Employee personal information a sensitive area for employers

Following basic guidelines should help employers avoid privacy violations

Employers have several legitimate business reasons for the collection and retention of personal information about current and prospective employees. Collecting information such as home addresses and social security numbers is common and consent to its collection is implied when a prospective employee fills out a job application asking for this information. Collection of other types of personal information will generally require a clearer expression of consent and a legitimate need for the information.

An employer should inform the individual of the type of information to be collected and its purpose. These principles apply to the collection of employee personal information through background checks, voiceprint technology, video surveillance and monitoring of Internet or e-mail.

Privacy legislation

Privacy in Canada is governed by a combination of legislation in some jurisdictions and certain guiding principles. The federal Privacy Act governs personal information collected and used by government institutions. The federal Personal Information and Protection of Electronic Documents Act (PIPEDA) applies to federal undertakings, works or businesses other than those governed by the Privacy Act as well as the collection, use or disclosure of personal information in the course of commercial transactions. PIPEDA does not apply to employment-related matters of a provincially regulated private sector employer. Alberta, British Columbia and Quebec all have provincial statutes which apply to the collection, use and disclosure of employee personal information. While the other provinces and territories do not currently have legislation in place, it would be prudent for any employer, given the developing culture of privacy in Canada, to observe certain fundamental principles relating to personal information.

Accountability. An organization is responsible for personal information under its control and shall designate an individual who is accountable for the organization’s compliance with privacy principles.

Identifying purposes. The purposes for which personal information is collected should be identified by the organization at or before the time the information is collected.

Consent. The knowledge and consent of the individual are required for the collection, use or disclosure of personal information. For some jobs, based on the nature of the position (such as an airport security guard), consent to collection of a prospective employee’s background information is implied. Such exceptions are rare and an employer should seek legal advice before assuming consent can be implied in the circumstances.

Limiting collection. The collection of personal information should be limited to what is necessary for the purposes identified.

Limiting use, disclosure and retention. Personal information should not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law, and should be retained only as long as necessary for fulfillment of those purposes.

Accuracy. Personal information should be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

Safeguards. Personal information should be protected by security safeguards appropriate to the sensitivity of the information.

Openness. An organization should make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Individual access. Upon request, an individual should be informed of the existence, use and disclosure of his personal information and given access to it.

Challenging compliance. An individual should be able to address a challenge concerning compliance with these principles to the individual designated as accountable for the organization’s compliance.

Personal information protection legislation and related principles are intended to focus employers’ attention on a balance between the legitimate business interests of employers and the privacy interests of employees.

Application of privacy principles

In some circumstances a background check is appropriate. The information collected must be limited to that necessary to help the employer decide whether to hire an individual or not. Consent is generally required for the collection of background personal information but in some rare cases it is implied based on the position sought.

In Turner v. Telus Communications Inc., the Federal Court of Appeal affirmed that the use of voice recognition technology is not a violation of privacy legislation, provided the employees consent to the collection of the information used by the technology.

Similarly, in Canada Safeway v. U.F.C.W., Local 401, an arbitrator ruled that in some circumstances video surveillance of employees is appropriate, provided employees are regularly notified of the surveillance and its purpose, and the surveillance is no broader in scope than needed to meet the articulated purpose.

Employers may monitor employee e-mail and Internet usage for a number of legitimate interests including “theft of time” and workplace harassment. However, all monitoring should be reasonable in purpose and in scope, even if employee consent has been obtained. If an employer is concerned with “theft of time,” effective monitoring may only require a review of the addresses to which e-mails are being sent and the quantity of e-mails, but not the content.

Employer privacy policies are useful means by which to communicate to employees what types of information will be collected and by which methods. Privacy policies should also address where and for how long the information will be retained, as well as how an individual may obtain access to his information.

If an employee shares his personal information after being notified in official policy how an employer uses it, the employee effectively consents to the use of the personal information as described in the policy. It may be appropriate in some cases to have an employee acknowledge in writing or electronically the terms of an employer’s privacy policy, including by agreeing to “terms of use” for an employer’s Internet system.

Breaches of privacy

An employer’s response to a breach of privacy and the loss or destruction of employee information is just as important as its collection. While the appropriate response will be largely fact-based and legal advice surrounding the circumstances should be sought, the key objectives for an employer should be to contain the breach and assess and mitigate the risk to clients, customers and employees. An important consideration is whether to notify employees of the breach. Absent a specific statutory obligation to notify, the employer should carefully consider whether notification is necessary or appropriate. This consideration should involve an assessment of the sensitivity of the information and the potential for its misuse.

For more information see:

Turner v. Telus Communications Inc. 2007 CarswellNat 172 (F.C.A.).

Canada Safeway v. U.F.C.W., Local 401, (April 11, 2005), Doc. Alta. G.A.A. 2005-037 (Alta. Arb. Bd.).

Helen Gray practices employment law and civil litigation as part of the Litigation Group at McCarthy Tétrault in Ottawa.
