Workplace Privacy

Workplace Privacy

The information provided on this webpage is of a general nature and does not constitute legal advice. Moreover, it addresses only some issues in information privacy, labour and employment law. If you have questions about privacy and your workplace, you should consult a lawyer, your union representative, or the human resources department of the organization you work for. For general information on private sector data protection laws, see CIPPIC's webpage on Privacy. CIPPIC welcomes feedback and comments on this webpage at cippic@uottawa.ca.
 
The information on this webpage is current as of May 2007
 
This F.A.Q. was supported by the Social Sciences and Humanities Research Council.
 

Introduction

The workplace presents particular challenges to individual privacy for a number of reasons, including the power imbalance between employer and employee, the increasing technological capabilities of employers to monitor employee activity, and the strong incentives for employers to collect and use employee personal information for employment-related purposes, enhanced productivity, and reduced liability. Throughout these FAQs, we cite key privacy findings from privacy commissioners, courts and labour arbitrators. Although the findings of privacy commissioners are important in determining legal rights and remedies, they do not always have the same legal consequences as a decision of a court of law. In particular, the federal Privacy Commissioner's findings under PIPEDA and the federal Privacy Act are not legally binding. In contrast, rulings by the Alberta, B.C., and Quebec Privacy Commissioners do have legal force in those jurisdictions. Privacy commissioner rulings in one jurisdiction are not binding on another. However, findings and decisions by privacy commissioners do carry weight and offer considerable guidance across sectors and jurisdictions when workplace privacy cases arise.
 

F.A.Q.


Contents

Do I have a right to privacy in my workplace?

Employees have privacy rights vis-a-vis employers, but these rights are not absolute.  Some arbitrators have recognized an inherent right to privacy on the part of individual employees, but this view is not universally accepted.  In any given situation, an employee's right to privacy will be weighed against the employer's legitimate business needs, taking into account such factors as:
 
  • applicable contractual provisions (e.g., in collective agreement or employment contract)
  • applicable statutory provisions (varies by jurisdiction)
  • reasonableness of the employer's rationale for the activity in question
  • reasonableness of the employee's expectation of privacy in the circumstances
  • adequacy of notice to employees of general policy that invades privacy
  • whether the invasion of privacy is surreptitious (if so, the threshold for justification is higher)
  • the nature and extent of privacy loss suffered
  • whether there are less invasive means of achieving the employer's goal
  • whether the loss of privacy is proportional to the benefit gained thereby.

What legislation protects public sector workers?

If you work for the government, a governmental agency, or a public institution such as a school board, university, college, or public library, your personal information is likely protected by public sector privacy legislation. Each government in Canada, federal and provincial, has legislation governing what it can and cannot do with your personal information (see list of legislation below). Municipal employees are regulated by provincial legislation. Saskatchewan, Ontario and Nova Scotia have specific legislation that pertains to municipal workers. These statutes usually list, in a schedule, the agencies and public institutions to which they apply.

Federal Public Sector Privacy Legislation:

Privacy Act, R.S.C., 1985, c. P-21.
Schedule of Federal Government Institutions that are covered by the Privacy Act.

Provincial Public Sector Privacy Legislation:

Alberta: Freedom of Information and Protection of Privacy Act, R.S.A. 2000, c. F-25

British Columbia: Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165.

Manitoba: The Freedom of Information and Protection of Privacy Act, C.C.S.M. c. F175.

New Brunswick: Protection of Personal Information Act, S.N.B. 1998, c. P-19.1.

Newfoundland: Access to Information and Protection of Privacy Act,S.N.L. 2002, c. A-1.1.

Northwest Territories: Access to Information and Protection of Privacy Act, S.N.W.T. 1994, c. 20.

Nova Scotia: Freedom of Information and Protection of Privacy Act, S.N.S. 1993, c. 5, and Part XX of the Municipal Government Act.

Nunavut: Access to Information and Protection of Privacy Act,R.S .N.W.T. 1994, c. 20.

Ontario: Freedom of Information and Protection of Privacy Act, R.S.O. 1990, F.31, and Municipal Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. M.56.

Prince Edward Island: Freedom of Information and Protection of Privacy Act, R.S.P.E.I. 2001, c. F-15.01.

Quebec: An Act respecting access to documents held by public bodies and the protection of personal information, R.S.Q., c. A-2.1.

Saskatchewan: Freedom of Information and Protection of Privacy Act, S.S. 1990-91, c. F-22.01 and The Local Authority Freedom of Information and Protection of Privacy Act, S.S. 1990-91, c. L-27.1.

Yukon: Access to Information and Protection of Privacy Act, R.S.Y. 2002, c. 1.

Public sector employers are also subject to the Canadian Charter of Rights and Freedoms, which includes guarantees against "unreasonable search and seizure", subject to "such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society".  While there is no right to privacy per se in the Charter, the Supreme Court has found that section 8's freedom from unreasonable search and seizure is based on individual's "reasonable expectations of privacy".Both public and private sector employers are subject to Human Rights legislation, which applies to such privacy issues as mandatory drug and alcohol testing of employees.  Each jurisdiction (federal, provincial, territorial) has its own human rights legislation.

What legislation protects private sector workers?

The personal information of private sector workers is not uniformly covered by privacy legislation across Canada. As of March 2007, only those companies that are federally regulated or provincially regulated in Alberta, B.C., or Quebec, are subject to data protection laws in Canada. Federally regulated employers are subject to the Personal Information Protection and Electronic Documents Act, R.S.C. 2000, c.5 (PIPEDA), while employers in Alberta, B.C., and Quebec are subject to those province's data protection laws (see list of legislation below). The private sector privacy legislation in Alberta and B.C. contain specific provisions that define "employee personal information."
Private sector employers are also subject to Human Rights legislation, which applies to such privacy issues as mandatory drug and alcohol testing of employees.  Each jurisdiction (federal, provincial, territorial) has its own human rights legislation.

As in the case of public sector employees, unionized workers in the private sector may have further protection by way of provisions in their collective agreements. Individual employment contracts may also contain provisions that protect employee privacy.
 
Private Sector  Privacy Legislation:

 

How do I know if my employer is federally regulated?

If you work in an industry that is regulated by the federal government, you work for a federally regulated employer. Examples of federally regulated employers are:
 
  • chartered banks;
  • buses and railway companies that travel between provinces;
  • airline companies;
  • employers involved in maritime navigation and shipping such as port authorities and long shoring companies;
  • TV and radio stations;
  • certain mining companies;
  • the nuclear energy sector;
  • telephone and cable companies;
  • local businesses in the Yukon, Nunavut, and the Northwest Territory. In these areas, all private sector activity is regulated by federal laws.
These particular industries are governed by the federal government and not the provinces.  This division of powers between the federal government and the provinces is set out in sections 91 and 92 of the Constitution Act, 1867. PIPEDA also sets out, in section 2(1), a list of “federal works, undertakings and businesses.” For more information, see the Federal Privacy Commissioner’s Fact Sheet on the Application of PIPEDA to Employee Records.

 

How does being unionized affect my privacy rights?

Unionized employees may have an additional measure of privacy protection in the workplace through provisions in the collective agreements govern the terms and conditions of their employment.
 
Some unions have been successful in advancing their members’ privacy interests even where such interests are not explicitly protected in legislation or collective agreements. In a number of cases, unions have been able to prove that an employer encroached on a worker’s privacy by violating the general duty of fairness and the duty to act in good faith. Arbitral jurisprudence has supported employee privacy interests in cases where an employer requested unnecessary personal information, improperly shared personal information within the workplace, or inappropriately disclosed personal information to a third party. Generally, the more sensitive the personal information being handled by an employer, the greater scrutiny it will attract.
 

What is employee “personal information” under privacy laws?

Privacy legislation in Canada protects “personal information.” “Personal information” is defined in most privacy laws as information about an identifiable individual. Personal information therefore includes your SIN, employee number, date of birth, home/personal telephone number and address, salary, performance appraisals and discipline records, and medical information. However, employment-related information is exempted from the definition of “personal information” in some statutes. Thus, not all information that relates to an employee is necessarily considered that employee’s “personal information” for the purposes of privacy legislation.
 
For example, under the federal Privacy Act, information that relates to an employee’s position or that is collected, used and shared within a business or professional context is not considered to be “personal information” under the Act and does not, therefore, benefit from the protections granted by the Act. In general, information such as an employee’s work product, materials or other information generated in the course of employment would not constitute employee “personal information.” Nor is an employee’s name, position, business address and business telephone number considered personal information.
 
Under PIPEDA, an employee's name, title, business address or telephone number are not considered personal information. However, the Federal Privacy Commissioner has found that an employee’s work e-mail address is “personal information” under PIPEDA.
 
Alberta’s Personal Information Protection Act and B.C.’s Personal Information Protection Act  contain definitions of “employee personal information,” which is treated differently from “personal information” outside the employment context. Alberta’s statute contains a comprehensive definition that defines “employee personal information” as personal information about an individual who is an employee or a prospective employee that is “reasonably required by an organization…for the purposes of establishing, managing or terminating an employment relationship or a volunteer work relationship between the organization and the individual but does not include personal information about the individual that is unrelated to the relationship.”
 
In some cases, information about the classification, salary range, the provision of discretionary benefits or expense claims and responsibilities of the position held by an individual are routinely disclosed to a Board of Directors or reported to the public. In these circumstances, employers do not normally require employee consent, although it is considered good practice to notify employees beforehand that such a disclosure will take place.

 

What are my employer’s obligations under privacy statutes?

Privacy legislation in Canada generally provides that employers must collect, use and disclose personal information with employee consent. Consent is usually given expressly, either in writing or verbally. Highly sensitive data, such as health or medical information, normally requires express consent to collect, use, or disclose.
 
Consent can be implied for certain categories of personal information in order to facilitate the administration of the employer-employee relationship. For example, an employer may have to disclose your SIN, banking information and address to a payroll administrator in order for you to get paid. Some workplace investigations concerning disciplinary issues may not require explicit consent during the investigatory phase.
 
Data protection legislation provides employees with the right to access personal information held by their employer, and the right to request corrections to those holdings. Employers are obligated to:
 
  • safeguard employee personal information;
  • appoint a privacy officer within the organization to handle disputes;
  • respond to complaints and requests to access personal information within a certain amount of time; and
  • direct dissatisfied complainants to the appropriate Privacy Commissioner’s Office.
The federal private sector statute, PIPEDA, contains 10 Principles of Personal Information Protection. These principles are generally reflected, in various ways and to varying degrees, in privacy legislation across Canada.

 

Why does my employer need to collect my personal information?

An employer may need to collect your personal information for a variety of purposes in order to manage the employment relationship. Some examples of purposes of collection are to:
 
  • administer payroll and benefit plans;
  • comply with tax and employment standards law requirements for record keeping and reporting;
  • uphold statutory health and safety record keeping and reporting requirements;
  • investigate workplace accidents and injury claims - possibly recording off-duty conduct;
  • abide by human rights laws that may require employers to collect workplace statistics, prevent harassment or discrimination and stop the dissemination of hateful or obscene materials;
  • gather evidence in employee discipline or discharge cases;
  • investigate workplace harassment complaints or customer complaints;
  • prevent theft or vandalism;
  • protect trade secrets and other proprietary information;
  • reduce risks of copyright infringement or defamation by employees through email and internet use;
  • comply with warrants or other official requests from law enforcement;
  • respond to court or regulatory body orders for a proceeding (e.g. a subpoena or production order);
  • perform a credit or security check when hiring individuals for security sensitive positions;
  • perform drug testing on individuals in safety sensitive positions, discipline cases or insurance matters;
  • manage the virtual workplace for off-site employees working from home; and
  • monitor productivity or customer interactions for “quality control.”
Whether or not an employer has the right to collect your personal information for any of these purposes will depend on the statute that applies to your workplace, whether you are a unionized worker (and therefore what labour arbitrators have said about a given type of collection and its purposes), and the factual circumstances of each case.
 
The appropriateness of the collection will rest on:
 
  1. whether or not consent was obtained;
  2. the intrusiveness of the collection; and
  3. the purpose of collection.
The answer will ultimately depend on an overall balance between the employer’s legitimate business interests to manage the workplace and the employee’s privacy interests.

 

What information about me can my employer gather?

Employees should be aware that technology has given employers a powerful ability to collect information from employees in several different ways. Some example of data collection are:
 
  • background credit checks and criminal records;
  • resumes, cover letters and job applications;
  • video surveillance of work premises and off-duty conduct;
  • Global Positioning Systems for couriers, delivery and transport workers;
  • telephone monitoring;
  • keystroke logging;
  • monitoring internet activities;
  • “smart” ID cards that track work attendance, access to the workplace, resources, and drug and dental plans;
  • biometrics (fingerprint, handprint, voice and eye scanning to verify employee identity for security purposes);
  • drug and alcohol tests; and
  • workplace investigations.
Whether any particular method of collection is permissible depends on whether:
  1. the employee was aware of the monitoring;
  2. whether consent was obtained;
  3. the intrusiveness of the collection;
  4. the appropriate balance between employer and employee interests; and
  5. the facts of the situation.
 

What information about me can my employer disclose?

Under privacy legislation, your consent is required for your employer to disclose your personal information to a third party. However, there are exceptions to consent. The following are certain circumstances under which your information can be disclosed without your express consent:
 
  • information that is requested by an adjudicative body, court or law enforcement by law or regulation;
  • implied consent allows sharing personal information within the organization and sharing information with third parties for administering health, pension, disability and other benefits and for compensation purposes;
  • if an employee is managed by a third party, that third party can be privy to the employee’s personal employment information, as this type of information sharing is not considered “disclosure” under the Act (PIPEDA Case #145);
  • third party insurance companies normally obtain express consent to disclose information to employers in their claim forms (PIPEDA Case #293).
See additional information on what your employer can disclose about you.

 

Can I see what personal information my employer has about me?

Both federal and provincial privacy legislation provide employees with access rights to their personal information. Employees can access their personal information to ensure accuracy and completeness.
 
Access requests must be made by an employee in writing. The employer must respond to the request within various time limits, according to the governing Act. If the employer refuses access based on a statutory exemption, the employee must then be informed in writing. The employer must also provide the employee contact information for the federal or provincial privacy commissioner should the employee decide to appeal the employer’s refusal.
 
The Federal Privacy Commissioner has made the following rulings about what constitutes employee personal information and access rights to that information:
 
  • an employee’s personal opinions expressed in the course of employment are not personal information (PIPEDA Case #15);
  • opinions expressed by management and colleagues about another employee are the employee’s personal information (see the LEcuyer case below);
  • even during litigation, employees still have access to their own personal information (PIPEDA Cases #285 and #87);
  • arguably, unsolicited resumes are protected under PIPEDA, but there have been no findings from the Federal Commissioner on this issue; and
  • an employer can withhold an employee’s personal information if that information is protected by solicitor-client privilege and if it has already been generated in the course of a formal dispute resolution process such as a grievance process (PIPEDA Case # 330).
The Courts have ruled that employees may request access to disciplinary documentation and complaints made against them by others in  L’Ecuyer v. Aeroparts de Montreal (2003) FCT 573 (T-2228-01, 13th May, 2003); Upheld on appeal – [2004] F.C.A. 237.
         
In LEcuyer, an employee was denied access to complaints made against her and her disciplinary letters. The refusal letter was copied to two union representatives and the employer’s Labour Relations Coordinator. The Federal Privacy Commissioner held that the disclosure of the letter to the two union representatives was a breach of her privacy rights, but the disclosure to the Labour Relations Coordinator was not a breach of her privacy rights.
 
The Federal Court took a different view. Due to the Coordinator’s role within the organization (he had been involved in her access application), the Court found that a reasonable person would find that the disclosure to him and the union representatives was appropriate. Justice Pinard stated at paragraph 26 that in a unionized environment, “it can reasonably be expected that correspondence between the employer and the unionized employee will also be sent to the latter’s union.”
 
The union is the “exclusive spokesperson” or bargaining agent for its members. An employer risks being charged with conducting unfair labour practices under section 94(1) of the Canada Labour Code (R.S., 1985, c. L-2), parallel provisions in provincial labour statutes, and the union security clause in the collective agreement if the employer fails to disclose correspondence with employees to the union. An employer that directly communicates with employees by disclosing personal information without going through the employee’s certified bargaining agent risks being perceived as undermining the role of the union as the exclusive spokesperson for its members.
 

What can I do if I think my employer has violated my privacy?

If your workplace is subject to privacy legislation, you can complain to your provincial privacy commissioner or the Federal Privacy Commissioner’s office if you believe that your employer has breached your privacy under that legislation.
If you are a unionized worker and you believe that your personal information was mishandled or your privacy has been compromised, you should follow your workplace’s internal dispute resolution process and consult your union representative. If you are a unionized worker and your employer is subject to privacy legislation, you may also choose to complain to the relevant privacy commissioner’s office for an alleged breach of applicable privacy law.
 
Employees who are not covered by privacy legislation or a collective agreement may choose to make a claim for breach of privacy or the duty of confidentiality in the courts. It should be noted, however, that there is no general common law right to workplace privacy yet recognized in Canadian law.
 
See additional information on the complaint process.