Contact: Barry Prentice; Blaney McMurtry LLP (Ontario, Canada)
What is “Personal Information”?
Employers collect and store an enormous amount of data about their employees. This information is often required in order to properly process payroll and administer benefit programs. Any information about an identifiable individual is considered “personal information,” namely, name, SIN, age, sex, marital status, address, phone number, medical information, performance data, etc. and may have privacy rights attached to it.
Risk Scenarios
- You are contacted by a landlord, credit agency or mortgage broker asking you to confirm payroll information about a current or former employee.
- Your Human Resources Manager is subpoenaed to court and asked to bring the personnel file of an employee.
- A prospective employer requests a reference for a former employee in respect of whom you have negative comments.
In each of the above situations, personal information belonging to an employee may be disclosed. What are the restrictions on such disclosure and the risks if the restrictions are ignored?
- An employee accesses the personal information of a colleague from the company’s records and uses it against the interests of that employee.
In this fourth scenario, does the employer have any risk of liability?
Privacy Rights
If you are a federally regulated employer (bank, telecommunications’ company, etc.) the Personal Information Protection and Electronic Documents Act (“PIPEDA”) requires you to collect, store, use and disclose personal information solely in accordance with the employee’s consent or as otherwise required at law. There are no equivalent statutory obligations governing the use of an employee’s personal information by private Ontario employers.
While private Ontario employers are not subject to PIPEDA in respect of their employees, employers should nonetheless put in place appropriate policies and safeguards to protect employees’ personal information. Common law obligations require employers to collect, use and disclose employee personal information solely in accordance with an employee’s consent and to safeguard that information while it is in the employer’s possession.