Privacy in the Workplace
Posted on April 9, 2014
10 Frequently Asked Questions by BC Small Business Employers
Q1) Do privacy laws apply to private businesses in BC?
A: Yes. All businesses that collect, store, transfer or disclose personal information about their customers and employees are subject to either the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) or the British Columbia Personal Information Protection Act (“PIPA”). Under these laws private sector business must comply with privacy rules governing their collection and use of personal information.
PIPA applies to all provincially regulated private sector “organizations”, including:
· businesses such as corporations, partnerships and sole proprietorships; and
· non-profit organizations like unions, charities, foundations, trusts, clubs, religious institutions and amateur sports organizations.
Q2) As the owner of a small business in BC how do I comply with privacy laws?
A: It is important that all BC businesses have a Privacy Policy and know how to use it. Your Privacy Policy should be based on PIPA’s main rule: that organizations may only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances and with the knowledge and consent of the individual.
Beyond this, personal information collected by a business:
· must be fair and limited to what is necessary for identified purposes;
· must be accurate, kept secure, and only used/stored for as long as needed to fulfill the purposes for which it was collected; and
· must be accessible by an individual on their request. To manage this businesses are required to have procedures for storing and responding to requests for personal information.
Q3) Can I ask for personal information when hiring?
A. Yes. PIPA allows an employer to request any personal information that is reasonably relevant to making a decision about hiring an employee. This would usually include, asking for relevant qualifications and experience, the applicant’s educational background and skills. PIPA also allows employers to collect, use or disclose “employee personal information” without the consent of the applicant if it is reasonable for the purposes of establishing, managing or terminating an employment relationship.
Q4) What do I do with resumes received from job applicants?
A. If you make a decision based on the resume (i.e. either to hire or not to hire the applicant), you are required to keep the resume for one year. As a business you are also responsible for protecting the personal information in the resume and for responding to the applicant’s enquiries about how their personal information has been used or disclosed.
Q5) Can I contact people for references?
A. Yes. If an applicant has listed references in their resume or job application, then the applicant has consented to you contacting the listed references. Also, by listing someone as a reference, the applicant consents to the referee disclosing personal information to the prospective employer.
However, if you make inquiries about an applicant with previous employers who are not listed as references by the applicant then PIPA requires you to give notice to the applicant in advance of your intention to do this. To avoid disputes, it may be a good idea for businesses to include wording in their job application forms which specifically confirms that the applicant consents to the employer contacting persons other than the references listed by the job applicant.
Q6) What personal information can I ask for after hiring?
A. Once an employee is hired you can collect, use and disclose employee personal information without consent if doing so is reasonable for managing or terminating an employment relationship. For example, you can request information necessary for income tax purposes or for enrollment in employee benefit plans. However you generally still need to notify the employee in advance of your purpose for collecting and using this information.
Q7) Do I need to take any security precautions in storing employee information?
A. Yes. PIPA requires businesses to make “reasonable security arrangements” to protect personal information from unauthorized access or use. This means that you should at least protect this information in the same way you would protect other confidential business information. Furthermore, greater security should be accorded to more sensitive employee information. For example storing information about an employee’s home address will not require the same degree of security as storing an employee’s medical information. Information regarding an employee’s health and medical conditions should be kept highly confidential and only accessible to those who have a clear need to know.
Q8) Is there a retention period for employee information?
A. Yes. If you have “used” the employee’s personal information to make a decision that affects the employee, then you must retain it for at least one year.
Q9) Can an employee access the personal information held in our files?
A. Yes. Employees (and job applicants) can generally request access to their own information. Note however the person requesting information is only entitled to receive their own information. Before disclosing any information you have to therefore be careful to remove the personal information of other employees.
PIPA also allows you to refuse an employee’s request to access their own personal information if the disclosure would harm someone or something else. For example, you are not required to disclose information if this would harm an employee investigation, a legal proceeding or disclose your confidential business information. However, if such information can be removed then the rest of the information must generally be disclosed.
Q10) Are there penalties for non-compliance?
A. Yes. Besides the negative publicity that may result from a breach of BC’s privacy laws, there are also legal and financial consequences for violating these laws. For example, the B.C. Information and Privacy Commissioner has the power to investigate and order remedies. Businesses can also face fines (of up to $100,000 for breach of PIPA) and lawsuits, including class action proceedings for breach of privacy laws.
To avoid these consequences, we recommend that you:
· Audit the personal information held by your business;
· Review your privacy practices and develop or update your Privacy Policy;
· Appoint a Chief Privacy Officer to oversee compliance with privacy laws;
· Implement mandatory staff training on privacy issues; and
· Improve the technical security for storing confidential and private information in your business.
PS: Finally, if as a BC small business you are just learning about BC’s privacy laws, then it may also be a good time to get ready for Canada’s new anti-spam law. This legislation, set to come into force this year on Canada Day (July 1, 2014) has the distinction of being the world’s toughest anti-spam legislation. Although named the “Canadian Anti-Spam Act” the law extends far beyond the sending of true “spam” e-mails, and will impact businesses in almost all of their electronic communications, including the use of e-mail, SMS and social media. As this legislation gets closer to being implemented, stay tuned for further updates from us on how to best manage its challenges for your business and your employees.