If you are a federally-regulated business, or a company carrying out business across provincial borders, you fall under the federal Personal Information Protection and Electronic Documents Act (PIPEDA). In any event, Ontario companies are required to comply with PIPEDA in their commercial dealings.
The private sector privacy laws applicable to employees contain substantially the same provisions relating to collection, use and disclosure of employee information as exist for individuals generally under those laws. Therefore, consent is a required condition for any such handling of the employee information.
Here is the specific language in PIPEDA:
4. (1) This Part applies to every organization in respect of personal information that
(a) the organization collects, uses or discloses in the course of commercial activities; or
(b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.