Protecting privacy in the digital workplace

July 16, 2024

Privacy Act Bulletins are intended to offer lessons learned, best practices and other important privacy news, trends and information related to privacy protection in the federal government. We encourage you to share this information with colleagues.

---

With the rapid evolution of technology, navigating the privacy obligations in the digital workplace involves a wide range of issues, from innovative staffing practices to adapting to hybrid work environments, to employee monitoring and employee rights.

The OPC’s Government Advisory Directorate (GA) and the Treasury Board of Canada Secretariat’s (TBS) Privacy and Responsible Data Division (PRDD) addressed federal government employees about protecting privacy in the digital workplace as part of a Privacy Awareness Week event at the Canada School of Public Service.

This Bulletin provides key takeaways for your institution to consider. If your institution has questions, contact GA and PRDD for more in-depth advice.

Monitoring compliance with the TBS Direction on prescribed presence in the workplace

• Government institutions must use the least privacy-invasive means of verifying compliance available to them. This means that they should access only the minimum amount of personal information and only on a need-to-know basis.
• Employee compliance with the Direction should be handled at the manager level. A detailed review of personal information should only be undertaken if an issue is identified at the manager level.
• Under the current Standard personal information banks (PIB), personal information cannot be used to proactively monitor employee compliance.
• An institution wishing to conduct proactive monitoring must conduct a Privacy Impact Assessment (PIA) and register an institution-specific PIB.
• PIAs should include a thorough justification of the necessity of proactive monitoring activities.
• Duty to Accommodate requests for telework often include sensitive personal information and need to be managed with care. Institutions should minimize access to this personal information, and carefully consider what personal information they require to make a decision regarding the request.
• Government institutions should also develop clear privacy notices to employees concerning how their personal information will be collected, used, retained, and disclosed.

Innovations in staffing

• In the hybrid workplace, technologies such as live video interviews, asynchronous staffing platforms and artificial intelligence (AI) tools are increasingly being leveraged to help expedite staffing processes.
• Institutions should consider advising candidates on how to protect their privacy during a live video interview – including using a background or blurring feature, and/or removing personal items from view of the camera.
• It is important to remember that asynchronous platforms collect everything that is recorded – not just what is written down by selection board members. This may include responses to questions, the person’s likeness, their voice biometric and anything in view of the camera.
• Contracts with staffing platforms should include clauses on data ownership, retention, and safeguarding.
• Any use of AI tools within staffing will likely be subject to TBS’s Directive on Automated Decision Making, and therefore require an Algorithmic Impact Assessment.
• When leveraging AI, it is very important that there be human intervention. No candidate should be denied employment based solely on a decision made by AI.
• Institutions need to consider mitigation measures by applying privacy principles and ensuring full transparency with candidates.
• We strongly recommend institutions undertake PIAs for their use of innovative staffing platforms.

Employee Devices

• Work devices such as smartphones or laptops are the property of the Government of Canada and are meant to be used for work. However, some employees may also use these devices for personal activity.
• These devices have the capacity to collect far more personal information than a desktop computer at a workstation.
• So, while institutions’ device use policies and procedures apply to the use of government devices, employees still have a right to privacy on their work devices.
• Institutions using on-device investigative tools for administrative investigations should consult with their privacy and legal teams to determine if the use of such a tool would trigger the need for a PIA.

Resources

• TBS Directive on Automated Decision Making
• OPC Guidance – Privacy in the Workplace
• Federal, Provincial and Territorial Privacy Commissioners Resolution on Protecting Employee Privacy in the Modern Workplace
• 45^th Global Privacy Assembly Resolution on Artificial Intelligence and Employment

---

Sign up for future Privacy Act Bulletins by subscribing to our RSS feed.