Employee Privacy Policy

Last Updated: October 7, 2010
Date policy statement was approved by the Board of Directors: June 5, 2008

1. The Policy Statement

Canada Post has long recognized and accepted its responsibility to protect the privacy of its employees and to safeguard their personal information. Canada Post is committed to the management of employee personal information in a responsible and business-like manner. The collection, use, disclosure, retention, and disposal of employee personal information, and the privacy protection practices contained in this policy, were developed according to the requirements of, and in compliance with, the Privacy Act of Canada.

Employees should refer to the Canada Post Customer Privacy Policy for the standards that govern the treatment of personal information held by Canada Post on behalf of its customers and business partners.

2. More about the Policy

In the course of its daily activities, Canada Post needs to collect personal information from its employees to provide services, make decisions and support its business operations, programs and activities. The purpose of this policy is to outline Canada Post’s commitment to protect employee personal information and manage this information with the utmost responsibility and care.

This policy applies to all Canada Post employees. It governs the collection, use, and disclosure of all employee personal information, regardless of whether the information is held in hard copy or digital form. The policy sets out guidelines to ensure Canada Post has established systems and procedures that will protect and maintain the confidentiality and security of employee personal information. The policy ensures that Canada Post provides employees with the right to access and correct personal information that Canada Post holds on their behalf, and outlines a complaint-handling procedure should employees have concerns about the privacy of, and access rights to, their personal information.

In addition to the commitment outlined in this policy, Canada Post must prepare an Annual Report of its privacy practices for the Government of Canada and provide a listing of its personal information holdings in Info Source. It is also a Canada Post practice to conduct Privacy Impact Assessments that ensure privacy protections are built into the design of new systems or services involving the collection, use, disclosure or retention of employee personal information.

2.1 Collection of Personal Information

Canada Post shall only collect employee personal information that relates directly to employment and authorized employment programs or activities. Wherever possible, employee personal information used in decision-making is collected directly from the individual to whom the information relates and individuals are informed of the purpose of the collection at the time of the collection.

Employee personal information obtained from existing Canada Post records and/or systems must be used for a purpose that is consistent with the original purpose for which the information was collected, unless otherwise authorized under the Privacy Act.

2.2 Use and Disclosure of Personal Information

Canada Post shall only use employee personal information or disclose it to third parties for the purpose for which the information was originally obtained or compiled, or for a use consistent with that purpose. The consent of the employee must be obtained before their personal information is used or disclosed for any other purpose, unless the proposed use is authorized under the Privacy Act.

Canada Post accounts for all uses and disclosures not identified in the relevant Personal Information Bank description by attaching copies of the disclosure request and Canada Post’s response to the file from which the employee personal information was obtained.

Certain employee Personal Information Banks, such as federal investigative body enquiries, are exempt from disclosure under the Privacy Act. These include Personal Information Banks that contain employee personal information where:

  • Disclosure of the information could reasonably be expected to be injurious to the conduct of international affairs, the defence of Canada or any state allied or associated with Canada; or
  • The information was obtained or prepared in the course of lawful investigations pertaining to:
    1. Detection, prevention or suppression of crime,
    2. Enforcement of any law of Canada or a province, or
    3. Activities suspected of constituting threats to the security of Canada within the meaning of the Canadian Security Intelligence Service Act.

2.3 Retention and Disposal of Personal Information

Canada Post retains and disposes of its employee personal information in accordance with the Corporation’s Records Management Policy, which is based on the timeframe specified in the Privacy Act and its regulations as well as other applicable legislation (i.e. the Library and Archives Act). The records management schedule for employee personal information incorporates a minimum two-year retention period for administrative records used in decision-making directly affecting an individual unless specified in a collective agreement.

Disposing of personal information, including the disposal of waste material containing personal information, must be done using secure means such as shredding or burning.

2.4 Accuracy of Personal Information

Canada Post takes all reasonable steps to ensure that employee personal information is as accurate, complete and up-to-date as possible to minimize the possibility that inappropriate information may be used to make a decision about an employee.

Upon written request, individuals can access information held in their employee files and ask that any inaccurate or incomplete information about them be corrected. However, some restrictions may apply.

Substantial modifications to existing employee personal information or the creation of new employee personal information must be done in consultation with the GM, Privacy Leader/Corporate Privacy Coordinator. The Coordinator must be involved at an early stage in the design and redesign of an employee information program, service or activity that involves the collection, use or disclosure of employee personal information.

2.5 Safeguarding Personal Information

Employee personal information is classified as “PROTECTED” in Canada Post’s Information Classification practice and is protected from unauthorized access, use, disclosure, removal, alteration, interruption and destruction in accordance with Canada Post’s Information Security Policy.

Employee personal information must not be disclosed by telephone, unless both the caller’s identity and reason for the request are verified, nor should it be posted or in any other way viewable by the general public or by employees other than those individuals who have a legitimate need to know to fulfill their official duties. Information should be made anonymous by removing the name or personal identifier (such as employee identification number) from the data file when the identity of the individual is not required for a particular use.

Employee personal information transmitted by mail must be securely sealed in double envelopes, with the inside envelope stamped “PROTECTED” and the intended recipient identified.

Computerized systems containing employee personal information must include special protective measures such as passwords to ensure that only authorized users have read and/or write access. Paper-based input/output reports must be produced by secure printers; desktop computers must be positioned to prevent casual observation and turned off when unattended. The electronic transmission of personal data, including by facsimile, must occur between controlled access points in secure locations.

Canada Post may use outside service providers or agents to collect and/or use employee personal information on its behalf, such as security checks prior to employment. As part of the contractual agreements, these suppliers must protect employee personal information in a manner consistent with the privacy policies and practices established by Canada Post and as obligated under the Privacy Act.

2.6 Access to Personal Information

Upon request, Canada Post shall provide an employee with a reasonable opportunity to access their personal information contained in their personal file. Employees must submit a written request to the GM, Privacy Leader/Corporate Privacy Coordinator, Manager or Supervisor. Personal information shall be provided within 30 calendar days of receipt of a written request.

Access will not be provided when the records contain information that would be exempt from access under the Privacy Act, such as containing personal information about other individuals or investigative records. If access to personal information cannot be provided, Canada Post shall provide the reasons for denying access.

2.7 Right to Complain

Canada Post is committed to investigating and resolving all complaints related to privacy, confidentiality or its information-handling practices in the most thorough, prompt and confidential manner possible. Any employee who believes their privacy or access-related rights have been breached can submit a complaint in writing to one of the Privacy Coordinators. Unionized employees may choose to involve their union.

On completing the investigation, the investigator will communicate the findings to the individual who made the complaint and, in the case of unionized employees, to the union if it was involved.

Canada Post representatives involved in an investigation will not disclose the identity of anyone who: reports a violation of the policy; participates in the investigation of the violation; or is being investigated for having violated the policy, unless such disclosure is essential to resolving the incident or is required by law.

Individuals who are not satisfied with the measures taken by Canada Post may submit a complaint to the Privacy Commissioner of Canada, the nation’s ombudsman for addressing unresolved privacy and access complaints:

Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3
1-800-282-1376
info@privcom.gc.ca

2.8 Definitions

2.8.1 Employee Personal Information:
refers to information about an identifiable individual who is employed by Canada Post and includes but is not restricted to:

  • Race, national or ethnic origin, colour, religion, age or marital status;
  • Medical, educational, financial, employment and criminal history;
  • Address and identifying numbers assigned to the individual;
  • Correspondence with Canada Post that is explicitly or implicitly of a private nature;
  • The views or opinions of another individual about the individual; and
  • The name of an individual, where disclosure of the name itself would reveal information about the individual.

2.8.2 Info Source:
Info Source is a series of publicly available directories containing information about the Government of Canada, its organization and employee personal information held by federal employers. Info Source is a key reference tool to help individuals exercise their rights under the Privacy Act.

2.8.3 Personal Information Banks (PIB):
Canada Post maintains, in hard copy or digital form, personal information on current and former employees, as well as employment applicants, in Personal Information Banks.

As defined in the Privacy Act, a Personal Information Bank refers to a privacy-sensitive records system containing personal information which: 1) has been used, is being used or is available for use in decision-making affecting individuals directly, and/or 2) is retrievable by personal identifier.

Canada Post’s Personal Information Banks related to employees are published in Chapter 17 of Info Source. A Personal Information Bank listing in Info Source includes:

  • A description of the type of records under Description
  • The category of employees covered under Class of Individuals
  • The reason for collecting the information under Purpose
  • The intended use or disclosure of the information under Consistent Uses
  • How long the information is kept under Retention and Disposal Standards

2.9 Roles and Responsibilities

Employees

Canada Post employees at all levels are responsible for complying with this policy. Managers, Team Leaders and Supervisors share the responsibility for ensuring employee awareness of this policy.

General Manager, Privacy Leader/Corporate Privacy Coordinator

The General Manager, Privacy Leader/Corporate Privacy Coordinator is responsible for overseeing this policy including (but not restricted to): interpretation (in consultation with Legal Affairs), compliance, coordination of implementation activities, and monitoring results.

Head Office and Regional Privacy Coordinators

Head Office and Regional Privacy Coordinators are responsible for the administration of this policy in their respective divisions.

Personal Information Bank (PIB) Managers

Personal Information Bank Managers are responsible for ensuring their PIBs are registered annually, updated as required and managed in accordance with this policy.

Information Specialists (Records Management, Corporate and IT Security)

Information Specialists are responsible for ensuring their operations, with respect to the design, maintenance, disposal and/or inspection of privacy-sensitive (forms/records/IT) systems, are consistent with this policy.

Internal Audit

Internal Audit is responsible for conducting periodic compliance audits, as a component of normal management audits.

3. Breach of Policy

Canada Post employees at all levels, including contracted service providers, are responsible for complying with this policy. Failure to comply with this policy could result in sanctions up to and including dismissal from Canada Post. Failure to comply by contracted service providers will result in sanctions up to and including termination of contracted services.