
Privacy Law for HR and Recruitment Firms in Canada

By Yong Du

PIPEDA and provincial PIPA obligations for Canadian HR firms and recruiters — what candidate and employee data you hold, consent requirements for background checks, breach reporting, and compliance for organizations that handle data on behalf of client employers.

What makes HR and recruitment firms distinct

HR and recruitment firms sit between two sets of privacy obligations: their own, as an organization that collects and processes personal information, and those of their client employers, on whose behalf they process employee data. A breach at an HR or recruitment firm may trigger the firm's own PIPEDA obligations and also the client employer's obligations for data the firm holds on the client's behalf.

Recruitment data is particularly sensitive because it encompasses the full range of personal information collected in a structured assessment context: identity, employment history, references, background check results, compensation expectations, and in some roles, health-related information relevant to workplace accommodation.


Which laws apply

| Jurisdiction | Applies when | Regulator |
|---|---|---|
| PIPEDA | The firm handles personal information in commercial activity, including employee information held on behalf of client employers | OPC — priv.gc.ca |
| Alberta PIPA | Candidates or employees whose information is held are Alberta residents | OIPC Alberta — oipc.ab.ca / breachnotice@oipc.ab.ca |
| BC PIPA | Candidates or employees whose information is held are BC residents | OIPC BC — oipc.bc.ca |

What personal information HR and recruitment firms hold

Candidate files: Name, address, contact information, resume (employment history, education, skills), references and reference check notes, interview notes and assessments, salary expectations, background check results (criminal record, credit, education verification), and in some roles, professional licence verification.

Employee files (held for client employers): SINs, banking details for payroll, T4s, compensation and benefits records, performance reviews, discipline records, accommodation requests and supporting health information, termination records.

Applicant tracking system data: Candidate application history, status at each stage, recruiter notes, communication records, rejection reasons.

Own staff: SINs, banking details, T4s, employment records.


Common breach scenarios

ATS platform breach: Applicant tracking systems (Greenhouse, Lever, Workday, BambooHR) are cloud platforms that hold large volumes of candidate data. A breach of the ATS provider is a vendor breach scenario — the firm's accountability for candidate data held there does not transfer to the provider. See Vendor or Third-Party Breach.

Phishing: A recruiter's email account compromised by phishing exposes years of candidate correspondence, resume attachments, offer letters, and background check results. See Phishing and Business Email Compromise.

Unauthorized employee access: An employee with no business need looking up the candidate files of people employed at competitors, or a departing recruiter copying the candidate database to take it to a new employer. See Unauthorized Employee Access.

Ransomware: HR and recruitment systems holding employee records for multiple client organizations are high-value ransomware targets because a single breach affects multiple downstream employers and their employees. See Ransomware Attack: What Canadian SMEs Must Do.


RROSH in an HR and recruitment breach

Candidate data: Background check results — criminal records, credit history — are sensitive personal information whose disclosure can cause significant harm (employment discrimination, reputational damage). RROSH is likely present whenever background check results are part of a breached dataset.

Employee payroll records: The combination of SINs, banking details, and compensation information for employees held on behalf of client employers is high-RROSH. A breach of this data requires notification of both the employees directly and the client employer (so the employer can meet their own obligations).

Rejection reasons and interview notes: Interview notes and rejection documentation can contain sensitive assessments about a candidate. If these are breached and reach the candidate or others, the reputational and dignity harm may meet the RROSH threshold.


Core compliance obligations

Privacy officer: Designate a named individual responsible for PIPEDA compliance for both the firm's own data and for candidate data it holds.

Privacy policy: Describe what candidate and employee information is collected, the purposes, which third parties it may be shared with (background check providers, client employers), retention periods, and how candidates and employees can access their information. Candidates must be given your privacy policy before submitting their personal information.

Consent at application: Candidates must consent to the collection and use of their personal information before you collect it. This includes: what you collect, why, which client employers their information may be shared with, and whether their resume may be retained in your database for future opportunities. Each of these requires separate, specific consent — bundled catch-all consent is not adequate for PIPEDA compliance.

Background check consent: Express written consent before any check is run. Specify the type of check, who conducts it, and what happens with the results. Background check results must be retained only as long as necessary and shared only with those who need them for the hiring decision.

SIN collection timing: Collect SINs only after a hire is confirmed and only for the purpose of payroll and tax reporting. Do not collect SINs at the application stage.

Client employer contracts: If you process employee data on behalf of client employers, your contract with each client must define your data handling obligations, confirm you act as a processor on their behalf, and require you to notify them promptly if a breach affecting their employees' data occurs.

Retention: Unsuccessful candidate files should typically be retained for 1–2 years after the search closes — long enough to address any human rights complaint related to the hiring process, but not indefinitely. Employee records held for clients follow the client employer's retention obligations. See Personal Information Retention and Destruction.


Experienced a breach? ClearBreach walks HR and recruitment firms through their RROSH assessment across PIPEDA, Alberta PIPA, and BC PIPA and generates regulator reports and individual notification letters in under 15 minutes. Start your assessment →



This guide covers PIPEDA, Alberta PIPA, and BC PIPA obligations for HR and recruitment firms. Human rights legislation obligations related to hiring processes are separate and not covered here. Quebec's Law 25 is not covered here.

Frequently asked questions

Does PIPEDA apply to HR and recruitment firms?

Yes. Recruitment firms and HR service providers collect and process personal information in the course of commercial activity. PIPEDA applies to candidate data and to employee data held on behalf of client employers. Alberta PIPA and BC PIPA apply for candidates and employees who are Alberta or BC residents. Note that PIPEDA and the provincial PIPAs apply to employee information held by private-sector organizations — employment relationships are within scope.

Can we collect a SIN from a job candidate before a job offer is made?

Generally no. A SIN is a sensitive identifier that should only be collected when legally required — primarily for payroll and tax reporting after a hire is made. Collecting SINs during the application or interview process, when there is no legal requirement to do so yet, is a collection beyond what is necessary for the purpose (PIPEDA Principle 4). The OPC has specifically addressed SIN collection: collect it only at the point of hire for payroll purposes, not as a general identifier.

We conduct background checks on candidates — what consent do we need?

Express written consent from the candidate before conducting any background check. The consent must be specific about what type of check is being run (criminal record, credit, reference verification, education verification) and who will conduct it. Candidates must understand what is being checked and must consent voluntarily — consent to a background check cannot be a condition of being considered for the role unless the check is directly relevant to the position. Using a third-party background check provider requires a contract with that provider covering their data handling obligations.

We hold employee records for our client companies — who is responsible under PIPEDA?

Both you and your client may be accountable, depending on the nature of the arrangement. If you are processing employee data on behalf of the client employer, the client employer is the accountable organization — you are a processor acting on their behalf. Your contract with the client must define the data handling obligations. However, if you make independent decisions about how the employee data is used — for example, building your own candidate database from data supplied by clients — you may be an independent accountable organization for that data. The distinction matters for breach notification: if you are breached and client employee data is affected, notify the client immediately so they can meet their own PIPEDA obligations.

This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.