One significant aspect of employing workers is the collection of information about those workers in order to effectively administer human resources. Much of this information is of a personal nature, including employees’ addresses, dates of birth, social insurance numbers, marital status and rates of pay.

The collection, use and disclosure of personal information is regulated in Canada by way of legislation, including Alberta’s Personal Information Protection Act, S.A. 2003, c.P-6.5 (“PIPA”), and the federal government’s Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”). This legislation imposes obligations on organizations that collect personal information to protect such information. Employers must be aware of these obligations, and must take steps to adequately safeguard personal employee information.

While most organizations are familiar with these obligations, information can still be lost or stolen from an employer, despite the best of efforts. It is not unusual to hear of cases involving theft of laptops or memory sticks containing employee information. In such situations, employers must be aware of the steps they should take in response to such a privacy breach. Developing a response plan is one important aspect of an employer’s obligations to safeguard the personal information of its employees.

The Privacy Commissioner of Canada (the “Commissioner”) has developed valuable resources that can assist employers in understanding how to respond to a privacy breach, and how to develop an action plan in the event such a breach unexpectedly occurs. In particular, the Commissioner has highlighted four key steps in responding to a privacy breach:

  1. Breach Containment and Preliminary Assessment;
  2. Evaluation of the Risks Associated with the Breach;
  3. Notification; and
  4. Prevention of Future Breaches.

Every organization that collects personal employee information should understand the privacy obligations it owes to its employees, and be in a position to respond appropriately where a breach occurs. The Commissioner’s guide to privacy breaches is a helpful tool for all organizations, as is the related checklist. Copies of both documents can be found online, on the Commissioner’s web-site at: