The Office of the Privacy Commissioner of Canada (“OPC”) updated its guidance concerning privacy in the workplace and the application of the Personal Information Protection and Electronic Documents Act (“PIPEDA”). PIPEDA applies to federal works, undertakings or businesses. It applies to the collection, use and disclosure of personal information in the course of commercial activity and across borders.
Changes to the Guidelines:
- Removed “balancing” language. Removed wording that discussed the need for “balance” between the employer’s need for information and the employee’s right to privacy. New guidelines emphasize the specific legal requirements set out under PIPEDA. There are two primary exceptions to PIPEDA’s consent requirement applicable to the employment relationship:
1. Consent is not required where the collection, use or disclosure of employee personal information is necessary in order to establish, manage, or terminate the employment relationship (though the employee must still be notified in accordance with PIPEDA);
2. Knowledge or consent is not required if the personal information was produced by an individual in the course of their employment, business or profession and the collection, use or disclosure is consistent with the purposes for which the information was produced.
- No blanket waiver of privacy rights. Employers cannot tell employees that their loss of privacy is a condition of employment. It is crucial for employers to obtain consent in a clear, informed and voluntary manner.
- Employee monitoring. Employee monitoring should be specific, targeted, and appropriate in the circumstances. Employers should only undertake employee monitoring after an assessment of the privacy risks and any mitigating measures. Such an assessment should establish the necessity of the practice, and consider whether any less intrusive methods would achieve the same purposes.
The guidance also provides the following tips for employers:
- Be aware of all legal obligations, including collective agreements and federal and provincial privacy laws
- Map out what employee information is being collected and used and whether this information is employee personal information.
- Conduct Privacy Impact Assessments (PIAs) to identify and manage privacy risks
- Assess the purposes of processing employee information. An assessment should take into account:
(i) the sensitivity of the personal information;
(ii) whether the organization’s purpose represents a legitimate need or bona fide business interest;
(iii) whether the collection, use or disclosure would be effective in meeting the need;
(iv) whether there are less privacy-invasive means of achieving the same ends at comparable cost and with comparable benefits; and
(v) whether the loss is proportional to the benefits gained.
- Limit what information is collected to only what is necessary for a stated purpose.
- Be transparent about what information you collect, use and disclose by developing open and accessible policies. Employee privacy policies should identify:
(i) what personal information is being collected from employees;
(ii) the purpose for which the personal information is being collected;
(iii) how the personal information will be collected;
(iv) how the information will be used, including potential consequences for employees; and
(v) how long the personal information may be retained.
- Follow key privacy principles:
c. Limiting collection, use, disclosure and retention
d. Using appropriate safeguards to protect information
e. Being transparent and open about policies and practices
f. Individual access
g. Allowing affected individuals to challenge compliance
- Be aware of inappropriate practices.