Protecting Employee Privacy in the Modern Workplace

Resolution of the Federal, Provincial and Territorial Privacy Commissioners and Ombuds with Responsibility for Privacy Oversight

Québec, QC, October 4-5, 2023

Context

Remote work arrangements have changed how we work, blurring the line that used to exist between home and office. According to a recent Ipsos poll, only 36% of those who worked from home during the pandemic expect to return to the office on a regular basis in 2023.^{Footnote 1} Remote work is here to stay and will become the new normal for millions of Canadian workers well into the future.

This shift has accelerated the use of monitoring technologies as employers adopt new ways of tracking employees’ activity remotely, whether during work or off hours. According to a recent Canadian study, 70% of the surveyed employees said some aspect of their work is digitally monitored. More specifically, about 32% of the employees indicated experiencing at least one of the following: location tracking, webcam/video recording, keyboard/keystroke monitoring, computer screen capture, or biometrics such as facial features, voice or iris scan.^{Footnote 2}

While the electronic surveillance of workers has recently surged amid the pandemic, many sectors have made longstanding use of employee surveillance – from GPS tracking of workers in shipping and trucking industries, timekeeping on factory and warehouse floors,^{Footnote 3} to call monitoring between agents and customers, and badges that nurses are required to wear to track their whereabouts in the hospital. This is now becoming a concern that impacts almost every sector of the workforce.

In recent years, employee monitoring has undergone substantial expansion in its capabilities and application. Some forms of digital monitoring (referred to as “bossware”) are used to assess employees’ level of productivity, analyze employees’ moods, reactions, or fatigue level.^{Footnote 4} They may also be used to evaluate employees’ capacity to remain attentive on the job, their ability to stay calm under pressure, their effectiveness in providing good customer service or other aspects of their performance. Predictive analytics may even be used to monitor whether an employee is likely to succeed in their position or seek another job – meaning that information can be collected or inferred even about actions not yet taken. Artificial intelligence (AI) systems are increasingly being used to identify and source potential job candidates, to evaluate applicants’ resumes, and even to analyze the facial expressions of interviewees during video calls. Yet we have seen real instances where algorithms trained on past resumes have perpetuated gender discrimination^{Footnote 5} and where facial recognition in the hiring process has been seriously questioned for its biased and flawed results.^{Footnote 6}

The federal, provincial and territorial Privacy Commissioners and Ombudsman with responsibility for privacy oversight across Canada (Canada’s FPT Privacy Commissioners) acknowledge that some level of information collection about employees is reasonable, and may even be necessary to ensure accountability of organizational resources and to manage the employer-employee relationship. However, irresponsible adoption of privacy-invasive technologies in employment management can lead to significant and measurable impacts on employees’ careers — like job compensation, promotion, or termination. Pervasive forms of electronic monitoring and surveillance can also have subtler impacts on employees that are more difficult to measure but just as significant, such as stress, a chilling effect on one’s creativity and sense of autonomy, a loss of dignity, and adverse mental health effects resulting from having one’s employer digitally watching them at all times, including in their homes.^{Footnote 7}

Compounding the problem are the significant gaps in statutory privacy laws covering employees in Canada.^{Footnote 8} Federally regulated employees are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA).^{Footnote 9} However, there is currently no privacy legislation applicable to non-federally regulated employees in provinces across Canada, with the exception of Alberta, British Columbia and Quebec that have their own provincial privacy laws. This patchwork of privacy laws across the country leaves many employees without any statutory privacy protections at all. Unfortunately, for the average Canadian employee, the question of ‘whether and what protections apply to information my employer collects about me’ may not offer a simple and reassuring answer.

Without an effective legislative regime, many employees will be left helpless to understand what information is being collected about them, how it is being used and for what purposes. These employees may have little to no meaningful recourse against employers who implement overly-invasive electronic monitoring policies and practices, contravene seemingly reasonable policies, or worse, have no transparent policies at all. This untenable situation further exacerbates the power imbalance between employees and employers, especially for vulnerable populations and marginalized communities across Canada’s workforce.^{Footnote 10}

Therefore,

Canada’s FPT Privacy Commissioners are calling on their respective governments and relevant stakeholders to ensure that employee rights to privacy and transparency are respected and protected, particularly in a modern work context that relies increasingly on electronic monitoring and surveillance of employees’ activities.

In particular, we call on federal, provincial, and territorial Governments to:

Acknowledge the importance of protecting employee privacy rights, and the potential harms that can occur when these rights are not respected in the workplace or at home, where remote or hybrid work arrangements exist
Acknowledge the legislative gaps in their respective jurisdictions, and in those jurisdictions with no or limited legislative protections for employee personal information, take action to close those gaps
Work collaboratively to ensure there is a harmonized or consistent statutory framework of protections for employees across Canada that leaves no worker behind
Where statutory privacy protections do exist, consider the need to update and strengthen those protections in a context of increased risks resulting from privacy-invasive technologies in a modern workplace. This includes:
- codifying a reasonableness, necessity and proportionality requirement to ensure reasonable and responsible deployment of these tools and technologies only for legitimate purposes
- strengthening transparency and accountability of employers’ use of tracking tools, including electronic monitoring/tracking and AI technologies, in managing the employer-employee relationship
- providing employees with a meaningful and accessible means of challenging unreasonable use of electronic monitoring tools and AI enabled systems and seeking redress against their employer for unfair decisions made about them
- prohibiting inappropriate employment practices, or defining “no-go zones” beyond a certain threshold of risk

We also call on Employers to:

Respect the principles of reasonableness, necessity, and proportionality when considering or reviewing any collection or use of employee information through electronic surveillance
Recognize the particularly sensitive nature of biometric information and their high degree of intrusion into the privacy of employees. The use of biometrics must be lawful, necessary, proportional, and only when there is no other effective and less privacy-intrusive way to achieve the objective pursued
Use electronic monitoring tools and AI technologies only for fair and appropriate purposes and only to the extent they are reasonably necessary to manage the employer-employee relationship
Not use AI technologies to make significant decisions about an employee’s performance, candidacy, employment prospects or any other decision with potential to have consequential employment related impact without a ‘human-in-the-loop’
Conduct privacy impact assessments (against applicable laws, recognized privacy principles and best practices) and algorithmic impact assessments (wherever relevant) to identify risks to privacy and other human rights associated with the deployment of these tools and technologies, and take actions to mitigate these risks accordingly
- Particularly in the case of AI technologies, seek information about the source of the data used to train the AI system, and assess whether the technology was developed in compliance with applicable privacy law
Adopt clear policies, controls, and procedures to prevent use beyond the identified purposes, and set out internal checks and balances to ensure proper governance and accountability mechanisms are in place
Inform employees and potential employees of the electronic monitoring tools and AI systems being used and for which purposes, explain their implications using clear and plain language and provide them with copies of relevant policies and procedures
Provide employees with clear information about how to object to the collection, use, or disclosure of their personal information, how to challenge decisions made about them, and how to exercise access rights
Take advantage of FPT Commissioners consultation services, where offered, before deploying new technologies and practices that could significantly impact employee privacy

As Canada’s FPT Commissioners, we commit to:

Engaging with government and other stakeholders in the development, modernization and application of statutory employee privacy protections in our respective jurisdictions
Continuing to monitor new technologies, developments and trends related to employee surveillance and privacy in the modern context of work
Collaborating in our efforts to educate and provide guidance to employers about their obligations, and to employees about their rights, in our respective jurisdictions
Taking joint or coordinated enforcement action on employee privacy-related matters as appropriate and where our laws permit

Footnotes

Footnote 1

Two-Thirds (65%) of Working Canadians Say They Have Achieved a Better Work-Life Balance in 2022 | Ipsos

Return to footnote 1

Footnote 2

Future Skills Center. “Monitoring Remote Work in Canada: Support or Surveillance”. July 2023. Retrieved from Monitoring Remote Work in Canada: Support or Surveillance – Future Skills Centre • Centre des Compétences futures (fsc-ccf.ca)

Return to footnote 2

Footnote 3

Amazon’s (in)famous minute-by-minute tracking of employees in its warehouses has been long reported. A couple of latest reports with new evidence about such practices and the negative impacts. Retrieved from Internal Documents Show Amazon’s Dystopian System for Tracking Workers Every Minute of Their Shifts (vice.com) June 2022 and Amazon’s worker surveillance tech “leads to extreme stress and anxiety” – New Statesman February 2023.

Return to footnote 3

Footnote 4

Seeing the potential harm of this activity, the European Parliament has proposed that the inference of individuals’ emotions in the workplace be a prohibited practice under the EU’s Artificial Intelligence Act (Amendment 226).

Return to footnote 4

Footnote 5

Amazon scraps secret AI recruiting tool that showed bias against women | Reuters

Return to footnote 5

Footnote 6

Dr. Joy Buolamwini, a researcher at the MIT Media Lab, tested the accuracy of facial recognition systems. The results showed error rate of only 0.8 percent for light-skinned men while 34.7 percent for dark-skinned women and confirmed the technology’s flawed results, particularly with respect to visible minority groups. Retrieved from Study finds gender and skin-type bias in commercial artificial-intelligence systems | MIT News | Massachusetts Institute of Technology

Return to footnote 6

Footnote 7

Some recent researches/reports regarding workplace monitoring and its impacts on employees. 1) Masoodi, M.J., Abdelaal, N., Tran, S., Stevens, Y., Andrey, S. and Bardeesy, K. (2021, September). Retrieved from “Workplace Surveillance and Remote Work: Exploring the Impacts and Implications Amidst Covid-19 in Canada”; 2) Michael Coteau, Member of Parliament. December 2022. Retrieved from “Rise of BOSSWARE Protecting the Privacy of Canadians Who Work from Home”; 3) Future Skills Center. July 2023. Retrieved from “Monitoring Remote Work in Canada: Support or Surveillance”.

Return to footnote 7

Footnote 8

Teressa Scassa. “Privacy in the precision economy: the rise of AI-enabled workplace surveillance during the pandemic” CIGI, June 8, 2021. Retrieved from Privacy in the Precision Economy: The Rise of AI-Enabled Workplace Surveillance during the Pandemic – Centre for International Governance Innovation (cigionline.org)

Return to footnote 8

Footnote 9

Please note that organizations in the Northwest Territories, Yukon and Nunavut are also considered federally regulated, and are therefore covered by PIPEDA. Refer to PIPEDA in brief – Office of the Privacy Commissioner of Canada for a list of Federally regulated organizations subject to PIPEDA.

Return to footnote 9

Footnote 10

According to “Monitoring Remote Work in Canada: Support or Surveillance”, intense monitoring is not equitable. Workers who are low income, younger, have disabilities or are racialized are more likely to be monitored than other groups. Report retrieved from Monitoring Remote Work in Canada: Support or Surveillance – Future Skills Centre • Centre des Compétences futures (fsc-ccf.ca)

Return to footnote 10

Office of the Privacy Commissioner of Canada signature

Date modified:: 2023-10-06

Language selection

Search and menus

Search

Protecting Employee Privacy in the Modern Workplace

Context

Therefore,