Liability risks surrounding personal files on devices are governed by privacy legislation
Question: Are there any liability risks regarding privacy if an employer confiscates a work laptop or mobile device from a dismissed employee that is full of the employee’s personal files?
Answer: The liability risks surrounding personal files on employer-owned electronic devices that were used by a dismissed employee are governed by privacy legislation. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) governs private sector employers, except those in provinces with substantially similar legislation: British Columbia, Alberta and Quebec. This discussion will focus on the federal PIPEDA; please refer to your provincial legislation if applicable.
Personal files on a dismissed employee’s work-issued electronic devices are the employee’s “personal information,” which is defined as information about an identifiable individual, where there is a possibility an individual could be identified through that information. Privacy legislation imposes strict obligations on organizations regarding the collection, use, disclosure and retention of personal information.
When an employer recovers electronic devices that contain personal files, this amounts to the collection of personal information. Employers have obligations under PIPEDA with regard to the collection, use and disclosure of personal information:
• Organizations are responsible for personal information under their control.
• The purpose of the collection, use or disclosure of the information must be one a reasonable person would consider appropriate in the circumstances.
• The knowledge and consent of the individual are usually required before personal information may be collected.
• The collection of personal information must be limited to that which is necessary for the purpose identified.
• Personal information must not be used or disclosed for purposes other than those for which it was collected.
• Personal information must be retained only as long as is necessary.
• Personal information must be as accurate, complete and as up-to-date as is necessary for the purposes for which it is to be used.
• Personal information must be protected by security safeguards.
• An organization must make readily available to individuals specific information about its policies and practices relating to the management of personal information.
• Upon request, an individual must be informed of the existence, use and disclosure of her personal information and be given access to that information.
In most cases, there is no reasonable or appropriate purpose that would permit an employer to retrieve and view personal files on an electronic device recovered from a dismissed employee. Further, it is likely the individual has not consented to the collection of such personal information and it would therefore be in contravention of PIPEDA.
A dismissed employee has the right to inquire about and gain access to the personal information the organization has in its possession within 30 days. If a person discovers his former employer collected personal information from the electronic devices, the employee could make a complaint to the Privacy Commissioner.
When an employee is dismissed or resigns, ask if she has personal information on the devices she is returning. If she does, arrangements should be made to delete it and, if requested, provide a copy.
Colin Gibson is a partner at Harris and Company in Vancouver. He can be reached at (604) 891-2212 or email@example.com.