What privacy obligations do Ontario employers have regarding employee information?
Ontario private sector employers are subject to federal privacy legislation — the Personal Information Protection and Electronic Documents Act (PIPEDA) — with respect to employee personal information, but PIPEDA's application to employment data is narrower than it might seem. PIPEDA applies to personal information collected, used, or disclosed in the course of commercial activities, and federal courts have found that some routine employment matters may fall outside its scope.
Ontario has not enacted provincial private sector privacy legislation equivalent to what exists in Alberta and British Columbia, which complicates the picture for Ontario employers. What is clear is that employees have a reasonable expectation of privacy in their personal information, and employers should collect only what is necessary, use it only for disclosed purposes, and protect it from unauthorized access or disclosure.
In practice, employer obligations include: having a privacy policy that explains what information is collected and why, obtaining consent where required, implementing security safeguards appropriate to the sensitivity of the information, and being prepared to respond to employee access requests.
With reform of Canada's federal privacy law potentially forthcoming, employers should review their data handling practices and be ready to adapt. A lawyer can help you assess your current practices against applicable requirements.
Key takeaways
- PIPEDA applies to Ontario private sector employers, though its application to employment data is narrower than it might seem.
- Ontario lacks provincial private sector privacy legislation — federal law fills the gap.
- Collect only necessary information, use it for disclosed purposes, and protect it securely.
- Have a privacy policy and a process for responding to employee access requests.