What laws apply to the collection and use of individuals' personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
The collection, use and disclosure of personal information in Canada is governed by federal, provincial and sectoral laws. The laws applicable to an organization depend on:
- where the organization is located
- which Canadian jurisdiction(s) the organization collects, uses and discloses personal information
- whether the organization transfers personal information across provincial, territorial or national borders
- the sector in which the organization operates
Quebec, Alberta and British Columbia are the only provinces with privacy-specific legislation that is applicable to provincially regulated employers. In Quebec, it is the Act Respecting the Protection of Personal Information in the Private Sector that applies; in Alberta, the Personal Information Protection Act applies; BC also has a Personal Information Protection Act. There are also statutory rights of action for invasion of privacy in Quebec, BC, Manitoba, Newfoundland and Saskatchewan. In addition, there is a common law tort of “intrusion upon seclusion” which gives employees an avenue for recourse if their privacy rights in relation to their personal information are violated.
Further, Manitoba, Saskatchewan, Alberta, Quebec, BC, Ontario, New Brunswick, Newfoundland, and Nova Scotia have specific legislation governing the collection, use and disclosure of personal health information. These statutes have limited application in the context of employee information collected by an employer in the private sector (i.e. outside of the health services sector).
For federally regulated employers, the Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) sets out ground rules on how to collect, use and disclose personal information about their employees. This includes all organizations located in Nunavut, the Yukon and the Northwest Territories, since all local businesses in the territories are considered to be federal in nature.
Each province which has legislation specific to privacy or health information also has its own Privacy Commissioner, or similar body, tasked with enforcing that legislation.
With respect to the torts available to employees, this is typically dealt with by Canadian courts in the event an employee commences a civil action; however, in some jurisdictions the Privacy Commissioner or similar body may have jurisdiction to award a remedy in respect to the applicable statutory tort.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.