The current emphasis on security and safety has dramatically increased the number of criminal background checks conducted in the workplace. Job applicants and existing employees may be asked to submit to such background checks. Therefore, an individual’s successful application for an employment position can depend on the information revealed in a criminal background check. In certain circumstances screening is even mandated by federal or provincial legislation (e.g. Safe Schools Act).

In short, employers are being cautious. At the same time, applicants and employees are concerned that employers are requiring access to information that are irrelevant to their competencies and the applicable position.

An employer may lawfully conduct a criminal background check on a prospective employee. In addition, it is permissible to make an offer of employment conditional upon a candidate’s consent to a criminal background check even where the candidates are existing employees. However, a signed release which gives the applicant's consent to check criminal records must be obtained.

With the implementation of the PIPEDA employers should ensure that compliance mechanisms are in place for accessing information from prospective employees. The purpose and necessity of their request for a criminal background check can be scrutinized under this legislation.

In order to access information of an applicant’s criminal background certain steps must be taken at the interview stage of the employment process. During an interview, employers are permitted to ask whether applicants have been convicted of a criminal offence for which a pardon has not been granted.

Keep in mind however, that an employer is not at liberty to discriminate on the basis of a candidate’s “record of offences” and must tailor interview and application form questions accordingly. Section 3(1) of the Canadian human Rights Act (“CHRA”) extends this protection to criminal convictions for which a pardon has been granted. However, if the individual has not received a pardon for their offence they are not afforded any protection under the CHRA.

An employer can also ask if an applicant is bondable. If driving is an essential job duty (e.g. bus driver), questions pertaining to an employee’s record of convictions under the Highway Traffic Act are also permissible.

It is however important for employers to keep in mind that the Canadian Human Rights Commission suggests as a matter of policy, that employers avoid questions about or relating to whether an applicant has ever been arrested; convicted of any offence or has a criminal record. Generally, the Commission discourages inquiries about criminal records or convictions unless related to job duties. As stated, under the PIPEDA the purpose and necessity such requests are considered relevant.

Nevertheless, such questions are not unlawful if they are prefaced with the qualification that the employer does not want the response to include reference to any offence for which a pardon was ultimately granted, and if they are reasonably related to the position being applied for.

Employees should be aware that if criminal background inquiries are reasonably related to the requirements of the position, giving a false answer to such questions will likely constitute just cause for dismissal.

By and large, employers cannot be held liable for declining to employ an individual based on their refusal to submit to a criminal background check. As human rights legislation does not limit the employer's right to request such information it is unlikely that such an action against an employer would be successful.

Prospective employees may however now generally rely on s. 5(3) of the Personal Information Protection and Electronic Documents Act S.C. 2000, c. 5 which states, "an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances."

Thus, where an organization seeks personal information for reasons that are not “appropriate” an aggrieved applicant may seek a remedy under the PIPEDA, including an Order for compensation for losses incurred and/or failure to obtain the position. No such complaints have been filed to date.

If an existing employee consents to a background check and the results indicate that the employee has committed a criminal offence then an employer cannot unilaterally dismiss the employee. An employer must first establish that the nature of the offence (which was presumably not related to the employees work for this employer) was directly related to the ability of the employee to carry out his job duties or materially impacted on the operations of the employer. For example, if bondability is a genuine requirement for a position and if the employer can establish that the employee can no longer be bonded then the loss of that bondabilty may constitute cause for dismissal. Whether cause is established in any particular case will depend on the nature and circumstances of the offence and the employee’s position.

Employers are advised to review the compliancy mechanisms outlined under the PIPEDA in order to determine whether such checks are permissible with a mind to the requirements of the position being advertised.

A New Face for Privacy in the Workplace

The right of employers to protect their business interests has often conflicted with the right of the individual to protect their privacy. In Ontario specifically, no provincial legislation has directly addressed the individual’s right to privacy. As a result, the implementation of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”) on January 1, 2004 has made privacy in the workplace an issue for Ontario employers to address. To this end, understanding how this legislation will impact organizations is the first step towards addressing the concerns of employers, workers, and consumers in the current market place.

PIPEDA requirements came into effect for all Ontario businesses pursuant to a federal government mandate that PIPEDA would operate in all Canadian provinces which failed to enact substantially similar legislation by January 1, 2004.

PIPEDA has been in force since January 1, 2001 for all federal works, undertakings or businesses. However, prior to January 2004 there was no privacy legislation in place directly applicable to private sector Ontario businesses.

PIPEDA is essentially designed to make provincially regulated businesses more accountable for personal information they gather about consumers and members of the public. The legislation specifically prohibits the collection and disclosure of personal information without their specific consent. In addition, PIPEDA targets the purpose for requesting information, making the inquiry contingent upon what a reasonable person would consider appropriate in the circumstances. The initiative is designed to give individuals more control over their personal information. However, the exact implications of this legislation are still unclear.

Legislators and the Privacy Commission have provided few guidelines to provincial businesses as to the form of compliancy it meant to take. For example, the legislation does not provide any guidelines as to how specific the consent has to be or the manner in which the consent should be obtained.

Because Ontario has never had specific legislation for privacy protection, the uncertainty surrounding PIPEDA will likely impact on a “smooth transition”. Small businesses will be subject to the same privacy protection demands as federal banks, including formal approval mechanisms and the designation of staff to implement compliance. Clearly, the legislation was designed for application to large businesses and federal works, rather than smaller provincial organizations.

Initially, the Ontario Ministry of Consumer and Business Services proposed draft privacy legislation – the Privacy of Personal Information Act (PPIA) that would apply to both private and health sector privacy issues. However, this draft bill was never approved due to criticisms and internal disputes as to its content. As no substantially similar legislation on privacy was put into place prior to January 1, 2004 in Ontario, PIPEDA requirements came into effect provincially.

PIPEDA applies to all businesses that collect, use, or disclose personal information during the course of a commercial activity.

Under PIPEDA, personal information is defined as information about an identifiable individual. A commercial activity is described as any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. Due to this broad definition, the PIPEDA essentially governs most private sector organizations in Ontario.

Some confusion about the implementation of PIPEDA surrounds its application to employees of an organization. Generally, the view is that PIPEDA will not affect personal information collected about an employee, other than in relation to a federal work, undertaking or business. This is due to the fact that the federal government does not have constitutional authority to regulate employment, property, and civil rights. Other legislation such as the Occupational Health and Safety Act and the Human Rights Act provide some indirect safeguards for employee privacy rights.

The general trend towards privacy protection rights for individuals is however, making businesses more aware of their obligations to their employees as well as consumers.

Schedule 1 of PIPEDA lays out 10 principles that all businesses are required to adopt to ensure compliance. These principles include accountability, identifying purposes, consent, limiting collection, use, disclosure and retention, safeguards and individual access and include some issues of compliance that all small businesses should be made aware of.

In this regard, employers are encouraged to develop compliance mechanisms that will address the requirements of PIPEDA. Organizations must ensure that they obtain meaningful consent for the release of the personal information requested. Contracts should detail the purpose and conditions under which consent is sought.

Meaningful consent involves alerting individuals to the purposes for which the information will be used or disclosed in a “reasonable” manner. As previously stated, PIPEDA does not provide guidelines as to the form the consent should take, however, it is required to meet the objective test specified under PIPEDA. This purpose must also be perceived as objectively reasonable under the circumstances.

Consent can be explicit or implied depending on the nature of the information and the circumstances under which it is obtained. Explicit consent should be obtained if the data is to be shared with others or can be considered “sensitive”. PIPEDA states that information such as health or financial records will be considered “sensitive” in most cases. However, any personal information can be deemed sensitive with a view to the context in which it is collected, used, or disclosed. In certain circumstances, an agreement must be made with a third party source to guarantee the records will only be used for the specified purpose.

Individuals must be granted access to any personal information that an organization has in its possession within 30 days of making a formal request for such information. Organizations that do not promptly comply with such requests face sanctions under PIPEDA.

When storing information businesses must maintain the accuracy of their records, keeping in mind that consent is not unlimited. That is, businesses may only update records with the purpose of the original consent in mind. Records may only be retained for as long as the purpose for which the consent was obtained. In addition, safeguards to protect the information must be implemented along with an inquiry and complaint procedure in the event breaches occur. To this end PIPEDA requires the appointment of an individual to oversee the organization’s privacy management practices.

In addition to internal complaint mechanisms, it should also be noted that PIPEDA has rather onerous enforcement guidelines. Under PIPEDA the Privacy Commissioner has the ability to initiate complaints and audits. Furthermore, individuals may initiate personal complaints alleging violations of the legislation. The Commissioner must investigate all complaints. Following an investigation into a complaint a report and recommendation may be issued. The Commissioner has broad powers to audit an organization’s information practices, order search and seizure of business records, and compel testimony to determine whether a violation has occurred.

If a report is issued a complainant may request a trial based on any matter alleged in the original complaint. Offenders can be fined up to $100,000 for a breach, in addition to punitive damages. Public denunciation of the organization’s practices may follow.

While there appears to be a marked importance to implementing PIPEDA compliance mechanisms, the new face of privacy in the workplace is still obscured. At the moment the legislation does not seem to affect the privacy rights of employees, but could have implications for individuals who leave or are dismissed from employment.

There are obvious implications for business clients and customers, but the scope and extent of these guidelines are not defined and will certainly be tested.