If there is no job open, then you are not making a decision using the personal information in unsolicited résumés and the one-year retention requirement described below does not apply. Even if you do not keep unsolicited résumés when you receive them, you should take reasonable care when disposing of them so that no one can misuse the personal information they contain. You should shred paper copies and delete electronic copies.
Keep a résumé for a year if you use it to make a decision. If you use it to make a decision to hire or not hire the individual, you have to keep the résumé for at least a year so the individual can obtain access to it.
If you use information in a résumé (or simply hold onto to it for possible future use), you are responsible for protecting the personal information in it and for responding to the individual's enquiries about how her or his personal information has been used or disclosed.
The FOIP Act allows an employer to request any personal information that is necessary to the hiring decision. Typically, that might include relevant qualifications, experience, knowledge, skills and abilities as well as answers to interview questions and skill tests. It would not be necessary for an employer to require personal information for any purpose other an assessing suitability for the job and establishing an employment relationship.
You have to be able to show your collection and use of the personal information is reasonably required to determine the job applicant's suitability for the position. For example, credit checks on a job applicant should only be conducted if you can establish that the information is both relevant and necessary to verify the applicant's ability to perform the job functions and that the verification cannot be done through less intrusive means.
Once you have made a hiring decision, you can use and disclose employee personal information without consent if doing so is reasonable for the purpose of establishing or managing an employment relationship. Canada Revenue Agency registrations for income tax purposes or enrollment in employee benefit plans are two examples of post-hiring use of employee personal information.
Assume the job applicant's consent for contact with listed references. An applicant who has listed references in a job application or résumé implicitly consents to your contacting listed references, but only so you can collect reference information that is reasonably related to the job requirements. Although not strictly required when you conduct a reference check on a job applicant, it is a good practice to first confirm that the applicant has authorized the referee to talk to you. Although you do not need the job applicant's consent, notify applicants about reference inquiries from persons other than those the job applicant lists as references. If the applicant objects, the FOIP Act would not stop you from inviting him or her to withdraw from the hiring process or from weighing the refusal to consent in determining the applicant's suitability for the position.
Confirm confidentiality with referees. If you prefer not the reveal a referee's comments to the job applicant, it is best to make it clear to the referee in advance that his or her opinions will be received in confidence, document this agreement, and tell the applicant that all references will be received in confidence. However, there is no guarantee that job applicants will not be able to access comments by referees to prospective employers, as the FOIP Act gives individuals a right of access to their own personal information. Any factual information obtained about a job applicant and referees' opinions about an applicant are the applicant's personal information. Referees' opinions about a job applicant are the applicant's personal information and, therefore, you cannot guarantee that referees' comments will remain confidential. As for a referee's identify, the referee's name is the personal information of the referee and may be withheld.
You can use personal information you collect during the hiring process for another purpose only if that other purpose has a reasonable and direct connection to the original purpose. Orientation and training can be considered part of the hiring process, so it is reasonable to assume that personal information collected from job applicants might be used for that purpose.
If the other purpose is not reasonably and directly connected to the original purpose, then you have to tell the job applicant what the other purpose is and get the applicant's consent. For example, it would not seem obvious that you would send someone's résumé to another employer who might be hiring, even though that might appear to benefit the applicant. When in doubt, give notice and get consent.
Section 38 of FOIP requires an organization to make "reasonable security arrangements" to protect personal information from "unauthorized access, collection, use, disclosure or destruction". In other words, you should at the very least take the same precautions you might use for any document you want to protect from improper use by staff or anyone else. The greater the sensitivity of the employee personal information, the greater the need for protection. For example, it is reasonable to expect a higher level of security for an employee's medical information than for a résumé. If you use an individual's personal information to make a decision that directly affects him or her (like hiring or not hiring), you have to keep it for at least a year after you make the decision, so that the individual has a reasonable opportunity to obtain access to it. This would include interview notes and other information about or related to the assessment of candidates. If an individual requests her or his own information of this kind, personal information of other candidates found in records containing the applicant's information would have to be withheld from the applicant. If you do not use personal information for a decision, you either have to destroy it or else make it anonymous by removing any information that would identify a particular individual. You need to do this as soon as the purpose for which it was collected is no longer being served and you no longer need it for legal or business purposes.
Know when information can not be given out. The bottom line is that anyone - including an employee and an unsuccessful job applicant - has a right to be given access to his or her own personal information, to know how it is being used or has been used, and to know to whom and in what situations it has been disclosed. However, the FOIP Act permits or requires you in certain circumstances to deny someone access to their own personal information - for example, where disclosure would harm someone else, harm an investigation or legal proceeding, result in the disclosure of someone else's personal information, or disclose confidential business information. If such information can be removed from a document, you have to give access to the rest of the document after the information is removed. Make sure information is accurate and complete. Respond to requests for correction. Anyone who believes there is an error or omission in his or her personal information can ask the organization to correct it. If the information needs correction, you must make the correction as soon as possible. If, on the other hand, you decide the information needs no correction, you must annotate the personal information to record the correction that was requested but not made. Like all of the FOIP Act requirements, this applies to paper and electronic records. If you do make a requested correction, you must send the corrected information to every organization to which you have disclosed the information during the year before the correction date. And if you are notified by another organization that it has corrected an individual's personal information that was disclosed to it, you must also correct that personal information if it is under your organization's control. If you need more information or have questions about situations not covered by this document, you can call the Privacy and Policy Coordinator.
AU wishes to acknowledge its reliance on information published by the Office of the Information and Privacy Commissioner for British Columbia, which was used in the preparation of this guideline.
Office of the University Secretariat, July 2006
Updated May 30 2014 by Office of the University Secretariat