Privacy is not just a concern for large corporations or highly regulated industries. In Alberta, most businesses have legal obligations to protect employee personal information and to handle that information carefully throughout the employment relationship and even after the employment relationship has ended.
Many privacy issues arise not because employers act in bad faith, but because they are unaware of what the law requires, or assume their business is "too small" to be affected. This article provides a brief overview of privacy and access laws affecting Alberta businesses, including which laws apply, what employers are responsible for, and how to respond when employees ask to see their personal information.
Which Privacy Legislation Applies to Your Business?
The first step is understanding which privacy law governs your organization. In Alberta, this depends largely on the type of organization you operate and the industry you are in.
Generally, private-sector organizations are governed by the Personal Information Protection Act (PIPA). PIPA mandates how private-sector organizations must collect, use, and disclose personal information, including personal information of employees.
Under PIPA, "personal employee information" refers to information about an individual who is a potential, current, or former employee of an organization. Personal employee information does not include personal information about the individual that is unrelated to the employment relationship.
When Other Legislation May Apply
Some businesses are governed by different privacy laws:
- Public sector organizations (such as municipalities, school boards, post-secondary institutions) are governed by the Protection of Privacy Act (POPA) and the Access to Information Act (ATIA). POPA and ATIA recently replaced the Freedom of Information and Protection of Privacy Act (FOIP).
- Health-related organizations such as provincial health agencies, licensed healthcare providers, and their affiliates are generally subject to Alberta's Health Information Act (HIA).
- Private sector, federally regulated organizations (such as banks and telecommunications companies) are governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
- Public sector federal institutions (such as the Department of Justice or Statistics Canada) are governed by the federal Privacy Act.
If you are unsure which legislation applies, it is worth confirming early. Applying the wrong rules can create unnecessary risk for businesses.
Navigating Access to Information Requests
Employers in organizations governed by PIPA ought to take steps to ensure compliance with PIPA for the collection, use, and disclosure of personal employee information. Employers have obligations to respond to access requests from current and former employees in accordance with PIPA.
For example, the Alberta Office of the Information and Privacy Commissioner (OIPC) discussed an employer's responsibilities when a former employee requests their personal information in Canem Systems Ltd. (Re), 2022 [Canem].
In Canem, a former employee (the "Former Employee") formally requested his personal employee information from Canem Systems Ltd. (the "Employer"), seeking various records including performance reviews, pension information, and email correspondence. The Employer did not respond to the request within the prescribed timeline of 45 days, which was a breach of section 28 of PIPA.
After the Employer failed to respond to the Former Employee's request within the prescribed timeline, the Former Employee requested a review by the OIPC. The OIPC found that the Employer failed to comply with the 45-day timeline; failed to meet its duty to assist the Former Employee with respect to his access request; and failed to conduct a reasonable search for the requested information.
As a result, the OIPC ordered the Employer to conduct further searches for responsive records, including archived emails, and to provide any additional records to the Former Employee. The Employer was also ordered to inform the Former Employee of the reasons for any refused information, if applicable.
The principles in Canem demonstrate that an employer's duties pursuant to PIPA do not conclude at the end of an employment relationship. Employers have a duty to assist employees and former employees who request access to their personal employee information. Further, employers ought to ensure that they are compliant with the timelines and content of response as outlined in PIPA.
In some circumstances, employers may withhold or redact certain information when providing records in response to an access request. For example, organizations should not disclose records that reveal personal information about another individual. If an employer intends to withhold or redact certain information from a response to an access request, they must inform the applicant of the reasons for the refusal and cite the relevant provision of PIPA that supports the refusal.
About Mackrell International - Canada - Scott Venturo LLP is a full service business law firm in Calgary, AB and a member of Mackrell International. Mackrell International - Canada is comprised of four independent law firms in Alberta, British Columbia, Ontario and Quebec. Each firm is regionally based and well-connected in our communities, an advantage shared with our clients. With close relations amongst our Canadian member firms, we are committed to working with clients who have legal needs in multiple jurisdictions within Canada.
This article is intended to be an overview and is for informational purposes only.