Fact Sheets

Application of the Personal Information Protection and Electronic Documents Act to Employee Records

You may be wondering how the Personal Information Protection and Electronic Documents Act applies to employment in the private sector. The answer is that it's limited to the federally-regulated sector.

The Act applies to personal information about employees of an organization that collects, uses, or discloses the information in connection with the operation of a federal work, undertaking, or business — that is, any work, undertaking, or business that falls within the legislative authority of the Parliament of Canada, such as the following:

  • Telecommunications
  • Broadcasting
  • Interprovincial or international trucking, shipping, railways, or other transportation
  • Aviation
  • Banking
  • Nuclear energy
  • Activities related to maritime navigation and shipping (including, for example, ports and longshoring)
  • Local businesses in Yukon, Nunavut, and the Territories (where all private sector activity is in federal jurisdiction).

The Act applies to employment in these industries, as well as to employment in Federal Crown corporations bound by order under the Act.

You may also be wondering about changes after January 1, 2004. As of that date, wherever substantially similar provincial legislation doesn't apply, the Act applies to all organizations in Canada that collect, use, or disclose personal information in the course of commercial activities.

So will the Act apply to employment in all organizations in Canada? No, it will not.

The Act applies to employee information only in organizations that are engaged in federal works, undertakings or businesses. The extension of the Act's scope in 2004 does not change that.

For organizations engaged in federal works, undertakings or businesses, what does the Act mean for employer-employee relationships?

The Act recognizes two fundamental points: individuals have a right to privacy with respect to their personal information, and organizations need to collect, use, and disclose personal information for appropriate purposes. Compliance with the Act requires that these two realities mesh.

Employers in federal works, undertakings or businesses must ensure that they collect, use, and disclose employees' personal information only for purposes that a reasonable person would consider appropriate in the circumstances.

Employers need to respect the ten principles set out in Schedule 1 of the Act, as modified or clarified in the Act itself:

  1. Accountability: the employer is responsible for the personal information under its control, and must designate someone who is accountable for its compliance with the Act.
  2. Identifying purposes: the employer must specify why it is collecting personal information from employees at or before the time it does so.
  3. Consent: the employee's knowledge and consent is required for the collection, use, or disclosure of personal information. (The Act permits certain specific exceptions to this principle).
  4. Limiting collection: employers may only collect the personal information that's necessary for the purpose they've identified, and must collect it by fair and lawful means.
  5. Limiting use, disclosure, and retention: unless they have the consent of the employee, or are legally required to do otherwise, employers may use or disclose personal information only for the purposes for which they collected it, and they may retain it only as long as necessary for those purposes. (Again, the Act permits exceptions.)
  6. Accuracy: the employees' personal information must be accurate, complete, and up-to-date.
  7. Safeguards: personal information must be protected by appropriate security safeguards.
  8. Openness: the employer must make its personal information policies and practices known to its employees.
  9. Individual access: employees must be able to access personal information about themselves, and be able to challenge the accuracy and completeness of it. (The Act permits some exceptions.)
  10. Challenging compliance: employees must be able to present a challenge about the employer's compliance with the Act to the person that the employer has designated as accountable.

Complaints under the Act

Employees in federal works, undertakings, or businesses who think that their employer has not respected the provisions of the Act should try to resolve the matter internally. If this does not work, they may file a complaint with the Privacy Commissioner, who acts as a "privacy ombudsman". The Commissioner will investigate and try to resolve the matter, as appropriate. If they are dissatisfied with the outcome of the Commissioner's investigation, in some cases they can apply to the Federal Court for a hearing of the complaint.

A final note

Employers whose employee information is not covered by the Personal Information Protection and Electronic Documents Act can still benefit from informing themselves about it.

Organizations covered by the Act for their customer information may wish to consider extending the same protections to their employee information. The principles of the Act are widely accepted both in Canada and internationally as the basis of ethical personal information practices. Employers with international operations who have to comply with privacy legislation in other countries will find the Act a helpful guide. In Canada, several provinces have passed privacy laws that apply to employment, and more are expected to do so. Many of these laws are or will be substantially similar to the Personal Information Protection and Electronic Documents Act. Understanding the federal Act can also give organizations a head start on compliance with future provincial legislation.