Model Policy: Privacy for Employees of a Law Firm
Date: December 2003
Questions / comments? Please contact Policy and Legal Services
Copyright © 2003 The Law Society of British Columbia
[Name of law firm], the "Firm"
The Personal Information Protection Act ("the Act") regulates the way private sector organizations within British Columbia collect, use, keep, secure and disclose personal information. "Personal Information" means all information about an identifiable individual. This firm recognizes the importance of privacy and recognizes the sensitivity of personal information received by us in the course of our legal practice.
We recognize our professional obligation to maintain the confidentiality of our clients' information and also recognize our obligations concerning the personal information of all individuals that we collect, use or disclose in our practice, including the personal information of our employees. This policy has been developed with those obligations in mind.
Employee Personal Information
An employee is someone employed by this firm or someone who performs a service for us and includes a volunteer, a student and a temporary employee.
Employee personal information refers to personal information that is reasonably needed to establish, manage or end a work or volunteer relationship with us. Personal information may include, for example, name, home address, home telephone number, ID numbers, educational qualifications, social insurance number and employment history. Employee personal information does not include business contact information or work product information.
Contact information refers to an individual's name and position or title, business telephone number, business address, business email, business fax number and other business contact information.
Work Product Information refers to information prepared by individuals or employees in the context of their work or business, but does not include personal information about other individuals. For example, a document prepared and signed by an employee is work product information, but if the document contains personal information about our firm's clients, that portion of the document would remain the personal information of the client.
Collection, Use and Disclosure of Personal Information
The law provides that we can collect, use and disclose employee personal information without consent if it is reasonable for the purposes of establishing, managing or terminating an employment relationship between our firm and an individual.
Where practical, we endeavour to collect employee personal information directly from the person to whom the information pertains. When necessary, we will collect personal information from other sources. When we collect personal information from employees, we will tell them the purpose for collecting the information and who can answer their questions about the collection.
When collecting employee personal information from other sources, or when using or disclosing the personal information we have collected, we will, where required, first obtain the consent of the employee.
If we use an employee's personal information to make a decision that directly affects an employee, we will retain that information for at least one year after using it. In other cases, we have an obligation to destroy documents containing employee personal information once the purpose for which the information was collected is no longer being served and our retention of the information is not necessary for legal or business purposes.
The Act provides that an individual is deemed to consent to the collection, use or disclosure of personal information if, at the time the consent is deemed to be given, the purpose would be considered obvious to a reasonable person. When such circumstances exist, we may collect, use or disclose personal information without first obtaining the consent of the individual.
In addition to the circumstances outlined above, there are other times when the law permits us to collect, use or disclose personal information about an individual without that person's consent. These include (but are not limited to) circumstances in which:
- the collection, use or disclosure is clearly in the interests of the individual and consent cannot be obtained in a timely way;
- it is reasonable to expect that the collection or use with the consent of the individual would compromise the availability or accuracy of the personal information, and the collection or use of the information is necessary for an investigation or proceeding;
- it is reasonable to expect that the disclosure with the consent of the individual would compromise an investigation or proceeding and the disclosure of the information is necessary for an investigation or proceeding;
- the personal information is available to the public from a prescribed source;
- the collection, use or disclosure of personal information is required or authorized by law.
When we collect, use or disclose employee personal information, we will make reasonable efforts to ensure that it is accurate and complete.
Security of Personal Information
We recognize our obligations to protect personal information during the course of our practice of law. We have therefore made arrangements to secure against the unauthorized access, collection, use, disclosure, copying, modification and disposal of personal information.
Requests for Access to Personal Information
The Act permits individuals, including employees, to submit written requests to us to provide them with:
- their personal information under our custody or control;
- information about how their personal information under our control has been and is being used by us;
- the names of the individuals and organizations to whom their personal information under our control has been disclosed by us.
We will respond to access requests within the time allowed by the Act and will make a reasonable effort to assist applicants and to respond as accurately and completely as reasonably possible.
Limitation on Access to Personal Information
An employee's ability to access his or her personal information under our control is not absolute. The Act provides that we must not disclose personal information if:
- the disclosure could reasonably be expected to threaten the safety or physical or mental health of an individual other than the individual who made the request;
- the disclosure can reasonably be expected to cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request;
- the disclosure would reveal personal information about another individual;
- the disclosure would reveal the identity of an individual who has provided personal information about another individual and the individual providing the personal information does not consent to disclosure of his or her identity.
The Act further provides that we are not required to disclose personal information if:
- the personal information is protected by solicitor-client privilege.
- the disclosure of the personal information would reveal confidential commercial information that, if disclosed, could, in the opinion of a reasonable person, harm the competitive position of an organization;
- the personal information was collected without consent for the purposes of an investigation, and the investigation and associated proceedings and appeals have not been completed;
- the personal information was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he or she was appointed to act:
(i) under a collective agreement,
(ii) under an enactment, or
(iii) by a court.
Requests for Correction of Personal Information
The law permits individuals, including employees, to submit written requests to us to correct errors or omissions in their personal information that is in our custody or control. We will:
- correct the personal information and, if reasonable to do so, send correction notifications to any other organizations to whom we disclosed the incorrect information; or
- decide not to correct the personal information, but annotate the personal information that a correction was requested but not made.
Contacting or Communicating with Us
If you have any questions with respect to our policies concerning the handling of your personal information, or if you wish to request access to, or correction of, your personal information under our care and control, please contact our Privacy Officer at
If you are dissatisfied with our handling of your personal information, we invite you to contact our Privacy Officer in writing, setting out the reasons for your concern. If, after our Privacy Officer has reviewed and responded to your concern you remain dissatisfied, you may wish to contact the Office of the Information and Privacy Commissioner at:
P.O. Box 9038, Stn Prov Govt
Victoria, BC V8W 9A4