This is the ninth instalment in our Top 10 Issues for Employers series. This instalment addresses privacy risks and best practices for employers with respect to the management of personal employee information.
Rapid advances in technology have made it possible for employers to collect all kinds of information during the employment relationship. The information collected about an employee may be limited to the standard contents of his or her personnel file, but often also includes broader data, such as swipe card information and security footage. As a result, it is increasingly important to understand how the collection, use and disclosure of personal employee information is regulated under Canada’s patchwork of privacy legislation and by the common law courts.
THE REGULATORY LANDSCAPE
Privacy legislation in Canada (as it relates to employee information) only extends to certain types of employers and within specific Canadian jurisdictions. The Personal Information Protection and Electronic Documents Act (PIPEDA) only applies to federally regulated employers in the context of collecting, using and disclosing personal employee information for employment purposes. Alberta, British Columbia, and Quebec have also passed comprehensive privacy legislation, applying to all provincially regulated employers in those provinces. The Alberta and British Columbia legislation is known in both provinces as the Personal Information Protection Act (PIPA), while Quebec’s provincially regulated employers are subject to the Act respecting the protection of personal information in the private sector.
Certain other provinces have passed personal health information protection legislation but do not have the same kind of comprehensive privacy statute. As a result, in those provinces, the collection, use and disclosure of personal employee information is governed primarily by the common law courts. For example, in 2012 the Supreme Court of Canada established that employees are entitled to “a reasonable expectation of privacy” in the workplace, and in that same year the Ontario Court of Appeal recognized intrusion upon seclusion (invasion of privacy) as a common law tort.
Not all information is “personal information” under privacy statutes, but the term has been broadly defined to mean any information about an identifiable individual. Information may be about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information. However, an individual’s “business contact information” is not personal information if it is collected, used or disclosed for the sole purpose of communications relating to that individual’s employment.
Under the various privacy statutes, employers are generally required to seek employee consent, or at a minimum provide advance notification, for the collection, use and disclosure of personal employee information, with some limited exceptions. Recent amendments to PIPEDA allow federally regulated businesses to collect, use or disclose personal information necessary to establish, manage or terminate an employment relationship without consent, provided that the individual has been informed that his or her personal information may be collected, used or disclosed for this purpose. In addition, information produced by an employee in the course of their employment, business or profession may also be collected, used or disclosed without consent, so long as the collection, use or disclosure is consistent with the purposes for which the information was produced.
Under the privacy statutes, employees have a right to request information about, and access to, any of their personal information collected by their employer. Access requests can only be refused in limited circumstances, such as where the information was generated in the course of a formal dispute resolution process, it would reveal confidential commercial information, or it is protected by solicitor-client privilege.
RETENTION AND DISPOSAL
Personal employee information should be retained only as long as necessary to fulfil the purposes for which it was collected. However, where personal information was used to make a decision about an individual, it should be retained for the legally required period thereafter (or, in the absence of a legislative requirement, for a reasonable period) so that the individual can access the information in order to understand, and possibly challenge, the basis for the decision. For example, employers may retain information about former employees for at least as long as the limitation period for wrongful dismissal claims.
The following best practices will assist employers in maintaining compliance with privacy legislation and avoiding tort claims:
- Introduce or update a retention policy. Most provincial employment standards legislation prescribes retention periods for certain employment records.
- Update contracts with third-party providers. Employers may be held responsible for the use or disclosure of personal employee information that is sent to third-party partners or vendors (e.g., payroll processors and benefits providers). Ensure that third parties are bound (contractually or by other means) to protect the information they receive.
- Introduce and regularly update physical and technological security measures to prevent unauthorized access to employment information.
- Provide regular privacy training and education to employees to increase awareness of privacy risks and promote the use of security safeguards.