Common menu bar links

Home > News Room > Speeches

Institutional links

Got Spam? Learn how to protect yourself Securing Personal Information: A Self-Assessment Tool for Organizations Privacy For Small Business Online Tool Privacy Quiz for businesses Research funded by the OPC Privacy Breach? Information for Organizations How to lodge a Privacy complaint

News Room

  • News

    Year
  • Speeches

    Year
  • Upcoming Events

Media Relations

Contact:
Anne-Marie Hayden
Tel: (613) 995-0103

Non-journalists are invited to contact our Information Centre. Please call
1-800-282-1376 (toll free) or (613) 947-1698 and ask to speak with an Information Officer.

Address:
112 Kent Street
Ottawa, ON
K1A 1H3
Fax: (613) 995-1139

Speeches

Privacy in the Workplace

Lancaster House Workplace Privacy 2006 Conference

April 11, 2006
Toronto, Ontario

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(CHECK AGAINST DELIVERY)

1. Introduction

I suppose the question that some of you may want to ask is, “Why workplace privacy?”  Why should employers not have a right to control their workplaces, and to use some or all of the abundance of technologies available to them to conduct surveillance of their employees?  Why not use drug testing, video cameras, telephone monitoring, computer keystroke loggers, and location tracking devices on company vehicles?  If we have the technology to monitor employees to ensure they are working efficiently and not misbehaving, why not use it?  Others among you might ask just the opposite:  “What gives employers the right to monitor my every activity?  I owe my employer a fair day’s work, not my privacy.” 

With the exception of employment in government, this is not a matter of the state intruding on our privacy.  In our relations with the state, the role of privacy is elemental.  Human rights conventions – the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, for example – make this quite clear.  As Justice La Forest of the Supreme Court of Canada famously remarked 18 years ago in R. v. Dyment, the restraints imposed on government to pry into the lives of the citizen go to the essence of a democratic state. Privacy, he continued, is essential for the well-being of the individual.

But can the same be said of privacy in the context of private sector employment?  After all, most employers are not the state.  They do not have overarching powers that can so profoundly affect the lives of individuals. Or do they?

2. Why workplace privacy is important

Let me suggest that workplace privacy is in fact important – not in the traditional sense of the relationship between individuals and the state, but in the sense of the basic autonomy of individuals in our society.  Let’s not forget that people spend a very substantial portion of their lives in the workplace.  Their ability to find work is crucial to their economic and social well-being.  Many are not there by choice, but by necessity.  And they often do not feel they have sufficient might to challenge inappropriate actions of their employers, including matters of surveillance.

What happens in the workplace – including how the workplace responds to matters such as privacy – can have a profound effect on employees’ sense of dignity, their sense of freedom, their sense of autonomy.  A workplace rife with surveillance can be very dehumanizing. A constantly watched, and likely dehumanized, workforce is almost certainly not an enthusiastic workforce, and the oppressive environment created by surveillance can play out in other ways that are damaging to society as a whole. 

Widespread surveillance is also more consistent with the climate of authoritarian approaches to social phenomena.  And just because our governments have too easily embraced surveillance as a response to the perceived ills of our society does not mean that the private sector should follow suit.  Do we really live in a world of “all surveillance, all the time?”

A safe and productive workplace is important in the competitive environment of globalized business activity.  However, that does not mean that going to work should have to become an exercise in total surveillance.

3. Why some workplace surveillance may be reasonable

Now lest you think me about to criticize all workplace surveillance, I want to make it clear that I am not.  I am not saying that all workplace surveillance is inappropriate.  Surveillance in the workplace has existed since feudal lords watched over their fiefs, since foremen (for they were mostly men) watched over their employees on the assembly lines of Canadian factories, since employees punched time clocks.  But there is a line to be drawn, and it is not a line to be dictated simply by the availability of the many technologies of surveillance now on offer.

Yes, there are bad employees.  There are dishonest employees.  But I still have faith that most Canadian employees perform honest, decent work, and that they can be trusted to do that work without overwhelming levels of surveillance.  The trick is to weed out the bad employees without destroying the dignity and privacy rights of the good employees.  I stress that this does not mean letting egregious employee behaviour slip by under the guise of protecting employee privacy.

There is a clear analogy here with policing.  In looking at the powers of surveillance of the state, we might be able to catch a few more bad guys if we increase the powers of state agencies. 

But we have decided – at least, a cynic might say, until the government’s sometimes excessive response to fears of terrorism – that we will not give the state untrammeled powers to intrude, to conduct surveillance.  We have decided that police efficiency is not the Holy Grail of our society. Rather, our goal is the promotion of the fundamental human rights that so often have been denied in this world, and yet that are so elemental to making our lives meaningful.  That means that some state powers must be kept in check for the sake of protecting fundamental values, including privacy. 

So much for the philosophy.  Let me move out of the clouds and talk about the realities of workplace privacy, and my role in addressing workplace privacy issues.

4. Federal oversight of employee privacy issues

My jurisdiction to address employment matters under PIPEDA is limited by the constitutional niceties of our Canadian federation.  PIPEDA clearly applies to the collection, use and disclosure of personal information about employees in the course of commercial activities by federal works, undertakings and businesses.  However, it does not apply to employee information in the provincially-regulated private sector.  Some provinces such as Alberta and British Columbia – have filled this gap by introducing specific private sector data protection legislation that applies to personal information about these employees.  And, of course, provincial human rights codes and policies, and court decisions – such as those on employee drug testing, HIV and pre-employment testing generally – provide additional direction about employee privacy rights in both the provincially-regulated and federally-regulated private sectors.

In the course of my work, I investigate and report on complaints about employee privacy issues in areas under PIPEDA’s jurisdiction.  Occasionally, those complaints find their way to the Federal Court.  Section 14(1) of PIPEDA permits a complainant to apply to the Federal Court after receiving the Commissioner’s report containing findings and recommendations relating to a complaint under PIPEDA.  Note that only the complainant, not any organization representing the complainant, such as a union, has standing to take the complaint to the Federal Court.  In the recent Federal Court case, Turner v. Telus Communications Inc., my Office intervened to make this very argument.  Justice Gibson agreed, making it quite clear that a union was not entitled to make a complaint under section 14(1).  To me, that means that an organization such as a union cannot apply to the court in lieu of the complainant, although of course it can support the complainant indirectly.

5. Workplace privacy – not a new issue

Although employment privacy issues are a relatively recent concern – PIPEDA started coming into force only in 2001 – employment privacy issues have a much longer history of my Office.  In 1989, my Office published a major study on HIV/AIDS and the Privacy Act.  In 1990, we did another study, this time dealing with drug testing and privacy.  And in 1992, we published a major report on genetic testing and privacy. 

There was a common thread to these studies.  They all found a frequently misplaced enthusiasm for employee surveillance.  You will remember how, in the mid-1980s, there was such enormous concern about AIDS.  People were calling for employees to be tested, for teachers to be tested, for servers in restaurants to be tested.  The privacy implications of mandatory HIV testing in the workplace were enormous, given the irrational fears about casual transmission of the disease and its association with marginalized groups in society.  The concern about workplace transmission turned out to be grossly overblown, and the need for testing in the workplace largely vanished.

As with the earlier study on AIDS and privacy, our later studies on drug testing and genetic testing also urged great caution about introducing such surveillance technologies in the workplace. 

6. OPC’s current experience dealing with workplace privacy issues

We have continued to monitor developments in employment privacy ever since those reports.  We address employment privacy issues under both the Privacy Act and, more significantly for this audience, under the Personal Information Protection and Electronic Documents Act – PIPEDA.  

Not surprisingly, technologies such as video surveillance have become an employment issue.  In one case we dealt with (PIPEDA Case Summary #290), a Canadian Food Inspection Agency employee, working at a federally registered meat processing plant, complained that the organization was collecting personal information without consent through video cameras aimed at his workstation.  The company stated that the cameras could help it address food safety concerns.  However, there was no evidence that the cameras could capture sufficiently detailed images to do this effectively.  We concluded that the organization was indeed collecting the complainant’s personal information without his consent, contrary to Principle 4.3 of the Schedule to PIPEDA.  Principle 4.3 reads, in part, that “the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.”  We concluded that the purposes for which the surveillance was being undertaken would not likely be considered appropriate in the circumstances.  Remember that section 5(3) of PIPEDA permits an organization to collect personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

This case serves to highlight one of the frequent failings of employee surveillance.  Even if the surveillance is being carried out for an acceptable reason, the method used may be inappropriate for the purpose.  In this case, using video cameras would not help it address food safety concerns.  We see similar flaws with employee drug testing.  Employers don’t want employees impaired by drugs or alcohol at work. 

Employees themselves don’t want to work in a factory environment, for example, where someone is impaired and could threaten their safety.  However, with the exception of alcohol testing, which can give an indication of present impairment, drug testing can give very little indication that an employee is impaired.  In other words, drug testing doesn’t answer the question.  I raise this since I know you will be discussing employment drug testing here today. 

7. Proposed whistleblowing legislation – “surveillance” of employers

To this point, I have been speaking about surveillance of workers by employers.  There is another side to the surveillance issue – surveillance of employers by workers.  And it may give some employers pause to reflect whether they want to poison relations with workers by conducting surveillance, if that in turn makes workers more willing to conduct surveillance on them. 

You are all aware of proposed whistleblowing legislation that is intended to protect federal employees who report misconduct within the federal government.  The private sector is faced with another sort of whistleblowing situation – the obligation on American companies and their subsidiaries that US Congress has attempted to impose through the Sarbanes-Oxley Act of 2002

That Act requires publicly traded companies to establish procedures for employees to file internal whistleblower complaints about questionable accounting or auditing matters.  The Act also establishes procedures to protect the confidentiality of employees who file these complaints. 

Although this is American legislation, its effect reaches into other countries, including Canada, via the corporate network.  In France, the French data protection body known by the acronym “CNIL” has circumscribed attempts by some major companies – including McDonald’s – to extend the full Sarbanes-Oxley-type whistleblowing provisions into the French workplace.  Of particular concern – understandable in light of the dark history of secret denunciations during the war years in France – was anonymous reporting of allegations of misconduct, a procedure that Sarbanes-Oxley envisaged.

In late 2005, the French data protection authority and then the European Commission’s Working Group issued guidance for applying whistleblowing legislation.  The guidance suggested a restrictive, careful and respectful application of data protection principles to protect the whistleblower, while avoiding the most dangerous abuses of unattributable allegations.

In Canada, we have sometimes taken an approach that recognizes the need for workers and citizens to come forward with complaints about neighbours or employers without immediately having to reveal the identity of the complainant.  This is the case under Quebec’s personal information protection legislation.  It is also the case to a limited extent under PIPEDA, which permits anyone who reports a contravention of the Act to ask the Privacy Commissioner to keep his or her identity confidential.

As an aside, the implications of Sarbanes-Oxley on Canadian affiliates of US-based corporations is an issue that Canadian federal and provincial privacy commissioners must address.  It is symptomatic of a larger problem that first obtained a public profile with the reach of the USA PATRIOT Act and other US legislation on national security issues into Canada. 

We have often asked the question in government, “Who watches the watchers?”  This may increasingly be an issue in the private sector, with the watchers – employers – being watched by their workers, as under the Sarbanes-Oxley scenario, or under PIPEDA when it comes to reporting breaches of the Act.  As with the case of surveillance of employees, we must address the issues that arise with surveillance by employees.  And we need to ask how to draw the line on workplace efficiency and workplace privacy in a way that addresses legitimate concerns but that does not poison workplace relations in the process.

8. Privacy training for employees

There is a final point I wish to make about privacy in the employment context, but it is not about employee privacy, or employer privacy.  It is about ensuring that employees respect the privacy of customers through measures to protect the confidentiality of their personal information.  While many organizations appear to be doing their best to understand the new privacy world under laws such as PIPEDA, some have been laggards.  They have been laggards in educating their employees about the importance of customer privacy and how to protect it. 

There have been too many lapses of security of personal information as a result.  Organizations that have been covered by PIPEDA since its first phase came into force in 2001 no longer have any excuse for failing to bring their privacy practices up to snuff.  I am particularly concerned that organizations covered by PIPEDA since 2001, and the banking sector is not alone, seem to be so vulnerable to employee misuse of customer personal information. Has training been neglected? Are supervisory procedures deficient? Does no one check the data trail periodically?

9. Conclusion

Our world is inching precariously close to an environment of total surveillance.  As Canadians who for the most part have never lived in an authoritarian environment, we may lack the instinct to sense the dangers of a world characterized by overwhelming surveillance.  We may be too willing to believe calls for surveillance that promise to increase national security and workplace efficiency and provide safer streets. 

As I hope I made clear at the outset, I am not opposed as a matter of course to employee surveillance.  But that surveillance must be justifiable.  I urge you to look past what is sometimes little more than commercial hype by the surveillance industry about the need to conduct massive levels of surveillance in the workplace.  I ask you instead to reflect on just how the business community managed to prosper before without sophisticated surveillance technologies, without being driven by the fear that because a few employees cannot be trusted, we must destroy the privacy of the vast majority who can.



Date Modified: 2006-05-19
Return to Top of Page
Top of Page
Important Notices