Best Practices: what to do with employee personal information

Belinda Carfrae, CTP
Former Director of Treasury & Governance, Payworks (Retired 2019)

Before her retirement in 2019, Belinda had almost 30 years of experience in Trust Operations within the payroll industry, the last nine of which she spent building a robust treasury and governance team at Payworks. Belinda will always be part of the Payworks family and we’re grateful for her many contributions over her years of service.

We live in a time when awareness of our personal information, especially who has it and what they are doing with it, is at an all-time high. As a result, businesses in particular need to be aware of the various privacy laws and privacy policies in Canada, how they differ between jurisdictions and the steps they can take to better protect the personal information of their employees.

In Canada, federal legislation called the Personal Information Protection and Electronic Documents Act (PIPEDA) outlines how personal information should be handled by businesses. However, it’s important for those operating in Canada to know that Alberta, British Columbia, and Québec have their own legislation similar to the federal laws. That means companies operating in more than one province may have more than one piece of privacy legislation to consider when handling personal information. This could include common information such as an employee’s name, address and telephone number, as well as highly confidential information like their bank, credit card or passport information.

Like many pieces of legislation, the laws pertaining to the access and protection of employee personal information are detailed and potentially overwhelming. While it’s the responsibility of the business to comply with both federal and provincial requirements, when in doubt, businesses can contact the Office of the Privacy Commissioner (OPC) for more information.

Here are some best practices that employers can consider regarding the personal information of their employees:

  1. When collecting, using, disclosing or storing your employees’ personal information, it’s best to obtain their consent. Workplaces can do this when an employee is first hired or during the on-boarding process. Further to that, it’s important to ensure your employees understand the true nature, purpose and consequences of what they’re consenting to.
  2. Employees have a reasonable expectation of privacy in the workplace; therefore, employers should not engage in the unlimited collection, use, disclosure and retention of their information. Employers should only collect, use and disclose personal information that is necessary to accomplish specific activities and functions. If the data on file is no longer required or has no other meaningful use, it should be destroyed, erased or made anonymous.
  3. Train and educate your workforce on privacy rights. This can be done through online micro-learning programs specifically tailored to your business, office-wide refresher emails from your company’s privacy spokesperson, departmental presentations or whatever way best suits your company. Employees have a reasonable expectation of privacy in the workplace in that closed-door conversations are kept confidential; however, everyday conversations, especially in an open office setting, are not.
  4. Whether or not the privacy law in your jurisdiction covers employee personal information, respecting privacy in the workplace makes good business sense, as it shows your employees you care about their well-being and that you understand that compliance with privacy legislation is a priority. Something else to consider is that if your company also does business in Europe, the General Data Protection Regulation (GDPR) applies, whereby you will have to comply with data and privacy rules of the EU.
  5. Be open and transparent with your employees about your business’s privacy practices. You can limit any negative impact if you make your policies apparent to your staff starting on their first day and throughout the course of their employment.

Talking about the privacy of personal information can be overwhelming and frightening, and can make some employees uneasy. But with an open dialogue and a commitment to education and understanding, your business is showing your employees that you care about them – and people love to work for a company that cares (and also where they know their personal information will be safeguarded).

A workplace that shows it values and respects the privacy of its employees is one that distinguishes itself from other organizations and effectively builds and maintains consumer trust.
