Employer obligations related to the collection of personal information during the hiring process
In Quebec, privacy is a basic right protected by several pieces of legislation. The Civil Code of Québec,1the Charter of Human Rights and Freedoms2 and laws protecting personal information govern how organizations are authorized to process individuals' personal information.
The necessity criterion is a key principle underpinning privacy legislation. Accordingly, a company can only collect personal information that is truly required to achieve a specific, predefined objective. The collection of such information must be lawful, transparent and proportionate.
When it comes to recruitment, this principle makes perfect sense. Even before hiring, the employer must ensure that any information requested is relevant to the position, justified by a legitimate interest and used only for the intended purpose. This is not only good practice; it's a legal requirement.
In this spirit, the Commission d'accès à l'information (the "CAI") has published guidelines3 on collecting personal information. We will examine them here in light of labour law and the right to privacy, as they apply to private sector businesses.
Pre-hiring process: The "necessity" criterion
The "necessity" criterion imposes a duty on the employer to collect only personal information that is necessary to assess applications. In addition to being essential to the hiring process, this collection must be specific, justified and proportional to the need at each stage of that process. Even the candidate's consent is not sufficient to justify the collection of unnecessary information.
At the application stage, the CAI states that only information necessary to assess the skills and qualifications required for the position in question may be requested, such as training and work experience. This information can be collected through assessments, tests, interviews and questionnaires, as long as those tools are suited to the specific requirements of the position. It is important to note that the use of psychological, psychometric or medical tests at this stage is considered highly intrusive. However, such use may be justified under the "necessity" criterion if the employer can demonstrate a direct link with the requirements of the position.
During the hiring interview, and according to the CAI, the employer may not ask questions relating to personal characteristics such as age, religion, ethnic background, civil status and sexual orientation if they have no bearing on the assessment of the candidate's suitability for the position. There are nevertheless exceptions when the question concerns a requirement of the position to be filled (e.g. being old enough to serve alcohol). After the interview, external checks (criminal record or references) may be considered, but only if a conditional offer of employment has been presented. We will address this in more detail below. If performed, such checks must be justified by the criterion of "necessity" and focus on the requirements of the position.
Lastly, the CAI states that the employer is authorized to collect certain additional data, such as social insurance number, bank details, date of birth or emergency contact, but only upon hiring and to facilitate human resources operations (payroll, compliance with tax laws, etc.).
Failure to comply with obligations
Employers who violate privacy rights during the recruitment process may incur legal penalties. Recent cases illustrate this risk. For example, a drug screening test and medical tests that were unnecessary given the nature of the position were considered an invasion of a candidate's privacy, and the employer was ordered to pay $50,0004 in compensation. Similarly, the Human Rights Tribunal ruled that an employer had contravened the Charter of Human Rights and Freedoms by asking discriminatory questions about a candidate's age, pregnancy, civil status and number of children during a job interview. The employer was ordered to pay $5,000.5
With regard to the protection of personal information, the Act respecting the protection of personal information in the private sector6 (the "Private Sector Act") provides for penalties of up to $25,000,000 or 4% of worldwide turnover for any business that collects, uses, communicates, keeps or destroys personal information in contravention of this law.7
Lastly, the CAI reiterates that anyone can file a complaint under the Private Sector Act if they suspect an employer of improperly processing their personal information.
Rapid-fire Q&A on employers' obligations to protect personal information obtained during the hiring process
AI in recruitment: How can employers reconcile innovation and privacy?
In the age of artificial intelligence (AI), companies are increasingly turning to autonomous systems to process personal information. While AI can refine the analysis of applications and make the process more efficient, it also raises important privacy issues. For example, the Private Sector Act stipulates that before using an AI-driven system to process personal information, a company must conduct a privacy impact assessment (PIA). When a decision is made solely by an AI system without human involvement, the employer must inform applicants accordingly at the time of the decision, provide explanations and offer the applicant the opportunity to request a review.
The CAI advises against the use of AI systems that are designed to analyze emotional or psychological states in video interviews, generally deeming them to be disproportionate and contrary to the right to privacy.
What checks are employers authorized to make after an interview?
According to the CAI, an employer can carry out certain checks following an interview, but only after presenting a conditional offer and obtaining the candidate's consent to the various checks. For instance, the employer may contact work references, check criminal records if the position warrants it and if the employer can show a legitimate need, or consult a credit file, while demonstrating caution with respect to the conclusions drawn from them.
At the same time, the CAI advises against consulting social media profiles, even those that are open and accessible, unless clearly required by the nature of the position (e.g. political staff). It also points out that the collection of medical information is permissible only if it is strictly necessary, specific and handled with the utmost confidentiality.
For details on the form of consent and level of transparency required, please see the diagram we prepared earlier, which sets out the requirements of the Private Sector Act as well as the CAI's guidelines on the validity of consent.8
Does the use of an external recruitment service relieve employers of their obligations regarding the protection of candidates' personal information?
The CAI reiterates that employers remain responsible for protecting candidates' personal information, even when an external service provider is involved in the recruitment process. The Private Sector Act stipulates that information may be communicated to a third party without the consent of the person concerned, if the information is necessary for carrying out a mandate or performing a contract. However, this transmission must be governed by a written contract specifying the measures the service provider must take to ensure the protection of the information received, and to limit its use to what is strictly necessary for carrying out the mandate.
Footnotes
1 CQLR, c. CCQ-1991, ss. 3, 35 and 37.
2 CQLR, c. C-12, ss. 5 and 18.1.
3/a> Commission d'accès à l'information, "Recrutement de personnel et respect de la vie privée," March 17, 2025, online (in French only): https://www.cai.gouv.qc.ca/protection-renseignements-personnels/sujets-et-domaines-dinteret/operation-recrutemement-emploi.
4 Société de transport de Montréal, 2021 QCTDP 35.
5 Éco-Logixx - Grossiste alimentaire et produits d'emballage inc., 2019 QCTDP 16.
6 Act respecting the protection of personal information in the private sector, as amended by the Act to modernize legislative provisions as regards the protection of personal information, SQ 2021, c. 25.
7 Private Sector Act, ss. 90.1 et seq. and 91 et seq.
8 Commission d'accès à l'information, "Ligne directrices 2023-1 - Consentement : critères de validité," October 31, 2023, online (in French only): https://www.cai.gouv.qc.ca/uploads/pdfs/CAI_Criteres_Validite_Consentement.pdf.
9 Commission d'accès à l'information, "Recrutement de personnel et respect de la vie privée," March 17, 2025, online (in French only): https://www.cai.gouv.qc.ca/protection-renseignements-personnels/sujets-et-domaines-dinteret/operation-recrutemement-emploi.
Read the original article on GowlingWLG.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
