HR Home Forums Community Record retention requirements and privacy legislation Reply To: Record retention requirements and privacy legislation

Haley O’Halloran
Keymaster
October 16, 2025 at 6:56 am
Post count: 203
#97271

Great question — you’re thinking about exactly the right balance between employment and tax record retention requirements and privacy law obligations to minimize or delete personal information. Here’s a structured overview to guide you, specifically for BC and Alberta employees, under employment standards, CRA, and private sector privacy legislation.

1. Employment Standards & CRA Retention Requirements

Canada Revenue Agency (CRA)

Payroll records must be kept for six years from the end of the last tax year to which they relate.

Records include: name, address, SIN, pay information, deductions, and T4 slips.

This is the longest mandatory retention period, and overrides shorter retention periods under other legislation.

Employment Standards (BC & Alberta)

Both provinces require employers to retain payroll and employment records for a minimum of three years after employment ends.

BC: Employment Standards Act, s. 28(1) — payroll records must be kept for 2 years after the employment ends.

Alberta: Employment Standards Code, s. 15 — records must be kept for 3 years from the date the record was made.

Practically, most employers align with CRA’s 6+1 year requirement for consistency.

2. Privacy Legislation (PIPA BC & Alberta)

Both provinces are governed by their Personal Information Protection Acts (PIPA) (separate from the federal PIPEDA):

Organizations must retain personal information only as long as necessary to fulfill the identified purposes or to comply with legal/regulatory requirements.

Once the legal purpose has expired, personal information must be destroyed, erased, or made anonymous.

However, PIPA allows retaining non-sensitive information for archival or historical purposes, provided:

-There’s a reasonable purpose consistent with the original collection,
-Access is limited,
-Information retained is minimal and proportionate.

Key point: Keeping limited identifying information (e.g., name, position, employment dates) after the CRA/employment record retention period has expired is not automatically a breach, if:

-The information is kept for legitimate business or historical purposes (e.g., reference checks, workforce history, recognition records),
-You have policies limiting access and use, and
-You no longer retain sensitive data (e.g., SIN, addresses, bank info).

3. Recommended Approach

To comply with both privacy and retention rules:

Document your retention schedule clearly, linking each category of information to the legal basis and retention period (e.g., payroll → CRA → 6+1 years).

After the retention period, delete or anonymize sensitive personal information (e.g., SIN, addresses, performance records).

Retain a minimal record (name, job title, dates of employment) for legitimate business purposes.

Keep this in a separate, access-controlled historical register.

Note the purpose (e.g., “to verify past employment or organizational history”).

Include this practice in your privacy policy or retention schedule to demonstrate compliance with PIPA’s accountability principle.

4. BC vs Alberta – Differences

There are no major differences between BC and Alberta PIPA in this area. Both focus on reasonableness and purpose limitation.

Neither jurisdiction has an absolute “delete after X years” rule — instead, you must justify why you are keeping the data and ensure it’s no more than necessary.

Caution

Do not retain SIN numbers or other government-issued IDs beyond legal retention periods.

Limit access strictly to HR or records personnel.

Have a written deletion/anonymization procedure to demonstrate compliance if audited.

Payroll and tax records, including information such as Social Insurance Numbers (SIN), T4 slips, and wage details, must be retained for six years plus the current year to comply with Canada Revenue Agency (CRA) requirements. Employment standards legislation in BC and Alberta requires employment records—such as hours worked and wage information—to be kept for two to three years after employment ends. Once these legal retention periods have expired, sensitive personal information (such as SIN, addresses, and detailed payroll data) should be securely deleted or anonymized. However, organizations may retain a minimal record of former employees—typically limited to their name, position, and dates of employment—for legitimate business or historical purposes, such as verifying past employment or maintaining organizational history. This retained information should be stored securely, with access restricted to authorized personnel, and clearly documented in the organization’s records retention schedule or privacy policy to demonstrate compliance with privacy legislation.

In short:

No — retaining just name and position of former employees beyond statutory periods is not considered a privacy breach, provided you have a documented purpose and safeguard the data. It’s common and permissible to maintain a “former employees directory” or organizational history record that has been stripped of sensitive information.

I hope this helps!
-HRInsider Staff