  December 6, 2023

Privacy in the Workplace

Comprehensive legislation concerning privacy and access to information has been in place for several years, but it is often overlooked by employers. It is important to consider the impact such legislation has on information you may have about your employees, customers, competitors or the general public. Below, we outline the existing legislation, recent amendments, and possible changes to the federal privacy regime in future.

Privacy and access-to-information legislation has been around for years. Not all of it will apply to you. Nevertheless, it is important that you be familiar with such legislation in order to ensure that you are in compliance with whatever legislative scheme does apply to the information you hold as a business and an employer.

For provincially regulated private-sector employers in BC, the Personal Information Protection Act applies. For public bodies in BC, the Freedom of Information and Protection of Privacy Act applies. Finally, federally regulated employers are currently governed by the Personal Information Protection and Electronic Documents Act. Each of the three privacy statutes is briefly introduced below, along with proposed changes for federally regulated workplaces.

PERSONAL INFORMATION PROTECTION ACT (PIPA)

PIPA came into force in BC on Jan. 1, 2004. It regulates the collection, use and disclosure of personal information by provincially regulated private sector organizations. This act applies to most employers.

The purpose of this act is to govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

In interpreting and applying PIPA, it is important to understand what we are talking about when we refer to “personal information.” The definition is very broad and includes almost everything that is capable of identifying a particular individual. Generally speaking, personal information that you have about your employees must be collected, stored, used, and consented to in accordance with the act.

There are many exceptions in the act, however. The most important one regarding personal information about employees is the exception for “employee personal information,” which is personal information reasonably required for the employment relationship. This may include information documented on the employee’s resume and personnel file, such as performance issues, investigations or discipline, reference or background checks, and criminal record checks. If the particular information falls within the statutory definition, employers are permitted to collect, use and disclose employee personal information without consent, provided that notice has been given to the employees in advance.

Other exceptions include contact information and work product information. Contact information is defined generally as information that enables an individual at a place of business to be contacted; it includes the individual’s name, position name or title, business telephone number, business address, business email or business fax number.

Work product information is information prepared or collected by individuals as part of their responsibilities or activities related to their employment or business. In short, what individuals do at work is not personal information and is therefore excluded from the act.

To learn more about your specific responsibilities as either a private or public sector employer governed by PIPA, visit the Office of the Information and Privacy Commissioner (OIPC).

Other resources include tourism industry associations such as the BC Hotel Association and the BC Lodging and Campgrounds Association, which can provide information about how PIPA affects your business.

FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY ACT (FIPPA)

Since 1993, public bodies in BC, including Crown corporations, health authorities, school boards and municipalities, have been subject to FIPPA. This act imposes specific statutory requirements on a provincial public sector body’s collection, use and disclosure of personal information. It also provides a general right of access to records in the custody or control of a public body.

The act is intended to make public bodies more accountable to the public and to protect personal privacy by:

  1. giving the public a right of access to records;
  2. giving individuals a right of access to, and a right to request correction of, personal information about themselves;
  3. specifying limited exceptions to the rights of access;
  4. preventing the unauthorized collection, use or disclosure of personal information by public bodies; and,
  5. providing for an independent review of decisions made under this act.

In October 2004, FIPPA was amended to extend certain sections of FIPPA to service providers. This refers to a person (or corporate entity) retained under a contract to perform services for a public body. As such, if your company operates under a contract with the provincial government, FIPPA might apply to you.

In February 2023, two new sections of FIPPA came into force. These include mandatory reporting requirements in the event of a privacy breach, and the requirement to develop and maintain a privacy management program.

The OIPC has published guidance for public employers working to design a privacy management program.

The OIPC publishes a variety of helpful publications and resources – visit their website to learn more.

PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA)

PIPEDA regulates the collection, use and disclosure of personal information in the course of federally regulated commercial activities. As such, PIPEDA applies to federally regulated private-sector employers operating in British Columbia. It also applies to the inter-provincial flow of personal information. The Act is intended to recognize and protect the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

PIPEDA is administered through the Office of the Privacy Commissioner of Canada (OPC). The OPC provides a great deal of valuable resources on its website concerning the application and interpretation of the act, as well as news, case summaries and practical advice. If you are a federally regulated employer, you are encouraged to visit the Office of the Privacy Commissioner of Canada to learn more about PIPEDA.

A NEW FEDERAL PRIVACY REGIME?

In 2022, the federal government introduced the Digital Charter Implementation Act, which proposes to strengthen federal privacy regulations and enact a new statute that would replace Part 1 of PIPEDA. At the time of writing, the bill has not yet passed into law. However, federally regulated employers should be aware that their legal obligations in this area may be changing in the near future.

Information provided by Ryan Anderson, an employment lawyer, and Jakob Sanderson, an articling student, with Mathews Dinsdale & Clark LLP. The information provided in this article is necessarily of a general nature and must not be regarded as legal advice. For more information about Mathews Dinsdale & Clark LLP, please visit mathewsdinsdale.com.