Current Print Edition
August/September 2010
CMA Management is a dynamic business magazine designed to help senior management professionals make informed decisions and give them a strategic advantage. Published by CMA Canada, CMA Management is circulated to more than 35,000 CMAs and 10,000 CMA candidates and students. It is also available by subscription.

Managing employee personal information

Although businesses are well aware of the importance of managing customer information, they are often unaware that employee information must be managed in a similar manner. Failure to properly deal with this is a serious risk.

By Darren Charters

Managing customers’ personal information has become a priority for many private sector businesses and organizations. It can provide a valuable competitive advantage, but there may also be a legal imperative for making it a priority. Despite this increased awareness of customer information management obligations, many private sector businesses and organizations aren’t aware that they could be subject to similar legislative requirements regarding their employees’ personal information as well.

Fortunately, employee personal information management obligations aren’t dramatically different from consumer information collection requirements. The challenge is that no single uniform standard exists across the country. The result is a patchwork of requirements with minor variations and, in some provinces, no requirements whatsoever. Managing compliance can be a challenge under such circumstances.

Federally regulated businesses

It is common knowledge that the Personal Information Protection and Electronic Documents Act (PIPEDA) became fully effective on January 1, 2004. Although initially slow to appreciate the importance of this legislation, businesses have increasingly embraced the need to establish proper procedures and limitations relating to customers’ personal information. All businesses are now subject to its requirements relating to the collection, use, and disclosure of customers’ personal information unless they are operating in a province with substantially similar provincial legislation. However, PIPEDA’s employee-related personal information obligations have not received the same attention.

PIPEDA’s employee information provisions apply to every organization involved in a federal undertaking that collects, uses or discloses personal information about an employee. Businesses that are federally regulated, such as banks, airlines, and railways, have had a legal obligation to comply with PIPEDA’s employee information collection requirements since January 1, 2001, well before the general effective date of the act.

For federally regulated undertakings, PIPEDA excludes the name, business address, telephone number, and job title of an employee from qualifying as personal information. However, all other information collected about an employee is covered by the act and is subject to the same legal requirements for use, collection, and disclosure as customers’ personal information.

If a federally regulated employer fails to comply with its legal obligations, an employee can make a complaint to the federal Privacy Commissioner. Similar to customer complaints, the Privacy Commissioner will investigate and try to resolve the matter. If this proves unsatisfactory, the employee can apply to have the complaint heard in federal court.

Provincially regulated businesses

Provincially regulated businesses and organizations aren’t subject to PIPEDA’s rules regarding the collection of personal information about employees. However, PIPEDA enables every province to pass substantially similar legislation. When this occurs, the requirements of the provincial legislation govern. To qualify as substantially similar, provincial legislation must be at least equal to the federal legislation in both degree and quality of privacy protection. Quebec, British Columbia and Alberta have all passed legislation deemed substantially similar by the federal Privacy Commissioner. In these provinces, one must consult the provincial private sector privacy legislation to determine if, and how, employee personal information is addressed.

These three provinces have dealt with matters relating to employee personal information in a similar manner. Quebec first passed private sector privacy legislation in 1993. It was deemed substantially similar by the federal Privacy Commissioner in 2003. As a result, Quebec employers have had longstanding obligations on the collection, use, and disclosure of employee personal information.

Both Alberta and British Columbia’s private sector privacy legislation came into effect on January 1, 2004. Alberta’s definition of personal employee information includes information that is collected, used, or disclosed, solely for the purposes of establishing, managing or terminating the employment or voluntary work relationship. Note that this includes personal information collected about potential employees. However, it excludes personal information unrelated to the employment relationship. Employers are given general freedom to use, collect, and disclose such information without the consent of an employee, provided that certain requirements are met. First, the information must be connected to the purpose for which it is collected. Second, the information must relate to the employment or volunteer work relationship. Third, the employee must be notified that the information will be collected, and the purpose for which it is collected.

Although there are differences in the legislative wording, the effect of the BC legislation is similar to Alberta’s. It requires that employers declare their purpose for collecting employee personal information, and that use of the information be limited to those purposes. Employees don’t have the right to refuse consent although they are entitled to access the personal information. Generally, although provincial legislation provides employers with the flexibility to collect personal information about employees, it isn’t unfettered.

Similar to federal legislation, any breaches of provincial privacy legislation entitle a complainant to seek redress through the governing Privacy Commissioner’s office.

The remaining provinces and territories haven’t passed similar legislation. Accordingly, provincially regulated businesses in those jurisdictions have no similar legislative obligations. However, employers should be aware that such legislation could be proposed. For instance, there has been some discussion that Ontario may propose legislation by late 2005.

Response

Employers should learn what, if any, legal obligations they have in how they collect employee information. If operating in multiple provinces, it is possible that different legislation will apply at each location. Likewise, if information is collected in one province but disclosed in another, different acts could govern each activity. Minor variations in the legislation will create compliance challenges, so employers operating in multiple jurisdictions may find it valuable to engage counsel in this process.

Privacy policies should be reviewed to determine if the collection of employee personal information is currently addressed. If not addressed, consider revising the policy to cover employee personal information. In some circumstances, a separate policy may be justified. An organization that has a standalone human resource function may be sufficiently complex to justify a separate employee personal information policy.

There are a few practical matters that should be addressed in any policy. They include:

  • Defining who qualifies as an employee under the policy. Both temporary and volunteer workers should be included as they are typically included in the legislative requirements.
  • Identifying what qualifies as work-related personal information as well as the kind of personal information that is included (e.g. if an employer monitors e-mail and/or Internet activity, the employer should be able to identify what work purpose it serves as well).
  • Addressing when personal information will be destroyed. Employee records, including information collected from prospective employees, should be destroyed at appropriate intervals (e.g. when hiring employees, the information should only be kept until the position is filled or a reasonable period of time thereafter).

An audit should be conducted to determine current compliance and, if necessary, how to achieve full compliance. Finally, employers should ensure that appropriate security exists to protect information, whether it’s in hard copy or electronic form.

Employers not currently covered by any specific legislation should still consider undertaking such measures. Employee privacy rights are not going away and, if anything, will be further entrenched. For employers who are currently covered, an overhaul of current practices isn’t required, but failing to adapt will leave employers with unnecessary legal exposure.

Darren Charters is an assistant professor of business law in the School of Accountancy, University of Waterloo. He has taught, written and consulted on privacy matters.
