How does privacy law affect an employee’s right to access her or his personnel and payroll files?
Statutory requirements as to the confidentiality and privacy of employee information are slowly spreading. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) received Royal Assent in 2000 and came into force in stages beginning in 2001. It governs the collection, use and disclosure of personal information in the course of commercial activity across Canada, except where a province has enacted substantially similar legislation; in the employment context, however, it reaches only the employees of federally regulated organizations (banks, airlines, telecommunications carriers and the like). British Columbia, Alberta, Saskatchewan and Quebec either have, or are developing, private-sector privacy legislation that corresponds to PIPEDA. In the other provinces there is no general privacy legislation covering the private sector.
Organizations must assess their current practices and change their policies as needed to comply with PIPEDA, except in those provinces that have enacted their own legislation, where compliance with the provincial statute is required instead. Either way, employers with operations in more than one province will want consistent policies across the company, so that practice in every location meets the strictest requirement that applies anywhere in the organization.
PIPEDA requires that federally regulated employers tell employees what personal information they collect and why, and obtain the employees' consent to collect, use and disclose it. The information collected must be limited to what is necessary for the purposes the employer has identified. Employees must be informed of the existence, use and disclosure of their personal information, given access to it, and allowed to challenge its accuracy and completeness. The information must be protected by safeguards appropriate to its sensitivity, and it must be destroyed, erased or made anonymous when it is no longer required for the identified purposes.
10 best practice principles for privacy
Whether or not a statute applies, organizations should analyze their privacy practices following 10 principles first articulated by the Canadian Standards Association, and since adopted by the various privacy statutes:
- Accountability: One person in the organization should be clearly accountable for privacy issues and systems.
- Identifying purposes: The purposes for which information is collected should be identified and documented at or before the time of collection.
- Consent: The knowledge and consent of the individual should be obtained for the collection, use and disclosure of personal information, except where the law requires or permits otherwise. Consent may be implied (for example, by submitting a résumé to a prospective employer).
- Limited collection: Collection of information should be specific, relevant and necessary, and only for the purposes specified.
- Limited use, disclosure and retention: Information should only be used for its intended purpose, disclosure should be limited and information only retained as long as necessary.
- Accuracy: Information should be accurate and processes should be in place to keep it up to date.
- Safeguards: Information should be protected by security safeguards appropriate to its sensitivity during use, storage, transmission and disposal.
- Openness: Privacy policies should be open and clear regarding accountabilities and rights of access.
- Individual access: Individuals should be informed of the existence of information, and of their rights to access it and correct it, subject to appropriate constraints (such as protecting the privacy of other employees).
- Challenging compliance: There should be a process to challenge compliance with these principles to the person accountable for privacy.
I discuss employee records further in the payroll section of Finance and Accounting PolicyPro, published by First Reference Inc. Steve Goldwaser and I discuss the technical side of privacy controls in chapter 8 of Information Technology PolicyPro. Find more information and take a free trial of these two comprehensive publications at www.firstreference.com.
Jeffrey D. Sherman, BComm, MBA, CIM, FCPA, FCA
Author of Finance and Accounting PolicyPro®