Privacy in the Workplace
Individuals have a right to privacy at work, even if they are on their employer's premises and/or using their employer's equipment. At the same time, employers need certain pieces of information about employees for activities like payroll, staffing and to ensure employee performance management and workplace safety.
Employers should be aware of how relevant privacy laws and obligations apply to employee personal information. The Privacy Act, for example, applies to employee information in federal government institutions. The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to employee information in federal works, undertakings, and businesses (such as banks, telecommunication companies and transportation companies).
Employers and unions may also agree to provisions in the collective agreement that may apply to workplace privacy policies and practices.
Whether or not privacy is protected by legal requirements, fostering a workplace culture where privacy is valued and respected contributes to morale and mutual trust, and makes good business sense.
While this document refers to obligations with respect to federal privacy legislation, several provinces have privacy legislation applying to employee information or may have specific laws in relation to employee rights and workplace obligations.Footnote 1
Respecting employees’ privacy
Employee personal information could include pay and benefit records, attendance reports, formal and informal personnel files, video or audio tapes, and records of web-browsing, electronic mail, and keystrokes, among other information.
Privacy obligations relating to employee information generally apply not only to current employees, but also to prospective and former employees.
In addition to providing authority for the collection, use and disclosure of personal information, federal privacy laws also set out specific requirements, such as rules concerning consent, safeguards, retention, and access rights.
Key privacy considerations for the management of employee personal information in the workplace include:
- Employers must limit collection of employee information to only that which is necessary for the purposes identified by the organization.
- Employers are generally required to obtain meaningful consent for the collection, use and disclosure of personal information unless an exception to consent applies. In this regard, with respect to Canada’s private sector privacy legislation the OPC has outlined seven guiding principles for obtaining meaningful consent that should inform consent practices.Footnote 2
- Even in cases where consent for the collection, use or disclosure of employee information is not required by law, the employer may still be required to be transparent, provide employees with meaningful notice, and outline their practices in organizational policies.
- The employer must generally only use or disclose personal information for the purposes that it was originally collected for and keep it only as long as necessary for those purposes unless the employer has the employee's consent to do otherwise or is legally permitted to use or disclose it for other purposes.
- Employees have a right to know how their information is being collected and used. They also have a right to access their personal information and to challenge the accuracy and completeness of it.
- Employers must limit access to employee information on a need-to-know basis.
- Employees' personal information needs to be kept accurate, complete, and up-to-date.
- Employers should have policies and procedures in place regarding the collection, use and disclosure of employees’ personal information. Policies should cover practices such as any monitoring of employees in the workplace (physical and/or virtual). Existing policies should be updated when new programs are introduced or when existing programs are materially changed.
- Employers developing policies and procedures are recommended to address employee monitoring in a way that is reasonable, proportionate and minimally intrusive.
- Policies and procedures should be made readily available to employees such as through signage and direct emails.
- There should be physical, organizational and technological safeguards put in place to protect employees’ personal information from inappropriate access or disclosure, and to prevent “employee snooping” — where employees inappropriately access other employees’ personal information.
Do employees’ privacy rights conflict with an employer's right to manage?
Employers have legitimate requirements for collecting, using and disclosing personal information about their employees. They need to know who they are hiring. They need to address performance issues and ensure the physical security of their workplace. They may see electronic monitoring and other surveillance as necessary to ensure productivity, stop leaks of confidential information, and prevent workplace harassment.
Under PIPEDA, in addition to establishing, managing and terminating the employment relationship, federally-regulated employers may also collect personal information without knowledge and consent if it was produced by an individual in the course of their employment, business or profession and the collection, use or disclosure is consistent with the purposes for which the information was produced.
Of note is that depending on the exemptions to consent, there may be obligations to inform employees about what is being done with their information. For example, while there are exemptions to consent for managing an employment relationship under PIPEDA, other requirements in the Act continue to apply, such as limiting the collection, use, and disclosure and retention of personal information.
Under the Privacy Act, federal government employers are allowed to collect personal information, including employee information, only if it relates directly to an operating program or activity of the government institution. Employers may then use that information only for the purpose for which it was collected, or a purpose consistent with that purpose, unless an employee consents to its use for a different purpose or a specific exemption under s.8(2) of the Privacy Act applies. Thus, for example, a federal government employer that collects surveillance video for security purposes cannot, without an employee’s consent, use that video for performance management purposes or to monitor employee attendance, unless a s.8(2) exemption applies. Subject to limited exceptions, employees must also be informed of the purpose(s) for which their information may be used at the time the information is collected.
Can employees waive their privacy rights?
Employers may be tempted to advise employees or prospective employees that they have no privacy in the workplace — that the loss of privacy is a condition of employment.
Where consent is required, such an approach does not align with consent needing to be clear, informed, and voluntary. Further, it is not in-keeping with the general principle of only collecting personal information for appropriate purposes.
A better approach is to specifically ask employees to consent to explicit, limited, and justified collections, uses, and disclosures of their personal information, while informing them openly and fairly of the impact of not providing the information. And where possible, to make alternatives available to employees who do not wish to consent.
It is important to note that consent does not waive an organization’s other obligations under privacy laws, such as the requirement to have the legal authority to collect information, or being subject to obligations related to accountability, collection limitation, and safeguards, depending on the applicable statute. In other words, individuals cannot consent to having their personal information handled contrary to legal requirements.
Employee monitoring
Privacy rights must be considered in any instance where employers are contemplating monitoring their employees. Employee monitoring can include measures for verifying or assessing presence at work, tracking productivity, ensuring the appropriate use of networks, and to determine the location of company vehicles, among other examples.
It is important that any employee monitoring be limited to purposes that are specific, targeted and appropriate in the circumstances. Monitoring measures should take into consideration an assessment of the privacy risks and any mitigating measures, including limiting collection to only that which is necessary for the stated purpose, and ensuring that the least privacy invasive measure in the circumstances is used.
While there may be a number of technological measures that are available to monitor employees, not all measures will necessarily be the most effective in meeting the desired goals or be the least intrusive means available to achieve the stated purpose. For example, a technological measure for monitoring access to certain areas/zones may not necessarily be appropriate or effective for attendance monitoring.
To ensure accountability for monitoring practices, employers should identify what technological, physical and governance measures they plan to use and establish how adherence will be monitored and enforced. Guidelines for the retention of personal information that is collected for employee monitoring should be developed to ensure that information is not retained any longer than is necessary to fulfil the identified purpose.
Transparency about employee monitoring is fundamental. Employers must make employees aware of the purpose, nature, extent and reasons for monitoring, as well as potential consequences for workers, unless there are exceptional circumstances at play.
Employee access rights extend to personal information collected for monitoring. Employers therefore need to ensure they have practices in place to address employee access requests, any privacy compliance challenges that employees may raise, as well as potential complaints.
Eight practical tips for employers
While each organization may have to consider different laws specific to their operations and collective agreements, the following 8 practical tips are a good starting point for employers to build into their policies and procedures:
1. Examine all relevant legal obligations and authorities
This may include commitments made in collective agreements, federal and provincial privacy laws, as well as other legal areas, such as tort, human rights, and workplace laws.
2. Map out what employee information is being collected, used, and disclosed
This includes examining if information alone or in combination with other information may result in being classified as “personal information”. Employers should also seek to understand the sensitivity of the information that they collect, use and disclose as this can have implications for the privacy risks their organization will face as well as the associated privacy requirements.
- Organizations subject to PIPEDA can refer to the OPC’s Interpretation Bulletin: Personal Information for additional information on personal information in the employment context.
- Departments and Agencies subject to the Privacy Act can consult the OPC’s summary of Dagg v. Canada (Minister of Finance), [1997] 2 S.C.R. 403, which outlines considerations related to personal information in the workplace for government department and entities.
3. Conduct Privacy Impact Assessments (PIAs)
PIAs are a proven way to minimize privacy risks. They consist of a risk management process that helps identify legislative requirements and the potential impacts of programs and activities on individuals’ privacy. This should also contemplate access controls and data segregation of databases and directories to mitigate risks of inappropriate disclosures.
The OPC's Guide to the Privacy Impact Assessment Process can assist government institutions that are required to undertake a PIA in identifying and minimizing privacy risks when initiating a new program that requires the collection of personal information.
While organizations subject to PIPEDA are not legally required to undertake a PIA, it is a useful tool to help them develop their respective privacy management programs, policies, and training programs.
4. Test your proposed employee management information practices
Identify all purposes for which you plan to collect, use or disclose personal information. Consider whether the planned collection, use and disclosure is appropriate in the circumstances, by considering the sensitivity of the information in question, and other relevant factors. For example, organizations subject to PIPEDA must evaluate whether their purposes are appropriate “in the circumstances” and should consider:
- The degree of sensitivity of the personal information at issue;
- Whether the organization’s purpose represents a legitimate need / bona fide business interest;
- Whether the collection, use and disclosure would be effective in meeting the organization’s need;
- Whether there are less invasive means of achieving the same ends at comparable cost and with comparable benefits; and
- whether the loss of privacy is proportional to the benefits.
Under this investigation the employer installed a dash camera into a vehicle that continuously recorded audio and video without the employee’s consent. The organization claimed that it was to improve the safety of its operations.
In this case, the recording device was active when the truck was on or idling; the system could therefore be active when drivers are off duty.
Given the circumstances of the case, the Commissioner found that the continuous monitoring of employees resulted in the loss of privacy that was disproportionate to the benefits being gained, and that the company could have achieved their objectives in a less privacy-intrusive manner, by recording only when the driver was on duty and/or driving.
Please also see: OPC Guidance on inappropriate data practices: Interpretation and application of subsection 5(3)
5. Limit collection
Only collect the personal information that is necessary for a stated purpose, and collect it by fair and lawful means.
- Employee files should only contain necessary information and organizations should be fully transparent about how that information is to be used.
- For example, when interviewing job candidates, consider writing in the interview invitation or instructions that candidates may blur their backgrounds (to avoid the inadvertent collection of personal information).
6. Be transparent and open
At a minimum this should involve:
- Telling employees what personal information will be collected, used, and disclosed.
- Developing clear policies and communicating them to affected employees before putting them into practice.
- For example, employers should develop and implement a clear policy on collection, use and disclosure of personal information with respect to any monitoring of employee attendance and activities (physical and/or virtual) in the workplace, in the event that such monitoring takes place. Such a policy should clearly identify:
- What personal information is being collected from employees;
- The purpose for which the personal information is being collected;
- How the personal information will be collected;
- How the information will be used, including potential consequences for employees;
- How long the personal information may be retained.
- For example, employers should develop and implement a clear policy on collection, use and disclosure of personal information with respect to any monitoring of employee attendance and activities (physical and/or virtual) in the workplace, in the event that such monitoring takes place. Such a policy should clearly identify:
Investigation Under the Privacy Act – January 31 2020
In this case, a government department used surveillance cameras to track employee attendance in the workplace. Following an investigation, the OPC found that the policy did not identify this purpose, and recommended that the department use less intrusive measures.
7. Respect key privacy principles
Whether consent is required for the collection, use, and/or disclosure of personal information, other obligations to protect privacy continue to apply, including:
- Accountability
- Accuracy of personal information
- Limiting collection, use, disclosure, and retention
- Having security safeguards in place to protect personal information
- Openness of policies and practices
- Individual access
- Affected individuals being able to challenge compliance
8. Be aware of inappropriate practices/no-go zones
Given the unequal positions of power between employers and employees (or potential employees), there is a risk that employers ask for more information than they are allowed to collect, and that individuals may feel unduly pressured to provide such information. For example, employers would likely go too far in requesting that employees (or potential employees) provide them with access to password-protected areas of their social media accounts.
OPC guidance on inappropriate data practices has noted that requiring passwords to social media accounts for the purpose of employee screening would generally not be considered appropriate by a reasonable person. It also notes that profiling or categorization that leads to unfair, unethical or discriminatory treatment contrary to human rights is a further inappropriate practice.
- Date modified: