Fostering a workplace culture of respect for employees’ privacy is good for business, because it contributes to morale and mutual trust.
Employers’ privacy obligations in the workplace can vary from province to province, and even from workplace to workplace, depending on their operations and whether, for example, a collective agreement is in place.
Here are some practical tips that every employer can use to create an organizational culture of privacy:
- Know the law – Be aware of your legal obligations under federal or provincial privacy laws, as well as human rights and workplace laws, and any commitments that you might have under collective agreements.
- Map out the information that you collect from employees – Know whether the pieces of information, either alone or in combination, amount to personal information about the employee. Your organization’s privacy risks and obligations are linked to the sensitivity of the personal information that your organization collects, uses and discloses. See the OPC’s Interpretation Bulletin: Personal Information for additional information.
- Conduct a privacy impact assessment – A PIA can be a useful tool to help you identify your legal requirements and the potential impact your programs and activities will have on employee privacy.
- Test your proposed information management practices – Identify all purposes for which you plan to collect, use or disclose personal information. Then consider whether you need the information for a legitimate purpose, and whether there might be a less privacy-invasive way of achieving the same ends. See the OPC Guidance on inappropriate data practices: Interpretation and application of subsection 5(3) for more information.
- Limit collection – Only collect the information that you need for a stated purpose, be transparent about how you will use it, and collect it by fair and lawful means. Remember that employee files should only contain necessary information.
- Be transparent and open – Create clear policies on practices such as monitoring employee attendance and activities in the workplace, and communicate the policies to your employees before implementing them. These policies should lay out why and how the information is being collected and how it will be used, including any potential consequences for employees. They should also state how long the information might be retained.
- Respect key privacy principles – You may not need employees’ consent to collect certain personal information, but other obligations to protect privacy continue to apply, such as accountability, accuracy, and individual access. You should have security safeguards in place that correspond to the sensitivity of the information.
- Be aware of inappropriate practices/no-go zones – Given the unequal positions of power between employers and employees, there is a risk that employers could ask for more information than they are allowed to collect, and that individuals may feel unduly pressured to provide it. For example, asking employees (or potential employees) to provide you with access to password-protected areas of their social media accounts would likely go too far. The OPC guidance on inappropriate data practices has more detail on what information employers (or prospective employers) can request.
For more information, see Privacy in the Workplace.