The Personal Information Protection Act (“PIPA” or the “Act”) came into force on January 1, 2004 and regulates the collection, use and disclosure of personal information by private sector organizations in British Columbia. PIPA’s introduction saw organizations racing to bring themselves into compliance with the Act. While this initial flurry has since abated, it remains incumbent on all private sector organizations in B.C. to develop and follow policies that ensure compliance with the Act.
What Organizations Must Do To Ensure Personal Privacy
The Act requires all private sector organizations in B.C. to adopt policies setting out how they will maintain and protect personal information collected in the course of business. Privacy policies must address how personal information is collected, used, maintained and disclosed. An organization’s privacy policy should also address how employee (and prospective employee) personal information will be managed as employee personal information is specifically included in the definition of “personal information” in the Act.
No Consent Needed From Employees For Collecting Personal Information
While employee personal information is specifically contemplated in the Act, the treatment of an employee’s information will differ from the treatment of other types of personal information that an organization may collect. Specifically, PIPA dispenses with the requirement that an organization obtain the consent of its employees prior to collecting personal information, implying consent by virtue of the employment relationship. The employer is, however, required to give notice to all employees and candidates that it will be collecting personal information and to advise them both why the information is being collected and why the collection is required.
Importance of Complying With Act’s Provisions
As consent is implied, it is imperative that employers govern themselves throughout both the hiring process and the employment relationship in strict compliance with the Act. The type of information gathered in the course of the hiring process and during the employment relationship must be restricted to information that is germane to the employee’s role or that is necessary to assess the candidate’s suitability for the position. Collecting information outside this scope could lead to complaints pursuant to the B.C. Human Rights Code. The collection of irrelevant information is a particular challenge for organizations that conduct social media background checks.
Exercising Diligence During Social Media Searches
Given the type of information that is readily available through social media and internet searches, the collection of personal information about employees and candidates is a potential minefield for employers. They should be particularly cautious about gathering information on social media sites that may be inaccurate, outdated, over-broad or irrelevant to the purpose for collection. Organizations must consider if they need to make use of social media in hiring and employee management and, if so, how they will make use of social media sites and other on-line resources when evaluating candidates and employees. Specifically, organizations must take steps to ensure that a policy setting out the parameters—including the purpose for collection, the types of information to be collected, and the controls in place to protect the information collected—is in place and followed.
How To Make Sure Your Organization Is Complying With The Act
In order to comply with the provisions of the Act and the protections afforded to employees’ personal information, organizations are encouraged to:
1. Adopt a privacy policy that clearly sets out how the organization will comply with PIPA, including how information will be collected, used and disclosed. This policy should address if, how, and when information will be collected from social media sites and the internet generally and should contain a statement setting out the scope of inquiry.
2. Train management and staff involved in the hiring process and in ongoing human resources roles on the organization’s privacy obligations. Training should address issues of confidentiality and the scope of questions and inquiry that can be made about prospective and current employees. Management and human resources staff must ensure that all employee and candidate files are complete and accurate.
3. Ensure that candidates are notified prior to conducting reference checks.
4. Prepare a list of questions prior to contacting references or conducting interviews to ensure that the discussion does not stray away from relevant, position-specific discussions.
5. Ensure that all staff understand the organization’s policies with respect to résumé collection. In particular, the organization has an obligation to ensure that all résumés, whether solicited or not, are collected and/or disposed of properly.
6. Designate a privacy officer who will be responsible for responding to requests for access to personal information and for responding to requests for corrections to personal information.
Compliance with PIPA plays an important role in establishing, managing and terminating employment relationships. While the above recommendations provide a starting point, they are not exhaustive. Every private sector organization in B.C. should take steps to introduce a privacy policy that is specifically tailored to that organization’s needs and to ensure that management and staff are trained and comfortable with the policy in order to ensure compliance with the Act.
For more information on how privacy legislation affects employers and employees, please contact Veronica Rossos at vrossos@singleton.com.