Electronic surveillance provides employers with increasing opportunities to protect, manage and monitor both property and people in the workplace. Although such systems are efficient, convenient and simple to operate and install, they also attract significant privacy considerations that may be overlooked.
Under the Personal Information Protection Act (“PIPA”), the Freedom of Information and Protection of Privacy Act (“FIPPA”), and the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which apply to private, public, and federally regulated organizations respectively, organizations are responsible for the collection, use, and disclosure of personal information obtained in the course of their activities. When an individual’s photographic image and/or discussions are recorded using electronic surveillance devices, personal information is collected, which triggers an employer’s privacy obligations.
Although the individual pieces of legislation differ, the following questions should be considered by private, public, and federally regulated organizations before surveillance is implemented:
Has the organization identified the reasons why surveillance is being used?
Before incorporating a surveillance system, organizations should first carefully consider and identify the purposes for using the surveillance. Surveillance is invasive of personal privacy, and there needs to be reasonable justification for its use, such as safety or property protection. Use of surveillance to monitor employees or customers/clients without a reasonable justification is not consistent with privacy legislation.
Does the organization provide sufficient notice to employees and customers that surveillance is in use?
Employees and others must be informed not only that surveillance is in use, but also how the information that is collected through surveillance may be used by the organization. Notice can be given by posting visible signs to alert customers and employees to the existence of surveillance before they enter the premises being monitored. This is respectful of an individual’s privacy and gives them the option not to enter. Notice should indicate what is being collected (video, audio or both) and for what purpose. It is also recommended that organizations provide the contact information for someone in the organization who can answer questions about the surveillance.
Does the applicable legislation allow the collection of personal information through surveillance?
FIPPA, PIPA and PIPEDA all impose limits on the personal information that an organization may collect, use and disclose. In the event of a complaint or investigation, a public body must be prepared to demonstrate, with specific evidence, that one or more provisions of s. 26 of FIPPA authorize its proposed or existing collection of personal information by a surveillance system.
With regard to the private sector, s. 11 of PIPA states that an organization may collect personal information if a reasonable person would consider it appropriate in the circumstances. For example, it would not be appropriate to have video surveillance in the bathroom of a mechanic shop but it may be reasonable to have it in the shop garage where cars are being stored.
Under s. 5(3) of PIPEDA, federally regulated organizations also must only collect information for purposes that a reasonable person would consider appropriate in the circumstances.
Has the organization considered other less privacy invasive means of achieving the business purposes for which surveillance is to be used?
To demonstrate that surveillance is reasonable, an organization should be able to show that less invasive methods of collecting the information would not be effective. Wherever possible, less invasive methods should be attempted before surveillance is used.
Is the collection of personal information limited to what is reasonable to collect?
In implementing a surveillance system, it is also necessary for an organization to consider what information is being collected and whether the organization is collecting more information than it reasonably needs. For example, if surveillance is designed to address a problem with break-ins, the cameras should be directed to areas where break-ins have occurred in the past or are likely to occur, rather than the entire premises. The scope of surveillance can also be limited by reducing the time periods that cameras are in use.
Does the organization have appropriate privacy policies and programs in place?
Organizations should be transparent with their employees and customers about what personal information they collect, use and disclose in the course of their activities. To achieve this objective, organizations should have privacy policies in place, and those policies should address surveillance if it is in use.
Is surveillance data protected by reasonable security arrangements?
The legislation also requires that public and private sector organizations have reasonable security arrangements to protect any personal information that is collected through the use of surveillance against unauthorized access, use, disclosure, loss or theft. Such measures include tracking access to surveillance recordings, physical security, staff training, and timely destruction when recordings are no longer needed.
A decision to implement surveillance in the workplace should not be undertaken lightly – careful thought and planning are needed to ensure that surveillance is appropriately justified and used under the applicable privacy legislation.
If you have any questions about this article, please contact Michela Fiorido.