Companies in British Columbia, Canada are responsible for employee personal information they hold even after the employee has left the company.
In British Columbia, private sector organizations are governed by the Personal Information Protection Act of British Columbia (“PIPA”) rather than the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”). This is because BC’s legislation has been deemed “substantially similar” to PIPEDA by the federal government, which means provincially regulated organizations in BC follow PIPA instead of PIPEDA for commercial activities that take place within the province.
Your organization may still be subject to PIPEDA in other circumstances, such as inter-provincial and international activity, and to international privacy regulations depending on the circumstances.
Section 2 of PIPA simply states that the Act applies to every organization. As such, you can safely assume that if you are an employer in British Columbia, you have certain obligations under PIPA, both during the employment relationship and obligations that survive the termination of the employment relationship.
PIPA defines “employee personal information” as personal information collected, used, or disclosed solely for the purposes reasonably required to establish, manage, or terminate an employment relationship between the organization and that individual, but does not include personal information that is not about an individual’s employment.
PIPA’s substantive provisions map onto and give effect to the same fair information principles that underpin PIPEDA, though it does so through its own operative sections. Below is a discussion of these principles as they relate to managing the post-employment relationship.
1. Accountability: the organization remains responsible for a former employee’s personal information for as long as it holds it; that responsibility does not end on the employee’s last day of work. If you have handed a former employee’s records to a third party, for example a payroll processor or an off-site storage company, you are still accountable for how that information is handled.
2. Identifying Purposes: the purpose for which you have collected employee personal information should have been identified before or at the time of collection. After termination, the question you should be asking is whether you have a continuing purpose for holding that information. Post-termination, there are legitimate purposes for holding information, such as processing final pay, issuing a Record of Employment, responding to reference checks, and defending against potential litigation.
3. Consent: During the employment relationship, PIPA allows organizations to collect, use, and disclose employee personal information without consent where doing so is reasonable for the purposes of establishing, managing, or terminating the employment relationship, provided that the employee was notified (ss. 16 and 19 of PIPA).
This exemption from seeking consent in these limited circumstances continues to apply to post-employment activities that are related to terminating the relationship. However, it does not extend to new purposes that have nothing to do with winding down the employment relationship.
4. Limiting Use, Disclosure, and Retention: As previously indicated, an employer can only collect, use, and disclose employee personal information where it is reasonable for establishing, managing, or terminating the employment relationship. After termination, this might be for the legitimate purposes previously described, such as processing final pay, issuing a Record of Employment, and defending against potential litigation.
You might be wondering what you can or should disclose when a potential employer calls for a reference check about your previous employee. The safest practice is to confirm only the dates the employee held the position and only go further with the former employee’s express consent.
On the issue of retention, section 35(1) of PIPA sets a floor: if the organization used the information to make a decision that directly affected the employee, which a termination obviously is, it must retain that information for at least one year, so the individual has a reasonable opportunity to request that information. While PIPA requires retention of personal information for one year, the Employment Standards Act (“ESA”) imposes longer retention periods depending on what personal information is at issue. This is discussed further below. Keep in mind that a longer retention period can be advisable. It is always a good idea to consult with a lawyer whenever a termination has the potential to result in a lawsuit.
Section 35(2) of PIPA then sets a ceiling: once the original purpose is no longer being served and retention is no longer necessary for legal or business purposes, the organization must destroy the information or remove the means by which it can be associated with the individual.
Statutes layer on top of each other. For example, you won’t know all there is to know about retaining records simply from reading PIPA. In the employment context, you would also need to review the relevant sections of both the ESA and the Income Tax Act (“ITA”).
Section 25(2)(c) of the ESA states that where an employer and the majority of the affected employees at a workplace agree that the employees will clean their own special clothing and maintain it in a good state of repair, the employer must retain for 4 years records of the agreement and the amounts reimbursed.
Section 28 of the ESA in British Columbia states that an employer must keep payroll records for at least four years from the date the records were created, at the employer’s principal place of business, and in English.
It is important to note that a failure to keep payroll records may attract a monetary penalty pursuant to s. 98 of the Employment Standards Act in BC.
Section 37(13) of the ESA states that an employer must retain an averaging agreement under that section for four years following the latest expiry of the agreement.
Section 48 of the ESA states that agreements between the employer and the employee about substituting another day for a statutory holiday must be retained for four years.
Additionally, s. 230(4) of the ITA requires that tax-related records be kept for six years from the end of the last tax year to which they relate.
So, while PIPA states that information regarding an employee is to be retained for one year, employers have the additional obligation of retaining certain agreements and payroll records, as indicated above, for four years, and tax-related records for even longer.
For this reason, not all personal information can be treated the same, and depending on the size and breadth of the personal information your organization handles, you may need robust classification and retention schedules. At a minimum, it is generally a good idea to document the personal information your organization holds, where it holds it, and what the retention period is for that information, to ensure that your organization is in compliance with its obligations under the various laws discussed thus far.
5. Accuracy: Employers have an obligation to ensure that the personal information they collect from an employee is accurate, complete, and up to date as necessary for the purposes for which it is being collected. After termination, this is less often applicable but could come up, for example, if you are administering a pension or responding to a reference request. If a former employee tells you the information you have about them is incorrect, you have an obligation to deal with that request.
6. Safeguards: Personal information must be protected by security measures appropriate to the sensitivity of the information. This does not expire when the employment relationship ends. For as long as you hold a former employee’s data, you need to be safeguarding it in some form, ideally several, for example technical and physical safeguards (e.g. firewalls, encrypted files, locked filing cabinets, and others).
If a breach occurs that compromises highly sensitive data, for example payroll records that contain a former employee’s full address, social insurance number, etc., and tax-related documents, at the very least the employer will be required to notify the affected former employees. Depending on the sensitivity of the personal information at stake, the employer could also be liable and face litigation by the affected former employees for the breach of their information.
This is an important point that is worth raising, as in our practice we have seen remarkably casual approaches to storing employee files, ranging from filing boxes in an unlocked storage room to digital files on a shared drive with no role-based access restrictions.
7. Openness: The organization must make information about its privacy policies and practices readily available to its employees. Ideally your privacy policy should address what happens to employee data including employee personal information after termination, how long it is retained, and how it is eventually destroyed.
8. Individual Access: Former employees retain the right to access their personal information that is being held by the employer, and to ask for corrections. The organization has 30 days to respond to the request. An employer cannot simply refuse the request because the employee is no longer employed by the organization. There are limited exceptions for solicitor-client privilege and confidential commercial information, but the default is access. When faced with an access request, it may be a good idea to speak with a privacy lawyer to understand what must be disclosed and what should be redacted to comply with PIPA.
Former employees request access to their information for various reasons: sometimes it is shortly after termination and for their own record keeping, or when the former employee is contemplating a wrongful dismissal claim. Other times, it is pure curiosity, and because the avenue exists to seek this information.
9. Challenging Compliance: A former employee who believes that the organization is not complying with PIPA can challenge that compliance. An employer must have a designated Privacy Officer who can deal with access requests when that happens. If a former employee is not satisfied with the employer’s handling of their personal data or access request, they may complain to the Office of the Information and Privacy Commissioner of British Columbia (OIPC). The OIPC has the authority to investigate these complaints, conduct audits, and issue orders.
For BC employers, it is best practice to set up a robust privacy policy, designate a Privacy Officer, and establish a process to handle access requests and other questions related to the handling of individuals’ personal data. If the employer is a small or medium-sized business, you may find it beneficial for your organization to outsource the role of Privacy Officer to an external organization. If you would like to hear how we can assist with setting up this structure, or if you have any other questions about privacy practices for BC employers, we invite you to contact our office for further guidance.