Privacy in the private sector workplace

Privacy legislation has descended on the private sector workplace and employers must comply to protect their employees’ data.

Éloïse Gratton of Montreal and Lyndsay Wasser of Toronto, both partners at McMillan are co-authors of Privacy in the Workplace, 3rd Edition.  National asked the co-authors about governance, employee monitoring, cross-border transfer of employee information and employer best practices.

National: Who governs workplace privacy legislation in Canada?

Éloïse Gratton:  In Canada, the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) sets out rules and restrictions applicable to collection, use, storage and disclosure of employee information for private-sector federal works, undertakings and businesses. PIPEDA also applies to personal information that organizations collect, use and disclose in the course of their commercial activities, unless such activities are regulated by provincial legislation that has been declared substantially similar to PIPEDA. The provinces of British Columbia, Alberta and Quebec have each enacted provincial, private-sector data protection legislation that has been recognized as substantially similar to PIPEDA, and therefore, such legislation governs workplace privacy in these jurisdictions. Manitoba has also recently passed private-sector data protection legislation, which is expected to be declared substantially similar to PIPEDA once it has been proclaimed in-force.  In Quebec, privacy is also governed by the Civil Code of Quebec, at articles 3, and 35 to 41 inclusively. More specifically, article 35 states a general principle under which every person has a right to the respect of his reputation and privacy, and that no one may invade the privacy of a person without the consent of such person unless authorized by law. Article 36 (4) states that keeping someone’s private life under observation by any means may be considered an invasion of privacy of a person. In addition, the Quebec Charter of Human Rights and Freedoms, a statutory bill of rights adopted by the National Assembly of Quebec in 1975  which applies to private sector entities states, at article 5, that “every person has a right to respect for his private life.”

Lyndsay Wasser: Each province has a privacy commissioner or ombudsman, which is responsible for administering and enforcing both the public and private sector privacy legislation.  At the federal level, the Office of the Privacy Commissioner of Canada investigates complaints, conducts audits and pursues court action under PIPEDA and the federal Privacy Act. In addition to the privacy commissioners and ombudsmen, the courts can consider claims of “intrusion upon seclusion” under the common law, as evidenced by the recent certification of a class action in Hopkins v. Kay for alleged breaches of Ontario’s Personal Health Information Protection Act.  Finally, in unionized workplaces, arbitrators often consider grievances related to alleged breaches of employee privacy rights.

N: What are the common reasons for employers to monitor their employees using computer monitoring, GPS tracking or video surveillance?

LW: Employers’ reasons for monitoring employees generally vary depending upon the type of monitoring at issue.  For example:

Computer monitoring is often aimed at ensuring compliance with the employer’s policies (e.g., ensuring employees do not access prohibited websites or engage in harassment of other employees), investigating potential misconduct (e.g., disclosure of company confidential information), and performance management (e.g., to ensure that employees are not engaging in excessive personal Internet/email use during work hours). 

Common reasons for video monitoring include protection of company assets (e.g., to prevent theft or vandalism), protecting employee safety (e.g., in parking lots and reception areas), and performance monitoring (e.g., to ensure that employees are working efficiently and effectively). 

Reasons for GPS monitoring generally include co-ordinating efficient client service (e.g., locating the closest employee to service a customer), tracking lost or stolen property, and performance monitoring (e.g., ensuring that off-site employees are where they are supposed to be). 

N: Do clear guidelines on employee monitoring exist in Canada?

ÉG: Monitoring in Canada is governed in some cases by the privacy laws discussed above, as well, in some cases, by additional laws or provisions that govern working conditions to be provided by employers. For instance, in Quebec, under s. 2087 C.C.Q., an employer is bound to take any measures consistent with the nature of the work to protect the dignity of the employee and under the terms of article 46 of the Quebec Charter of Human Rights and Freedoms, which recognizes the right to fair and reasonable working conditions, an employer may be prohibited from consistently monitoring his employees. Monitoring in Canada is also governed by the various guidelines which have been adopted by the various privacy commissioners and which pertain to email monitoring of employees, CCTV employee monitoring inside and outside the workplace, on monitoring employees’ telephone conversations, on tracking employees using RFDI technology, identifying their employees using their biometric information, etc. Finally, various courts have issued decisions which provide for additional guidance as to what kind of monitoring will be acceptable in Canada. For instance, for CCTV covert surveillance, in the unionized context, courts apply the following three-part “Doman test” (from Doman Forest Products Ltd. v. I.W.A., Local 1-357, 1990 CarswellBC 2012 (Arb.) (Vickers)) which includes whether the surveillance is reasonably required in light of the circumstances, whether the surveillance is conducted in a reasonable manner, and whether there are no alternatives to the surveillance. Both the Federal Commissioner and the Alberta courts apply a similar test. In Quebec, the key decision which has established the test that an organization should use before deciding on whether to use covert video surveillance can be found in Le syndicat des travailleurs (euses) de Bridgestone Firestone de Joliette (CSN) c. Trudeau. For overt CCTV surveillance, the Federal Court in Eastmond v. Canadian Pacific Ltd., has followed the same test applied by the Federal Commissioner. As for email and Internet usage monitoring, in the recent 2012 decision R v. Cole, the Supreme Court of Canada has shed some light on whether employees have an expectation of privacy in their emails and Internet use, even when the computer that they are using is owned by the employer. Each jurisdiction may have additional provincial court decisions that may be used for additional guidance.

N: What privacy concerns arise when Canadian employees’ data is sent to foreign countries for storage or processing?  

LW:  When Canadian organizations send their employees’ data to foreign countries, they must ensure that they comply with any applicable Canadian privacy laws.  Some jurisdictions, such as Alberta and Quebec, have specific legislative requirements that apply to cross-border transfers. 

More particularly, in Alberta, there are notice and policy requirements that must be met when organizations transfer personal information to a service provider outside Canada (including a parent or affiliate that directly or indirectly provides a service to the Canadian organization).  In addition, under Quebec legislation, an organization must take all reasonable steps to ensure that personal information transferred outside Quebec will not be used for purposes that are not relevant to the object of the file or communicated to the individual.  If the organization cannot ensure that the information will not be used for improper purposes, it must refuse to transfer the information outside of Quebec.  This generally means that a data protection agreement is required to transfer information to a third party outside Quebec.  

Although legislation in other jurisdictions does not specifically address transfers of employee information outside Canada, the case law and general requirements under such legislation (e.g., informed consent, openness, and continued responsibility for information that is under the organization’s control) indicate that organizations should:

• Notify individuals that their information will be transferred to the foreign jurisdiction and will be subject to the laws and disclosure requirements in such jurisdiction, and
• Conduct a risk assessment prior to the transfer, including considering the sensitivity of the information as well as the political, economic and social conditions of the recipient country.

In addition, PIPEDA requires that an organization use “contractual or other means” to protect information that is transferred to a third party for processing. This generally means that organizations should have a data protection agreement with any foreign service provider.  If the information is being transferred to a foreign affiliate, the organization should either have a data protection agreement with its affiliate or take proactive steps to ensure that the affiliate’s data protection policies and practices are similar to those of the Canadian organization.

Finally, before transferring information outside Canada, the organization should consider (and seek legal advice) on the privacy laws of the recipient jurisdiction, since such laws will apply to the information once it is transferred.  For example, if the information will be transferred to a jurisdiction with stringent privacy laws (such as the European Union), the organization should consider whether it is prepared to comply with such laws.  If the recipient jurisdiction has patchwork privacy laws or no privacy laws, the organization should consider whether contractual protections would be sufficient to protect the information, since the organization may still be held responsible for the protection of information that is being held or processed on its behalf by a third party.  

N: What best practices can an organization adopt to ensure that it complies with its privacy responsibilities? 

ÉG: Businesses should ensure that privacy compliant business practices are in place. This means that they should have a Chief privacy Officer, and they should adopt proper policies which relate to the privacy of employees and customers, the retention and destruction of personal information, employees’ computer and social media use, as well as policies pertaining to their security breach response strategy. They have to ensure that they are being transparent about the type of personal information that they may be collecting, that only “necessary” information is collected and used, and also ensure that they have obtained the proper consent from customers and employees, which consents are properly documented. They should be investing in preventive measures such as conducting privacy training for their staff which are managing personal information and which may have to deal with employees’ or customers’ complaints pertaining to their data handling practices. These employees should be trained to deal with privacy complaints promptly, responsively, and to document each exchange taking place with the complainant. Finally, businesses should take privacy complaints seriously and participate in any privacy commissioners’ investigation. A breach of privacy may trigger damages to the reputation of a business, bad publicity, loss of trust or public confidence, loss of prestige as well as loss of future business. On top of these types of damages as well as the hard costs of responding to a privacy breach, the business’ financial exposure following a claim for damages in connection with a violation of privacy rights should also be taken into account, especially since damages granted by Canadian courts in these types of privacy matters are on the rise.