When you’re starting to drown between employee concerns, payroll duties and helping your CEO -- HR Insider is there to help get the logistical work out of the way.
Need a policy because of a recent regulatory change? We’ve got it for you. Need some quick training on a specific HR topic? We’ve got it for you. HR Insider provides the resources you need to craft, implement and monitor policies with confidence. Our team of experts (which includes lawyers, analysts and HR professionals) keep track of complex legislation, pending changes, new interpretations and evolving case law to provide you with the policies and procedures to keep you ahead of problems. FIND OUT MORE...
How to Get Consent to Use Employees’ Personal Information for HR Functions

Consent isn’t valid unless it’s “meaningful”.

HR directors need personal information about employees to carry out basic functions like verifying an employee’s eligibility for disability benefits and filling out their T4 slip. But personal privacy laws of some jurisdictions require employers to get employees’ consent to collect, use and disclose their personal information Getting employee consent can be tricky. Consent doesn’t count unless it’s meaningful. Simply having employees sign a boilerplate consent form may not work.  The consent form must be clear and specific so employees know exactly what they’re consenting to.

How can you tell if the consent form you’re using meets this test? Because the privacy laws don’t address that issue, you must look at privacy commission guidelines and actual cases where individuals claimed that a consent form they signed was defective. The good news is that you don’t have to gather up and analyzing the cases yourself—or shell out about $10,000 to have a lawyer do it. We’ve done the heavy lifting for you.

Which Employers Must Get Employee Consent?

Employers in Alberta, BC and Québec are subject to provincial privacy laws. All other employers are covered by the federal Personal Information Protection & Electronic Documents Act (PIPEDA). Among those, only federally regulated employers must get employee consent. In the other jurisdictions where PIPEDA applies, that is, everywhere but AB, BC and QC, it covers customer but not employee information.

However, employers in those jurisdictions aren’t necessarily free and clear. The duty to get consent to collect employees’ personal information may derive from other sources, including case law, aka, “common law,” and/or the terms of collective agreements or individual employment contracts. Bottom Line: Employee consent is an issue all employers have to reckon with.

When Is Consent Required?

Exceptions to personal privacy laws authorize collection, use and disclosure of protected information without consent in certain situations, such as where the collection, use and/or disclosure is:

  • Required by law, such as to comply with a subpoena or report injury information to workers comp;
  • Clearly in the interests of the employee and consent can’t be obtained in a timely manner;
  • Reasonably necessary for a legal investigation; and
  • Reasonably necessary to carry out a legitimate and essential employment function.

In each instance, you must limit the collection, use and disclosure to the personal information you need to accomplish the purpose of the exception. Thus, for example, you can request medical information about an employee’s prognosis and chances of returning to work but not their diagnosis.

How to Create a Legally Sound Employee Consent Form

Where consent is required, it must be meaningful. According to joint guidelines from the FED, AB, BC and QC privacy commissioners, individuals must “organizations must inform individuals of their privacy practices in a comprehensive and understandable manner. . . in a form that is readily accessible to those interested individuals who wish to read it in full.” Specifically, consent forms must list:

  • What personal information they are or may collect so that employees “meaningfully understand what they are consenting to”;
  • The parties with which the organization will share the protected information they collect or, at the very least, the types of third parties if those individuals and entities may change or are too numerous to specify;
  • The specific purposes for collecting, using and disclosing the protected information—such purposes must be described in “meaningful language, avoiding vagueness like ‘service improvement’”; and
  • The risk of significant harms employees incur in consenting to the collection, use or disclosure if those harms are “more than a minimal or mere possibility,” including bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

How to Avoid 6 Employee Consent Form Errors

Based on our research of cases, we found 6 different problems that could render a consent form invalid. Rather than list them, we stuck language exhibiting each of these problems into the Template below. In essence, we created the consent form from hell. Your job: Look at the Template, see how many problems you can spot and make sure those same problems don’t appear in your own consent forms.


A. ABC Company reserves the right to collect, use and disclose certain information of a personal nature in regards to its employees.

B. ABC’s purposes for collecting, using and disclosing said personal information is to:

i. Manage the business of the company;
ii. Perform its administrative functions as an employer;
iii. Fulfill its legal obligations under tax laws, workers’ compensation and other statutes and regulations; and
iv. Conduct other legitimate functions.

C. Employees who want more specific examples of the personal employee information ABC Company collects, uses and discloses and/or the purposes of said collections, uses and disclosures may request such information from the ABC Company personnel office [list contact].

D. Any employee who objects to the collection, use or disclosure of his or her personal information as described in the foregoing shall notify the personnel office in writing. Failure to provide said notification within five business days of the receipt hereof shall be deemed acceptance and consent to the terms herein.

I hereby agree to the above terms:_________________________________ [Employee signature] __________________________________ [Date]

What’s Wrong With This Form?

There are 6 problems with this consent form.

1. Text Is Too Small

Consent forms must be easy to read—both visually and textually. The Canadian Privacy Commission (the Commission) has struck down at least one consent form in part because the font was too small (PIPEDA Case #296).

2. Too Densely Worded

Principle 4.3 of PIPEDA says that employers must write the consent form “in such a manner that an individual can reasonably understand” what it says. This Template is larded with legal jargon that only a lawyer can love and a privacy commission would hate. Examples: “said personal information” (B), “as described in the foregoing” (D) [See for example, PIPEDA Case #184].

3. Doesn’t Specify Kinds of Personal Information Used

The Template just says that the employer intends to collect, use and disclose “information of a personal nature” (A). It doesn’t say what that information is.

4. Doesn’t Specify Uses of Information

The consent form must specify how the employer proposes to use the individual’s personal information and the reason the information is necessary for those uses. Vague and open-ended descriptions like “administrative functions of an employer” (B, ii) and “conduct other legitimate functions” (B, iv) fall far short of this standard and are unacceptable (PIPEDA Case #258 and Case #358 (Rather than use the word “administration,” an insurance company should have specifically referred to the functions it proposed to carry out with the information, namely, assessment and investigation)).

5. It Requires Employee to Make a Request for Details About Uses

Employees shouldn’t have to make a separate request to find out what information the employer wants to use and how it plans to use it (C). Those are essential items that should be listed right in the consent form.

6. Use of an Opt-Out

Use of an opt-out consent is allowed only under limited circumstances. One of the requirements is that the information must be “demonstrably non-sensitive in nature” (See, for example, PIPEDA Case #192). The kinds of personal information HR directors collect from employees, including medical records, tend to be highly sensitive. Thus, an opt-out provision like the one in para. D of the Template is completely inappropriate.