
Top 3 Takeaways from the OPC’s New Guidance Document

On May 29, 2023, the Office of the Privacy Commissioner of Canada (“OPC”) updated its Guidance Document (the “OPC Guidance”) on Privacy in the Workplace. This was a welcome update to the original document first published by the OPC in April 2004. While not all jurisdictions in Canada have enacted privacy laws that extend to employment, in this OPC Guidance, the OPC reminds all employers of the importance of privacy in the workplace.

The OPC oversees and has jurisdiction over the application of privacy legislation to federal government entities and to private sector organizations that are federally regulated and subject to the Personal Information Protection and Electronic Documents Act, such as banks, telecommunication companies and transportation companies.

However, the OPC Guidance seeks to provide all employers with information about the importance of privacy in the workplace. The OPC Guidance provides a useful summary of employee privacy principles, and the following cautions.

1) Employees Cannot Waive their Privacy Rights

The OPC Guidance cautions employers against requiring employees to waive privacy rights as a condition of employment. Employees cannot be required to waive privacy rights. Nor can imposing overly broad consents on employees be used as a shortcut to achieving privacy compliance. Consent, when given, must be clear, specific and voluntary. Further, even with valid consent, employers are still subject to requirements that they collect, use and disclose employee personal information for legitimate purposes.

2) Employee Monitoring Must be Reasonable

The OPC Guidance also addresses growing trends and technology directed to monitoring employees in the workplace.

Employers have numerous legitimate reasons for seeking to monitor employee activities in the workplace, and emerging technologies have provided employers with an increasingly wide range of tools to do so. However, the OPC Guidance cautions employers to be conscious of employee privacy in taking such steps. New monitoring technologies may be cost-effective, efficient and easy to implement but must still be subject to scrutiny through a privacy lens.

In particular, employee monitoring must be limited to purposes that are specific, targeted, and reasonable in the circumstances. The OPC Guidance also clearly sets expectations that employers will be open and transparent with employees about the use of monitoring technologies. Employers should also anticipate that an employee may want access to their personal information that is collected through monitoring, and should ensure that the personal information is safeguarded accordingly and retained for an appropriate time period.

While the OPC Guidance cautions employers to take a privacy-conscious approach to workplace monitoring, it also supports the legitimate use of monitoring technologies for some purposes, such as verifying or assessing an employee’s presence at work, tracking productivity, ensuring the appropriate use of networks, and monitoring employer-owned vehicles (for example, by GPS).

3) Limits to the Collection, Use, and Disclosure of Personal Information

The OPC Guidance also sets out clearer guidelines on the obligations of an employer with respect to the implementation of appropriate limitations on the collection, use and disclosure of personal information. Employers are expected to carefully consider and limit the personal information that they collect and use to what is reasonable and necessary for the employment relationship.

The OPC Guidance also highlights the importance of transparency with employees. Fundamental to privacy legislation is the notion that individuals should ordinarily be informed of the purposes for which their personal information may be collected and used. That principle also applies to the employment relationship.

Conclusion

The OPC Guidance emphasizes the importance of an employee’s privacy rights in the workplace and the importance of employers approaching the employment relationship with an appropriate awareness of privacy obligations. The OPC leaves employers with the following eight practical tips:

  1. Examine all relevant legal obligations and authorities;
  2. Map out what employee information is being collected, used, and disclosed;
  3. Conduct Privacy Impact Assessments (PIAs);
  4. Test your proposed employee management information practices;
  5. Limit collection;
  6. Be transparent and open;
  7. Respect key privacy principles; and
  8. Be aware of inappropriate practices/no-go zones.

If you have questions about this article, please contact any member of the firm’s privacy group: Suzanne Kennedy, Michela Fiorido or Joyce Chiang.