September 27th, 2024 | Sterling

Privacy First: How Canada’s Laws Shape Background Screening

In today’s privacy-conscious world, Canadian privacy laws ensure that employees are informed and have control over how their personal information is managed. These laws specifically regulate the collection, use, disclosure, and retention of personal information. Consequently, HR professionals must navigate the legal obligations associated with processing applicants’ and employees’ personal data.

However, the complexity of Canada’s privacy legislation can be overwhelming. Laws and requirements vary across provinces, territories, and industries, making compliance challenging. The consequences of non-compliance can be significant.

In this article, Mark Sward, Sterling’s Global Head of Privacy, will discuss the history and scope of Canada’s privacy legislation, as well as the fundamental privacy principles that should be incorporated into your hiring and background screening programs.

For more in-depth information, download our white paper, Legal Considerations for Background Screening in Canada.

Canada’s Privacy Laws: an Overview

Canada has many privacy laws at both the federal and provincial or territorial level. Each jurisdiction has a public-sector privacy law that applies to government agencies, certain Crown corporations, health regions, and other public-sector organizations. The overarching federal public-sector law is called the Privacy Act. Additionally, various provincial laws exist, many of which are called the Freedom of Information and Protection of Privacy Act (FIPPA).

For the private sector, the Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal privacy law which regulates personal information collected from customers across Canada. Some provinces also have their own private-sector privacy laws. However, not all of these laws protect employee information. For instance, PIPEDA covers employees of federally-regulated businesses but does not extend to provincially-regulated businesses, as those employee relationships fall outside the federal government’s jurisdiction.

History of Canadian Privacy Laws

The history of Canadian privacy laws dates back to the 1960s and early 1970s. In 1977, Canada enacted its first public-sector privacy protection law as Part IV of the Canadian Human Rights Act. However, the anti-discrimination provisions of this Act were not ideally suited to address privacy rights, leaving a legislative gap. This gap was filled by the Privacy Act and the Access to Information Act, both passed in 1983. Later, the Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect in January 2001.

The Privacy Act applies to approximately 250 federal government departments and agencies. It grants individuals the legal right to access personal information held about them by the federal government. The central privacy principle under the Privacy Act is “…that personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be used by the institution, except for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose.”

PIPEDA governs how private-sector organizations collect, use, or disclose personal information during commercial activities across Canada. It does not apply to not-for-profit organizations, charity groups, political parties, or associations unless they are conducting commercial activities. This Act also does not apply to organizations operating entirely within a province that has legislation deemed substantially similar to PIPEDA, unless the personal information crosses provincial or national borders. Currently, Quebec, British Columbia, and Alberta have privacy laws that are substantially similar to PIPEDA.

Privacy Laws and Backchecks

Privacy laws vary in their application to employees’ and applicants’ information. It is advisable to incorporate PIPEDA privacy principles within an organization, particularly when developing a background screening program. The following privacy concepts should be considered:

  • Notice and Consent: Generally, privacy laws mandate that, before their personal information is collected, individuals be informed of the collection and the purposes for which the information will be used, and give their consent.
  • Limiting Collection and Use: When notifying an individual that their personal information will be collected, the notice should specify the purposes for the collection. Once collected, the information can only be used for the initially-identified purposes, unless the individual consents to its use for other purposes. The information cannot be repurposed or shared with other parties without the individual’s consent.
  • Retention of Personal Information: Personal information should not be retained indefinitely. Once it is no longer needed, it should be securely destroyed.
  • Safeguards: Personal information under an organization’s control must be carefully guarded against accidental loss or unauthorized disclosure. This can be achieved through both physical and technological measures. Paper documents should be securely locked away and electronic records should be accessible only to those with a legitimate need to know.
  • Accuracy: Organizations are obligated to ensure that the personal information they hold is accurate, particularly when it will be used to make decisions about an individual.
  • Accountability: Organizations should be prepared to answer questions about how they handle personal information. Having written policies in place can help reassure individuals that their privacy is taken seriously.

Non-compliance with privacy laws carries significant risks. Organizations that fail to comply may struggle to maintain the trust of their candidates and employees. Privacy complaints and legal actions can be costly and damage the employer’s reputation.

Help Ensure Compliance: Stay on Top of Regulations

There are many laws, regulations, and rules governing the background screening industry. Privacy laws are designed to protect candidates when their personal information is used in applications and during background checks. To respect the rights of applicants and employees, organizations should be aware of their obligations and develop background check policies that consider their specific needs, risk tolerance, and legal obligations.

Given that every organization has unique hiring requirements, it is advisable to consult with legal counsel when creating and updating a background screening policy. Find more detailed information about the legal framework behind background screening regulations by downloading our white paper, Legal Considerations for Background Screening in Canada.

To find out how Sterling Backcheck can help you set up a compliant screening program, contact us.

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.