What laws apply to the collection and use of individuals' personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
The collection, use and disclosure of personal information in Canada is governed by federal and provincial legislation and the common law. The laws applicable to an organization depend on whether it’s federally or provincially located.
Employers who are federally regulated, generally fall under the definition of “federal work, undertaking or business” (Sec. 2, Canada Labour Code) and include specific industries (such as airports and banks) and specific activities that cross provincial or national borders. When employers are provincially regulated, the applicable provincial laws depend on the province in which it operates.
Quebec, Alberta and British Columbia (BC) are the only provinces with privacy-specific legislation that is applicable to provincially regulated employers. In Quebec, it is the Act Respecting the Protection of Personal Information in the Private Sector that applies (note that currently there is pending legislation (Bill 64) under review); in Alberta, the Personal Information Protection Act applies; BC also has a Personal Information Protection Act.
There are also statutory rights of action for invasion of privacy in Quebec, BC (under the Privacy Act), Manitoba, Newfoundland and Saskatchewan. In addition, there is a common law tort of “intrusion upon seclusion” which gives employees an avenue for recourse if their privacy rights in relation to their personal information are violated. This tort was originally recognized in Ontario in 2012. BC courts have declined to recognize it, given the existence of the statutory right. Treatment by Alberta courts suggests it could be applied, although that has not yet occurred.
Further, Manitoba, Saskatchewan, Quebec, Ontario, New Brunswick, Newfoundland, and Nova Scotia have specific legislation governing the collection, use and disclosure of personal health information. These statutes have limited application in the context of employee information collected by an employer in the private sector (i.e. outside of the health services sector).
For federally regulated employers, the Federal Personal Information Protection and Electronic Documents Act (PIPEDA) sets out ground rules on how to collect, use and disclose personal information about their employees (note that currently there is pending legislation (Bill C-11) under review). This includes all organizations located in Nunavut, the Yukon and the Northwest Territories, since all local businesses in the territories are considered to be federal in nature.
In Canada, employers should take active steps to protect and maintain the confidentiality of all employee personal information. Some HR data may be considered sensitive information (i.e. social insurance numbers, medical information, banking information). In addition, courts and privacy commissioners generally grant a high level of protection to employee health information, addressing unreasonable collection, use and disclosure by employers.
Each province which has privacy legislation also has its own Privacy Commissioner, or similar body, tasked with enforcing that legislation.
With respect to the torts available to employees, this is typically dealt with by Canadian courts in the event an employee commences a civil action; however, in some jurisdictions the Privacy Commissioner or similar body may have jurisdiction to award a remedy in respect to the applicable statutory tort.