Laws

The privacy laws in Canada help to protect individuals while holding the government and private organizations accountable. There are both public-sector (including health) and private-sector privacy laws. Public-sector laws have been around longer and, in some cases, impose more specific technical requirements than private-sector laws.

A sample of public-sector and health privacy laws include the Privacy Act (Canada) and various provincial laws, several of which are called the Freedom of Information and Protection of Privacy Act (FIPPA). There are also municipal versions in Ontario and Saskatchewan. These laws regulate government departments, agencies, Crown corporations, municipalities, and health regions, and are enforced by federal and provincial privacy commissioners.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal law that sets out ten privacy principles based on global and national standards. PIPEDA applies to personal information that private-sector organizations collect from customers in most of the country, and to the employee personal information of federally-regulated businesses only (this includes airlines, telecommunications, railways, banks, and others). As of September 2022, a bill is pending before Parliament which would repeal and replace PIPEDA with an updated private-sector privacy framework.

There are three provinces that have their own privacy laws that are substantially similar to PIPEDA: Alberta, British Columbia, and Quebec. These provincial laws generally apply to private organizations collecting and processing personal information inside the province, including provincially-regulated employers.

Employee Personal Information

Not all private-sector laws protect all employee information. For example, PIPEDA covers employees of federally-regulated businesses, but not provincially-regulated businesses, because those employee relationships fall outside of the federal government’s jurisdiction. The provincial privacy laws that are substantially similar to PIPEDA protect the personal information of employees of provincially-regulated businesses only.

In some cases, notably in Alberta and B.C., the laws draw a distinction between ‘employee personal information’ — which is personal information that is required to establish, manage, or terminate employment — and regular personal information. In the case of ‘employee personal information,’ consent requirements may be relaxed, but organizations must still notify their employees that the information will be collected. However, information that is not strictly required to establish, manage, or terminate the employment relationship is subject to full consent requirements.

Applying Privacy Principles: Pre-Hire Checks

There are many ways that the PIPEDA privacy principles should be applied to hiring processes. Perhaps the two most important factors to consider are 1) the need for transparency in the process of collecting personal candidate information and 2) requirements for disclosing why the information is being collected. In the case of background screening, employers generally must receive consent from candidates before performing the screening. Employers need to be transparent with the process, set expectations for the candidate, and be prepared to answer questions about how the background check information will be used to make a hiring decision.

The purpose of collecting and handling personal information must be reasonable, legal, and necessary to achieve a stated goal. To determine if the purpose is reasonable, the relationship between the information and the duties and responsibilities of the position must be kept in mind. For example, you should ask the following questions before collecting police information:

  • Which type(s) of police/criminal information is necessary and why?
  • How can we reliably obtain the type(s) we need?
  • Is there a risk of collecting more information than we need, and how do we mitigate that risk?
  • How will we use the information once we have it?

These questions should also be considered when performing credit history, social media, and drug and alcohol testing, among others.

Employee Monitoring and Investigations

Organizations will also need to keep privacy in mind when carrying out employee monitoring, investigations, and recurring background checks. It is important to have a clear, detailed, and reasonable policy in place for monitoring employee activities. Recurring background checks may need to be more limited than pre-employment checks, and should be relatively infrequent. While consent for re-checks may be obtained at the beginning of employment, it is helpful to provide new notification to employees shortly before new checks are conducted, to refresh employees’ memory and give them an opportunity to update their personal information.

Security and Retention

The security and retention of private information are also regulated by provincial and federal privacy laws. Different types of employee records may need to be retained for different reasons and for different lengths of time. Privacy laws require that personal information be deleted or anonymized once it is no longer needed to achieve the purpose it was collected for or to satisfy other legal or business purposes. It is good practice to keep information used to make a decision for a minimum of one to two years to satisfy legal requirements, permit access, and respond to privacy or human rights complaints. Some provincial privacy laws mandate a minimum one-year retention period when data has been used to make a decision.

Employee information is highly sensitive. Paper documents should be under lock and key, while electronic records should be only available to those who “need to know.”

Risks of Non-Compliance

There are many risks which result from being non-compliant with established privacy laws. Individuals can file privacy complaints, which can involve time-consuming investigations and may result in findings against your organization being published. Court action or arbitration are also possibilities, and those can be quite expensive. In the case of a human rights violation, you could face human rights complaints resulting in fines or indemnities for damages. New privacy laws, including revisions to Quebec’s private-sector law and the federal bill working its way through Parliament at the time of writing, include significant fines for non-compliance.

The most important risk to consider is the effect on employees. They could feel that their privacy is not being respected, which would have an impact on employee morale, productivity, and loyalty, and could also make it more difficult for you to recruit good talent for your company.

Find out more about employee rights and privacy laws in Canada by checking out the Compliance Hub.

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.