Language selection

Search

Protecting Employee Privacy in the Modern Workplace

Resolution of the Federal, Provincial and Territorial Privacy Commissioners and Ombuds with Responsibility for Privacy Oversight

Québec, QC, October 4-5, 2023

Context

Remote work arrangements have changed how we work, blurring the line that used to exist between home and office. According to a recent Ipsos poll, only 36% of those who worked from home during the pandemic expect to return to the office on a regular basis in 2023.Footnote 1 Remote work is here to stay and will become the new normal for millions of Canadian workers well into the future.

This shift has accelerated the use of monitoring technologies as employers adopt new ways of tracking employees’ activity remotely, whether during work or off hours. According to a recent Canadian study, 70% of the surveyed employees said some aspect of their work is digitally monitored. More specifically, about 32% of the employees indicated experiencing at least one of the following: location tracking, webcam/video recording, keyboard/keystroke monitoring, computer screen capture, or biometrics such as facial features, voice or iris scan.Footnote 2

While the electronic surveillance of workers has recently surged amid the pandemic, many sectors have made longstanding use of employee surveillance – from GPS tracking of workers in shipping and trucking industries, timekeeping on factory and warehouse floors,Footnote 3 to call monitoring between agents and customers, and badges that nurses are required to wear to track their whereabouts in the hospital. This is now becoming a concern that impacts almost every sector of the workforce. 

In recent years, employee monitoring has undergone substantial expansion in its capabilities and application. Some forms of digital monitoring (referred to as “bossware”) are used to assess employees’ level of productivity, analyze employees’ moods, reactions, or fatigue level.Footnote 4 They may also be used to evaluate employees’ capacity to remain attentive on the job, their ability to stay calm under pressure, their effectiveness in providing good customer service or other aspects of their performance. Predictive analytics may even be used to monitor whether an employee is likely to succeed in their position or seek another job – meaning that information can be collected or inferred even about actions not yet taken. Artificial intelligence (AI) systems are increasingly being used to identify and source potential job candidates, to evaluate applicants’ resumes, and even to analyze the facial expressions of interviewees during video calls. Yet we have seen real instances where algorithms trained on past resumes have perpetuated gender discriminationFootnote 5 and where facial recognition in the hiring process has been seriously questioned for its biased and flawed results.Footnote 6

The federal, provincial and territorial Privacy Commissioners and Ombudsman with responsibility for privacy oversight across Canada (Canada’s FPT Privacy Commissioners) acknowledge that some level of information collection about employees is reasonable, and may even be necessary to ensure accountability of organizational resources and to manage the employer-employee relationship. However, irresponsible adoption of privacy-invasive technologies in employment management can lead to significant and measurable impacts on employees’ careers — like job compensation, promotion, or termination. Pervasive forms of electronic monitoring and surveillance can also have subtler impacts on employees that are more difficult to measure but just as significant, such as stress, a chilling effect on one’s creativity and sense of autonomy, a loss of dignity, and adverse mental health effects resulting from having one’s employer digitally watching them at all times, including in their homes.Footnote 7

Compounding the problem are the significant gaps in statutory privacy laws covering employees in Canada.Footnote 8 Federally regulated employees are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA).Footnote 9 However, there is currently no privacy legislation applicable to non-federally regulated employees in provinces across Canada, with the exception of Alberta, British Columbia and Quebec that have their own provincial privacy laws. This patchwork of privacy laws across the country leaves many employees without any statutory privacy protections at all. Unfortunately, for the average Canadian employee, the question of ‘whether and what protections apply to information my employer collects about me’ may not offer a simple and reassuring answer.

Without an effective legislative regime, many employees will be left helpless to understand what information is being collected about them, how it is being used and for what purposes. These employees may have little to no meaningful recourse against employers who implement overly-invasive electronic monitoring policies and practices, contravene seemingly reasonable policies, or worse, have no transparent policies at all. This untenable situation further exacerbates the power imbalance between employees and employers, especially for vulnerable populations and marginalized communities across Canada’s workforce.Footnote 10

Therefore,

Canada’s FPT Privacy Commissioners are calling on their respective governments and relevant stakeholders to ensure that employee rights to privacy and transparency are respected and protected, particularly in a modern work context that relies increasingly on electronic monitoring and surveillance of employees’ activities.

In particular, we call on federal, provincial, and territorial Governments to:

  • Acknowledge the importance of protecting employee privacy rights, and the potential harms that can occur when these rights are not respected in the workplace or at home, where remote or hybrid work arrangements exist
  • Acknowledge the legislative gaps in their respective jurisdictions, and in those jurisdictions with no or limited legislative protections for employee personal information, take action to close those gaps
  • Work collaboratively to ensure there is a harmonized or consistent statutory framework of protections for employees across Canada that leaves no worker behind
  • Where statutory privacy protections do exist, consider the need to update and strengthen those protections in a context of increased risks resulting from privacy-invasive technologies in a modern workplace. This includes:
    • codifying a reasonableness, necessity and proportionality requirement to ensure reasonable and responsible deployment of these tools and technologies only for legitimate purposes
    • strengthening transparency and accountability of employers’ use of tracking tools, including electronic monitoring/tracking and AI technologies, in managing the employer-employee relationship
    • providing employees with a meaningful and accessible means of challenging unreasonable use of electronic monitoring tools and AI enabled systems and seeking redress against their employer for unfair decisions made about them
    • prohibiting inappropriate employment practices, or defining “no-go zones” beyond a certain threshold of risk

We also call on Employers to:

  • Respect the principles of reasonableness, necessity, and proportionality when considering or reviewing any collection or use of employee information through electronic surveillance
  • Recognize the particularly sensitive nature of biometric information and their high degree of intrusion into the privacy of employees. The use of biometrics must be lawful, necessary, proportional, and only when there is no other effective and less privacy-intrusive way to achieve the objective pursued
  • Use electronic monitoring tools and AI technologies only for fair and appropriate purposes and only to the extent they are reasonably necessary to manage the employer-employee relationship
  • Not use AI technologies to make significant decisions about an employee’s performance, candidacy, employment prospects or any other decision with potential to have consequential employment related impact without a ‘human-in-the-loop’
  • Conduct privacy impact assessments (against applicable laws, recognized privacy principles and best practices) and algorithmic impact assessments (wherever relevant) to identify risks to privacy and other human rights associated with the deployment of these tools and technologies, and take actions to mitigate these risks accordingly
    • Particularly in the case of AI technologies, seek information about the source of the data used to train the AI system, and assess whether the technology was developed in compliance with applicable privacy law
  • Adopt clear policies, controls, and procedures to prevent use beyond the identified purposes, and set out internal checks and balances to ensure proper governance and accountability mechanisms are in place
  • Inform employees and potential employees of the electronic monitoring tools and AI systems being used and for which purposes, explain their implications using clear and plain language and provide them with copies of relevant policies and procedures
  • Provide employees with clear information about how to object to the collection, use, or disclosure of their personal information, how to challenge decisions made about them, and how to exercise access rights
  • Take advantage of FPT Commissioners consultation services, where offered, before deploying new technologies and practices that could significantly impact employee privacy

As Canada’s FPT Commissioners, we commit to:

  • Engaging with government and other stakeholders in the development, modernization and application of statutory employee privacy protections in our respective jurisdictions
  • Continuing to monitor new technologies, developments and trends related to employee surveillance and privacy in the modern context of work
  • Collaborating in our efforts to educate and provide guidance to employers about their obligations, and to employees about their rights, in our respective jurisdictions
  • Taking joint or coordinated enforcement action on employee privacy-related matters as appropriate and where our laws permit
Office of the Privacy Commissioner of Canada signature

IPC-ON signature

CAI-QC signature

OIPC-NS signature

NB signature

Manitoba Ombudsman signature

OIPC-BC signature

OIPC-PEI signature

OIPC-SK signature

OIPC-AB signature

OIPC-NL signature

OIPC-NT signature

OIPC-YK signature

OIPC-NU signature
Date modified: