Your Payroll Privacy Questions Answered, third edition
By Murray Long, John Wunderlich

ISBN 978-0-9736167-6-7

Payroll & Privacy: Is Your Organization Doing Everything It Should?

Payroll, by its very nature, has always operated with the realities of confidentiality and privacy protection. This updated edition of Your Payroll Privacy Questions Answered looks at how the federal and provincial privacy laws apply to payroll management and what precedents have been set thus far. It discusses what must be done, what should be done and what would be beneficial to do, as it relates to privacy.

The book is based on the CPA’s payroll and privacy web seminars and contains over 140 pages of answers based on real questions submitted by our members.

Created by the CPA, the authoritative source of Canadian payroll knowledge, and privacy experts Murray Long and John Wunderlich, Your Payroll Privacy Questions Answered, third edition, is a must-have resource for those individuals who are responsible for payroll and related functions in their organizations.

About the CPA

The Canadian Payroll Association (CPA) has been representing employers’ payroll interests since 1978 through its mission of Payroll Leadership through Advocacy and Education. Effective and efficient payroll administration is mission-critical given the magnitude of remuneration paid by employers and the breadth of legislative compliance requirements.

As the authoritative source of Canadian payroll knowledge for more than 35 years, the CPA influences payroll service bureaus, software providers, hundreds of thousands of small, medium and large employers, as well as federal and provincial tax authorities. The CPA also delivers certification courses, professional development seminars, and products and services that enable the payroll community to address legislative requirements, enhance their operations, meet new changing workplace needs and utilize emerging technologies.

FOREWORD

On January 1, 2004, the Personal Information Protection and Electronic Documents Act (PIPEDA) came into force in Canada. This federal law applies to the collection, use or disclosure of personal information in the course of any commercial activity in Canada, except where similar provincial laws apply. However, PIPEDA only applies to the employment information of federally regulated companies. The provinces of , and have enacted similar laws, which expand beyond PIPEDA to include employee information of all enterprises in their respective provinces. Payroll, by its very nature, has always operated under the assumption of confidentiality and non-disclosure of employees’ personal information. Now there is a legal framework to back up that assumption.

The Canadian Payroll Association offered our first webinar over 10 years ago on payroll and privacy, and has offered subsequent sessions on the topic since. Many of the questions that have been addressed on the topic are what are presented in this publication. Originally Murray Long was engaged to produce the first edition of this publication, which answers to all the questions. John Wunderlich has since been engaged to provide updated perspectives on the impact of privacy to the payroll function. What both authors have always found fascinating has been the range, variety and complexity of the questions asked from professionals working in the area of employment privacy.

Since our first publication, new questions and new legislation related to PIPEDA have been enacted. Combined with the update to PIPEDA, that passed in 2015, this led to our third update of the book. What has remained consistent throughout time is the high priority employment privacy is given in . As increasingly more privacy complaints are resolved by Privacy Commissioners and the courts and increasingly more new employment privacy issues come to the forefront, it will be interesting to watch the changing focus in this area.

The breadth of questions addressed in this updated book also underscores the opportunity for payroll to play a key role in offering leadership and expertise in this important field. One thing remains true: There will always be a need for continuing business education about privacy laws and how they impact the work you do as payroll professionals to protect the privacy of others. It is the hope of the Association that this publication will represent a small contribution to that effort.

Steven Van Alstine, CPM, CAE
Vice-President, Education
The Canadian Payroll Association

ABOUT THE AUTHORS

Murray Long is a noted Canadian privacy law expert. From 1993 to 1996, he participated in the development of the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information. In 1997, he started his own consulting service focusing on privacy law. He has provided advice and guidance to organizations in virtually all sectors of the economy, including the financial services industry, telecommunications companies, the transportation sector, charities, health care delivery, the retail industry, and government agencies such as Health Canada, Industry Canada and the Office of the Privacy Commissioner. He has developed numerous tailored codes and procedures manuals based on the CSA Model. As an authority with practical implementation experience, Mr. Long is a much sought-after speaker at privacy conferences and workshops, and contributor to privacy publications. In 2007, he testified as an expert witness before the House of Commons committee reviewing PIPEDA. In 2008, he appeared before a committee of the British House of Lords examining privacy and issues. He has most recently been asked to develop and present a training session on privacy for the small business sector at the request of the Office of the Privacy Commissioner.

John Wunderlich is an and security expert with extensive experience in information privacy and . He has designed, built, operated and assessed systems for operations and compliance in the private and public sectors for over 25 years. This includes working or consulting in senior roles for Fortune 500 corporations, government ministries, small companies, volunteer organizations, regulators, and health systems organizations of all sizes. He adds value to organizations that need to meet multiple stakeholder expectations for the responsible information management of personal information. John works with organizations to enable them to focus on measurable performance and process improvement so that they can focus on risk management rather than crisis management.

Disclaimer

The information presented in this publication represents solely the opinions of the authors. While efforts have been made to answer all questions to the best of the authors’ ability as privacy experts, there is no claim as to the absolute reliability and accuracy of any information presented herein, and there will be no acceptance of liability or responsibility for any errors or omissions either on the part of the authors or The Canadian Payroll Association. Readers are encouraged to seek qualified legal advice on points of law or matters of interpretation.

TABLE OF CONTENTS

Foreword
About the Author
Disclaimer
Overview
1 Application of Privacy Laws
2 What is Personal Information?
3 Roles and Duties of a Privacy Officer
4 Recruitment Issues and References
5 Social Insurance Numbers (SINs)
6 Employee Privacy Policies
7 Consent
8 Managing Employee Data within the Organization
9 File Retention Periods
10 Access to Employee Files
11 Disclosing Employee Information to Third Parties, including Employment or Salary Verification
12 Disclosing Employee Information to a Government Authority
13 Transfers for Processing (Outsourcing)
14 Birthday Cards, Departmental Newsletters and Photographs
15 Medical Data and Drug Testing
16 Safeguards
17 Breach Notification
18 Privacy Education and Training
19 Phone and Email Monitoring and Video Surveillance
20 Oversight and Redress
21 Data Transfers to Other Countries and the Impacts of the USA PATRIOT Act
22 Specific Questions about Provincial Laws
23 Application of PIPEDA by Insurance Carriers
24 More Information about Privacy Laws and Tools
Appendices