Canadian Workplace Privacy: Updated Guidance for Employers
In an effort to adopt rules and practices which are more aligned with the digital age, the Office of the Privacy Commissioner of Canada (the “OPC”) has recently updated its Privacy in the Workplace guidance document (the “Guidance”). Through this update, the Guidance confirms a stricter approach to employee rights, sets out guidance regarding employee monitoring, and provides useful practical suggestions for employers. While the Guidance is, strictly speaking, only intended to address Canadian federal privacy law, a number of the substantive points are likely to be widely adopted across the country, including as they relate to provincial law.
The Guidance sets out what the OPC considers to be its current interpretation of privacy laws, together with the related obligations which apply to employee personal information. A key component is how the federal statutes, including the Personal Information Protection and Electronic Documents Act (“PIPEDA”), operate.
Continued Patchwork of Laws
The Guidance does not amount to a legislative change to the approach adopted by Canadian jurisdictions to privacy laws. Instead, the law in this area continues to be a complex and potentially confusing mix of legislation from the Canadian federal government and provincial legislatures. As such, there is still not one set of Canadian privacy laws which applies to all types of private sector employers and employees – there is still a requirement at the outset to review the nature of the relevant organization, and first determine whether Canadian federal law applies. If not, then the laws of the relevant province need to be reviewed, bearing in mind that not every Canadian province has its own privacy statutes. Even in those cases where the Guidance does not apply (which, formally speaking, includes all provincially-regulated organizations or activities), the recommendations of the OPC are often recognized as best practices or recommended approaches, including as adopted by provincial privacy regulators.
Employment: Specific Exemptions to Consent
The updated Guidance says that organizations must focus on the specific legal requirements (under PIPEDA) for the relevant issue in order to determine whether or not consent is required with respect to the use of personal information. For the employment context, the Guidance confirms that there are two main exceptions to PIPEDA’s consent requirements, which are as follows:
Consent is not required where the collection, use or disclosure of employee personal information is necessary to establish, manage or terminate the employment relationship. (In this case, however, there is still a requirement that employees be notified.); and
Consent is also not required if the personal information was produced by an individual in the course of their work (as an employee, contractor or business), and the collection, use or disclosure is consistent with the purposes for which the information was produced.
The Guidance does not provide details about the scope of the above exceptions, so this may well be an area for further disputes.
No Employee Waiver of Privacy Rights
The Guidance notes that some organizations may wish to advise employees that they will be required to give up their privacy rights as a condition of employment. The prior version of the Guidance said that any such blanket waiver of employee consent was likely questionable. The updated Guidance makes it clear that employees cannot grant an unqualified waiver to their employer, since doing so does not amount to an informed or appropriate consent. When consent is required, it is essential that the employer obtains the consent in a manner which is clear, informed and voluntary. This means that there must be express wording or information provided to the employee, whose agreement needs to be limited to the specific purposes stipulated. There should also be an explanation by the organization of the consequences if the employee declines to provide consent. Further, even when employees do provide consent, the Guidance makes it clear that this does not mean that there has been any contracting out of privacy laws, which will continue to apply.
Employee Monitoring
The Guidance says that the OPC considers it advisable to take a similar approach to employee monitoring as applies to consent more generally. In particular, employee monitoring should be specific, targeted and appropriate. As a general rule, employee monitoring should use the least intrusive means, and be based on a legitimate organizational reason. Employers should also establish procedures to deal with internal accountability (for data collection), retention guidelines (for storing and safely deleting relevant information), and the handling of employee access requests.
Tips for Employers
The OPC has included the following recommendations for employers when implementing or updating workplace privacy policies and procedures:
Examine all relevant legal obligations and authorities. This includes a review of applicable law, together with any relevant contract and policies.
Conduct a data mapping exercise. This requires organizations to identify all types of employee personal information which is collected and used. This helps to identify relevant procedures, including necessary controls relating to access and use of relevant information.
Conduct privacy impact assessments (PIAs). A PIA is a formal risk management exercise which identifies the privacy impacts of organizational programs, and seeks to minimize organizational risks.
Assess the Purposes of Processing Employee Information. For employers, a key initial step is to be clear about what specific purposes are being served by collecting and using personal information.
Limit Collection. All organizations should collect only that personal information which is genuinely necessary for the stated purposes identified (as reviewed and amended from time to time).
Be Transparent and Open. Given that privacy legislation and related legal rules are based on informed consent, it is essential that organizations adopt clear and transparent policies regarding employee privacy and personal information. Employers should focus on what information is being collected, the purposes of any collection and use, and what administrative or other procedures apply.
Respect Key Privacy Principles. Even if consent is obtained, it is quite important for employers to abide by applicable privacy laws and related principles as developed and published by regulators.
Be Aware of Inappropriate Practices. The OPC also makes it clear in the Guidance that employers must recognize that certain types of information, such as personal passwords, will virtually always be off limits.
Taken together, the Guidance highlights the importance of employers regularly reviewing the approach which the organization takes to privacy laws and personal information. Any data which is collected and used must be in accordance with a proper purpose, with proper and clear consent being obtained as appropriate. And even when consent is obtained, this does not absolve employers from the ongoing requirement of complying with privacy laws and best practices as adopted and updated from time to time.