Tagged: record retention
Forum: Community
We are currently putting together a personal information retention checklist that captures the requirements under employment standards and CRA and balancing with privacy legislation’s requirements to delete identifiable personal information.
CRA payroll records have the longest retention year of 6 plus current year. We would still like to have history of former employees, which would include their name and position.
I am looking for some guidance on whether keeping this information would be deemed a breach of privacy legislation. We have employees in both BC and Alberta.
Thanks!
Great question — you’re thinking about exactly the right balance between employment and tax record retention requirements and privacy law obligations to minimize or delete personal information. Here’s a structured overview to guide you, specifically for BC and Alberta employees, under employment standards, CRA, and private sector privacy legislation.
1. Employment Standards & CRA Retention Requirements
Canada Revenue Agency (CRA)
Payroll records must be kept for six years from the end of the last tax year to which they relate.
Records include: name, address, SIN, pay information, deductions, and T4 slips.
This is the longest mandatory retention period, and overrides shorter retention periods under other legislation.
Employment Standards (BC & Alberta)
Both provinces require employers to retain payroll and employment records for a minimum of three years after employment ends.
BC: Employment Standards Act, s. 28(1) — payroll records must be kept for 2 years after the employment ends.
Alberta: Employment Standards Code, s. 15 — records must be kept for 3 years from the date the record was made.
Practically, most employers align with CRA’s 6+1 year requirement for consistency.
2. Privacy Legislation (PIPA BC & Alberta)
Both provinces are governed by their Personal Information Protection Acts (PIPA) (separate from the federal PIPEDA):
Organizations must retain personal information only as long as necessary to fulfill the identified purposes or to comply with legal/regulatory requirements.
Once the legal purpose has expired, personal information must be destroyed, erased, or made anonymous.
However, PIPA allows retaining non-sensitive information for archival or historical purposes, provided:
-There’s a reasonable purpose consistent with the original collection,
-Access is limited,
-Information retained is minimal and proportionate.
Key point: Keeping limited identifying information (e.g., name, position, employment dates) after the CRA/employment record retention period has expired is not automatically a breach, if:
-The information is kept for legitimate business or historical purposes (e.g., reference checks, workforce history, recognition records),
-You have policies limiting access and use, and
-You no longer retain sensitive data (e.g., SIN, addresses, bank info).
3. Recommended Approach
To comply with both privacy and retention rules:
Document your retention schedule clearly, linking each category of information to the legal basis and retention period (e.g., payroll → CRA → 6+1 years).
After the retention period, delete or anonymize sensitive personal information (e.g., SIN, addresses, performance records).
Retain a minimal record (name, job title, dates of employment) for legitimate business purposes.
Keep this in a separate, access-controlled historical register.
Note the purpose (e.g., “to verify past employment or organizational history”).
Include this practice in your privacy policy or retention schedule to demonstrate compliance with PIPA’s accountability principle.
4. BC vs Alberta – Differences
There are no major differences between BC and Alberta PIPA in this area. Both focus on reasonableness and purpose limitation.
Neither jurisdiction has an absolute “delete after X years” rule — instead, you must justify why you are keeping the data and ensure it’s no more than necessary.
Caution
Do not retain SIN numbers or other government-issued IDs beyond legal retention periods.
Limit access strictly to HR or records personnel.
Have a written deletion/anonymization procedure to demonstrate compliance if audited.
Payroll and tax records, including information such as Social Insurance Numbers (SIN), T4 slips, and wage details, must be retained for six years plus the current year to comply with Canada Revenue Agency (CRA) requirements. Employment standards legislation in BC and Alberta requires employment records—such as hours worked and wage information—to be kept for two to three years after employment ends. Once these legal retention periods have expired, sensitive personal information (such as SIN, addresses, and detailed payroll data) should be securely deleted or anonymized. However, organizations may retain a minimal record of former employees—typically limited to their name, position, and dates of employment—for legitimate business or historical purposes, such as verifying past employment or maintaining organizational history. This retained information should be stored securely, with access restricted to authorized personnel, and clearly documented in the organization’s records retention schedule or privacy policy to demonstrate compliance with privacy legislation.
In short:
No — retaining just name and position of former employees beyond statutory periods is not considered a privacy breach, provided you have a documented purpose and safeguard the data. It’s common and permissible to maintain a “former employees directory” or organizational history record that has been stripped of sensitive information.
I hope this helps!
-HRInsider Staff
Thank you for this great question and the valuable guideline response. Could you comment on the requirements for the province of Ontario?
Yes – Ontario is a little more nuanced but here are my findings and recommendations.
Under the Employment Standards Act, 2000 (ESA) in Ontario:
Employers must keep records for each employee of their name, address, and start date of employment. These must be kept for three years after the employment ends.
For other records (hours, wages, etc.) the same three-year retention after termination generally applies.
The ESA sets the minimum retention timeframe; it doesn’t necessarily prevent keeping longer records, but it does indicate how long they must be kept.
Privacy laws and employee personal information
There is no general Ontario provincial statute that governs private-sector employers’ collection/use/retention of employee personal information (outside of health information) analogous to FIPPA for public institutions.
Federally, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to federally regulated enterprises and sets broad principles regarding personal information: collection, use, disclosure and retention must be limited, transparent, necessary, deceased when no longer required, etc.
The workplace privacy guidance from the Office of the Privacy Commissioner of Canada emphasizes that employee privacy rights persist (even for former employees) and that retention of personal information must be addressed.
Key privacy / retention principles
Some of the fundamental “fair information principles” relevant here are:
-Purpose limitation – collect only what’s needed for a stated purpose.
-Retention limitation – keep personal information only as long as necessary for the stated purpose.
-Transparency / policy – inform employees (or former employees) about what is collected, how long it will be kept, for what purpose.
What the law does not require / allow
The ESA gives a minimum retention period; it doesn’t mandate indefinite retention of all employee data.
There is no Ontario statute that says you must delete all employee personal information after X years (for private sector employers). The retention must be reasonable under privacy principles.
Blanket indefinite retention of personal information without a clear purpose and retention policy may raise privacy-risk issues.
Applying this to your scenario
You mention:
The CRA payroll records must be kept for 6 years + current year (for tax compliance).
You want to retain former employees’ name and position (and perhaps limited other info) beyond the minimum three-year ESA requirement.
Question: Would this be a breach of privacy?
Here’s how I’d analyse it:
Legitimate purpose: You have a legitimate business/tax purpose in keeping basic former employee information (name, position) for historical, auditing, or reference reasons. This supports purpose limitation.
Minimum requirement from ESA: For name/address/start date etc you must retain for at least 3 years after termination. If you keep longer, you are going beyond minimum—but that is not automatically prohibited.
Retention beyond that: The key is whether the extended retention remains justified (purpose still valid), documented, and proportionate. If you only keep “name + position” (low sensitivity) and you can show business value (e.g., for referencing past roles, verifying experience, responding to inquiries) then the privacy risk is low.
Sensitive vs non-sensitive info: The greater the sensitivity of the personal information (e.g., SIN, health information, detailed performance review, disciplinary records) the more careful you must be. Name + position is relatively benign compared to more sensitive personal data.
Transparency / policy: Have a clear retention and deletion policy that states: “We retain former employee basic records for X years (or until end of business need) then we review and either archive securely/deidentify or delete.” Communicate this to employees (or include in employment agreement/HR policy).
Secure storage: Even basic information must be protected from unauthorized access/disclosure.
Deletion/archival plan: After the business purpose ceases, you should delete or anonymise the data. For example if you say you’ll keep name+position for up to 10 years for reference, after 10 years you might move to a “former employees archive” or remove altogether.
Regulatory compliance (CRA): Because you have a regulatory requirement for payroll records (6 years + current year) you must retain certain data for tax audit purposes. That gives you a clear purpose and time frame. For other info (like name+position beyond that requirement) you need to ensure you still have a purpose.
So: Is it a breach of privacy?
In my view: It is unlikely to be a breach of privacy if you:
-Limit what you keep (name + position) to what you need.
-Have a documented purpose (e.g., auditing, historical reference).
-Have a retention limit or periodic review for deletion/archiving.
-Apply appropriate safeguards.
-Are transparent with employees.
It could become problematic if you keep large amounts of personal information indefinitely without purpose or policy, or if the information is more sensitive than necessary.
Practical recommendations for your checklist
Here are some steps to build into your retention checklist to ensure you’re aligned with ESA + privacy best practices:
-Record the regulatory retention requirement:
-Payroll tax / CRA related: keep for 6 years + current year (you have).
-ESA minimum: name/address/start date etc for 3 years after termination.
-Define your business-purpose extension:
Example: Keep “name + position (and termination date)” for up to X years (e.g., 10 years) for reference/historical purposes.
-Document rationale for X years.
-Classify data types:
Minimal (name + position + termination date) → lower sensitivity → you may keep longer.
More sensitive (home address, SIN, health info, disciplinary records) → limit retention and delete when no longer needed.
-Establish retention review/deletion schedule:
For each data class define: retention period, storage format, deletion method, review trigger.
Example: Every year review “former employee basic records older than X years” for deletion or archival.
-Transparency / policy:
Include in your HR/Privacy policy: that you retain certain former employee basic records, for how long, why, how they can request their data etc.
Consider letting former employees (or employees) know about the retention policy.
-Safeguards:
-Ensure access control, encryption where appropriate, secure deletion procedures.
-Ensure when archived the data is still protected.
-Document decision-making:
-Document how you determined the retention period and business rationale in case you need to justify it (e.g., if challenged).
A few nuances & caveats
If your organization is federally regulated (banks, airlines, telecoms), then PIPEDA (and its privacy obligations) apply. Then your obligations around retention, access and correction are stricter. In Ontario private sector for provincially-regulated employers there’s less specific statute but best practice is still to follow PIPEDA-style principles.
Even in private sector, there is emerging case law around employee privacy expectation (especially with electronic devices) which emphasizes that employers must still respect privacy rights and not treat “anything goes”.
Just because you can retain something doesn’t mean you should retain it indefinitely. Privacy risk grows over time (lost records, accumulation of data, cross-reference risk).
If you share, disclose, or transfer former employee personal information (even basic name/position) externally, you must also consider privacy obligations around disclosure and consent.
-HRInsider Staff