Under the Personal Information Protection Act (“PIPA”), any company that handles personal data will be deemed a ‘data handler’ and must comply with strict requirements. This includes employee personal data.

Privacy Policy

The PIPA requires a data handler to prepare a privacy policy covering:

  1. the purposes for which the personal data is being handled
  2. the duration for which data will be handled and retained
  3. the transfer of personal data to third parties
  4. the transfer of personal data to outsourced providers
  5. the data subject’s rights and obligations and how to exercise them
  6. what personal data is being handled
  7. how the personal data will be destroyed once used
  8. how the personal data will be secured

Clearly Articulated Purposes

Each and every purpose for which the personal data is being handled must be clearly articulated to the data subject. Generic statements are unlikely to satisfy the requirements. Employers must therefore carefully review how they are handling personal data and ensure that these purposes are captured within their privacy policy.

Minimum Use Principle

The regulator recommends that only the minimum amount of personal data should be handled, and for the minimum number of purposes. Employers often collect data without regard to its real purpose; the minimum use principle therefore forces employers to carefully review what personal data is actually required in order to manage the employment relationship.

Once the purpose has been satisfied, the personal data should be destroyed immediately unless there is a law or regulation which requires or permits the personal data to be retained. In an employment context, personal data is often retained for tax and auditing purposes but again, a careful review of what personal data should be retained is important to prevent an inadvertent breach.

Distinction Between Third Parties and Outsourced Providers

The PIPA distinguishes between third parties (who receive the personal data for their own benefit) and outsourced providers (who receive the personal data for the benefit of the employer). The rules differ between the two categories. It is therefore important to clearly identify whether personal data is being transferred to a third party or to an outsourced provider.

Reviewing Your Privacy Policies

Whilst there are certain exceptions to consent rules in relation to the collection and use of employee personal data, employers should review what personal data they are handling, and for what purposes. For multi-national organisations in particular, care should be taken when transferring employee data (either to third parties or outsourced providers) as the usual consent exceptions may not apply.