Digging too deep

When conducting reference checks, employers should know the limits of privacy legislation and what they can collect

Collecting information from references is an invaluable step in the hiring process. However, imprudent reference checks and the mishandling of reference information can cause employers to run afoul of privacy legislation. Using best practices with relevant privacy standards in mind for conducting reference checks is important to avoiding trouble caused by digging a little too deep.

Federally regulated employers: PIPEDA

The Personal Information Protection and Electronic Document Act (PIPEDA) applies to the collection, use, retention and disclosure of “personal information” about individuals by federally regulated employers. The term “personal information” has been interpreted broadly to include opinions, evaluations, comments, social status and disciplinary actions, so most information in a reference will be subject to PIPEDA. PIPEDA requires that the individual whose personal information is being collected knows the purpose for which the information is collected and provides prior consent. Only personal information that is necessary for the identified purposes can be collected and it must be as accurate, complete and up-to-date as necessary for the purpose of the collection.

Once the information is collected, employers must protect it — and establish procedures and policies to do so — and keep the information for a reasonable time. According to PIPEDA, employers must also destroy information that is no longer needed and provide individuals access to their own personal information upon request.

Alberta and British Columbia: PIPA and personal employee information

Both Alberta and British Columbia have adopted respective legislation entitled Personal Information Protection Act (PIPA) which take a substantially similar approach to PIPEDA. Both provincial acts, for example, require consent be given before “personal information” is collected, used or disclosed.

However, employers in these two provinces enjoy an important exception when collecting “personal employee information.” Personal employee information refers to personal information that is collected, used or disclosed and is “reasonably required” in order to establish, manage or terminate an employment relationship. Under the Alberta and British Columbia legislation, personal employee information can be collected without the individual’s consent if the individual is an employee of the organization or a potential employee who is being recruited.

This exception was recently tested in Orders P2006-006 and P2006-007 of the Alberta Privacy Commissioner. An individual claimed both the collection and disclosure of information during a reference check was a breach of PIPA. The Alberta Privacy Commissioner said ‘‘personal employee information’’ under PIPA applied to a former employee of an organization and that information provided on the individual’s job skills and job performance during a reference check was “personal employee information.” The commissioner observed PIPA did not require consent to collect or disclose personal employee information and found no evidence to support the claim personal information unrelated to work had been collected or disclosed without consent. The commissioner held there was no breach of PIPA.

There is a significant difference between the exceptions for “employee personal information” under the respective acts. In B.C., notification and the reasons for collection must be provided if no consent is given for collection of employee personal information. In Alberta, no notification has to be provided to prospective employees.

In Alberta Privacy Commissioner Order P2006-001, the complainant was an existing employee who applied for a new position within the organization. She was not hired, and she subsequently made a complaint that the employer did not have the authority, without her consent, to collect or use her personal information and it did so without reasonable notification or explanation. The Alberta Privacy Commissioner found the employee to be a “potential employee” for the purposes of PIPA and, as such, held consent was not required for the collection of personal employee information because the information collected was reasonable for the purposes of recruitment. The commissioner also found no notification was required because the statute explicitly states only an employee must be given notification before collection.

Once personal employee information has been collected, employers in Alberta and B.C. have other obligations similar to those under PIPEDA, such as making reasonable efforts to ensure the information is accurate and complete, providing arrangements to ensure the security and protection of the information, retaining the information for as long as reasonable and allowing the individual to access her personal information.

Best practices

Privacy legislation across Canada is substantially similar, so both federally regulated employers and provincially regulated employers in Alberta, B.C. and Quebec should establish and follow similar policies when conducting reference checks. Those employers not subject to privacy legislation should also follow best practices as employees are increasingly expecting their personal information will be collected and treated with care.

Best practices for checking references include:

•informing potential employees, in writing, their former employers will be contacted for the purposes of recruitment and obtaining written consent to do so;
•making reasonable efforts to ensure the information collected is accurate;
•collecting only work-related information required to assess the candidate’s ability to perform the job, rather than conducting fishing expeditions about a candidate’s personal life or general “character”;
•keeping accurate, detailed notes of references;
•remaining aware of human rights legislation after receiving information about prohibited grounds such as age, religion or disability;
•following established policies and procedures to keep reference information on file safe and secure;
•providing an individual access to her own personal information, but disclosing information which may be confidential or constitute personal information of another party with care;
•keeping the information on file for a reasonable amount of time after the candidate has left the position so she might access it if she wants, and destroying the information in a timely way once it is no longer needed.

For more information see:

Alberta Office of the Information and Privacy Commissioner Orders P2006-006 and P2006-007 (Jan. 2, 2008), Frank Work — Adj.
Alberta Office of the Information and Privacy Commissioner Order P2006-001, (April 4, 2007), Frank Work —Adj.

Anthony R. Moffatt is a lawyer with the labour and employment group at Ogilvy Renault’s Ottawa office. He can be reached at (613) 780-1546 or [email protected]

Latest stories