Earlier this year, the Office of the Privacy Commissioner of Canada (OPC) revised its guideline, Privacy in the Workplace, which addresses employee rights and workplace obligations with respect to employee personal information under federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies to employee information in federally regulated workplaces.
The guideline provides that employee personal information could include, “pay and benefit records, attendance reports, formal and informal personnel files, video or audio tapes, and records of web-browsing, electronic mail, and keystrokes, among other information,” and emphasizes that privacy obligations relating to such information apply generally to current, prospective, and former employees.
The guideline notes that, in addition to providing employers with authority for the collection, use, and disclosure of employee personal information, federal privacy laws also contain rules pertaining to employee consent, safeguards, retention, and access rights. It also lists key privacy considerations for the management of employee personal information in the workplace.
The guideline provides that employees cannot provide a “blanket waiver” of their privacy rights. It recommends that where consent is required, employers:
…specifically ask employees to consent to explicit, limited, and justified collections, uses, and disclosures of their personal information, while informing them openly and fairly of the impact of not providing the information. And where possible, to make alternatives available to employees who do not wish to consent.
The guideline cautions, however, that “individuals cannot consent to having their personal information handled contrary to legal requirements.”
The guideline addresses electronic monitoring “for verifying or assessing presence at work, tracking productivity, ensuring the appropriate use of networks, and to determine the location of company vehicles, among other examples.” This may have been inspired by Ontario’s recent requirement that certain employers ensure that they have a written policy in place for all employees with respect to electronic monitoring of employees. The guideline provides that:
- Such monitoring should be for the purpose of verifying or assessing the matters listed above;
- Consideration should be given to privacy invasion and any mitigating measures that can be taken, e.g., collect only what is necessary and use measures least likely to invade privacy;
- The technological, physical and governance measures to be used in monitoring employees should be identified, and how adherence to such measures will be monitored and enforced should be established;
- Guidelines for the retention of employee personal information collected for employee monitoring should be developed to ensure it is not retained longer than necessary;
- Transparency is fundamental: employees should be advised of the purpose, nature, extent and reasons for monitoring, and its potential consequences for workers; and
- Practices should be put in place to address employee access requests, and any privacy compliance challenges and complaints raised by employees.
Eight Practical Tips
Finally, the guideline recommends that employers build the following eight practical tips into their policies and procedures:
- Examine all relevant legal obligations and authorities, e.g., in collective agreements, federal and provincial privacy laws, in tort laws, human rights, and workplace laws;
- Determine what employee information is being collected, used, and disclosed, and understand its sensitivity;
- Conduct Privacy Impact Assessments to assist with the development of privacy management programs, policies, and training programs;
- Test your proposed employee management information practices;
- Limit the information collected to only what is necessary for a stated purpose;
- Be transparent about what information you collect, use and disclose by developing open and accessible policies;
- Follow key privacy principles:
  - Limiting collection, use, disclosure and retention
  - Using appropriate safeguards to protect information
  - Being transparent and open about policies and practices
  - Individual access
  - Allowing affected individuals to challenge compliance; and
- Be aware of inappropriate practices.