Your Payroll Privacy Questions Answered, third edition

Payroll & Privacy: Is Your Organization Doing Everything It Should?

Created by the CPA, the authoritative source of Canadian payroll knowledge, and privacy experts Murray Long and John Wunderlich, Your Payroll Privacy Questions Answered, third edition, is a must-have resource for those individuals who are responsible for payroll and related functions in their organizations.

Payroll, by its very nature, has always operated with the realities of confidentiality and privacy protection. This updated edition of Your Payroll Privacy Questions Answered looks at how the federal and provincial privacy laws apply to payroll management and what precedents have been set thus far. It discusses what must be done, what should be done and what would be beneficial to do, as it relates to privacy.

The book is based on the CPA’s payroll and privacy web seminars and contains over 140 pages of answers based on real questions submitted by our members.

About the CPA

The Canadian Payroll Association (CPA) has been representing employers’ payroll interests since 1978 through its mission of Payroll Leadership through Advocacy and Education. Effective and efficient payroll administration is mission-critical given the magnitude of remuneration paid by employers and the breadth of legislative compliance requirements.

As the authoritative source of Canadian payroll knowledge for more than 35 years, the CPA influences payroll service bureaus, software providers, hundreds of thousands of small, medium and large employers, as well as federal and provincial tax authorities. The CPA also delivers certification courses, professional development seminars, and products and services that enable the payroll community to enhance their operations, meet new legislative requirements, address changing workplace needs and utilize emerging technologies.

By Murray Long, John Wunderlich

ISBN 978-0-9736167-6-7

Payroll & Privacy: Is Your Organization Doing Everything




FOREWORD

On January 1, 2004, the Personal Information Protection and Electronic Documents Act (PIPEDA) came into force in Canada. This federal law applies to the collection, use or disclosure of personal information in the course of any commercial activity in Canada, except where similar provincial laws apply. However, PIPEDA only applies to the employment information of federally regulated companies. The provinces of Alberta, British Columbia and Quebec have enacted similar laws, which expand beyond PIPEDA to include employee information of all enterprises in their respective provinces. Payroll, by its very nature, has always operated under the assumption of confidentiality and non-disclosure of employees’ personal information. Now there is a legal framework to back up that assumption.

The Canadian Payroll Association offered our first webinar over 10 years ago on payroll and privacy, and has offered subsequent sessions on the topic since. Many of the questions that have been addressed on the topic are what are presented in this publication. Originally Murray Long was engaged to produce the first edition of this publication, which answers all the questions. John Wunderlich has since been engaged to provide updated perspectives on the impact of privacy to the payroll function. What both authors have always found fascinating has been the range, variety and complexity of the questions asked from professionals working in the area of employment privacy. Since our first publication, new questions and new legislation related to PIPEDA have been enacted. Combined with the update to PIPEDA, that passed in 2015, this led to our third update of the book.


What has remained consistent throughout time is the high priority employment privacy is given in privacy law. As increasingly more privacy complaints are resolved by Privacy Commissioners and the courts and increasingly more new employment privacy issues come to the forefront, it will be interesting to watch the changing focus in this area. The breadth of questions addressed in this updated book also underscores the opportunity for payroll to play a key role in offering leadership and expertise in this important field.

One thing remains true: There will always be a need for continuing business education about privacy laws and how they impact the work you do as payroll professionals to protect the privacy of others. It is the hope of the Association that this publication will represent a small contribution to that effort.

Steven Van Alstine, CPM, CAE
Vice-President, Education
The Canadian Payroll Association


ABOUT THE AUTHORS

Murray Long is a noted Canadian privacy law expert. From 1993 to 1996, he participated in the development of the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information. In 1997, he started his own consulting service focusing on privacy law. He has provided advice and guidance to organizations in virtually all sectors of the economy, including the financial services industry, telecommunications companies, the transportation sector, charities, health care delivery, the retail industry, and government agencies such as Health Canada, Industry Canada and the Office of the Privacy Commissioner. He has developed numerous tailored codes and procedures manuals based on the CSA Model. As an authority with practical implementation experience, Mr. Long is a much sought-after speaker at privacy conferences and workshops, and contributor to privacy publications. In 2007, he testified as an expert witness before the House of Commons committee reviewing PIPEDA. In 2008, he appeared before a committee of the British House of Lords examining privacy and surveillance issues. He has most recently been asked to develop and present a training session on privacy for the small business sector at the request of the Office of the Privacy Commissioner.

John Wunderlich is an information privacy and security expert with extensive experience in information privacy and data security. He has designed, built, operated and assessed systems for operations and compliance in the private and public sectors for over 25 years. This includes working or consulting in senior roles for Fortune 500 corporations, government ministries, small companies, volunteer organizations, regulators, and health systems organizations of all sizes. He adds value to organizations that need to meet multiple stakeholder expectations for the responsible information management of personal information. John works with organizations to enable them to focus on measurable performance and process improvement so that they can focus on risk management rather than crisis management.

Disclaimer

The information presented in this publication represents solely the opinions of the authors. While efforts have been made to answer all questions to the best of the authors’ ability as privacy experts, there is no claim as to the absolute reliability and accuracy of any information presented herein, and there will be no acceptance of liability or responsibility for any errors or omissions either on the part of the authors or The Canadian Payroll Association. Readers are encouraged to seek qualified legal advice on points of law or matters of interpretation.


TABLE OF CONTENTS

Foreword
About the Author
Disclaimer
Overview

1 Application of Privacy Laws
2 What is Personal Information?
3 Roles and Duties of a Privacy Officer
4 Recruitment Issues and References
5 Social Insurance Numbers (SINs)
6 Employee Privacy Policies
7 Consent
8 Managing Employee Data within the Organization
9 File Retention Periods
10 Access to Employee Files
11 Disclosing Employee Information to Third Parties, including Employment or Salary Verification
12 Disclosing Employee Information to a Government Authority
13 Transfers for Processing (Outsourcing)
14 Birthday Cards, Departmental Newsletters and Photographs
15 Medical Data and Drug Testing
16 Safeguards
17 Breach Notification
18 Privacy Education and Training
19 Phone and Email Monitoring and Video Surveillance
20 Oversight and Redress
21 Data Transfers to Other Countries and the Impacts of the USA PATRIOT Act
22 Specific Questions about Provincial Laws
23 Application of PIPEDA by Insurance Carriers
24 More Information about Privacy Laws and Tools

Appendices