Insights Header image
Insights Header image
Insights Header image

Know your Obligations: Workplace Privacy in BC

June 2017 Employment and Labour Bulletin 3 minute read

All organizations operating in the private sector in British Columbia need to know their obligations under the Personal Information Protection Act, SBC 2003, c. 63 (“PIPA”).

No matter the size or scale of a private sector organization, PIPA governs the collection, use and disclosure of personal information. Personal information includes information about an organization’s employees.

In meeting its responsibilities under PIPA, an organization must do the following:

  • designate one or more individuals to be responsible for ensuring that the organization complies with PIPA (a “privacy officer”);
  • make the privacy officer’s contact information available to the public;
  • develop and follow policies and practices;
  • develop a process to respond to complaints that may arise respecting the application of PIPA; and
  • make information available on request about policies, practices, and the complaint process.[1]

How to Develop a Privacy Policy

While privacy policies vary between different industries and different sized organizations, best practices suggest that the following elements should be included in any privacy policy:

  • an introduction which explains why the organization developed its policy, a list of the organizations to which the policy applies, and a description of what is personal information;
  • an explanation of why the organization is collecting and using personal information;
  • a statement of the limits on the collection, use, and disclosure of personal information;
  • an explanation of under what circumstances the organization will disclose personal information;
  • an explanation of how the organization obtains consent for the collection, use, and disclosure;
  • information about how long the organization retains personal information;
  • an explanation of how the organization stores personal information;
  • an explanation of how the organization ensures that personal information is accurate;
  • an explanation of how individuals can access their personal information; and
  • instructions for how individuals can complain, access their personal information, or ask questions.

Handling Employee Personal Information

In developing a privacy policy, organizations must consider not only information collected from customers and clients but also personal information collected about their own employees.

There are special rules under PIPA for employee personal information. In considering what is employee personal information, it is important to note that the term employee is widely defined under PIPA. Not just paid employees are included, but also volunteers.

Employee personal information includes the type of records collected, used or disclosed for the purposes of establishing, managing, and terminating an employment relationship. While difficult to exhaustively set out what falls within the definition of employee personal information, it generally includes such things as personnel records, job applications, references, performance evaluations, and letters of resignation or termination.

PIPA prohibits the collection, use, or disclosure of employee personal information without consent unless specific exemptions apply[2] or the collection, use, or disclosure is reasonable for the purposes of establishing, managing, or terminating the employment relationship between the organization and the individual.

However, even where it is reasonable, organizations must notify their employees in advance about the collection, use, or disclosure, and the purposes for it. An employer can only avoid this obligation in the very limited circumstances where PIPA allows collection, use, or disclosure without consent (these limited circumstances include such rare situations as where it is necessary for medical treatment or it is necessary to determine suitability to receive an award).[3]

We encourage all employers to review their privacy policies, procedures for responding to privacy complaints, and handling of employee personal information to ensure they are compliant with PIPA.

by Melanie Harmer and Natalie Cuthill

[1] PIPA, sections 4 and 5.
[2] PIPA, sections 12, 15, and 18.
[3] PIPA, sections 12, 13, 15, 16, 18, and 19.

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2017

Insights (5 Posts)View More

Featured Insight

Unpacking Partnership Contracts in Quebec’s New Bill 62 Public Infrastructure Legislation

Bill 62 – An Act mainly to diversify the acquisition strategies of public bodies and increase their agility in carrying out infrastructure projects (“Bill 62”) was passed on October 2024 by the Québec National Assembly.

Read More
Dec 11, 2024
Featured Insight

Ontario Employers: New Job Posting Requirements Come into Force January 1, 2026

Employers should note new requirements for publicly advertised job postings that will come into force January 1, 2026.

Read More
Dec 11, 2024
Featured Insight

Managing Climate Risk with Insurance and Contractual Provisions

Carefully crafted contractual clauses and tailor-made insurance can help effectively manage the escalating risks posed by extreme weather.

Read More
Dec 11, 2024
Featured Insight

Legal Considerations in Canada related to “Voice Cloning”

In this bulletin, we discuss some potential causes of actions that one may have in Canada if they become victim of voice cloning.

Read More
Dec 6, 2024
Featured Insight

Ontario Employers: Important Changes to the ESA and OHSA Now in Force

Amendments to the ESA and OHSA regarding doctor's notes, virtual harassment, remote workers, and electronic postings are now in force.

Read More
Dec 6, 2024