Yes – Ontario is a little more nuanced but here are my findings and recommendations.
Under the Employment Standards Act, 2000 (ESA) in Ontario:
Employers must keep records for each employee of their name, address, and start date of employment. These must be kept for three years after the employment ends.
For other records (hours, wages, etc) the same three-year retention after termination generally applies.
The ESA sets the minimum retention timeframe; it doesn’t necessarily prevent keeping longer records, but it does indicate how long they must be kept.
Privacy laws and employee personal information
There is no general Ontario provincial statute that governs private-sector employers’ collection/use/retention of employee personal information (outside of health information) analogous to FIPPA for public institutions.
Federally, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to federally regulated enterprises and sets broad principles regarding personal information: collection, use, disclosure and retention must be limited, transparent, necessary, destroyed when no longer required, etc.
The workplace privacy guidance from the Office of the Privacy Commissioner of Canada emphasizes that employee privacy rights persist (even for former employees) and that retention of personal information must be addressed.
Key privacy / retention principles
Some of the fundamental “fair information principles” relevant here are:
- Purpose limitation – collect only what’s needed for a stated purpose.
- Retention limitation – keep personal information only as long as necessary for the stated purpose.
- Transparency / policy – inform employees (or former employees) about what is collected, how long it will be kept, and for what purpose.
What the law does not require / allow
The ESA gives a minimum retention period; it doesn’t mandate indefinite retention of all employee data.
There is no Ontario statute that says you must delete all employee personal information after X years (for private sector employers). The retention must be reasonable under privacy principles.
Blanket indefinite retention of personal information without a clear purpose and retention policy may raise privacy-risk issues.
Applying this to your scenario
You mention:
The CRA payroll records must be kept for 6 years + current year (for tax compliance).
You want to retain former employees’ name and position (and perhaps limited other info) beyond the minimum three-year ESA requirement.
Question: Would this be a breach of privacy?
Here’s how I’d analyse it:
Legitimate purpose: You have a legitimate business/tax purpose in keeping basic former employee information (name, position) for historical, auditing, or reference reasons. This supports purpose limitation.
Minimum requirement from ESA: For name/address/start date etc you must retain for at least 3 years after termination. If you keep longer, you are going beyond minimum—but that is not automatically prohibited.
Retention beyond that: The key is whether the extended retention remains justified (purpose still valid), documented, and proportionate. If you only keep “name + position” (low sensitivity) and you can show business value (e.g., for referencing past roles, verifying experience, responding to inquiries) then the privacy risk is low.
Sensitive vs non-sensitive info: The greater the sensitivity of the personal information (e.g., SIN, health information, detailed performance review, disciplinary records) the more careful you must be. Name + position is relatively benign compared to more sensitive personal data.
Transparency / policy: Have a clear retention and deletion policy that states: “We retain former employee basic records for X years (or until end of business need) then we review and either archive securely/deidentify or delete.” Communicate this to employees (or include in employment agreement/HR policy).
Secure storage: Even basic information must be protected from unauthorized access/disclosure.
Deletion/archival plan: After the business purpose ceases, you should delete or anonymise the data. For example if you say you’ll keep name+position for up to 10 years for reference, after 10 years you might move to a “former employees archive” or remove altogether.
Regulatory compliance (CRA): Because you have a regulatory requirement for payroll records (6 years + current year) you must retain certain data for tax audit purposes. That gives you a clear purpose and time frame. For other info (like name+position beyond that requirement) you need to ensure you still have a purpose.
So: Is it a breach of privacy?
In my view: It is unlikely to be a breach of privacy if you:
- Limit what you keep (name + position) to what you need.
- Have a documented purpose (e.g., auditing, historical reference).
- Have a retention limit or periodic review for deletion/archiving.
- Apply appropriate safeguards.
- Are transparent with employees.
It could become problematic if you keep large amounts of personal information indefinitely without purpose or policy, or if the information is more sensitive than necessary.
Practical recommendations for your checklist
Here are some steps to build into your retention checklist to ensure you’re aligned with ESA + privacy best practices:
- Record the regulatory retention requirement:
  - Payroll tax / CRA related: keep for 6 years + current year (you have).
  - ESA minimum: name/address/start date etc. for 3 years after termination.
- Define your business-purpose extension:
  - Example: Keep “name + position (and termination date)” for up to X years (e.g., 10 years) for reference/historical purposes.
  - Document rationale for X years.
- Classify data types:
  - Minimal (name + position + termination date) → lower sensitivity → you may keep longer.
  - More sensitive (home address, SIN, health info, disciplinary records) → limit retention and delete when no longer needed.
- Establish retention review/deletion schedule:
  - For each data class define: retention period, storage format, deletion method, review trigger.
  - Example: Every year review “former employee basic records older than X years” for deletion or archival.
- Transparency / policy:
  - Include in your HR/Privacy policy that you retain certain former employee basic records, for how long, why, and how they can request their data, etc.
  - Consider letting former employees (or employees) know about the retention policy.
- Safeguards:
  - Ensure access control, encryption where appropriate, and secure deletion procedures.
  - Ensure that when archived the data is still protected.
- Document decision-making:
  - Document how you determined the retention period and business rationale in case you need to justify it (e.g., if challenged).
A few nuances & caveats
If your organization is federally regulated (banks, airlines, telecoms), then PIPEDA (and its privacy obligations) apply. Then your obligations around retention, access and correction are stricter. In Ontario private sector for provincially-regulated employers there’s less specific statute but best practice is still to follow PIPEDA-style principles.
Even in private sector, there is emerging case law around employee privacy expectation (especially with electronic devices) which emphasizes that employers must still respect privacy rights and not treat “anything goes”.
Just because you can retain something doesn’t mean you should retain it indefinitely. Privacy risk grows over time (lost records, accumulation of data, cross-reference risk).
If you share, disclose, or transfer former employee personal information (even basic name/position) externally, you must also consider privacy obligations around disclosure and consent.
- HRInsider Staff