Personal Information Protection Act. Information Sheet 5: Personal Employee Information

Introduction

The Personal Information Protection Act (PIPA) governs the collection, use, disclosure, retention and protection of personal information by private sector organizations in Alberta, including the personal information of employees. PIPA recognizes the special relationship that exists between employees and employers in specific provisions that address how organizations manage the personal information of their employees. These provisions for personal employee information balance an employee's right to informational privacy with an employer's legitimate need to collect, use and disclose personal employee information for purposes of human resource management.

The general provisions of PIPA regarding personal information apply to personal employee information, including an employee's right to request access to his or her personal information held by the employer and to learn how that information has been used and to whom it has been disclosed. Employees may also ask an organization to correct personal information they believe is inaccurate.

The purpose of this Information Sheet is to explain: what personal employee information is, the circumstances in which an organization may collect, use or disclose personal employee information without the consent of the employee, the obligations of the employer to provide access to or to correct personal employee information, the duty of the employer to safeguard the information, and how long an employer may retain the information. The Information Sheet also discusses business contact information.

A number of amendments to the provisions for personal employee information were made by the Personal Information Protection Amendment Act, 2009 and the Personal Information Protection Act Amendment Regulation, both of which came into force on May 1, The most significant change is that personal employee information now clearly applies to former employees and the post-employment relationship. The collection, use and disclosure provisions have been restructured to parallel the language in the definition of personal employee information and to set out more clearly the conditions under which an organization may collect, use or disclose personal employee information without consent. A new provision more clearly permits the disclosure of employment references without consent. These and other relevant amendments are reflected in this Information Sheet.

Definition of personal employee information

PIPA applies to personal information about an identifiable individual, that is, information that can identify an individual or is about an individual (e.g. name, address, age, educational history, blood type). The Act protects personal information whether or not it is recorded.

Personal employee information is personal information that may, in a particular context, be considered personal employee information. The Act defines personal employee information as personal information about an individual who is a potential employee, a current employee or a former employee, that is reasonably required by an organization for the purposes of establishing, managing or terminating an employment or a volunteer work relationship, or managing a post-employment or post-volunteer work relationship, between the organization and the individual (section 1(1)(j)).

An employee is defined by PIPA in such a way as to encompass individuals who are not traditionally thought of as employees. In PIPA, employee means an individual employed by the organization or who performs a service for the organization, whether or not the individual is paid, and includes: an apprentice; a volunteer; a participant; a student; a partner, a director, officer or other office-holder, and an individual who performs a service for the organization under a contract or is an agent of the organization (section 1(1)(e)).

A corporation that is performing a service for the organization under contract is not an employee of the organization, nor are the employees of that corporation employees of the organization. An individual who is performing a service for the organization under a contract is an employee of the organization for purposes of human resource management but a subcontractor of that individual is not an employee of the organization.

The expanded definition of employee enables organizations to handle the personal information of volunteers, apprentices, participants, students, contractors, agents, partners, directors and officers for human resource management purposes in the same manner as they would for traditional employees.

A potential employee means an individual who is being considered or may be considered for a position with the organization. A potential employee would include a potential apprentice, volunteer, participant, student, contractor, agent, partner, director or officer.

A former employee means an individual who is no longer employed by the organization or performing a service for the organization.
A former employee would include a former apprentice, volunteer, participant, student, contractor, agent, partner, director or officer.

A volunteer work relationship is a relationship whereby the individual provides a service for the organization and the individual is acting as a volunteer or is otherwise unpaid for the service being provided (e.g. a volunteer answering phones for a local theatre group). A volunteer work relationship includes any similar relationship between an organization and an individual where the individual is a participant or a student (e.g. a work experience or co-op student).

Managing an employment or volunteer work relationship means the carrying out of that part of human resource management that relates to the duties and responsibilities of employees. Managing also refers to activities carried out to administer personnel (PIPA Regulation, section 3), such as classification and compensation, training and development, succession planning, and administering a benefits program.

Managing a post-employment or post-volunteer work relationship refers to the carrying out of those limited activities that arise out of the employment or volunteer work relationship but that occur after termination, such as payment of a pension or other post-employment benefits or income tax reporting.

For ease of reference, the remainder of this Information Sheet discusses personal employee information in the context of establishing, managing or terminating the employment relationship. Unless otherwise indicated, the reader should consider this phrase as an abbreviation for establishing, managing or terminating the employment or volunteer-work relationship or for managing the post-employment or post-volunteer work relationship.

When personal information is personal employee information

There is no definitive category of personal employee information. It is the context in which personal information is being collected, used or disclosed that determines when personal information may be personal employee information. If an organization reasonably requires a piece of personal information about an employee or a potential employee for the purposes of establishing, managing or terminating the employment relationship with the individual, then the information can be considered personal employee information for that purpose.

Personal information may be personal employee information in one situation; this does not mean that the same piece of personal information is personal employee information in all situations. The information will be personal employee information only when it is reasonably required for the employment relationship. For example, an individual's Social Insurance Number is personal information.
The Social Insurance Number is personal employee information when the employer uses it to provide the employee with a T4 income tax slip.

Other examples of personal information that may also be personal employee information include: personal contact information; date of birth; employee number; salary or wages; taxation or superannuation details; hours worked, absences, vacation dates; terms and conditions of employment; performance assessments; resumes and references; work history; disciplinary matters.

Not all personal information collected by an employer about the employee is personal employee information. By definition, only personal information that is reasonably required for the establishment, management or termination of the employment relationship can be personal employee information. Personal information that is not reasonably required for these purposes will not be regarded as personal employee information under PIPA (e.g. information about an employee's hobbies or extracurricular activities).

Business information

Business information created by or provided to an employee as part of their workplace duties (e.g. correspondence, memoranda or reports written or received by the employee on behalf of the organization) is not created or provided for the purpose of establishing, managing or terminating the employment relationship and, therefore, is not personal employee information. These records represent an organization's position on a particular matter and differ from records that are about the individual as an employee of an organization, such as a report for performance planning purposes, a record regarding leave or information about participation in a benefits program. Records of business information may contain some personal information, but it is likely to be business contact information, i.e. the employee's name, position title, business address and telephone number.

The differentiation between records containing business information and those containing personal employee information is significant in determining what records may be disclosed on an access request by the employee. This is discussed later in this publication (page 14).

Business contact information

An employee's name, title or position, business telephone number, address, fax number and address is business contact information under PIPA (section 1(1)(a)). PIPA does not apply to business contact information when it is being collected, used or disclosed for the purposes of enabling the individual to be contacted in relation to his or her business responsibilities and for no other purpose (section 4(3)(d)).
The provision applies to business contact information of individuals in the public sector as well as the private sector. The exclusion allows an organization to routinely collect, use and disclose business contact information as part of its daily operations. It applies to situations where the organization collects, uses or discloses business contact information for the purposes of enabling staff members to be contacted (e.g. posting contact information of sales representatives on the organization's website), or making contact with individuals outside the organization (e.g. compiling a list of telephone numbers of suppliers for staff use).

Collection, use and disclosure of personal employee information

The employment relationship is a special relationship that brings the parties into continual contact, places obligations and responsibilities on each party and requires mutual trust and respect. An employee has a right to privacy but it is not an absolute right. An employer has a legitimate need to collect, use and disclose certain types of personal information about employees in order to operate the business and fulfill its obligations as an employer (see PIPA Investigation Report P2005-IR-004).

There are circumstances where an employer would not be able to carry out its functions and legal obligations if an employee could withhold consent to the collection, use or disclosure of certain personal information. For example, an employer requires certain personal information to process the payroll and must follow laws regarding income tax, employment insurance and pension plans. The consequences of an employee withholding consent would be that the employee could not be paid and the employer would be in breach of various laws.

PIPA balances the interests of the employer and employee by permitting an organization to collect, use or disclose personal employee information without consent for reasonable purposes related to the recruitment, management or termination of employees (sections 15, 18, and 21). The employer is held accountable because the Act requires the collection, use or disclosure of the information to be solely for the purposes of recruitment, management or termination, and it must be reasonable to collect, use or disclose the information for the particular purpose. The employer is also required to provide current employees with notice of the purposes for which the information is being collected, used or disclosed. If notice is not given, consent is required. (See page 6 for more information on notification.)

The privacy rights of the employee are further protected by the employee's right to request access to and correction of his or her own personal information (section 24) and by the obligations on the employer to make a reasonable effort to ensure the information collected, used or disclosed is accurate and complete (section 33), is safeguarded against unauthorized access, modification or destruction (section 34), and is retained only for as long as it is reasonably required for business or legal purposes and thereafter stripped of personal identifiers or the records destroyed (section 35).

Consent is not required under sections 15, 18 and 21

Sections 15, 18 and 21 establish the conditions under which an employer may collect, use or disclose personal employee information without the consent of the employee. An organization may collect, use or disclose personal employee information without consent of the employee the information is about, if: the information is collected, used or disclosed solely for the purposes of establishing, managing or terminating the employment or volunteer work relationship between the organization and the employee; it is reasonable to collect, use or disclose the information for the particular purpose for which the information is being collected, used or disclosed (as the case may be); and notice is given to current employees that the organization is going to collect, use or disclose the information and of the purposes for the collection, use or disclosure.

Solely for the purpose

Since sections 15, 18 and 21 are exceptions to the general principle of consent, the provisions make it clear that employer organizations can only collect, use or disclose the information without consent for the stated purposes of establishing, managing or terminating the employment relationship. An organization would have to obtain the employee's consent to collect, use or disclose the information for any other purpose, unless another without consent provision of the Act applies.

Reasonable for the particular purpose

The application of sections 15, 18 and 21 is further restricted by requiring that the collection (or use or disclosure) of a specific element of information be reasonable not only for general employment-related purposes, but also for the particular purpose for which the element is being collected. For example, it would be reasonable for a potential employer to collect information about the candidate's education history for the particular purpose of determining the candidate's suitability, but it would not be reasonable to collect the candidate's Social Insurance Number for that purpose.

Notification

An organization must give current employees reasonable notification that their personal information is going to be collected, used or disclosed and of the purposes for the collection, use and disclosure. Notification needs to occur prior to the collection, use and disclosure.

A good business practice for organizations is to create a general written notification statement that is circulated to every current employee and given to each new employee when they start work. The statement can be comprehensive, specifying all the purposes for which the organization collects, uses and discloses personal employee information, the type of personal information that is involved, the sources from which the information is collected, to whom the information will be disclosed, and the name of the individual in the organization who can answer the employee's questions about the collection, use and disclosure.

Any new purpose for which information is to be collected, used or disclosed without consent requires new notification. For example, a transportation company uses the Global Positioning System (GPS) to track the locations of its vehicles in order to schedule additional deliveries.
The company would have to give new notification to its employees if it wanted to use the GPS information for any other purpose.

When consent may or must be obtained

The provisions of sections 15, 18 and 21 are permissive. They permit, but do not require, an employer to collect, use or disclose personal employee information without consent. An employer organization may have a policy that it will collect, use or disclose all or some of its personal employee information only with the consent of its employees.

An organization must obtain consent if it wishes to collect, use or disclose personal information about an employee for a purpose other than establishing, managing or terminating the employment relationship between itself and the employee, and none of the other provisions in the Act allowing for the collection, use and disclosure of personal information without consent apply.

An organization must also obtain consent when, in relation to an employee, it collects personal information about other individuals. For example, an employer may collect the name and telephone number of another individual as the employee's emergency contact information or personal information about the employee's spouse for a benefits program. The personal information in these instances is not personal employee information because it is personal information about individuals who are not in the employment relationship with the employer.

Example: A charitable fund-raising program occurs in the workplace. The employer organization will need consent to collect, use and disclose personal information in relation to employees' participation in the program. Consent would also be required for the collection, use and disclosure of personal information about employees purchasing Canada Savings Bonds through the workplace.

Example: A retail store at which an individual is seeking chequing privileges contacts an organization to confirm the individual's employment with the organization. The organization cannot rely on the personal employee information provisions to disclose the information to the store, as the disclosure is not for the purpose of managing the employment relationship. The organization will need the individual's consent to disclose the personal information. Similarly, an organization would need consent to disclose to a credit union the salary of an employee of the organization who is seeking a mortgage from the credit union.

Medical information

Certain medical information about employees may be regarded as personal employee information which an organization may collect, use or disclose without consent for purposes of managing its employment relationship.

Example: An employer may need to ensure that employee absences are justified or to confirm that an employee is fit to return to work.
A doctor's certificate attesting to the need for sick leave or for modified duties upon a return to work may be regarded as personal employee information. While it is generally reasonable for an employer to know what accommodations are needed for an employee to be able to return to work, an employer would rarely need to know the medical diagnosis and treatment. (See PIPA Case Summary P2006-CS-004 and PIPA Investigation Report P2007-IR-001.)

Example: Some employers are required by occupational health and safety legislation to have hearing tests conducted on their employees. The employer contracts with an independent physician to conduct the tests. Summaries of the tests are sent to the employer. The summaries would be personal employee information as the employer is required by law to collect the information as part of its obligations as an employer. As personal employee information, the employer can collect the information without consent but the employer must provide prior notice of the collection to the employees. The employer could also collect the information without consent or notice under section 14(b), as the collection is authorized or required by a statute or regulation of Alberta.

Other medical information that may be considered personal employee information includes reports of workplace injuries, first aid logs, and return to work requirements.

Medical information is considered sensitive information and should be safeguarded in a manner appropriate to its sensitivity. This means appropriate physical, technical and administrative security measures are required to protect records containing medical information. For example, medical information should be segregated from other personal employee information and access to the medical information should be limited to those in the organization who have a need to know.

Employment references

The Act allows an organization to provide, without consent, a reference for a current or former employee to a potential or current private or public sector employer if the personal information being disclosed by the organization was collected by it as personal employee information (i.e. the information was reasonably required by the organization for the purpose of establishing, managing or terminating its employment relationship with the employee), and the disclosure is reasonable for the purpose of assisting the employer seeking the reference to determine the employee's eligibility or suitability for a position with that employer (section 21(2)).

Example: A current employee of organization A is applying for a position with organization B. When asked by organization B for an employment reference, organization A could provide, without consent of the employee, information about the employee's work responsibilities. However, organization A could not rely on section 21(2) to disclose, without consent, the employee's Social Insurance Number. Although the information was collected by organization A as personal employee information, the disclosure of the Social Insurance Number would not be reasonable for the purpose of assisting organization B to determine the employee's suitability for the position.

As section 21(2) is permissive, an organization is not required to give a reference without consent.
PIPA does not prevent an organization from establishing a policy that it will only give references with the individual's consent.

An organization subject to PIPA can collect, without consent, an employment reference about a job candidate because it is collecting personal information about a potential employee for the purpose of establishing an employment relationship with that candidate. The information collected must be reasonably required for the purpose of determining the individual's eligibility or suitability for the position (section 15(1)).

For more information regarding the collection, use and disclosure of employment references, see the General FAQs for Organizations and Individuals Workplace published by Access and Privacy,.

Unsolicited resumés

Organizations often receive unsolicited resumés from individuals. The receipt of a resumé is a collection of personal information by the organization, but it is a collection with consent as the individual voluntarily submitted the resumé to the organization. The organization can use the personal information only for the purpose for which it was sent, i.e. to consider the individual for a position within the organization. The organization could not use the personal information for other purposes, such as marketing.

An organization should include in its policies and practices a statement as to how it will handle unsolicited resumés; for example, it will treat the resumés as transitory records and will destroy them immediately in a secure manner, or it will retain the resumés for a period of six months, after which time the resumés will be destroyed in a secure manner.

Monitoring employees

Organizations increasingly monitor the activities of their employees in the workplace through video surveillance, recorded telephone calls, electronic security passes, and monitoring computer usage and . The same rules regarding the collection, use and disclosure of personal employee information without consent apply to these activities.

The first rule is that the information must be reasonably required for establishing, managing or terminating the employment relationship with that individual employee and it is reasonable to collect, use or disclose the information for the particular purpose. The organization should consider whether the information is necessary to fulfill the stated need and whether the information could be obtained in a less privacy-intrusive manner. It may not be reasonable to collect the same type of personal information about all employees in the organization.
For example, it may not be reasonable to require the same level of security screening for a researcher working on highly sensitive information and a receptionist who will have no access to sensitive information.

When determining whether monitoring is reasonable in a particular situation, an organization should consider the following three-part test established by the Information and Privacy Commissioner of Alberta: Are there legitimate issues that the organization needs to address through surveillance? Is the surveillance likely to be effective in addressing these issues? Was the surveillance conducted in a reasonable manner? [PIPA Investigation Report P2005-IR-004]

It may be reasonable for an employer to use non-surreptitious video surveillance in the workplace where there are substantial security issues, but it will be more difficult to justify the use of surveillance for productivity issues. In PIPA Investigation Report P2005-IR-004, the Commissioner's Office applied the test stated above and found that the organization's use of visible video surveillance cameras in common areas of the shop and office was reasonable in the circumstances to address issues of theft and employee safety. However, it was not reasonable to use the cameras for monitoring employee performance.

The second rule is that the organization must notify current employees that the information is going to be collected, used or disclosed and of the purposes for the collection, use or disclosure of the information. For example, the organization must notify employees of its policy of monitoring computer usage and the purposes for which the organization is collecting, using or disclosing that information. It may also be beneficial for the organization to state in its notification the purposes for which the information will not be collected, used or disclosed. For example, if the information is being collected for security purposes, the notification should state that the information collected will not be used for productivity or disciplinary matters. The notification must occur before the collection, use or disclosure takes place.

The third rule is that the information is subject to the provisions in PIPA regarding accuracy, security, retention, destruction, access and correction.

Other legislation and labour relations and human rights decisions may also have an impact on the ability of an organization to collect, use and disclose this type of information.

Outsourcing

An organization must consider PIPA when it outsources certain of its human resource functions to another organization (e.g. payroll, pension plan administration). The transfer of personal employee information by the employer organization to the service provider is considered a use rather than a disclosure under PIPA. The transfer of information would be permitted without consent under section 18 as it is a use for the management of the employment relationship.

The employer organization is responsible for ensuring that the service provider complies with the provisions of PIPA in the same manner as the employer is required to (section 5(2)). This should be addressed in the contract or agreement between the parties.

An employer organization that uses a service provider outside Canada has certain obligations under PIPA with respect to policies and notification. For more information about these obligations, see PIPA Information Sheet 12: Service Providers Outside Canada: Notification, Policies and Practices, published by Access and Privacy,.

Consider other provisions in PIPA

The Act provides that personal information may be collected, used and disclosed without consent in certain circumstances. These provisions also apply to personal information about employees.

Sections 14, 17 and 20

Employer organizations may collect, use or disclose, without consent, personal information about their employees or other individuals in the limited circumstances enumerated in sections 14, 17 or 20.

When personal information about employees is collected, used or disclosed under sections 14, 17 and 20, the notification provisions for current employees under sections 15, 18 and 21 do not apply.

Example: The Maintenance Enforcement Act requires an employer to provide, upon request, certain information about an employee to the Director of Maintenance Enforcement for the purpose of enforcing a maintenance order. The employer can disclose the information to the Director of Maintenance Enforcement, without the consent of the employee, under section 20(b) of PIPA, as this provision permits disclosure without consent where the disclosure is authorized or required by a statute of Alberta.

Trade unions

An employer organization that is subject to a collective agreement under section 128 of the Labour Relations Code may disclose, without consent, personal information about its employees to the union when the disclosure is necessary to comply with the collective agreement (section 20(c.1)). If the collective agreement is silent on or does not require the organization to provide personal information about an employee to the union and there is no Alberta or federal statute or regulation that otherwise authorizes the disclosure, the organization can provide the information only with the consent of the employee.

Example: One of the terms of a collective agreement under the Labour Relations Code is that the employer will provide the union with the names, home addresses and telephone numbers of all employees subject to that agreement. The employer may disclose this information to the union without the consent of the employees. Although notification may not be required in this circumstance, it is a good practice for an organization to set out in its employee information policy that the organization will be disclosing this information in accordance with the collective agreement.

Investigations

Sections 14(d), 17(d) and 20(m) permit an employer organization to collect, use or disclose personal information without consent when it is reasonable for the purposes of an investigation. Section 1(1)(f) defines an investigation as an investigation related to a breach of an agreement, a contravention of an enactment of Alberta or Canada or another province of Canada, or circumstances or conduct that may result in a remedy or relief being available at law if the breach, contravention, circumstances or conduct in question has or may have occurred or is likely to occur, and it is reasonable to conduct an investigation.

A breach of an agreement includes a breach of an employment contract. It does not include a breach of a policy that is not expressly included in the contract.

In some cases, it is the organization that is conducting the investigation (e.g. an organization's own investigation into a workplace accident or a breach of the employment contract). In other cases, an organization will be collecting, using or disclosing the personal information to assist another body with its investigation (e.g. a client of a temporary employment agency conducts an investigation to determine if monies were misplaced or were stolen by an employee of the agency). In either case, the organization may collect or disclose only as much personal information as is reasonable.

An organization may also disclose personal information to a public body or a police service to assist with an investigation leading to a law enforcement proceeding or from which a law enforcement proceeding is likely (section 20(f)). For example, a police service may request an individual's name and home address from the employee file to assist with an investigation into a motor vehicle accident that is not related to the individual's employment with the organization.

For a more detailed discussion of an organization's ability to collect, use and disclose personal information for the purposes of an investigation, see PIPA Information Sheet 2: Investigations, published by Access and Privacy, Service Alberta.

Acquisition of a business

Section 22 of PIPA allows parties involved in a purchase, sale, lease, merger, amalgamation, etc. of all or part of an organization or of a business asset to collect, use and disclose personal information without consent for the purpose of determining whether to proceed with the transaction and subsequently to carry on the business acquired. This means that a vendor organization can disclose, without consent, personal information about its employees to a prospective purchaser for the purposes of a due diligence investigation.

The information must be necessary for the parties to determine whether to proceed with the transaction or to complete the transaction, and the parties must first agree that the information will only be used for this purpose. This is not a disclosure or collection of personal employee information, as the vendor is not disclosing the information for the purposes of managing its employment relationship with the employees and the purchaser is not collecting the information for purposes of recruitment.

If the transaction is completed, the purchaser must agree to use and disclose the personal information only for the purpose for which it was originally collected by the vendor. If the transaction is not completed, the information must be destroyed by the prospective purchaser or returned to the vendor.

An organization cannot rely on section 22 to disclose personal information without consent where the purchase, sale, lease, etc. of personal information is the primary purpose of the transaction.

Employee information collected before 2004

Organizations will have collected personal information about their former, current or prospective employees prior to PIPA coming into force on January 1, 2004. Section 4(4) of PIPA deems that this personal information was collected with consent.

Most of the personal information collected by an organization about its employees will be personal employee information. An organization may use or disclose this personal employee information without the consent of employees for reasonable purposes related to the employment relationship, provided that current employees are given notice of the purposes for which their information is going to be used or disclosed.

An organization may, however, have collected other personal information about its employees that does not fall within the definition of personal employee information (e.g. the organization has collected information about an employee's hobbies, charity work, or favourite sports and the information is not reasonably required for the employment relationship). Section 4(4) permits the organization to continue to use or disclose this information for the purpose(s) for which it was originally collected, as long as the use or disclosure is for a reasonable purpose and is limited to what is needed to fulfill that purpose. However, a better practice would be to obtain the consent of the employee for the continued use or disclosure of this information.

An organization should evaluate the information it has about its employees to determine what is reasonably required to establish, manage or terminate the employment relationship. Personal information on file that is not required for these purposes should be disposed of, unless consent is obtained.

For further discussion of use and disclosure of personal information collected by an organization prior to January 1, 2004, see PIPA Information Sheet 4: Personal Information Collected Before 2004, published by Access and Privacy.

Accuracy, security, retention and destruction

The Act requires organizations to ensure that personal information that is collected, used or disclosed is accurate and complete (section 33), is protected by reasonable security measures (section 34) and is retained only for as long as it is reasonably required for business or legal purposes (section 35). Once the information is no longer required for business or legal purposes, an organization must strip the information of all personal identifiers or destroy the records containing the information (section 35). These provisions apply to personal employee information.

An organization must ensure that the personal information it is using or disclosing about an employee is as accurate and complete as is reasonably required for the purposes for which the information is being collected, used or disclosed. Decisions being made about an employee should not be based on incomplete or wrong information. For example, an organization should ensure it has accurate information about an employee's family status if dependents are entitled to certain benefits under the employer's group medical plan.

Organizations may also be required by other legislation to keep certain employee records up to date (e.g. Employment Standards Code).

An organization is required to use reasonable safeguards (physical, administrative and technical) to protect personal information from unauthorized collection, use, disclosure, copying, modification, loss, destruction or access. The level of protection must be appropriate to the sensitivity of the information. Financial and medical information is generally considered to be very sensitive in nature. Therefore, not everyone in the organization should have access to such information as payroll, leave taken or eligibility for benefits. Access to this type of information should be limited to the few individuals within the organization who have a need to know. For example, an organization can use passwords to prevent access to computer records and limit employees' access to filing cabinets.

An organization may keep personal employee information for as long as it is reasonably required for business or legal purposes. An organization should develop a retention schedule for personal employee information records that takes into account financial, operational, audit, archival, and legal (including statutory) requirements. For example, an organization is legally required by the Employment Standards Code to retain certain employment records for at least 3 years from the date each record is made.

When personal employee information is no longer required for legal or business purposes, the organization must, within a reasonable period of time, destroy the records containing the information or render the information non-identifying. Destruction must be done in a secure manner to prevent unauthorized parties from gaining access to the information (e.g. shredding records instead of placing them in a garbage bin or recycling box).

When personal employee information is de-identified, it must not be possible to re-identify the remaining information (e.g. personal employee information in a database or spreadsheet cannot simply be "hidden").

Access and correction

An employee has the right under PIPA to request access to and correction of his or her own personal information that is in a record in the custody or under the control of the employer organization (sections 24 and 25). This includes personal employee information.

Access

An employee's right of access to his or her own personal information is not unconditional. The Act allows an organization to take into consideration what is reasonable when providing access. The Act also specifies circumstances where access must or may be refused. For some of these exceptions to access, the Act requires an organization to remove or sever the information from the record. If the information can reasonably be severed, the individual must be given access to the remainder of the record.

An organization must refuse an employee access in the following cases.

The disclosure of the information could reasonably be expected to threaten the life or security of another individual. "Threaten" means to expose to risk or harm.

Example: An organization fired an employee for uttering threats to his supervisor. The employee is considered to be volatile. The employee requests access to his personnel file. The organization refuses to give the employee access to records containing the statements of colleagues who witnessed the threats made against the supervisor because of the reasonable expectation that the colleagues would be exposed to harm from the employee. If the organization can reasonably sever this information from the records, it must give the employee access to the remainder of the records.

Personal information about another individual would be revealed.

Example: The employee requests access to the record containing information about his parking permit. The record contains a list of every individual in the organization who has a parking permit. The organization must sever the information about the other individuals from the record before giving the employee access to it.

The identity of an individual who gave an opinion in confidence would be revealed against his or her wishes.

Example: An employer obtains opinions from clients about the employer's customer service representative. The employee who is the customer service representative asks for access to the records containing the opinions. The written opinions were submitted in confidence and the authors do not wish their identities to be revealed. The employer removes the names of the authors and any other information from the records that would identify the authors before giving the employee access to the records. (See PIPA Order P for a discussion of the meaning of "opinion" and as an example of where the identifying information could not reasonably be severed because of the specificity and nature of the opinions.)

In other situations, the Act permits, but does not require, an organization to refuse access.

The information is protected by legal privilege.

Example: The information is subject to solicitor-client privilege because it is the opinion obtained by the employer from its solicitors regarding an employee's wrongful dismissal action.

The information was collected for an investigation or legal proceeding.

Example: The records contain the information compiled by the organization during its investigation into an employee's misuse of the company credit card.

The information would reveal confidential commercial information and it is not unreasonable to withhold that information.

Example: The record shows how an employee's time was expensed against a research and development project. Granting the employee access to the record would reveal confidential information about the project. If the organization can reasonably sever the confidential information from the record, it must give the employee access to the remainder of the record that contains his or her personal information.

The information was collected by a mediator or arbitrator appointed under an agreement, by a court, or under a statute or regulation.

Example: The record contains submissions by parties to an arbitrator appointed under the contract to resolve a dispute about the contract.

The information is of a type that may no longer be provided if it is disclosed and it is reasonable for the information to be provided to the organization.

Example: Individuals may stop providing references to an organization if the organization discloses the comments of the referees.

Business information that is created or received by an employee in the performance of his or her employment duties as a representative of the organization will not normally contain the personal information of the employee, apart from business contact information. Business information and business contact information that is collected, used and disclosed for the purpose of enabling an individual to be contacted in relation to his or her employment responsibilities is outside the scope of an access request under the Act. The organization is not required to provide the information to the individual but may choose to do so.

For further information regarding access requests, see PIPA Information Sheet 3: Personal Information, published by Access and Privacy, Service Alberta.

Correction

Employees may also request that their employers correct an error or omission in the personal employee information that is under the control of the employer. The employer organization will make the correction if it determines an error or omission has occurred. The employer organization must also notify all other organizations to whom it may have disclosed the incorrect information of the correction, if it is reasonable to do so.

If the employer organization determines an error or omission has not occurred, it must annotate the relevant record with the request for the correction.

The Act prohibits an organization from correcting or otherwise altering an opinion, including a professional opinion. This means that an employer organization cannot change an opinion that is given in a reference letter, a performance evaluation, or other record.

Fees

An organization is not permitted to charge an individual a fee for processing an access request for personal employee information (section 32(1.1)) or a request for correction of personal information (section 32(2)).

An organization may charge an employee a reasonable fee for processing an access request for personal information that is not personal employee information (section 32(1)). For example, an employee of a department store may also be a customer of the store. The store may charge a reasonable fee for processing the employee's request for access to the records containing the employee's personal information as a customer.

Review by the Commissioner

An employee has the right to make a complaint to the Information and Privacy Commissioner regarding the employer organization's collection, use or disclosure of the employee's personal information, including personal employee information. An employee may also ask the Commissioner to review a decision of the employer regarding access to or correction of his or her personal information.

Whistleblower protection

An organization is prohibited from taking any adverse employment action against an employee or denying an employee a benefit where the employee, acting in good faith and with reasonable belief, informs the Commissioner that the organization or another person has contravened the Act or is about to contravene the Act, refuses to do anything that is in contravention of the Act, does something that is required to be done in order to avoid having any person contravene the Act, or where the organization believes the employee will do any of the above (section 58).

Example: Mary informs the Office of the Information and Privacy Commissioner of Alberta that her employer shredded certain records about an employee after the employee requested access to those records. The employer has committed an offence under the Act by destroying the records with an intent to evade the request for access (section 59(1)(c)). The employer cannot fire, demote or take any other adverse action against Mary for advising the Commissioner of its activities. It is an offence for an employer organization to take any adverse employment action against an employee who acted in good faith (section 59(1)(e.2)).

Other resources

A Guide for Businesses and Organizations on the Personal Information Protection Act provides an overview of the Act with examples and tips for incorporating good privacy practices in the workplace.

The Personal Information Protection Act, A Summary for Organizations summarizes the key obligations of organizations.

PIPA Information Sheet 3: Personal Information discusses the concept of personal information in greater detail.

PIPA Information Sheet 4: Personal Information Collected Before 2004 discusses the use and disclosure of personal information collected by an organization prior to January 1, 2004.

PIPA Information Sheet 12: Service Providers Outside Canada: Notification, Policies and Practices outlines an organization's obligations when it uses a service provider outside Canada for collecting, using, disclosing or storing personal information on its behalf.

General FAQs for Organizations and Individuals Workplace provides more information about collection, use and disclosure of employment references.

Publications are available online from: Access and Privacy, pipa.alberta.ca

The website of the Office of the Information and Privacy Commissioner also contains resources, at

This document is an administrative tool intended to assist in understanding the Act. It is not intended as, nor is it a substitute for, legal advice. For the exact wording and interpretation of the Act, please read the Act in its entirety. This Information Sheet is not binding on the Office of the Information and Privacy Commissioner of Alberta.


How To Protect Your Personal Information At A College Data Protection Policy Policy Details Produced by Assistant Principal Information Systems Date produced Approved by Senior Leadership Team (SLT) Date approved July 2011 Linked Policies and Freedom of Information

More information

PRIVACY BREACH POLICY

PRIVACY BREACH POLICY Approved By Last Reviewed Responsible Role Responsible Department Executive Management Team March 20, 2014 (next review to be done within two years) Chief Privacy Officer Quality & Customer Service SECTION

More information

Law Firm Compliance: Key Privacy Considerations for Lawyers and Law Firms in Ontario

Law Firm Compliance: Key Privacy Considerations for Lawyers and Law Firms in Ontario PRIVACY COMPLIANCE ISSUES FOR LAW FIRMS IN ONTARIO By Sara A. Levine 1 Presented at Law Firm Compliance: Key Privacy Considerations for Lawyers and Law Firms in Ontario Ontario Bar Association, May 6,

More information

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information: Information and Privacy Commissioner of Ontario Report of the Information & Privacy Commissioner/Ontario Review of the Canadian Institute for Health Information: A Prescribed Entity under the Personal

More information

Boys and Girls Clubs of Kawartha Lakes B: Administration B4: Information Management & Policy: Privacy & Consent Technology

Boys and Girls Clubs of Kawartha Lakes B: Administration B4: Information Management & Policy: Privacy & Consent Technology Effective: Feb 18, 2015 Executive Director Replaces: 2010 Policy Page 1 of 5 REFERENCE: HIGH FIVE 1.4.3, 2.2.4, 2.5.3, PIDEDA POLICY: Our Commitment Boys and Girls Clubs of Kawartha Lakes (BGCKL) and the

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

Appendix 11 - Swiss Data Protection Act

Appendix 11 - Swiss Data Protection Act GLEIF- LOU Restricted Appendix 11 - Swiss Data Protection Act GLEIF Revision Version: 1.0 2015-09-23 Master Copy page 2 of 11 Applicable Provisions of the Swiss Data Protection Act (DPA) including the

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Title Author Approved By and Date Review Date Mike Pilling Latest Update- Corporation May 2008 1 Aug 2013 DATA PROTECTION ACT 1998 POLICY FOR ALL STAFF AND STUDENTS 1.0 Introduction 1.1 The Data Protection

More information

Data Protection and Privacy Policy

Data Protection and Privacy Policy Data Protection and Privacy Policy 1. General This policy outlines Conciliation Resources commitments to respect the privacy of people s personal information and observe the relevant data protection legislation.

More information

SCHEDULE "C" to the MEMORANDUM OF UNDERSTANDING BETWEEN ALBERTA HEALTH SERVICES AND THE ALBERTA MEDICAL ASSOCIATION (CMA ALBERTA DIVISION)

SCHEDULE C to the MEMORANDUM OF UNDERSTANDING BETWEEN ALBERTA HEALTH SERVICES AND THE ALBERTA MEDICAL ASSOCIATION (CMA ALBERTA DIVISION) SCHEDULE "C" to the MEMORANDUM OF UNDERSTANDING BETWEEN ALBERTA HEALTH SERVICES AND THE ALBERTA MEDICAL ASSOCIATION (CMA ALBERTA DIVISION) ELECTRONIC MEDICAL RECORD INFORMATION EXCHANGE PROTOCOL (AHS AND

More information

Disclosure is the action of making new or secret information known.

Disclosure is the action of making new or secret information known. /PURPOSE OF POLICY Pty Limited (Momentum) is required and committed to comply with the Australian Privacy Principles (APPs) in the Privacy Act 1998 (Cth) (Privacy Act). The APPs regulate the manner in

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1 Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

More information

HUMAN RESOURCES MANAGEMENT 53 Personnel Records

HUMAN RESOURCES MANAGEMENT 53 Personnel Records 1.0 RATIONALE Sturgeon School Division believes in managing personnel information as a strategic resource, in compliance with provincial legislation and in the best interests of the division and its employees.

More information

Privacy Law in Canada

Privacy Law in Canada Privacy Law in Canada Federal and provincial privacy legislation has a profound impact on the way virtually all organizations carry on business across the country. Canada s privacy laws, while likely the

More information

The Winnipeg Foundation Privacy Policy

The Winnipeg Foundation Privacy Policy The Winnipeg Foundation Privacy Policy The http://www.wpgfdn.org (the Website ) is operated by The Winnipeg Foundation (the Foundation ). The Winnipeg Foundation Privacy Policy Foundation is committed

More information

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect.

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. PRIVACY POLICY 1. Introduction Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. We will only collect information that

More information

7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data

7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data Akzo Nobel N.V. Executive Committee Rules 7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data Source Directive Content Owner Directive 7.08 Protection of Personal Data AkzoNobel Legal

More information

STATUTORY INSTRUMENTS. S.I. No. 623 of 2006 EUROPEAN COMMUNITIES (EUROPEAN PUBLIC LIMITED-LIABILITY COMPANY) (EMPLOYEE INVOLVEMENT) REGULATIONS 2006

STATUTORY INSTRUMENTS. S.I. No. 623 of 2006 EUROPEAN COMMUNITIES (EUROPEAN PUBLIC LIMITED-LIABILITY COMPANY) (EMPLOYEE INVOLVEMENT) REGULATIONS 2006 STATUTORY INSTRUMENTS. S.I. No. 623 of 2006 EUROPEAN COMMUNITIES (EUROPEAN PUBLIC LIMITED-LIABILITY COMPANY) (EMPLOYEE INVOLVEMENT) REGULATIONS 2006 (Prn. A6/2135) 2 [623] S.I. No. 623 of 2006 EUROPEAN

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Doing Business. A Practical Guide. casselsbrock.com. Canada. Dispute Resolution. Foreign Investment. Aboriginal. Securities and Corporate Finance

Doing Business. A Practical Guide. casselsbrock.com. Canada. Dispute Resolution. Foreign Investment. Aboriginal. Securities and Corporate Finance About Canada Dispute Resolution Forms of Business Organization Aboriginal Law Competition Law Real Estate Securities and Corporate Finance Foreign Investment Public- Private Partnerships Restructuring

More information

Office of Personnel Management. Policy Policy Number: Definitions. Communicate: To give a verbal or written report to an appropriate authority.

Office of Personnel Management. Policy Policy Number: Definitions. Communicate: To give a verbal or written report to an appropriate authority. Citation: Arkansas Code Annotated 21-1-601 through 608, 21-1-610; 21-1-123 and 124 Office of Personnel Management Policy 1 Forms: Fraud Reporting Complaint Form Definitions Adverse action: To discharge,

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

Daltrak Building Services Pty Ltd ABN: 44 069 781 933. Privacy Policy Manual

Daltrak Building Services Pty Ltd ABN: 44 069 781 933. Privacy Policy Manual Daltrak Building Services Pty Ltd ABN: 44 069 781 933 Privacy Policy Manual Table Of Contents 1. Introduction Page 2 2. Australian Privacy Principles (APP s) Page 3 3. Kinds Of Personal Information That

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

Business Contact Information

Business Contact Information Number 13 Revised March 2009 Business Contact Information CONTENTS Introduction 1 Types of business contact information Business is personal information Disclosure of business under section 40(1)(bb.1)

More information

Pacific Smiles Group Privacy Policy

Pacific Smiles Group Privacy Policy Pacific Smiles Group Privacy Policy Pacific Smiles Group Limited and its related bodies corporate (PSG, we, our, us) recognise the importance of protecting the privacy and the rights of individuals in

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff DATA PROTECTION IT S EVERYONE S RESPONSIBILITY An Introductory Guide for Health Service Staff 1 Message from Director General Dear Colleagues The safeguarding of and access to personal information has

More information

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices The Health and Benefit Trust Fund of the International Union of Operating Section 1: Purpose of This Notice Notice of Privacy Practices Effective as of September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL

More information

The Health Information Protection Act

The Health Information Protection Act 1 The Health Information Protection Act being Chapter H-0.021* of the Statutes of Saskatchewan, 1999 (effective September 1, 2003, except for subsections 17(1), 18(2) and (4) and section 69) as amended

More information

We will not collect, use or disclose your personal information without your consent, except where required or permitted by law.

We will not collect, use or disclose your personal information without your consent, except where required or permitted by law. HSBC Privacy Notice HSBC's Privacy Principles HSBC Bank Canada is a subsidiary of HSBC Holdings plc which, together with its subsidiaries and affiliates, is one of the world s largest banking and financial

More information

PHYSICIANS REIMBURSEMENT FUND, INC. A Risk Retention Group. APPLICATION MD & DO Locum Tenens. 1. First Name: Middle Initial: Last Name:

PHYSICIANS REIMBURSEMENT FUND, INC. A Risk Retention Group. APPLICATION MD & DO Locum Tenens. 1. First Name: Middle Initial: Last Name: PHYSICIANS REIMBURSEMENT FUND, INC. A Risk Retention Group APPLICATION MD & DO Locum Tenens Applicant Information: 1. First Name: Middle Initial: Last Name: CA Medical License #: Expiration Date: Date

More information

GOODS AND SERVICES AGREEMENT BETWEEN SOUTHERN CALIFORNIA PUBLIC POWER AUTHORITY AND COMPANY/CONTRACTOR NAME

GOODS AND SERVICES AGREEMENT BETWEEN SOUTHERN CALIFORNIA PUBLIC POWER AUTHORITY AND COMPANY/CONTRACTOR NAME GOODS AND SERVICES AGREEMENT BETWEEN SOUTHERN CALIFORNIA PUBLIC POWER AUTHORITY AND COMPANY/CONTRACTOR NAME This GOODS AND SERVICES AGREEMENT ("Agreement") is entered into and effective [DATE], by and

More information

LEAD PROVIDER FRAMEWORK CALL OFF TERMS AND CONDITIONS

LEAD PROVIDER FRAMEWORK CALL OFF TERMS AND CONDITIONS LEAD PROVIDER FRAMEWORK CALL OFF TERMS AND CONDITIONS 1 LEAD PROVIDER FRAMEWORK - CALL OFF TERMS AND CONDITIONS - SUMMARY Where an Order Form is issued by the Authority that refers to the Framework Agreement,

More information

Dublin City University

Dublin City University Dublin City University Data Protection Policy Data Protection Policy Contents Purpose... 1 Scope... 1 Data Protection Principles... 1 Disclosure of Personal Data... 2 Summary of Responsibilities... 3 Rights

More information

CORK INSTITUTE OF TECHNOLOGY

CORK INSTITUTE OF TECHNOLOGY CORK INSTITUTE OF TECHNOLOGY DATA PROTECTION POLICY APPROVED BY GOVERNING BODY ON 30 APRIL 2009 INTRODUCTION Cork Institute of Technology is committed to a policy of protecting the rights and privacy of

More information

Trans Canada Trail Ontario

Trans Canada Trail Ontario TABLE OF CONTENTS Section PAGE 1.0 Purpose and Scope of Policy 1 2.0 Introduction and Regulations 1 3.0 Recruitment and Selection 1 4.0 Probation 2 5.0 Hours of Work 3 6.0 Performance Appraisal 3 7.0 Employee

More information

It is hereby notified that the President has assented to the following Act which is hereby published for general information:-

It is hereby notified that the President has assented to the following Act which is hereby published for general information:- PRESIDENT'S OFFICE No. 967. 14 June 1996 NO. 29 OF 1996: MINE HEALTH AND SAFETY ACT, 1996. It is hereby notified that the President has assented to the following Act which is hereby published for general

More information

Data Protection and Data security Policy

Data Protection and Data security Policy Data Protection and Data security Policy Statement of policy and purpose of Policy 1. Somer Valley Community Radio Ltd (the Employer) is committed to ensuring that all personal information handled by us

More information

Privacy and Security Resource Materials for Saskatchewan EMR Physicians: Guidelines, Samples and Templates. Reference Manual

Privacy and Security Resource Materials for Saskatchewan EMR Physicians: Guidelines, Samples and Templates. Reference Manual Privacy and Security Resource Materials for Saskatchewan EMR Physicians: Guidelines, Samples and Templates Guidelines on Requirements and Good Practices For Protecting Personal Health Information Disclaimer

More information

235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions

235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Data Protection (FADP) 235.1 of 19 June

More information

Privacy Policy Last Modified: April 3, 2015 1

Privacy Policy Last Modified: April 3, 2015 1 Privacy Policy Last Modified: April 3, 2015 1 Introduction Jamberry Nails, LLC, a Utah limited liability company, U.S.A., (referred to herein as Jamberry, we, us and our ) understands the importance of

More information

LONG ISLAND UNIVERSITY RECORDS RETENTION POLICY

LONG ISLAND UNIVERSITY RECORDS RETENTION POLICY LONG ISLAND UNIVERSITY RECORDS RETENTION POLICY Statement of Policy Long Island University requires the retention of University records for specific periods of time, regardless of format, taking into account

More information

Protecting your privacy

Protecting your privacy Protecting your privacy Table of Contents Answering your questions about privacy Your privacy... 1 Your consent... 1 Answering your questions about privacy... 2 About cookies... 9 Behavioural Advertising/Online

More information

John Leggott College. Data Protection Policy. Introduction

John Leggott College. Data Protection Policy. Introduction John Leggott College Data Protection Policy Introduction The College needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and

More information

2010THE LEGISLATIVE ASSEMBLY FOR THEAUSTRALIAN CAPITAL TERRITORY. WORKPLACE PRIVACY BILL 2010EXPLANATORY STATEMENT Circulated by Amanda Bresnan MLA

2010THE LEGISLATIVE ASSEMBLY FOR THEAUSTRALIAN CAPITAL TERRITORY. WORKPLACE PRIVACY BILL 2010EXPLANATORY STATEMENT Circulated by Amanda Bresnan MLA 2010THE LEGISLATIVE ASSEMBLY FOR THEAUSTRALIAN CAPITAL TERRITORY WORKPLACE PRIVACY BILL 2010EXPLANATORY STATEMENT Circulated by Amanda Bresnan MLA OVERVIEW The objects of this Bill are to ensure that employers

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

How To Ensure Health Information Is Protected

How To Ensure Health Information Is Protected pic pic CIHI Submission: 2011 Prescribed Entity Review October 2011 Who We Are Established in 1994, CIHI is an independent, not-for-profit corporation that provides essential information on Canada s health

More information

7. PROTECTION OF PRIVACY

7. PROTECTION OF PRIVACY 7. PROTECTION OF PRIVACY Overview This chapter covers the obligations of public bodies regarding the collection, use and disclosure of personal information; the accuracy of personal information; the retention

More information

COLLECTION AND DEBT REPAYMENT PRACTICES REGULATION

COLLECTION AND DEBT REPAYMENT PRACTICES REGULATION Province of Alberta FAIR TRADING ACT COLLECTION AND DEBT REPAYMENT PRACTICES REGULATION Alberta Regulation 194/1999 With amendments up to and including Alberta Regulation 57/2014 Office Consolidation Published

More information

Guide for Developing Personal Information Sharing Agreements. Revised October 2003 (updated to reflect A.R. 186/2008)

Guide for Developing Personal Information Sharing Agreements. Revised October 2003 (updated to reflect A.R. 186/2008) Guide for Developing Personal Information Sharing Agreements Revised October 2003 (updated to reflect A.R. 186/2008) ISBN 0-7785-3104-X Produced by: Access and Privacy Service Alberta 3rd Floor, 10155

More information

DATA PROTECTION AND DATA STORAGE POLICY

DATA PROTECTION AND DATA STORAGE POLICY DATA PROTECTION AND DATA STORAGE POLICY 1. Purpose and Scope 1.1 This Data Protection and Data Storage Policy (the Policy ) applies to all personal data collected and dealt with by Centre 404, whether

More information

Privacy Policy. Federal Insurance Company, Singapore Branch Singapore Personal Data Protection Privacy Policy. 1. Introduction

Privacy Policy. Federal Insurance Company, Singapore Branch Singapore Personal Data Protection Privacy Policy. 1. Introduction Privacy Policy 1. Introduction Federal Insurance Company, Singapore Branch ( we, our or us ) recognise the importance of protecting the privacy and the rights of individuals in relation to their personal

More information

Paychex Accounting Online Terms of Use

Paychex Accounting Online Terms of Use Paychex Accounting Online Terms of Use Paychex recommends that Client read the Terms of Use prior to using the Paychex Accounting Online Software ( Software ). If Client does not accept and agree with

More information