Privacy in the workplace is an evolving area of the law. Currently, the question of whether an employer is subject to privacy laws is largely dependent on the province or jurisdiction in which it operates. However, many employers find that it makes good business sense to adopt privacy policies that establish rules and expectations for employees and managers to follow. These policies can assist in finding the balance between the employer’s “need to know” and an employee’s right to privacy.

There are presently four jurisdictions that have privacy laws that apply to employers in the private sector. Employers in the following jurisdictions should ensure that their operations are in compliance with the applicable law:

  • Federal: The Personal Information Protection and Electronic Documents Act (“PIPEDA”) has
  • Alberta: The Personal Information Protection Act (“Alberta PIPA”)
  • British Columbia: The Personal Information Protection Act (“BC PIPA”)
  • Quebec: An Act respecting the protection of personal information in the private sector (“Quebec Private Sector Act”)

In addition, in September 2013 Manitoba passed The Personal Information Protection and Identity Theft Prevention Act (“PIPITPA”), which is not yet in force.

The general purpose of privacy laws is to regulate the collection, use and disclosure of personal information. It is important to note that personal information is defined broadly, and includes any information “about” an individual. It therefore covers much more than information that may be traditionally considered “private”, such as Social Insurance Numbers or employee medical records.

The following is a list of the types of employee personal information that employers will often collect, use and disclose, and that will potentially be subject to privacy policies and (where applicable) privacy laws:

  • Recruitment: resumes, application forms, interview notes, background and criminal record checks, pre-employment tests
  • Hiring: Social Insurance Numbers, Canada Revenue Agency forms, home contact information, application for benefit forms
  • Compensation: wages (including salaries, bonuses and commissions), punch cards, payroll records, employee “direct deposit” bank account information
  • Performance: performance evaluation scores, sales results
  • Employee monitoring: video surveillance records, audio recording, GPS tracking records, biometrics
  • Use of technology: email records, internet usage records, information stored on computer networks
  • Medical information: doctor’s notes, medical records provided for the purpose of obtaining sick leave or disability benefits, requesting accommodation of a disability, or upon a return to work following an illness or injury
  • Discipline records: warning letters, evidence collected during an investigation into employee misconduct, investigation results and findings
  • Termination: termination letters, severance agreements, letters of employment
  • Workforce analysis: attendance rates, employee turnover, health and safety records

Given the myriad forms of employee personal information collected by employers, which in some jurisdictions will be subject to privacy laws, employers may consider establishing a privacy policy that applies specifically to employees. This policy will be distinct from similar policies the employer may have in place relating to personal information about customers, confidential and proprietary business information, or computer use.

A privacy policy relating to employee personal information should cover the following topics:

  • Information covered by the policy:
    • What information about employees does the employer collect and use?
    • What information does the employer not consider to be personal information (i.e. certain work contact information such as the employee’s title, business address and business telephone number)?
  • Collection, use and disclosure:
    • What are the purposes for which employers collect and use personal information?
    • Does the employer disclose personal information to third parties (i.e. payroll administrators)?
    • Where are the third parties located (i.e. are they located in another jurisdiction that may be subject to different privacy laws)?
  • Security:
    • Where does the employer store personal information?
    • What steps does the employer take to protect personal information?
    • Which employees have access to personal information?
  • Access:
    • How can employees access their personal information in order to verify and/or update it?
    • Who can employees contact about accessing their personal information (i.e. the Chief Privacy Officer / the human resources department)?
  • Retention:
    • How long does the employer retain personal information for?
    • If the personal information is no longer needed, how does the employer dispose of it?