In this series of blog posts, we share the sections on employee privacy and the components of a privacy program from one of the chapters, "Cybersecurity, Privacy and Data Protection", of our publication Cross Border Retailers Guide To Doing Business in Canada 2021.

We hope you will find it informative. For more information, please contact Joyce Lee, Michael Scherman and Jade Buchanan.

Employee Privacy

Brands that hire employees in Canada may need to comply with privacy laws as they apply to employees (depending on the situation). For example, in British Columbia and Alberta, employee personal information is subject to the same privacy legislation as consumer information, but there are special exceptions for employees. In particular, employers may collect, use and disclose employee information without consent where: (i) it is reasonable for establishing, managing or terminating an employment relationship; and (ii) the employee has notice of the purpose of that collection, use and disclosure before collection. To comply, organizations that hire individuals in Canada should develop a set of policies and processes for collecting, using and disclosing employee personal information. For simplicity, organizations can include notices in employee handbooks or include them with other employee privacy training or policies.

Components of a Privacy Program

Components of a brand's privacy program include:

- an assessment of which laws apply and when;

- the adoption of a privacy policy, and personal information management practices, to ensure compliance with applicable privacy laws;

- the appointment of an individual (a "privacy officer") who will be responsible for the administration and oversight of the organization's personal information management practices and who will be prepared to implement any changes required by applicable legislation;

- a review of the organization's current personal information practices outside Canada to determine how those practices may need to be changed for the collection, use and disclosure of personal information in Canada. This will include:

  • determining what personal information is collected and from where;
  • assessing what consents are obtained and what purposes are identified when collecting personal information;
  • tracking where personal information is stored and how it is used, transferred and disclosed;
  • a review of the organization's data management infrastructure to ensure that the infrastructure is adequately flexible and robust to facilitate implementation of the organization's privacy policies and data management practices;

- the implementation of consent language in contracts, forms (including web forms) and other documents utilized when collecting personal information from individuals (including customers and employees);

- the development and testing of an incident response plan (or update of the existing response plan to comply with Canadian requirements) to comply with mandatory breach notification; and

- a standard approach to dealing with third parties who may have access to the personal information for which the organization is responsible. This may include appropriate contractual terms, such as:

  • specifying the ownership of the data;
  • ensuring that the third party will provide adequate security safeguards for the information;
  • ensuring that the personal information will be used only for the purposes for which it was provided to the third party;
  • ensuring that the third party will cease using (and return or destroy) the personal information if requested; and
  • ensuring that the third party will assist the organization in complying with privacy legislation, including the breach notification obligations (discussed above).

Brands should also consider risk allocation, such as requiring indemnification by the third party for any breach of such terms.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.