On May 29, 2023, the Office of the Privacy Commissioner of Canada (OPC) updated its guidance on privacy in the workplace and the application of the Personal Information Protection and Electronic Documents Act (PIPEDA). This was the first update to the Guidance, Privacy in the Workplace, in 19 years. Among the technological trends that now affect the workplace are big data, the gig economy, spam, corporate espionage, bad actors who perpetrate malware and ransomware attacks, and working from home (WFH).
PIPEDA applies to the employee personal information of federal works, undertakings or businesses (for example banks, airlines and telecommunications carriers). It also applies to the collection, use and disclosure of personal information in the course of commercial activity, including across provincial and national borders.
Within the rest of the private sector, however, workplace privacy legislation is a patchwork quilt. British Columbia, Alberta, and Quebec have provincial privacy laws that cover employee personal information. In the other provinces, employers are subject to privacy requirements at common law and under collective agreements; in Ontario, employers with 25 or more employees must also have a written electronic monitoring policy under the Employment Standards Act, 2000.
Nevertheless, the Guidance is a valuable resource for employers looking to proactively improve their workplace privacy policies and procedures.
Highlights of the Guidance changes
“Balancing” language has been removed. The Guidance removed wording that discussed the earlier need for “balance” between the employer’s need for information and the employee’s right to privacy. New guidelines emphasize the specific legal requirements set out under PIPEDA.
No blanket waiver of privacy rights. Employers cannot tell employees that their loss of privacy is a condition of employment. Nor can employees waive their privacy rights. It is crucial for employers to obtain consent in a clear, informed and voluntary manner.
Employee monitoring. Employee monitoring should be specific, targeted, and appropriate in the circumstances. Employers should only undertake employee monitoring after an assessment of the privacy risks and any mitigating measures. Such an assessment should establish the necessity of the practice, and consider whether any less intrusive methods would achieve the same purposes.
There are two main exceptions to PIPEDA’s consent requirement applicable to the employment relationship laid out in the Guidance:
1. Consent is not required where the collection, use or disclosure of employee personal information is necessary in order to establish, manage, or terminate the employment relationship (though the employee must still be notified in accordance with PIPEDA);
2. Knowledge or consent is not required if the personal information was produced by an individual in the course of their employment, business or profession and the collection, use or disclosure is consistent with the purposes for which the information was produced.
The Guidance is silent on when these two exceptions would apply, including whether monitoring employees for security reasons would count as necessary to manage the employment relationship.
Employers’ obligations to respect employee privacy
Here are the key privacy considerations for employers managing employees’ personal information in the workplace:
- Employers must limit collection of employee information to only that which is necessary for the purposes identified by the organization.
- Employers are generally required to obtain meaningful consent for the collection, use and disclosure of personal information unless an exception to consent applies. For Canada’s private-sector privacy legislation, the OPC has outlined seven guiding principles for obtaining meaningful consent that should inform consent practices.
- Even in cases where consent for the collection, use or disclosure of employee information is not required by law, the employer may still be required to be transparent, provide employees with meaningful notice, and outline their practices in organizational policies.
- The employer must generally only use or disclose personal information for the purposes that it was originally collected for and keep it only as long as necessary for those purposes unless the employer has the employee's consent to do otherwise or is legally permitted to use or disclose it for other purposes.
- Employers must limit access to employee information on a need-to-know basis.
- Employers should have policies and procedures in place regarding the collection, use and disclosure of employees’ personal information. Policies should cover practices such as any monitoring of employees in the workplace (physical and/or virtual). Existing policies should be updated when new programs are introduced or when existing programs are materially changed.
- Employers developing policies and procedures should address employee monitoring in a way that is reasonable, proportionate and minimally intrusive.
Employees’ right to privacy in the workplace
Below are employees’ rights with respect to the monitoring, collection, storage, and use of their personal information in the workplace:
- Employees have a right to know how their information is being collected and used. They also have a right to access their personal information and to challenge the accuracy and completeness of it.
- Policies and procedures should be made readily available to employees such as through signage and direct emails.
- Employees' personal information needs to be kept accurate, complete, and up-to-date.
- There should be physical, organizational and technological safeguards put in place to protect employees’ personal information from inappropriate access or disclosure, and to prevent “employee snooping”—where employees inappropriately access other employees’ personal information.
OPC’s 8 tips for employers
1. Be aware of all legal obligations, including collective agreements and federal and provincial privacy laws.
2. Map out what employee information is being collected and used, and whether that information is employee personal information. Data mapping pinpoints gaps in controls and safeguards, and is also a useful tool for analyzing the impact of a potential privacy breach.
3. Conduct Privacy Impact Assessments (PIAs) to identify and manage privacy risks.
4. Assess the purposes of processing employee information. An assessment should take into account:
- the sensitivity of the personal information;
- whether the organization’s purpose represents a legitimate need or bona fide business interest;
- whether the collection, use or disclosure would be effective in meeting the need;
- whether there are less privacy-invasive means of achieving the same ends at comparable cost and with comparable benefits; and
- whether the loss of privacy is proportional to the benefits gained.
5. Limit what information is collected to only what is necessary for a stated purpose.
6. Be transparent about what information you collect, use and disclose by developing open and accessible policies. Employee privacy policies should identify:
- what personal information is being collected from employees;
- the purpose for which the personal information is being collected;
- how the personal information will be collected;
- how the information will be used, including potential consequences for employees; and
- how long the personal information may be retained.
7. Follow key privacy principles:
- limiting collection, use, disclosure and retention;
- using appropriate safeguards to protect information;
- being transparent and open about policies and practices;
- individual access; and
- allowing affected individuals to challenge compliance.
8. Be aware of inappropriate practices.