Best Practices: what to do with employee personal information
Sep 23, 2019 | Resources
Belinda Carfrae, Director, Treasury & Governance, Payworks
We live in a time when awareness of our personal information, especially who has it and what they are doing with it, is at an all-time high. As a result, businesses in particular need to be aware of the various privacy laws and privacy policies in Canada, how they differ between jurisdictions and the steps they can take to better protect the personal information of their employees.
In Canada, there’s federal legislation called the Personal Information Protection and Electronic Documents Act (PIPEDA) that outlines how personal information should be handled by businesses. However, it’s important for those operating in Canada to know that Alberta, British Columbia, and Québec have their own legislation similar to the federal laws. That means companies operating in more than one province may have more than one piece of privacy legislation to consider when handling personal information. This could include common information such as an employee’s name, address and telephone number, as well as highly confidential information like their bank, credit card or passport information.
Like many pieces of legislation, the laws pertaining to the access and protection of employee personal information are detailed and potentially overwhelming. While it’s the responsibility of the business to comply with both federal and provincial requirements, when in doubt, businesses can contact the Office of the Privacy Commissioner (OPC) for more information.
Here are some best practices that employers can consider regarding the personal information of their employees:
- When collecting, using, disclosing or storing your employees’ personal information, it’s best to obtain their consent. Workplaces can do this when an employee is first hired or during the on-boarding process. Further to that, it’s important to ensure your employees understand the true nature, purpose and consequences of what they’re consenting to.
- Employees have a reasonable expectation of privacy in the workplace; therefore, employers should not engage in the unlimited collection, use, disclosure and retention of their information. Employers should only collect, use and disclose personal information that is necessary to accomplish specific activities and functions. If the data on file is no longer required or has no other meaningful use, it should be destroyed, erased or made anonymous.
- Train and educate your workforce on privacy rights. This can be done through online micro-learning programs specifically tailored to your business, office-wide refresher emails from your company’s privacy spokesperson, departmental presentations or whatever way best suits your company. Employees have a reasonable expectation of privacy in the workplace in that closed-door conversations are kept confidential; however, everyday conversations, especially in an open office setting, are not.
- Whether or not the privacy law in your jurisdiction covers employee personal information, respecting privacy in the workplace makes good business sense, as it shows your employees you care about their well-being and that you understand that compliance with privacy legislation is a priority. Something else to consider is that if your company also does business in Europe, the General Data Protection Regulation (GDPR) applies, whereby you will have to comply with data and privacy rules of the EU.
- Be open and transparent with your employees about your business’s privacy practices. You can limit any negative impact if you make your policies apparent to your staff starting on their first day and throughout the course of their employment.
Talking about the privacy of personal information can be overwhelming and frightening, and it can make some employees uneasy. But with an open dialogue and a commitment to education and understanding, your business is showing your employees that you care about them – and people love to work for a company that cares (and also where they know their personal information will be safeguarded).
A workplace that shows it values and respects the privacy of its employees is one that distinguishes itself from other organizations and effectively builds and maintains consumer trust.