compliance

2025-08-23 03:04:28 -04:00
parent d2af9893de
commit 06cb9be0e3
8 changed files with 996 additions and 87 deletions

Binary file not shown.

Binary file not shown.


@@ -336,27 +336,216 @@ applicable statutory deductions.</p>
</section> </section>
<section id="statistics-canada"> <section id="statistics-canada">
<h2><span class="section-number">2.5. </span>Statistics Canada<a class="headerlink" href="#statistics-canada" title="Link to this heading"></a></h2> <h2><span class="section-number">2.5. </span>Statistics Canada<a class="headerlink" href="#statistics-canada" title="Link to this heading"></a></h2>
<p>Statistics Canada produces statistics that help Canadians better understand their country—its
population, resources, economy, society and culture.
In Canada, providing statistics is a federal responsibility. As Canadas central statistical
agency, Statistics Canada is legislated under the Statistics Act to serve this function for the
whole of Canada and each of the provinces/territories.
Objective statistical information is vital to an open and democratic society. It provides a solid
foundation for informed decisions by elected representatives, businesses, unions and non-
profit organizations, as well as individual Canadians.
Statistics Canada is committed to protecting the confidentiality of all information entrusted to
them and to ensure that the information delivered is timely and relevant to Canadians.</p>
</section> </section>
<section id="personal-privacy"> <section id="personal-privacy">
<h2><span class="section-number">2.6. </span>Personal Privacy<a class="headerlink" href="#personal-privacy" title="Link to this heading"></a></h2> <h2><span class="section-number">2.6. </span>Personal Privacy<a class="headerlink" href="#personal-privacy" title="Link to this heading"></a></h2>
<p>The Canadian federal government and all provincial governments have legislation that sets
limits on the collection, use or disclosure of personal information. Private sector privacy laws
in Canada currently only cover the employee personal information of employees that work
for federally regulated companies or who are located in one of the four provinces with
provincial private sector privacy laws: Alberta, British Columbia, Manitoba and Québec1.
Public sector employees have some privacy protection under all jurisdictions except Ontario
which excludes employee information from its public sector privacy legislation. Employees
who are covered by a collective agreement also have statutory privacy protection based on
arbitral jurisprudence and their particular collective agreement. Therefore, approximately
half of workers in Canada have privacy rights backed by legislation, while the remaining
50% of the countrys more than 20 million or so workers have privacy rights that are either
voluntarily set in place by employers who have developed employee privacy codes or have
privacy rights because they have a collective agreement in place.
Employers should also be aware that egregious violations of privacy may open them up to
civil damages, including class action lawsuits. Legislatures and the courts are recognizing
privacy rights and providing opportunities for civil remedies.
In drawing up its legislation for the protection of personal information, the Canadian
government based its privacy provisions on a set of guidelines that had been developed by
the Canadian Standards Association in its Model Code for the Protection of Personal
Information.</p>
<section id="the-privacy-principles"> <section id="the-privacy-principles">
<h3><span class="section-number">2.6.1. </span>The Privacy Principles<a class="headerlink" href="#the-privacy-principles" title="Link to this heading"></a></h3> <h3><span class="section-number">2.6.1. </span>The Privacy Principles<a class="headerlink" href="#the-privacy-principles" title="Link to this heading"></a></h3>
<p>The Canadian Standards Association (CSA) Model Code is a set of principles that was
developed with input from organizations, governments, consumer associations and other
privacy stakeholders. They are incorporated in Federal private sector privacy legislation and
have become the generally accepted framework for evaluating privacy processes and systems
in Canada2.
Principle 1. Accountability
An organization is responsible for personal information under its control and shall designate
an individual or individuals to be accountable for the organizations compliance with the
following principles.
Principle 2. Identifying Purposes
The purposes for which personal information is collected shall be identified by the
organization at or before the time the information is collected.
Principle 3. Consent
The knowledge and consent of the individual are required for the collection, use, or
disclosure of personal information, except where inappropriate. Note: In certain
circumstances, personal information can be collected, used, or disclosed without the
knowledge and consent of the individual. For example, legal, medical, or security reasons
may make it impossible or impractical to seek consent.
Principle 4. Limiting Collection
The collection of personal information shall be limited to that which is necessary for the
purposes identified by the organization. Information shall be collected by fair and lawful
means.
Principle 5. Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it
was collected, except with the consent of the individual or as required by law. Personal
information shall be retained only as long as is necessary for the fulfillment of those
purposes.
Principle 6. Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the
purposes for which it is to be used.
Principle 7. Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity
of the information.
Principle 8. Openness
An organization shall make readily available to individuals specific information about its
policies and practices relating to the management of personal information.
Principle 9. Individual Access
Upon request, an individual shall be informed of the existence, use and disclosure of his or
her personal information and shall be given access to that information. An individual shall be
able to challenge the accuracy and completeness of the information and have it amended as
appropriate. In certain situations, an organization may not be able to provide access to all the
personal information it holds about an individual. Exceptions to the access requirement
should be limited and specific. The reasons for denying access should be provided to the
individual upon request. Exceptions may include information that is prohibitively costly to
provide, information that contains references to other individuals, information that cannot be
disclosed for legal, security, or commercial proprietary reasons, and information that is
subject to solicitor-client or litigation privilege.</p>
</section> </section>
</section>
<section id="principle-10-challenging-compliance">
<h2><span class="section-number">2.7. </span>Principle 10. Challenging Compliance<a class="headerlink" href="#principle-10-challenging-compliance" title="Link to this heading"></a></h2>
<p>An individual shall be able to address a challenge concerning compliance with the above
principles to the designated individual or individuals accountable for the organizations
compliance.</p>
<section id="the-personal-information-protection-and-electronic-documents-act-pipeda"> <section id="the-personal-information-protection-and-electronic-documents-act-pipeda">
<h3><span class="section-number">2.6.2. </span>The Personal Information Protection and Electronic Documents Act (PIPEDA)<a class="headerlink" href="#the-personal-information-protection-and-electronic-documents-act-pipeda" title="Link to this heading"></a></h3> <h3><span class="section-number">2.7.1. </span>The Personal Information Protection and Electronic Documents Act (PIPEDA)<a class="headerlink" href="#the-personal-information-protection-and-electronic-documents-act-pipeda" title="Link to this heading"></a></h3>
<p>The federal government drew upon the CSA Privacy Principles in its drafting of the federal
Personal Information Protection and Electronic Documents Act (PIPEDA) and the spirit and
much of the wording of the principles can be found throughout PIPEDA.</p>
<p>The mandate of the Office of the Privacy Commissioner of Canada (OPC) is overseeing
compliance with both the Privacy Act, which covers the personal information-handling
practices of federal government departments and agencies (including employee data), and the
Personal Information Protection and Electronic Documents Act (PIPEDA), Canadas private
sector privacy law.</p>
<p>PIPEDA has applied to federally regulated organizations such as banks, telecommunications
and transportation companies since January 2001 and applies to the collection, use or
disclosure of personal information in the course of any commercial activity within a province
that does not have its own privacy legislation, since January 2004.</p>
<p>While this protection of personal information legislation has a significant impact on how
organizations collect, use and disclose personal information relating to commercial
transactions (for example, customer/client lists and information), it is the effect of this
legislation on employee personal information that concerns the payroll and human resources
departments.</p>
<p>Employers collect personal employee information to conduct and protect their business, and
to comply with government legislation (for example, Employment/Labour Standards and
statutory deductions relating to CPP/QPP contributions, EI and QPIP premiums along with
income tax). As well, many employers provide benefits such as dental, medical and pension
plans that require the collection of even greater amounts of personal data.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>PIPEDA does not require that employers obtain consent from prospective employees, current
employees, or terminated employees to collect, use, and disclose information about that
person where the information is necessary for the creation, maintenance, and termination of
the employment relationship. It is, however, the case that the employer will provide notice to
the employee so that they are knowledgeable with respect to the information that the
employer collects, uses, and discloses.
This notice should be provided to prospective employees as part of the recruitment process
and also as part of the on-boarding process. In addition, if there are changes to personal data
practices for employee information, employees should be informed about such changes in a
timely manner.</p>
</div>
<p><strong>Consent</strong></p>
<p>According to PIPEDA, employers must obtain an employees consent before they collect
personal information where that information is not required for the employment relationship.
Further, the information collected must be for a specific purpose and must be destroyed once
that purpose is no longer valid.</p>
<p>There are two forms of consent that can be obtained from an employee - expressed and
implied:</p>
<p><strong>Expressed consent</strong> should be used for particularly sensitive employee information such as
might be asked for in the case of a voluntary employee assistance program.</p>
<p><strong>Implied consent</strong> means the employee is considered to have consented indirectly. An
example of implied consent is when an employee completes a form for an employer provided
but optional service such as a <em>social club</em> for birthday gifts and notices. Participating in this
club is not required for the employment relationship so consent is required. But the
information requested, and the context is not overly sensitive so consent for the collection
and use of employee data may be implied by the fact that the employee completed the
voluntary form. It doesnt need an “I consent” checkbox.</p>
<p>In essence, the more sensitive the information, the more one should use express written
consent, which outlines in detail the specific purpose for which an employer is using the
information. It is critical for those working in payroll to be aware of the requirements of
privacy legislation that applies to their employees and to have the necessary procedures in
place to comply with the legislation. If an employee chooses not to disclose the information
and is not required to do so by law, an employer cannot force an employee to divulge it.</p>
<p><strong>Exceptions to Consent Requirement</strong></p>
<p>Subparagraph 7(3) of the Personal Information Protection and Electronic Documents Act
(Bill C6) allows an employer to disclose personal information without the knowledge or
consent of the individual if the disclosure is made to a government institution which has
identified its lawful authority, and if the disclosure is for the purpose of administering any
law of Canada.</p>
<p>PIPEDA permits federal government agencies such as the CRA, ESDC, Service Canada and
provincial/territorial Ministries of Labour to obtain personal employee information needed to
administer programs or benefits, or to perform an audit. Legislation specifically provides
these government bodies with the right to request personal employee information and inspect
certain records and documents. As a result, the employer does not need to obtain the
employees permission to provide the information.</p>
<p>In addition to disclosures to government that are mandated by legislation and in relation to
employment, subparagraph 7.3 of PIPEDA states that an employer that is regulated by
federal labour codes can “…collect, use and disclose personal information without the consent of the individual if
(a) the collection, use or disclosure is necessary to establish, manage or terminate an
employment relationship between the federal work, undertaking or business and the
individual; and
(b) the federal work, undertaking or business has informed the individual that the personal
information will be or may be collected, used or disclosed for those purposes”.</p>
<p>Use and Storage of Personal Information
According to PIPEDA, organizations can only use information for the purpose for which it
was collected. Employers must fully disclose in writing to the employee the reasons why
they require the information, as well as what will be done with it.</p>
<p>Personal information must not be disclosed to external stakeholders without the employees
consent and only for the purpose for which the information was collected. For example, if the
organization is being audited by a government agency, such as the CRA, the employees
medical information should not be included with the information provided for audit purposes.</p>
<p>There are times when employers are required to collect information about employees in order
to comply with employment/labour standards or human rights legislation. For example, to
accommodate an employee for religious days and holidays, an employer needs to know about
the employees religious beliefs. To seek out this type of information for any other reason
invades the individuals right to privacy.</p>
<p>Limitations on Use - the Social Insurance Number example
The purpose of a social insurance number (SIN) is to identify an individual for specific
government programs. This information may not be collected, stored, used or disclosed for
any other purpose without the employees consent. Where the SIN is to be used for purposes
of identification, an organization must provide a convenient method for the employee to
withdraw his/her consent for that use at any time.</p>
<p>Employers are authorized to collect a SIN from employees in order to produce Records of
Employment and income tax information slips. Unless the employee has provided a SIN for
another specific use, and has consented to that specific use in writing, an employer could be
subject to fines for each improper use of that number.</p>
<p>As a general rule, an employer may not communicate the number to a third party without the
employees specific consent to do so. Exceptions are cases in which it is the employers
obligation to report an employees SIN to RQ, CRA, ESDC or Service Canada.</p>
<p>The SIN should not be used on pay statements or communicated to unions or benefit carriers.
They should not be used as an identifier by any organization other than the government
agencies mentioned above, unless the employee provides written consent to do so.</p>
</section> </section>
</section> </section>
<section id="pension-benefits-standards-act"> <section id="pension-benefits-standards-act">
<h2><span class="section-number">2.7. </span>Pension Benefits Standards Act<a class="headerlink" href="#pension-benefits-standards-act" title="Link to this heading"></a></h2> <h2><span class="section-number">2.8. </span>Pension Benefits Standards Act<a class="headerlink" href="#pension-benefits-standards-act" title="Link to this heading"></a></h2>
</section> </section>
<section id="canadian-human-rights-act"> <section id="canadian-human-rights-act">
<h2><span class="section-number">2.8. </span>Canadian Human Rights Act<a class="headerlink" href="#canadian-human-rights-act" title="Link to this heading"></a></h2> <h2><span class="section-number">2.9. </span>Canadian Human Rights Act<a class="headerlink" href="#canadian-human-rights-act" title="Link to this heading"></a></h2>
</section> </section>
<section id="employment-equity-act"> <section id="employment-equity-act">
<h2><span class="section-number">2.9. </span>Employment Equity Act<a class="headerlink" href="#employment-equity-act" title="Link to this heading"></a></h2> <h2><span class="section-number">2.10. </span>Employment Equity Act<a class="headerlink" href="#employment-equity-act" title="Link to this heading"></a></h2>
</section> </section>
<section id="summary"> <section id="summary">
<h2><span class="section-number">2.10. </span>Summary<a class="headerlink" href="#summary" title="Link to this heading"></a></h2> <h2><span class="section-number">2.11. </span>Summary<a class="headerlink" href="#summary" title="Link to this heading"></a></h2>
<blockquote> <blockquote>
<div><ul class="simple"> <div><ul class="simple">
<li><p>Under the Canada Pension Plan Act and the Employment Insurance Act, the Canada Revenue Agency is responsible for determining: <li><p>Under the Canada Pension Plan Act and the Employment Insurance Act, the Canada Revenue Agency is responsible for determining:
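Review bot: In the new principle-10-challenging-compliance section, Principle 10 is rendered as a level-2 heading numbered 2.7 instead of as the tenth item under 2.6.1 The Privacy Principles. That closes the Personal Privacy section early, moves PIPEDA from 2.6.2 to 2.7.1 beneath the Principle 10 heading, and shifts Pension Benefits Standards Act through Summary from 2.7-2.10 to 2.8-2.11. Principle 10 should be body text alongside Principles 1 to 9 so that PIPEDA stays at 2.6.2. Separately, Principles 1 to 9 all land in a single paragraph element, so each principle title runs straight on from the previous principle's text; give each principle its own paragraph or list item.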
@@ -378,35 +567,79 @@ applicable statutory deductions.</p>
<li><p>the administration of provisions regarding Job Creation programs</p></li> <li><p>the administration of provisions regarding Job Creation programs</p></li>
</ul> </ul>
</li> </li>
<li><p>Employment and Social Development Canadas Employment Insurance program</p></li>
</ul> </ul>
</div></blockquote> </div></blockquote>
<p>Employment and Social Development Canadas Employment Insurance program <p>provides temporary financial assistance for unemployed Canadians while they look
provides temporary financial assistance for unemployed Canadians while they look for work or upgrade their skills.</p>
for work or upgrade their skills.
Service Canada serves as the governments operational arm while Employment and
Social Development Canada operates as the policy-making body.
Service Canada is responsible for:
o the issuance of Social Insurance Numbers (SIN) and the protection and
security of SIN information
o the delivery of services to employers, including Record of Employment on the
Web
o the administration of Employment Insurance programs to individuals,
including regular, illness, pregnancy/parental, critically ill or injured person
and compassionate care benefits
o the administration of the Employment Insurance Premium Reduction
program, including granting qualified employers a reduced Employment
Insurance premium rate</p>
<blockquote> <blockquote>
<div><ul class="simple"> <div><ul class="simple">
<li><p>the administration of Canada Pension Plan benefits, including retirement, disability, survivor, childrens and death benefits</p></li> <li><p>Service Canada serves as the governments operational arm while Employment and</p></li>
<li><p>the administration of benefits for seniors, including the Old Age Security Program and the Guaranteed Income Supplement Payroll is responsible for deducting and remitting Employment Insurance premiums</p></li>
</ul> </ul>
</div></blockquote> </div></blockquote>
<p>on behalf of employees and employers. Payroll is responsible for capturing information related to insurable earnings and <p>Social Development Canada operates as the policy-making body.</p>
hours, and reporting that information on the Record of Employment.</p> <blockquote>
<div><ul class="simple">
<li><p>Service Canada is responsible for:</p>
<ul>
<li><p>the issuance of Social Insurance Numbers (SIN) and the protection and security of SIN information</p></li>
<li><p>the delivery of services to employers, including Record of Employment on the Web</p></li>
<li><p>the administration of Employment Insurance programs to individuals, including regular, illness, pregnancy/parental, critically ill or injured person and compassionate care benefits</p></li>
<li><p>the administration of the Employment Insurance Premium Reduction program, including granting qualified employers a reduced Employment Insurance premium rate</p></li>
<li><p>the administration of Canada Pension Plan benefits, including retirement, disability, survivor, childrens and death benefits</p></li>
<li><p>the administration of benefits for seniors, including the Old Age Security Program and the Guaranteed Income Supplement Payroll is responsible for deducting and remitting Employment Insurance premiums on behalf of employees and employers.</p></li>
</ul>
</li>
<li><p>Payroll is responsible for deducting and remitting Employment Insurance premiums on behalf of employees and employers.</p></li>
<li><p>Payroll is responsible for capturing information related to insurable earnings and hours, and reporting that information on the Record of Employment.</p></li>
<li><p>The Canadian government based its privacy provisions in its legislation for the</p></li>
</ul>
</div></blockquote>
<p>protection of personal information on a set of guidelines called the Ten Privacy
Principles.</p>
<blockquote>
<div><ul class="simple">
<li><p>The Personal Information Protection and Electronic Documents Act has applied to</p></li>
</ul>
</div></blockquote>
<p>federally-regulated organizations such as banks, telecommunications and
transportation companies since January 2001.</p>
<blockquote>
<div><ul class="simple">
<li><p>Since January 2004 the Personal Information Protection and Electronic Documents</p></li>
</ul>
</div></blockquote>
<p>Act has applied to the collection, use or disclosure of personal information in the
course of any commercial activity within a province that does not have its own
privacy legislation.</p>
<blockquote>
<div><ul class="simple">
<li><p>Express consent means the employee provides their consent either verbally (in which</p></li>
</ul>
</div></blockquote>
<p>case when and how the consent was received should be documented) or in writing.</p>
<blockquote>
<div><ul class="simple">
<li><p>Implied consent means the employee is considered to have consented indirectly.</p></li>
<li><p>The employer does not need to obtain the employees permission to provide personal</p></li>
</ul>
</div></blockquote>
<p>information where legislation provides federal government agencies such as the
Canada Revenue Agency, Employment and Social Development Canada, Service
Canada and provincial/territorial Ministries of Labour with the right to request
personal employee information in order to administer programs or benefits, or in the
case of an audit.</p>
<blockquote>
<div><ul class="simple">
<li><p>Other than an employers obligation to report an employees Social Insurance</p></li>
</ul>
</div></blockquote>
<p>Number to the Canada Revenue Agency, Employment and Social Development
Canada, Service Canada or Revenu Québec, an employer may not communicate the
number to a third party without the employees specific consent to do so.</p>
</section> </section>
<section id="review-questions"> <section id="review-questions">
<h2><span class="section-number">2.11. </span>Review Questions<a class="headerlink" href="#review-questions" title="Link to this heading"></a></h2> <h2><span class="section-number">2.12. </span>Review Questions<a class="headerlink" href="#review-questions" title="Link to this heading"></a></h2>
<ol class="arabic simple"> <ol class="arabic simple">
<li><p>What are the three main programs specifically related to payroll that the Canada Revenue Agency administers?</p></li> <li><p>What are the three main programs specifically related to payroll that the Canada Revenue Agency administers?</p></li>
<li><p>If an organization deducts $27,400 in Canada Pension Plan contributions from its employees and $21,200 in Employment Insurance premiums, how much would have to be remitted in total to the Canada Revenue Agency?</p></li> <li><p>If an organization deducts $27,400 in Canada Pension Plan contributions from its employees and $21,200 in Employment Insurance premiums, how much would have to be remitted in total to the Canada Revenue Agency?</p></li>
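Review bot: In the new Summary bullets, every item that wraps onto a second line is cut off after its first line. The list item holds only "The Canadian government based its privacy provisions in its legislation for the", and the rest ("protection of personal information on a set of guidelines called the Ten Privacy Principles.") is emitted as a separate paragraph outside the list. The same split affects the Employment Insurance program bullet, the Service Canada / Employment and Social Development Canada bullet, both PIPEDA date bullets, the express consent bullet, the government agencies bullet and the Social Insurance Number bullet. Continuation lines in the source need to be indented to line up with the bullet text. Also, the Guaranteed Income Supplement item still ends with "Payroll is responsible for deducting and remitting Employment Insurance premiums on behalf of employees and employers.", and the same sentence follows as its own bullet; remove it from the seniors item.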
@@ -420,6 +653,13 @@ hours, and reporting that information on the Record of Employment.</p>
<p>There is a new type of earning in the new collective agreement. You are not sure if it is insurable.</p> <p>There is a new type of earning in the new collective agreement. You are not sure if it is insurable.</p>
<p>The organization would like to apply for a reduction in its Employment Insurance premium rate.</p> <p>The organization would like to apply for a reduction in its Employment Insurance premium rate.</p>
</div></blockquote> </div></blockquote>
<p>6. How does the Personal Information Protection and Electronic Documents Act
legislation affect the handling of employee personal information?</p>
<p>7. Explain the difference between implied and express employee consent and provide an
example of each.</p>
<p>8. The Personal Information Protection and Electronic Documents Act contains ten
privacy principles. Choose two and develop a statement for each that could be included
in your organizations privacy policy.</p>
</section> </section>
</section> </section>
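Review bot: Questions 6, 7 and 8 are added as plain paragraphs with the number typed into the text ("6. How does the ..."), after the closing blockquote, rather than as items of the ordered list that holds the earlier review questions. They will not pick up the list's styling, and the hand-typed numbers will be wrong as soon as a question is inserted or removed above them. Continue the enumerated list in the source so the numbering is generated.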
@@ -449,14 +689,17 @@ hours, and reporting that information on the Record of Employment.</p>
<li><a class="reference internal" href="#statistics-canada">2.5. Statistics Canada</a></li> <li><a class="reference internal" href="#statistics-canada">2.5. Statistics Canada</a></li>
<li><a class="reference internal" href="#personal-privacy">2.6. Personal Privacy</a><ul> <li><a class="reference internal" href="#personal-privacy">2.6. Personal Privacy</a><ul>
<li><a class="reference internal" href="#the-privacy-principles">2.6.1. The Privacy Principles</a></li> <li><a class="reference internal" href="#the-privacy-principles">2.6.1. The Privacy Principles</a></li>
<li><a class="reference internal" href="#the-personal-information-protection-and-electronic-documents-act-pipeda">2.6.2. The Personal Information Protection and Electronic Documents Act (PIPEDA)</a></li>
</ul> </ul>
</li> </li>
<li><a class="reference internal" href="#pension-benefits-standards-act">2.7. Pension Benefits Standards Act</a></li> <li><a class="reference internal" href="#principle-10-challenging-compliance">2.7. Principle 10. Challenging Compliance</a><ul>
<li><a class="reference internal" href="#canadian-human-rights-act">2.8. Canadian Human Rights Act</a></li> <li><a class="reference internal" href="#the-personal-information-protection-and-electronic-documents-act-pipeda">2.7.1. The Personal Information Protection and Electronic Documents Act (PIPEDA)</a></li>
<li><a class="reference internal" href="#employment-equity-act">2.9. Employment Equity Act</a></li> </ul>
<li><a class="reference internal" href="#summary">2.10. Summary</a></li> </li>
<li><a class="reference internal" href="#review-questions">2.11. Review Questions</a></li> <li><a class="reference internal" href="#pension-benefits-standards-act">2.8. Pension Benefits Standards Act</a></li>
<li><a class="reference internal" href="#canadian-human-rights-act">2.9. Canadian Human Rights Act</a></li>
<li><a class="reference internal" href="#employment-equity-act">2.10. Employment Equity Act</a></li>
<li><a class="reference internal" href="#summary">2.11. Summary</a></li>
<li><a class="reference internal" href="#review-questions">2.12. Review Questions</a></li>
</ul> </ul>
</li> </li>
</ul> </ul>
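Review bot: The table of contents now lists "2.7. Principle 10. Challenging Compliance" as a top-level entry with PIPEDA nested beneath it as 2.7.1, and the entries after it move to 2.8 through 2.12. This list follows the headings, so it should not be corrected here; once Principle 10 is returned to body text under The Privacy Principles in the source, rebuild and check that PIPEDA is back at 2.6.2 and Review Questions at 2.11.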


@@ -310,15 +310,226 @@ applicable statutory deductions.
Statistics Canada Statistics Canada
~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~
Statistics Canada produces statistics that help Canadians better understand their country—its
population, resources, economy, society and culture.
In Canada, providing statistics is a federal responsibility. As Canadas central statistical
agency, Statistics Canada is legislated under the Statistics Act to serve this function for the
whole of Canada and each of the provinces/territories.
Objective statistical information is vital to an open and democratic society. It provides a solid
foundation for informed decisions by elected representatives, businesses, unions and non-
profit organizations, as well as individual Canadians.
Statistics Canada is committed to protecting the confidentiality of all information entrusted to
them and to ensure that the information delivered is timely and relevant to Canadians.
Personal Privacy Personal Privacy
~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~
The Canadian federal government and all provincial governments have legislation that sets
limits on the collection, use or disclosure of personal information. Private sector privacy laws
in Canada currently only cover the employee personal information of employees that work
for federally regulated companies or who are located in one of the four provinces with
provincial private sector privacy laws: Alberta, British Columbia, Manitoba and Québec1.
Public sector employees have some privacy protection under all jurisdictions except Ontario
which excludes employee information from its public sector privacy legislation. Employees
who are covered by a collective agreement also have statutory privacy protection based on
arbitral jurisprudence and their particular collective agreement. Therefore, approximately
half of workers in Canada have privacy rights backed by legislation, while the remaining
50% of the countrys more than 20 million or so workers have privacy rights that are either
voluntarily set in place by employers who have developed employee privacy codes or have
privacy rights because they have a collective agreement in place.
Employers should also be aware that egregious violations of privacy may open them up to
civil damages, including class action lawsuits. Legislatures and the courts are recognizing
privacy rights and providing opportunities for civil remedies.
In drawing up its legislation for the protection of personal information, the Canadian
government based its privacy provisions on a set of guidelines that had been developed by
the Canadian Standards Association in its Model Code for the Protection of Personal
Information.
The Privacy Principles The Privacy Principles
----------------------- -----------------------
The Canadian Standards Association (CSA) Model Code is a set of principles that was
developed with input from organizations, governments, consumer associations and other
privacy stakeholders. They are incorporated in Federal private sector privacy legislation and
have become the generally accepted framework for evaluating privacy processes and systems
in Canada2.
Principle 1. Accountability
An organization is responsible for personal information under its control and shall designate
an individual or individuals to be accountable for the organization's compliance with the
following principles.
Principle 2. Identifying Purposes
The purposes for which personal information is collected shall be identified by the
organization at or before the time the information is collected.
Principle 3. Consent
The knowledge and consent of the individual are required for the collection, use, or
disclosure of personal information, except where inappropriate. Note: In certain
circumstances, personal information can be collected, used, or disclosed without the
knowledge and consent of the individual. For example, legal, medical, or security reasons
may make it impossible or impractical to seek consent.
Principle 4. Limiting Collection
The collection of personal information shall be limited to that which is necessary for the
purposes identified by the organization. Information shall be collected by fair and lawful
means.
Principle 5. Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it
was collected, except with the consent of the individual or as required by law. Personal
information shall be retained only as long as is necessary for the fulfillment of those
purposes.
Principle 6. Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the
purposes for which it is to be used.
Principle 7. Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity
of the information.
Principle 8. Openness
An organization shall make readily available to individuals specific information about its
policies and practices relating to the management of personal information.
Principle 9. Individual Access
Upon request, an individual shall be informed of the existence, use and disclosure of his or
her personal information and shall be given access to that information. An individual shall be
able to challenge the accuracy and completeness of the information and have it amended as
appropriate. In certain situations, an organization may not be able to provide access to all the
personal information it holds about an individual. Exceptions to the access requirement
should be limited and specific. The reasons for denying access should be provided to the
individual upon request. Exceptions may include information that is prohibitively costly to
provide, information that contains references to other individuals, information that cannot be
disclosed for legal, security, or commercial proprietary reasons, and information that is
subject to solicitor-client or litigation privilege.
Principle 10. Challenging Compliance
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
An individual shall be able to address a challenge concerning compliance with the above
principles to the designated individual or individuals accountable for the organization's
compliance.
The Personal Information Protection and Electronic Documents Act (PIPEDA) The Personal Information Protection and Electronic Documents Act (PIPEDA)
-------------------------------------------------------------------------- --------------------------------------------------------------------------
The federal government drew upon the CSA Privacy Principles in its drafting of the federal
Personal Information Protection and Electronic Documents Act (PIPEDA) and the spirit and
much of the wording of the principles can be found throughout PIPEDA.
The mandate of the Office of the Privacy Commissioner of Canada (OPC) is overseeing
compliance with both the Privacy Act, which covers the personal information-handling
practices of federal government departments and agencies (including employee data), and the
Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's private
sector privacy law.
PIPEDA has applied to federally regulated organizations such as banks, telecommunications
and transportation companies since January 2001 and applies to the collection, use or
disclosure of personal information in the course of any commercial activity within a province
that does not have its own privacy legislation, since January 2004.
While this protection of personal information legislation has a significant impact on how
organizations collect, use and disclose personal information relating to commercial
transactions (for example, customer/client lists and information), it is the effect of this
legislation on employee personal information that concerns the payroll and human resources
departments.
Employers collect personal employee information to conduct and protect their business, and
to comply with government legislation (for example, Employment/Labour Standards and
statutory deductions relating to CPP/QPP contributions, EI and QPIP premiums along with
income tax). As well, many employers provide benefits such as dental, medical and pension
plans that require the collection of even greater amounts of personal data.
.. note::
PIPEDA does not require that employers obtain consent from prospective employees, current
employees, or terminated employees to collect, use, and disclose information about that
person where the information is necessary for the creation, maintenance, and termination of
the employment relationship. It is, however, the case that the employer will provide notice to
the employee so that they are knowledgeable with respect to the information that the
employer collects, uses, and discloses.
This notice should be provided to prospective employees as part of the recruitment process
and also as part of the on-boarding process. In addition, if there are changes to personal data
practices for employee information, employees should be informed about such changes in a
timely manner.
**Consent**
According to PIPEDA, employers must obtain an employee's consent before they collect
personal information where that information is not required for the employment relationship.
Further, the information collected must be for a specific purpose and must be destroyed once
that purpose is no longer valid.
There are two forms of consent that can be obtained from an employee - expressed and
implied:
**Expressed consent** should be used for particularly sensitive employee information such as
might be asked for in the case of a voluntary employee assistance program.
**Implied consent** means the employee is considered to have consented indirectly. An
example of implied consent is when an employee completes a form for an employer provided
but optional service such as a *social club* for birthday gifts and notices. Participating in this
club is not required for the employment relationship so consent is required. But the
information requested, and the context is not overly sensitive so consent for the collection
and use of employee data may be implied by the fact that the employee completed the
voluntary form. It doesn't need an “I consent” checkbox.
In essence, the more sensitive the information, the more one should use express written
consent, which outlines in detail the specific purpose for which an employer is using the
information. It is critical for those working in payroll to be aware of the requirements of
privacy legislation that applies to their employees and to have the necessary procedures in
place to comply with the legislation. If an employee chooses not to disclose the information
and is not required to do so by law, an employer cannot force an employee to divulge it.
**Exceptions to Consent Requirement**
Subparagraph 7(3) of the Personal Information Protection and Electronic Documents Act
(Bill C6) allows an employer to disclose personal information without the knowledge or
consent of the individual if the disclosure is made to a government institution which has
identified its lawful authority, and if the disclosure is for the purpose of administering any
law of Canada.
PIPEDA permits federal government agencies such as the CRA, ESDC, Service Canada and
provincial/territorial Ministries of Labour to obtain personal employee information needed to
administer programs or benefits, or to perform an audit. Legislation specifically provides
these government bodies with the right to request personal employee information and inspect
certain records and documents. As a result, the employer does not need to obtain the
employee's permission to provide the information.
In addition to disclosures to government that are mandated by legislation and in relation to
employment, subparagraph 7.3 of PIPEDA states that an employer that is regulated by
federal labour codes can “…collect, use and disclose personal information without the consent of the individual if
(a) the collection, use or disclosure is necessary to establish, manage or terminate an
employment relationship between the federal work, undertaking or business and the
individual; and
(b) the federal work, undertaking or business has informed the individual that the personal
information will be or may be collected, used or disclosed for those purposes”.
Use and Storage of Personal Information
According to PIPEDA, organizations can only use information for the purpose for which it
was collected. Employers must fully disclose in writing to the employee the reasons why
they require the information, as well as what will be done with it.
Personal information must not be disclosed to external stakeholders without the employee's
consent and only for the purpose for which the information was collected. For example, if the
organization is being audited by a government agency, such as the CRA, the employee's
medical information should not be included with the information provided for audit purposes.
There are times when employers are required to collect information about employees in order
to comply with employment/labour standards or human rights legislation. For example, to
accommodate an employee for religious days and holidays, an employer needs to know about
the employee's religious beliefs. To seek out this type of information for any other reason
invades the individual's right to privacy.
Limitations on Use - the Social Insurance Number example
The purpose of a social insurance number (SIN) is to identify an individual for specific
government programs. This information may not be collected, stored, used or disclosed for
any other purpose without the employee's consent. Where the SIN is to be used for purposes
of identification, an organization must provide a convenient method for the employee to
withdraw his/her consent for that use at any time.
Employers are authorized to collect a SIN from employees in order to produce Records of
Employment and income tax information slips. Unless the employee has provided a SIN for
another specific use, and has consented to that specific use in writing, an employer could be
subject to fines for each improper use of that number.
As a general rule, an employer may not communicate the number to a third party without the
employee's specific consent to do so. Exceptions are cases in which it is the employer's
obligation to report an employee's SIN to RQ, CRA, ESDC or Service Canada.
The SIN should not be used on pay statements or communicated to unions or benefit carriers.
They should not be used as an identifier by any organization other than the government
agencies mentioned above, unless the employee provides written consent to do so.
Pension Benefits Standards Act Pension Benefits Standards Act
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
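Review bot: The `~~~~` underline added under "Principle 10. Challenging Compliance" makes that one principle a section heading at the same level as "Pension Benefits Standards Act", while Principles 1 to 9 are plain text lines. As a result Principle 10 leaves "The Privacy Principles" subsection and the PIPEDA subsection that follows is nested under it. Drop the underline, or mark all ten principle titles the same way (a bold lead-in like the `**Consent**` label used further down would do). "Use and Storage of Personal Information" and "Limitations on Use - the Social Insurance Number example" in the same hunk also carry no heading or bold markup, unlike `**Consent**` and `**Exceptions to Consent Requirement**` above them.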
@@ -356,28 +567,55 @@ Summary
- the administration of provisions related to Wage Loss plans - the administration of provisions related to Wage Loss plans
- the administration of provisions regarding Job Creation programs - the administration of provisions regarding Job Creation programs
Employment and Social Development Canadas Employment Insurance program - Employment and Social Development Canada's Employment Insurance program
provides temporary financial assistance for unemployed Canadians while they look provides temporary financial assistance for unemployed Canadians while they look
for work or upgrade their skills. for work or upgrade their skills.
Service Canada serves as the governments operational arm while Employment and
- Service Canada serves as the government's operational arm while Employment and
Social Development Canada operates as the policy-making body. Social Development Canada operates as the policy-making body.
Service Canada is responsible for:
o the issuance of Social Insurance Numbers (SIN) and the protection and
security of SIN information
o the delivery of services to employers, including Record of Employment on the
Web
o the administration of Employment Insurance programs to individuals,
including regular, illness, pregnancy/parental, critically ill or injured person
and compassionate care benefits
o the administration of the Employment Insurance Premium Reduction
program, including granting qualified employers a reduced Employment
Insurance premium rate
- the administration of Canada Pension Plan benefits, including retirement, disability, survivor, children's and death benefits - Service Canada is responsible for:
- the administration of benefits for seniors, including the Old Age Security Program and the Guaranteed Income Supplement Payroll is responsible for deducting and remitting Employment Insurance premiums - the issuance of Social Insurance Numbers (SIN) and the protection and security of SIN information
on behalf of employees and employers. Payroll is responsible for capturing information related to insurable earnings and - the delivery of services to employers, including Record of Employment on the Web
hours, and reporting that information on the Record of Employment. - the administration of Employment Insurance programs to individuals, including regular, illness, pregnancy/parental, critically ill or injured person and compassionate care benefits
- the administration of the Employment Insurance Premium Reduction program, including granting qualified employers a reduced Employment Insurance premium rate
- the administration of Canada Pension Plan benefits, including retirement, disability, survivor, children's and death benefits
- the administration of benefits for seniors, including the Old Age Security Program and the Guaranteed Income Supplement Payroll is responsible for deducting and remitting Employment Insurance premiums on behalf of employees and employers.
- Payroll is responsible for deducting and remitting Employment Insurance premiums on behalf of employees and employers.
- Payroll is responsible for capturing information related to insurable earnings and hours, and reporting that information on the Record of Employment.
- The Canadian government based its privacy provisions in its legislation for the
protection of personal information on a set of guidelines called the Ten Privacy
Principles.
- The Personal Information Protection and Electronic Documents Act has applied to
federally-regulated organizations such as banks, telecommunications and
transportation companies since January 2001.
- Since January 2004 the Personal Information Protection and Electronic Documents
Act has applied to the collection, use or disclosure of personal information in the
course of any commercial activity within a province that does not have its own
privacy legislation.
- Express consent means the employee provides their consent either verbally (in which
case when and how the consent was received should be documented) or in writing.
- Implied consent means the employee is considered to have consented indirectly.
- The employer does not need to obtain the employee's permission to provide personal
information where legislation provides federal government agencies such as the
Canada Revenue Agency, Employment and Social Development Canada, Service
Canada and provincial/territorial Ministries of Labour with the right to request
personal employee information in order to administer programs or benefits, or in the
case of an audit.
- Other than an employer's obligation to report an employee's Social Insurance
Number to the Canada Revenue Agency, Employment and Social Development
Canada, Service Canada or Revenu Québec, an employer may not communicate the
number to a third party without the employee's specific consent to do so.
Review Questions Review Questions
~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~
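Review bot: The reformatted bullet on seniors' benefits ends with a stray sentence ("... the Guaranteed Income Supplement Payroll is responsible for deducting and remitting Employment Insurance premiums on behalf of employees and employers."), and the same Payroll sentence is then repeated as its own bullet on the next line. End the seniors bullet at "Guaranteed Income Supplement" and keep only the separate Payroll bullet.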
@@ -399,3 +637,13 @@ Review Questions
There is a new type of earning in the new collective agreement. You are not sure if it is insurable. There is a new type of earning in the new collective agreement. You are not sure if it is insurable.
The organization would like to apply for a reduction in its Employment Insurance premium rate. The organization would like to apply for a reduction in its Employment Insurance premium rate.
6. How does the Personal Information Protection and Electronic Documents Act
legislation affect the handling of employee personal information?
7. Explain the difference between implied and express employee consent and provide an
example of each.
8. The Personal Information Protection and Electronic Documents Act contains ten
privacy principles. Choose two and develop a statement for each that could be included
in your organization's privacy policy.
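Review bot: Question 7 asks about "express" consent, but the section added in this commit introduces the term as "**Expressed consent**" and later writes "express written consent"; pick one form and use it in the body, the summary and the question so readers can match the question to the text. Question 8 says the Act "contains ten privacy principles", whereas the added text attributes the principles to the CSA Model Code and says PIPEDA drew upon them, so the question should be worded to match.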


@@ -85,14 +85,17 @@ to confidently perform essential payroll functions encountered in day-to-day ope
<li class="toctree-l2"><a class="reference internal" href="2_compliance.html#statistics-canada">2.5. Statistics Canada</a></li> <li class="toctree-l2"><a class="reference internal" href="2_compliance.html#statistics-canada">2.5. Statistics Canada</a></li>
<li class="toctree-l2"><a class="reference internal" href="2_compliance.html#personal-privacy">2.6. Personal Privacy</a><ul> <li class="toctree-l2"><a class="reference internal" href="2_compliance.html#personal-privacy">2.6. Personal Privacy</a><ul>
<li class="toctree-l3"><a class="reference internal" href="2_compliance.html#the-privacy-principles">2.6.1. The Privacy Principles</a></li> <li class="toctree-l3"><a class="reference internal" href="2_compliance.html#the-privacy-principles">2.6.1. The Privacy Principles</a></li>
<li class="toctree-l3"><a class="reference internal" href="2_compliance.html#the-personal-information-protection-and-electronic-documents-act-pipeda">2.6.2. The Personal Information Protection and Electronic Documents Act (PIPEDA)</a></li>
</ul> </ul>
</li> </li>
<li class="toctree-l2"><a class="reference internal" href="2_compliance.html#pension-benefits-standards-act">2.7. Pension Benefits Standards Act</a></li> <li class="toctree-l2"><a class="reference internal" href="2_compliance.html#principle-10-challenging-compliance">2.7. Principle 10. Challenging Compliance</a><ul>
<li class="toctree-l2"><a class="reference internal" href="2_compliance.html#canadian-human-rights-act">2.8. Canadian Human Rights Act</a></li> <li class="toctree-l3"><a class="reference internal" href="2_compliance.html#the-personal-information-protection-and-electronic-documents-act-pipeda">2.7.1. The Personal Information Protection and Electronic Documents Act (PIPEDA)</a></li>
<li class="toctree-l2"><a class="reference internal" href="2_compliance.html#employment-equity-act">2.9. Employment Equity Act</a></li> </ul>
<li class="toctree-l2"><a class="reference internal" href="2_compliance.html#summary">2.10. Summary</a></li> </li>
<li class="toctree-l2"><a class="reference internal" href="2_compliance.html#review-questions">2.11. Review Questions</a></li> <li class="toctree-l2"><a class="reference internal" href="2_compliance.html#pension-benefits-standards-act">2.8. Pension Benefits Standards Act</a></li>
<li class="toctree-l2"><a class="reference internal" href="2_compliance.html#canadian-human-rights-act">2.9. Canadian Human Rights Act</a></li>
<li class="toctree-l2"><a class="reference internal" href="2_compliance.html#employment-equity-act">2.10. Employment Equity Act</a></li>
<li class="toctree-l2"><a class="reference internal" href="2_compliance.html#summary">2.11. Summary</a></li>
<li class="toctree-l2"><a class="reference internal" href="2_compliance.html#review-questions">2.12. Review Questions</a></li>
</ul> </ul>
</li> </li>
<li class="toctree-l1"><a class="reference internal" href="3_contracts.html">3. EMPLOYEE vs. INDEPENDENT CONTRACTOR</a><ul> <li class="toctree-l1"><a class="reference internal" href="3_contracts.html">3. EMPLOYEE vs. INDEPENDENT CONTRACTOR</a><ul>
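Review bot: The regenerated table of contents now lists "2.7. Principle 10. Challenging Compliance" as a chapter-level section, moves PIPEDA from 2.6.2 to 2.7.1 beneath it, and shifts every later section by one (Pension Benefits Standards Act becomes 2.8, Review Questions becomes 2.12). That reads as a side effect of the heading markup on Principle 10 in the source rather than an intended restructure; fix the heading level there and rebuild so PIPEDA returns to 2.6.2. If this HTML is build output, consider leaving it out of the commit so review only has to cover the source.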

File diff suppressed because one or more lines are too long


@@ -1,4 +1,4 @@
# Sphinx build info version 1 # Sphinx build info version 1
# This file records the configuration used when building these files. When it is not found, a full rebuild will be done. # This file records the configuration used when building these files. When it is not found, a full rebuild will be done.
config: de8bce4b7e8bce4f1549e4895e84176d config: a68cb610408b8d34b8bbc7eb96642a3d
tags: 62a1e7829a13fc7881b6498c52484ec0 tags: 62a1e7829a13fc7881b6498c52484ec0
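Review bot: The `config:` hash changes on the third line of this generated file, whose own header says it records the configuration used for the build, yet the commit message ("compliance") describes a content change only. Either note the configuration or environment change in the commit message, or keep this build record out of version control so content commits do not carry unrelated churn.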


@@ -210,36 +210,43 @@
2.6.1. The Privacy Principles 2.6.1. The Privacy Principles
</a> </a>
</li> </li>
</ul>
</li>
<li class="toctree-l2">
<a class="reference internal" href="#principle-10-challenging-compliance">
2.7. Principle 10. Challenging Compliance
</a>
<ul>
<li class="toctree-l3"> <li class="toctree-l3">
<a class="reference internal" href="#the-personal-information-protection-and-electronic-documents-act-pipeda"> <a class="reference internal" href="#the-personal-information-protection-and-electronic-documents-act-pipeda">
2.6.2. The Personal Information Protection and Electronic Documents Act (PIPEDA) 2.7.1. The Personal Information Protection and Electronic Documents Act (PIPEDA)
</a> </a>
</li> </li>
</ul> </ul>
</li> </li>
<li class="toctree-l2"> <li class="toctree-l2">
<a class="reference internal" href="#pension-benefits-standards-act"> <a class="reference internal" href="#pension-benefits-standards-act">
2.7. Pension Benefits Standards Act 2.8. Pension Benefits Standards Act
</a> </a>
</li> </li>
<li class="toctree-l2"> <li class="toctree-l2">
<a class="reference internal" href="#canadian-human-rights-act"> <a class="reference internal" href="#canadian-human-rights-act">
2.8. Canadian Human Rights Act 2.9. Canadian Human Rights Act
</a> </a>
</li> </li>
<li class="toctree-l2"> <li class="toctree-l2">
<a class="reference internal" href="#employment-equity-act"> <a class="reference internal" href="#employment-equity-act">
2.9. Employment Equity Act 2.10. Employment Equity Act
</a> </a>
</li> </li>
<li class="toctree-l2"> <li class="toctree-l2">
<a class="reference internal" href="#summary"> <a class="reference internal" href="#summary">
2.10. Summary 2.11. Summary
</a> </a>
</li> </li>
<li class="toctree-l2"> <li class="toctree-l2">
<a class="reference internal" href="#review-questions"> <a class="reference internal" href="#review-questions">
2.11. Review Questions 2.12. Review Questions
</a> </a>
</li> </li>
</ul> </ul>
@@ -2021,6 +2028,18 @@ applicable statutory deductions.
&para; &para;
</a> </a>
</h3> </h3>
<p>
Statistics Canada produces statistics that help Canadians better understand their country&mdash;its
population, resources, economy, society and culture.
In Canada, providing statistics is a federal responsibility. As Canada&rsquo;s central statistical
agency, Statistics Canada is legislated under the Statistics Act to serve this function for the
whole of Canada and each of the provinces/territories.
Objective statistical information is vital to an open and democratic society. It provides a solid
foundation for informed decisions by elected representatives, businesses, unions and non-
profit organizations, as well as individual Canadians.
Statistics Canada is committed to protecting the confidentiality of all information entrusted to
them and to ensure that the information delivered is timely and relevant to Canadians.
</p>
</section> </section>
<section id="personal-privacy"> <section id="personal-privacy">
<h3> <h3>
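Review bot: The added `<p>` will render "non- profit organizations" with a stray space, because the source breaks the line after the hyphen ("non-" ends one line and "profit" starts the next); join the word on one line in the source. The whole Statistics Canada text also lands in a single paragraph, so add blank lines in the source where paragraph breaks are meant, and make the last sentence parallel ("committed to protecting ... and to ensuring ...").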
@@ -2029,6 +2048,28 @@ applicable statutory deductions.
&para; &para;
</a> </a>
</h3> </h3>
<p>
The Canadian federal government and all provincial governments have legislation that sets
limits on the collection, use or disclosure of personal information. Private sector privacy laws
in Canada currently only cover the employee personal information of employees that work
for federally regulated companies or who are located in one of the four provinces with
provincial private sector privacy laws: Alberta, British Columbia, Manitoba and Qu&eacute;bec1.
Public sector employees have some privacy protection under all jurisdictions except Ontario
which excludes employee information from its public sector privacy legislation. Employees
who are covered by a collective agreement also have statutory privacy protection based on
arbitral jurisprudence and their particular collective agreement. Therefore, approximately
half of workers in Canada have privacy rights backed by legislation, while the remaining
50% of the country&rsquo;s more than 20 million or so workers have privacy rights that are either
voluntarily set in place by employers who have developed employee privacy codes or have
privacy rights because they have a collective agreement in place.
Employers should also be aware that egregious violations of privacy may open them up to
civil damages, including class action lawsuits. Legislatures and the courts are recognizing
privacy rights and providing opportunities for civil remedies.
In drawing up its legislation for the protection of personal information, the Canadian
government based its privacy provisions on a set of guidelines that had been developed by
the Canadian Standards Association in its Model Code for the Protection of Personal
Information.
</p>
<section id="the-privacy-principles"> <section id="the-privacy-principles">
<h4> <h4>
The Privacy Principles The Privacy Principles
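Review bot: "Qu&eacute;bec1" in the added paragraph has a footnote marker fused onto the word, and no footnote text is added in this hunk; add the footnote in the source with proper footnote markup or drop the "1". The same paragraph states the split two ways in one sentence ("approximately half of workers" and "the remaining 50%"), and the coverage, civil-damages and legislative-origin passages all render inside one `<p>`, which points to missing blank lines in the source.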
@@ -2036,7 +2077,69 @@ applicable statutory deductions.
&para; &para;
</a> </a>
</h4> </h4>
<p>
The Canadian Standards Association (CSA) Model Code is a set of principles that was
developed with input from organizations, governments, consumer associations and other
privacy stakeholders. They are incorporated in Federal private sector privacy legislation and
have become the generally accepted framework for evaluating privacy processes and systems
in Canada2.
Principle 1. Accountability
An organization is responsible for personal information under its control and shall designate
an individual or individuals to be accountable for the organization&rsquo;s compliance with the
following principles.
Principle 2. Identifying Purposes
The purposes for which personal information is collected shall be identified by the
organization at or before the time the information is collected.
Principle 3. Consent
The knowledge and consent of the individual are required for the collection, use, or
disclosure of personal information, except where inappropriate. Note: In certain
circumstances, personal information can be collected, used, or disclosed without the
knowledge and consent of the individual. For example, legal, medical, or security reasons
may make it impossible or impractical to seek consent.
Principle 4. Limiting Collection
The collection of personal information shall be limited to that which is necessary for the
purposes identified by the organization. Information shall be collected by fair and lawful
means.
Principle 5. Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it
was collected, except with the consent of the individual or as required by law. Personal
information shall be retained only as long as is necessary for the fulfillment of those
purposes.
Principle 6. Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the
purposes for which it is to be used.
Principle 7. Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity
of the information.
Principle 8. Openness
An organization shall make readily available to individuals specific information about its
policies and practices relating to the management of personal information.
Principle 9. Individual Access
Upon request, an individual shall be informed of the existence, use and disclosure of his or
her personal information and shall be given access to that information. An individual shall be
able to challenge the accuracy and completeness of the information and have it amended as
appropriate. In certain situations, an organization may not be able to provide access to all the
personal information it holds about an individual. Exceptions to the access requirement
should be limited and specific. The reasons for denying access should be provided to the
individual upon request. Exceptions may include information that is prohibitively costly to
provide, information that contains references to other individuals, information that cannot be
disclosed for legal, security, or commercial proprietary reasons, and information that is
subject to solicitor-client or litigation privilege.
</p>
</section> </section>
</section>
<section id="principle-10-challenging-compliance">
<h3>
Principle 10. Challenging Compliance
<a class="headerlink" href="#principle-10-challenging-compliance" title="Link to this heading">
&para;
</a>
</h3>
<p>
An individual shall be able to address a challenge concerning compliance with the above
principles to the designated individual or individuals accountable for the organization&rsquo;s
compliance.
</p>
<section id="the-personal-information-protection-and-electronic-documents-act-pipeda"> <section id="the-personal-information-protection-and-electronic-documents-act-pipeda">
<h4> <h4>
The Personal Information Protection and Electronic Documents Act (PIPEDA) The Personal Information Protection and Electronic Documents Act (PIPEDA)
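Review bot: Principles 1 through 9 render inside a single `<p>`, with each title ("Principle 1. Accountability", "Principle 2. Identifying Purposes", and so on) running straight into the sentences around it, while Principle 10 is split out into its own `<section id="principle-10-challenging-compliance">` with an `<h3>` after the Personal Privacy section has been closed. Give all ten titles the same markup in the source, with blank lines around them, so they read as ten items inside "The Privacy Principles". "Canada2" at the end of the introductory sentence is also a leftover footnote marker with no footnote in the hunk.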
@@ -2044,6 +2147,174 @@ applicable statutory deductions.
&para; &para;
</a> </a>
</h4> </h4>
<p>
The federal government drew upon the CSA Privacy Principles in its drafting of the federal
Personal Information Protection and Electronic Documents Act (PIPEDA) and the spirit and
much of the wording of the principles can be found throughout PIPEDA.
</p>
<p>
The mandate of the Office of the Privacy Commissioner of Canada (OPC) is overseeing
compliance with both the Privacy Act, which covers the personal information-handling
practices of federal government departments and agencies (including employee data), and the
Personal Information Protection and Electronic Documents Act (PIPEDA), Canada&rsquo;s private
sector privacy law.
</p>
<p>
PIPEDA has applied to federally regulated organizations such as banks, telecommunications
and transportation companies since January 2001 and applies to the collection, use or
disclosure of personal information in the course of any commercial activity within a province
that does not have its own privacy legislation, since January 2004.
</p>
<p>
While this protection of personal information legislation has a significant impact on how
organizations collect, use and disclose personal information relating to commercial
transactions (for example, customer/client lists and information), it is the effect of this
legislation on employee personal information that concerns the payroll and human resources
departments.
</p>
<p>
Employers collect personal employee information to conduct and protect their business, and
to comply with government legislation (for example, Employment/Labour Standards and
statutory deductions relating to CPP/QPP contributions, EI and QPIP premiums along with
income tax). As well, many employers provide benefits such as dental, medical and pension
plans that require the collection of even greater amounts of personal data.
</p>
<div class="admonition note">
<p class="admonition-title">
Note
</p>
<p>
PIPEDA does not require that employers obtain consent from prospective employees, current
employees, or terminated employees to collect, use, and disclose information about that
person where the information is necessary for the creation, maintenance, and termination of
the employment relationship. It is, however, the case that the employer will provide notice to
the employee so that they are knowledgeable with respect to the information that the
employer collects, uses, and discloses.
This notice should be provided to prospective employees as part of the recruitment process
and also as part of the on-boarding process. In addition, if there are changes to personal data
practices for employee information, employees should be informed about such changes in a
timely manner.
</p>
</div>
<p>
<strong>
Consent
</strong>
</p>
<p>
According to PIPEDA, employers must obtain an employee&rsquo;s consent before they collect
personal information where that information is not required for the employment relationship.
Further, the information collected must be for a specific purpose and must be destroyed once
that purpose is no longer valid.
</p>
<p>
There are two forms of consent that can be obtained from an employee - expressed and
implied:
</p>
<p>
<strong>
Expressed consent
</strong>
should be used for particularly sensitive employee information such as
might be asked for in the case of a voluntary employee assistance program.
</p>
<p>
<strong>
Implied consent
</strong>
means the employee is considered to have consented indirectly. An
example of implied consent is when an employee completes a form for an employer provided
but optional service such as a
<em>
social club
</em>
for birthday gifts and notices. Participating in this
club is not required for the employment relationship so consent is required. But the
information requested, and the context is not overly sensitive so consent for the collection
and use of employee data may be implied by the fact that the employee completed the
voluntary form. It doesn&rsquo;t need an &ldquo;I consent&rdquo; checkbox.
</p>
<p>
In essence, the more sensitive the information, the more one should use express written
consent, which outlines in detail the specific purpose for which an employer is using the
information. It is critical for those working in payroll to be aware of the requirements of
privacy legislation that applies to their employees and to have the necessary procedures in
place to comply with the legislation. If an employee chooses not to disclose the information
and is not required to do so by law, an employer cannot force an employee to divulge it.
</p>
<p>
<strong>
Exceptions to Consent Requirement
</strong>
</p>
<p>
Subparagraph 7(3) of the Personal Information Protection and Electronic Documents Act
(Bill C6) allows an employer to disclose personal information without the knowledge or
consent of the individual if the disclosure is made to a government institution which has
identified its lawful authority, and if the disclosure is for the purpose of administering any
law of Canada.
</p>
<p>
PIPEDA permits federal government agencies such as the CRA, ESDC, Service Canada and
provincial/territorial Ministries of Labour to obtain personal employee information needed to
administer programs or benefits, or to perform an audit. Legislation specifically provides
these government bodies with the right to request personal employee information and inspect
certain records and documents. As a result, the employer does not need to obtain the
employee&rsquo;s permission to provide the information.
</p>
<p>
In addition to disclosures to government that are mandated by legislation and in relation to
employment, subparagraph 7.3 of PIPEDA states that an employer that is regulated by
federal labour codes can &ldquo;&hellip;collect, use and disclose personal information without the consent of the individual if
(a) the collection, use or disclosure is necessary to establish, manage or terminate an
employment relationship between the federal work, undertaking or business and the
individual; and
(b) the federal work, undertaking or business has informed the individual that the personal
information will be or may be collected, used or disclosed for those purposes&rdquo;.
</p>
<p>
Use and Storage of Personal Information
According to PIPEDA, organizations can only use information for the purpose for which it
was collected. Employers must fully disclose in writing to the employee the reasons why
they require the information, as well as what will be done with it.
</p>
<p>
Personal information must not be disclosed to external stakeholders without the employee&rsquo;s
consent and only for the purpose for which the information was collected. For example, if the
organization is being audited by a government agency, such as the CRA, the employee&rsquo;s
medical information should not be included with the information provided for audit purposes.
</p>
<p>
There are times when employers are required to collect information about employees in order
to comply with employment/labour standards or human rights legislation. For example, to
accommodate an employee for religious days and holidays, an employer needs to know about
the employee&rsquo;s religious beliefs. To seek out this type of information for any other reason
invades the individual&rsquo;s right to privacy.
</p>
<p>
Limitations on Use - the Social Insurance Number example
The purpose of a social insurance number (SIN) is to identify an individual for specific
government programs. This information may not be collected, stored, used or disclosed for
any other purpose without the employee&rsquo;s consent. Where the SIN is to be used for purposes
of identification, an organization must provide a convenient method for the employee to
withdraw his/her consent for that use at any time.
</p>
<p>
Employers are authorized to collect a SIN from employees in order to produce Records of
Employment and income tax information slips. Unless the employee has provided a SIN for
another specific use, and has consented to that specific use in writing, an employer could be
subject to fines for each improper use of that number.
</p>
<p>
As a general rule, an employer may not communicate the number to a third party without the
employee&rsquo;s specific consent to do so. Exceptions are cases in which it is the employer&rsquo;s
obligation to report an employee&rsquo;s SIN to RQ, CRA, ESDC or Service Canada.
</p>
<p>
The SIN should not be used on pay statements or communicated to unions or benefit carriers.
They should not be used as an identifier by any organization other than the government
agencies mentioned above, unless the employee provides written consent to do so.
</p>
</section> </section>
</section> </section>
<section id="pension-benefits-standards-act"> <section id="pension-benefits-standards-act">
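Review bot: The two statutory citations under "Exceptions to Consent Requirement" are written as "Subparagraph 7(3)" and "subparagraph 7.3", which reads as one provision cited two ways even though the paragraphs attribute different rules to them (disclosure to a government institution that has identified its lawful authority, versus the employment-relationship exception for a federal work, undertaking or business). In PIPEDA these are subsection 7(3) and section 7.3; cite them that way so a reader checking the Act lands on the right clause. Two formatting points in the same hunk: "Use and Storage of Personal Information" and "Limitations on Use - the Social Insurance Number example" are run into the first line of their paragraphs, while "Consent" and "Exceptions to Consent Requirement" each get their own bold paragraph, and the text alternates between "expressed" and "express" consent. Give the two later headings the same markup and pick one spelling.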
@@ -2146,46 +2417,177 @@ applicable statutory deductions.
</li> </li>
</ul> </ul>
</li> </li>
<li>
<p>
Employment and Social Development Canada&rsquo;s Employment Insurance program
</p>
</li>
</ul> </ul>
</div> </div>
</blockquote> </blockquote>
<p> <p>
Employment and Social Development Canada&rsquo;s Employment Insurance program provides temporary financial assistance for unemployed Canadians while they look
provides temporary financial assistance for unemployed Canadians while they look
for work or upgrade their skills. for work or upgrade their skills.
Service Canada serves as the government&rsquo;s operational arm while Employment and
Social Development Canada operates as the policy-making body.
Service Canada is responsible for:
o the issuance of Social Insurance Numbers (SIN) and the protection and
security of SIN information
o the delivery of services to employers, including Record of Employment on the
Web
o the administration of Employment Insurance programs to individuals,
including regular, illness, pregnancy/parental, critically ill or injured person
and compassionate care benefits
o the administration of the Employment Insurance Premium Reduction
program, including granting qualified employers a reduced Employment
Insurance premium rate
</p> </p>
<blockquote> <blockquote>
<div> <div>
<ul class="simple"> <ul class="simple">
<li> <li>
<p> <p>
the administration of Canada Pension Plan benefits, including retirement, disability, survivor, children&rsquo;s and death benefits Service Canada serves as the government&rsquo;s operational arm while Employment and
</p>
</li>
<li>
<p>
the administration of benefits for seniors, including the Old Age Security Program and the Guaranteed Income Supplement Payroll is responsible for deducting and remitting Employment Insurance premiums
</p> </p>
</li> </li>
</ul> </ul>
</div> </div>
</blockquote> </blockquote>
<p> <p>
on behalf of employees and employers. Payroll is responsible for capturing information related to insurable earnings and Social Development Canada operates as the policy-making body.
hours, and reporting that information on the Record of Employment. </p>
<blockquote>
<div>
<ul class="simple">
<li>
<p>
Service Canada is responsible for:
</p>
<ul>
<li>
<p>
the issuance of Social Insurance Numbers (SIN) and the protection and security of SIN information
</p>
</li>
<li>
<p>
the delivery of services to employers, including Record of Employment on the Web
</p>
</li>
<li>
<p>
the administration of Employment Insurance programs to individuals, including regular, illness, pregnancy/parental, critically ill or injured person and compassionate care benefits
</p>
</li>
<li>
<p>
the administration of the Employment Insurance Premium Reduction program, including granting qualified employers a reduced Employment Insurance premium rate
</p>
</li>
<li>
<p>
the administration of Canada Pension Plan benefits, including retirement, disability, survivor, children&rsquo;s and death benefits
</p>
</li>
<li>
<p>
the administration of benefits for seniors, including the Old Age Security Program and the Guaranteed Income Supplement Payroll is responsible for deducting and remitting Employment Insurance premiums on behalf of employees and employers.
</p>
</li>
</ul>
</li>
<li>
<p>
Payroll is responsible for deducting and remitting Employment Insurance premiums on behalf of employees and employers.
</p>
</li>
<li>
<p>
Payroll is responsible for capturing information related to insurable earnings and hours, and reporting that information on the Record of Employment.
</p>
</li>
<li>
<p>
The Canadian government based its privacy provisions in its legislation for the
</p>
</li>
</ul>
</div>
</blockquote>
<p>
protection of personal information on a set of guidelines called the Ten Privacy
Principles.
</p>
<blockquote>
<div>
<ul class="simple">
<li>
<p>
The Personal Information Protection and Electronic Documents Act has applied to
</p>
</li>
</ul>
</div>
</blockquote>
<p>
federally-regulated organizations such as banks, telecommunications and
transportation companies since January 2001.
</p>
<blockquote>
<div>
<ul class="simple">
<li>
<p>
Since January 2004 the Personal Information Protection and Electronic Documents
</p>
</li>
</ul>
</div>
</blockquote>
<p>
Act has applied to the collection, use or disclosure of personal information in the
course of any commercial activity within a province that does not have its own
privacy legislation.
</p>
<blockquote>
<div>
<ul class="simple">
<li>
<p>
Express consent means the employee provides their consent either verbally (in which
</p>
</li>
</ul>
</div>
</blockquote>
<p>
case when and how the consent was received should be documented) or in writing.
</p>
<blockquote>
<div>
<ul class="simple">
<li>
<p>
Implied consent means the employee is considered to have consented indirectly.
</p>
</li>
<li>
<p>
The employer does not need to obtain the employee&rsquo;s permission to provide personal
</p>
</li>
</ul>
</div>
</blockquote>
<p>
information where legislation provides federal government agencies such as the
Canada Revenue Agency, Employment and Social Development Canada, Service
Canada and provincial/territorial Ministries of Labour with the right to request
personal employee information in order to administer programs or benefits, or in the
case of an audit.
</p>
<blockquote>
<div>
<ul class="simple">
<li>
<p>
Other than an employer&rsquo;s obligation to report an employee&rsquo;s Social Insurance
</p>
</li>
</ul>
</div>
</blockquote>
<p>
Number to the Canada Revenue Agency, Employment and Social Development
Canada, Service Canada or Revenu Qu&eacute;bec, an employer may not communicate the
number to a third party without the employee&rsquo;s specific consent to do so.
</p> </p>
</section> </section>
<section id="review-questions"> <section id="review-questions">
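Review bot: Several bullets in the added list stop partway through a sentence, with the rest rendered as a separate paragraph outside the list, for example the item ending "The Canadian government based its privacy provisions in its legislation for the" followed by a paragraph starting "protection of personal information on a set of guidelines". The same break occurs in the items on the January 2001 and January 2004 application of the Act, express consent, government agencies' right to request information, and the Social Insurance Number. This pattern usually means the continuation lines in the source are not indented to align with the bullet text; fix it there and regenerate the page. The last Service Canada sub-bullet also swallows the following sentence ("...the Guaranteed Income Supplement Payroll is responsible for deducting and remitting Employment Insurance premiums..."), which is then repeated as its own bullet, so one of the two copies should go.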
@@ -2238,6 +2640,19 @@ hours, and reporting that information on the Record of Employment.
</p> </p>
</div> </div>
</blockquote> </blockquote>
<p>
6. How does the Personal Information Protection and Electronic Documents Act
legislation affect the handling of employee personal information?
</p>
<p>
7. Explain the difference between implied and express employee consent and provide an
example of each.
</p>
<p>
8. The Personal Information Protection and Electronic Documents Act contains ten
privacy principles. Choose two and develop a statement for each that could be included
in your organization&rsquo;s privacy policy.
</p>
</section> </section>
</section> </section>
<span id="document-3_contracts"> <span id="document-3_contracts">
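Review bot: Questions 6 to 8 are added as bare paragraphs with the numbers typed into the text, placed after the closing blockquote of the preceding block, so they sit outside whatever structure holds the earlier questions and will not renumber with them. Add them to the same list as the earlier questions. Question 8 also says the Act "contains ten privacy principles", while the text added elsewhere in this commit describes the principles as a set of guidelines (the CSA Privacy Principles) that the legislation drew upon; align the wording so the question matches what the chapter teaches. Question 7 uses "express" consent where the section body introduces the term as "Expressed consent"; use one form throughout.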