What laws apply to the collection and use of individuals' personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
The collection, use and disclosure of personal information in Canada is governed by federal and provincial legislation and the common law. The laws applicable to an organization depend on whether it’s federally or provincially located.
Employers who are federally regulated, generally fall under the definition of “federal work, undertaking or business” (Sec. 2, Canada Labour Code) and include specific industries (such as airports and banks) and specific activities that cross provincial or national borders. When employers are provincially regulated, the applicable provincial laws depend on the province in which it operates.
Quebec, Alberta and British Columbia (BC) are the only provinces with privacy-specific legislation that is applicable to provincially regulated employers. In Quebec, it is the Act Respecting the Protection of Personal Information in the Private Sector that applies along with an Act to Modernize Legislative Provisions Respecting the Protection of Personal Information (Law 25) which passed in September 2021; in Alberta, the Personal Information Protection Act applies; BC also has a Personal Information Protection Act.
There are also statutory rights of action for invasion of privacy in Quebec, BC (under the Privacy Act), Manitoba, Newfoundland and Saskatchewan. In addition, there is a common law tort of “intrusion upon seclusion” which gives employees an avenue for recourse if their privacy rights in relation to their personal information are violated. This tort was originally recognized in Ontario in 2012. BC courts have declined to recognize it, given the existence of the statutory right. Treatment by Alberta courts suggests it could be applied, although that has not yet occurred.
Further, Manitoba, Saskatchewan, Quebec, Ontario, New Brunswick, Newfoundland, and Nova Scotia have specific legislation governing the collection, use and disclosure of personal health information. These statutes have limited application in the context of employee information collected by an employer in the private sector (i.e. outside of the health services sector).
The Ontario government recently amended its Employment Standards Act, 2000 to require that Ontario employers have a written policy on the electronic monitoring of employees in place. This applies to employers who have employees 25 or more employees on January 1 of any year, and the employer must ensure, before March 1 of that year, that it has the written policy in place for all employees (note that for 2022 the employer has until October 11, 2022 to comply with this requirement and the policy must be provided to employees by November 10, 2022).
For federally regulated employers, the Federal Personal Information Protection and Electronic Documents Act (PIPEDA) sets out ground rules on how to collect, use and disclose personal information about their employees (note that currently there is pending legislation). This includes all organizations located in Nunavut, the Yukon and the Northwest Territories, since all local businesses in the territories are considered to be federal in nature.
In Canada, employers should take active steps to protect and maintain the confidentiality of all employee personal information. Some HR data may be considered sensitive information (i.e. social insurance numbers, medical information, banking information). In addition, courts and privacy commissioners generally grant a high level of protection to employee health information, addressing unreasonable collection, use and disclosure by employers.
Each province which has privacy legislation also has its own Privacy Commissioner, or similar body, tasked with enforcing that legislation.
With respect to the torts available to employees, this is typically dealt with by Canadian courts in the event an employee commences a civil action; however, in some jurisdictions the Privacy Commissioner or similar body may have jurisdiction to award a remedy in respect to the applicable statutory tort.