All questions

Data protection

i Requirements for registration

Canadian law provides for both private-sector and public-sector privacy legislation. Depending on the jurisdiction in which they operate, private-sector employers in Canada are subject to either federal or provincial legislation governing the collection, use and disclosure of personal information.

The federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies to federally regulated employers, as well as employers that are provincially regulated that operate in provinces that have not adopted substantially similar privacy legislation. To date, Quebec, Alberta and British Columbia have enacted personal information legislation, which has been recognised as substantially similar to PIPEDA. In 2013, Manitoba passed private-sector privacy legislation that is not yet in force. It has not yet been determined whether this legislation is substantially similar to PIPEDA.

In addition to PIPEDA and provincial legislation dealing specifically with the collection, use and disclosure of personal information in the private sector, employers may have additional statutory privacy obligations. For example, several provinces have enacted legislation, such as the British Columbia Privacy Act, which makes it an actionable wrong for one person, wilfully and without claim of right, to violate another's privacy. In Quebec, the CCQ and the Quebec Charter of Human Rights and Freedoms provide for additional privacy obligations.

ii Cross-border data transfers

Canadian privacy legislation addresses the notion of cross-border data transfers. In this regard, the transfer of personal information outside Canada must be disclosed in an employer's privacy policy, to meet the openness and safeguarding principles that apply to PIPEDA and similar privacy legislation. Further, employees whose personal information is collected must be informed of the transfer to any foreign entities and must be provided with appropriate contact information for obtaining details on the privacy obligations of those entities. While this has been held to exist as an implicit requirement in privacy legislation across Canada, it is made explicit in Alberta's Personal Information Protection Act, which also differs from other Canadian privacy law in that it imposes specific breach notification obligations on organisations.

iii Sensitive data

Under all Canadian privacy legislation, personal information is broadly defined as 'information about an identifiable individual', with certain exclusions. Sensitive information that would generally fall under the ambit of 'personal information' in Canadian privacy legislation would include, in particular, financial information, medical information, educational history, union membership or information relating to an employee's family background.

iv Background checks

The validity of background checks varies greatly across Canadian jurisdictions. Generally, employers may perform a background check on prospective employees; however, certain jurisdictions limit criminal or credit checks. Human rights legislation and privacy legislation across the jurisdictions will limit the use of criminal or credit background check results, even if these types of background checks are permitted. Employee consent to background checks is almost always preferred, if not required in most Canadian jurisdictions.