Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA Case Summary #2006-351
Use of personal information collected by Global Positioning System considered
[Section 2; subsections 5(3), 7(1), and 7(2); and Principles 4.2, 4.2.3, 4.3, 4.3.5, 4.3.6, 4.4, 4.5, 4.7 and 4.8]
The effects of technology on employee privacy were at the centre of a number of complaints before the Office of the Privacy Commissioner of Canada. In her deliberations, the Assistant Privacy Commissioner spelled out the acceptable purposes for the use of Global Positioning Systems (GPS), and cautioned organizations about “function creep” and the negative cumulative effects of various forms of technology on privacy.
Several employees of a telecommunications company complained to the Office when they learned that their employer was installing GPS in their work vehicles. They believed that the company was improperly collecting their personal information, namely their daily movements while on the job. The employees contended that their employer had not obtained their consent to the collection of this information, and that the company had failed to identify the reasons for the collection or state why the information was needed, how it would be used, and how long it would be retained.
The Assistant Commissioner accepted most of the company’s purposes for collecting and using personal information gathered by GPS and found that implied consent was present for these purposes. Her primary concern rested with using such data in managing employees. The company agreed to develop and communicate a policy on the utilization of such data in this context, and committed to training its managers on the appropriate use of GPS. The Assistant Commissioner was pleased with this outcome and considered the complaints resolved.
The following is a detailed overview of the investigation and the Assistant Commissioner’s deliberations.
Summary of Investigation
The system in question allows the company to view and track the location of its vehicles in real-time and to produce reports using historical data. The company’s goal is to have GPS installed in all of its installation and repair, and construction vehicles.
Noting that GPS is not new and is used in a variety of service businesses, the company indicated that in order for it remain competitive, it needed to change the way it conducts business. For this reason, it decided to install GPS in vehicles typically used by field employees. It cited the need to manage workforce productivity, ensure safety and development, and protect and manage assets as its reasons for installing the technology.
Some of the affected employees are home-based, meaning they are allowed to take the work vehicles home at the end of each shift, while others report to a compound at the start and end of their shift. The employees who are home-based are required to comply with the company’s vehicle use policy, which clearly outlines the conditions under which an employee may use a company vehicle. Personal use is prohibited.
Purpose: Managing workforce productivity
According to the company, GPS will be used to locate, dispatch and route employees to job sites. Information on the start and stop times of the vehicle and its location will be used in capacity planning, productivity analysis, and performance management, as required. The company was of the view that GPS allows it to manage field employees in a more efficient manner, based on knowledge of their current work locations and assignments. The company states that, in the past, employees were often dispatched to job sites that were not close to their physical location. This resulted in a lack of efficiency in dispatching work, and time wasted on traveling. The company planned to integrate an automated dispatch system at some point in the future. The company believed that increasing dispatch efficiency will result in enhanced service levels to customers – an ongoing requirement in an increasingly competitive environment.
Some employees affected by this decision expressed concern that GPS is being used to monitor work performance and punish employees. They believed that their employer will use GPS to show that they are not productive.
The company indicated that, for many years, the employees who operated company vehicles enjoyed a considerable degree of unsupervised freedom as their whereabouts at any given time were not available to the manager. This situation differs from that of office workers, who are often co-located with their managers. The company, however, rejected the notion that managers will spend time monitoring employees via GPS. According to the company, managers are on the road and at work sites, reviewing work and meeting with employees most of the time. GPS does not automatically notify managers if an employee is, for instance, exceeding a speed limit. In order to glean such information, a manager would have to generate a report. GPS does not have any system that notifies a manager if an employee is violating its vehicle use policy.
The company acknowledged that a manager would be inclined to use GPS to investigate or monitor situations regarding an employee when problems are reported about shoddy work, not showing up to job sites on time, or when complaints are made about the individual’s driving habits. The company stated that, in some cases, GPS may help to refute allegations regarding an employee.
As for after-hour use of vehicles, the company stated that once an employee parks the vehicle at his or her residence, it has no need to monitor its activities using GPS. The company’s Vehicle Use Policy clearly outlines the conditions under which an employee may use the vehicle. The company stated that it would only monitor the employee’s use of the vehicle after hours if complaints were received about an employee using the vehicle for personal use or if the company had other reason to suspect that the employee was contravening the Vehicle Use Policy.
In the company’s view, GPS only provides an additional tool for management to use. It stated that managers use a variety of methods to assess an employee’s performance – time sheets, work completed, customer complaints. GPS is not used on its own to measure performance, but it could be used in conjunction with other methods. Managers can now review GPS to address concerns and to have factual information on which to base decisions.
Purpose: safety and development
According to the company, GPS will be used to determine if a vehicle has remained stationary for an inordinate amount of time and could provide an indication that the employee’s safety may be at risk. As well, the information gathered by GPS may identify those employees who may require defensive/safe driver training or individual coaching based on speed statistics.
Purpose: asset protection and management
The company stated that information gathered by GPS on a vehicle’s location could be used to retrieve it in the event that it is stolen, abandoned or scheduled for maintenance. According to the company, since the installation of the system, asset management of its vehicles has improved to the extent that it has been able to reduce the number of vehicles in its fleet. The company also reported that the number of kilometers driven by its vehicles has decreased and fuel consumption reduced.
The company’s position
The company contended that GPS does not collect employee personal information, but rather collects GPS information related to a vehicle, and not location information associated with a particular individual. Anyone viewing the system will see a vehicle identifier, not the driver’s name. The company stated that it is only when the identity of a particular operator is associated with that vehicle, and then only when the vehicle is in use, that there may be personal information collected regarding the location of the driver.
As for whether the company considered the possibility of using less privacy-invasive methods to obtain the information it requires to meet its purposes, it stated that it does not regard GPS as privacy invasive. While it acknowledges that GPS enhances a manager’s capability to ascertain the whereabouts of employees and to monitor certain aspects of their use of company vehicles, it contends that in an office setting, managers are usually able to keep much closer tabs on the whereabouts and behaviour of staff, which in its view, is not an invasion of privacy. The company further stated that, with GPS, field employees are only “visible” to their managers when they are in their vehicles, and even then to a much lesser extent than if they worked in the same location as the manager.
What information does GPS collect?
We attended demonstrations of GPS. The system captures vehicle start and stop times, speed, location, mileage, and off-shift parking location. This data is collected by a GPS modem located in the vehicle and is transmitted to a central application. Vehicle users cannot turn the GPS off. Once a vehicle’s transmission is turned off, the modem for the GPS goes into “sleep mode” after a period of time, and only the vehicle’s last known location is reported.
Uses of GPS
Certain groups within the organization have access to “real-time” (current day) information and others have access to both real-time and historical data based on specific needs. The vehicles are identified by a number and not by an employee’s name. The manager is the only individual who knows the identity of the driver.
By using real-time data captured by GPS, a manager can relay information to staff. The operator of the vehicle can also use GPS to determine the location of his/her next work assignment and the location of company’s facilities. The operator cannot, however, access information regarding other vehicle locations.
The company’s GPS Policy (which will be considered later in this report) outlines the specific groups that have or will have access to GPS. Such access is based on their job requirements. The company can prepare a number of reports using the data collected by GPS, including reports on travel time and distance, last known location, first departure of the day and so on. The company indicated that it could not customize the reporting capability.
Notification, safeguards and retention
The company sent a memorandum to affected employees, informing them of the rationale for implementing GPS. It also held meetings with all employees who would be operating vehicles that had GPS installed in them, and provided a copy of its GPS Policy.
The policy outlines what information is being collected and the purposes for this collection. It indicates which business units within the organization will be given access to real-time information, and which ones will have access to historical data. As for safeguards, the policy states that all users will have restricted access to real-time data, historical data, or both, based on their user-specific profile. The policy indicates that the company manages all user profiles, which are set up with certain security safeguards. All employees who have access to GPS must complete the company’s privacy course and be familiar with the company’s ethics policy. The company also informed us that the information on the system is maintained behind firewalls.
Finally, the policy covers the disclosure and retention of information collected via GPS. Specifically, it states that personal information will not be disclosed outside of the company except if required by law or as permitted under relevant privacy legislation. As for retention, the policy states that personal information will be retained for one year unless special circumstances warrant retention for a longer period of time (for example, where a vehicle has been involved in an accident and there are claims against the company, or to satisfy Workers’ Compensation Board reporting requirements).
Issued November 9, 2006
Application: Section 2 of the Act states that personal information means information about an identifiable individual, but does not include the name, title, or business address or telephone number of an employee of an organization. Principle 4.3, 4.3.5, 4.3.6, and subsections 7(1) and 7(2) of the Act make clear that an organization must not collect or use an individual’s personal information unless consent from the individual is first obtained. Principle 4.3 states that knowledge and consent are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.5 provides that, in obtaining consent, the reasonable expectations of the individual are also relevant. Principle 4.3.6 speaks to the manner in which organizations seek consent. It states that the way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Subsections 7(1) and 7(2) make clear that collection and use of personal information without knowledge or consent can occur only if one of the specified preconditions set out in these subsections has been met.
Principles 4.2, 4.4, and 4.5 are also relevant to collecting and using personal information with consent. Principle 4.2 states that the purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected. Principle 4.2.3 states that the identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Principle 4.4 states that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Principle 4.5 states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.8 requires an organization to make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Finally, subsection 5(3) of the Act states that an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
In making her determinations, the Assistant Commissioner deliberated as follows:
- The first issue to address was whether the information being collected via GPS is personal information as defined in section 2. As the information can be linked to specific employees driving the vehicles, they are identifiable even if they are not identified at all times to all users of the system.
- She therefore determined that the information in question is personal information for the purposes of the Act.
- The employees alleged that the company collects their personal information by way of GPS, installed in a service vehicle that they use in the course of performing their duties, without their knowledge or consent. They also contended that GPS collects more information than is necessary and that the company failed to specify to them the reasons for installing the system, its uses and retention of information collected.
- As in previous cases brought before us on the issue of employee consent to some perceived privacy-invasive measure introduced by an employer, the Assistant Commissioner considered whether the purpose for the collection is appropriate in the circumstances and whether consent is present.
- She first addressed the question of consent, whether the exceptions to consent apply and whether consent is present in this situation, before turning to the purposes for installing GPS.
- Could the company have relied on the exceptions to consent to collect personal information outlined in section 7? In her view, the answer was no.
- Admittedly, GPS could collect information for a purpose that falls under an exception set out in subsection 7(1).
- For example, if an employee is thought to be breaching the employment contract, personal information could be collected via GPS for investigative purposes, where obtaining knowledge or consent would compromise the accuracy or availability of the information.
- But GPS is collecting the personal information of all vehicle drivers – not just the one thought to be breaching some agreement or contravening a law. Given the nature of the technology and the fact that it is installed on all vehicles, reliance on subsection 7(1) is inappropriate.
- Similarly, if the personal information was not collected for any of the purposes outlined in subsection 7(1), it cannot be used without knowledge or consent for any of the purposes provided under subsection 7(2).
- Therefore, the company was obliged to obtain employee consent.
- The company confirmed that its intent was to have GPS installed in all of its trucks. However, she noted, if all trucks are GPS-enabled, and the use of GPS-enabled vehicles becomes mandatory for all employees, including existing employees who accepted employment on different terms, the question of consent and choice becomes problematic.
- Principle 4.3.6 allows an organization to seek consent in different ways, depending on the circumstances and type of information collected. If the information collected is sensitive, then express consent is recommended. If it is less sensitive, then implied consent may be appropriate. When considering the reliance on implied consent, Principle 4.3.5 should also be considered. This principle stresses the relevance of the individual’s reasonable expectations, and presents as guidance, a scenario wherein the individual’s consent can be implied for certain purposes but not for others. In short, where consent is being implied, it should only be implied for the purposes for which the employee could reasonably expect that the data would be used.
- The company provided a number of purposes for installing GPS: the need to remain competitive, workforce productivity, safety, and asset protection and management. Though not explicitly stated, the Assistant Commissioner contended that another of its purposes is that of employee management.
- She has previously considered the argument about the need to remain competitive and the consequences such a need has on employees in a complaint regarding the collection of biometric data.
- As she had stated at the time, if a company cannot make money and remain competitive, it cannot stay in business, and employees are soon out of work. The question, however, is whether that need and the measures used to meet that need have been balanced against the privacy rights of employees. The loss of privacy must always be weighed against the benefits, and purposes for the measure must be grounded in a defensible need.
- The company stated that GPS will help it remain competitive by allowing it to manage workforce productivity, to ensure safety, and to protect and manage its assets. The company also noted that its competitors use GPS.
- To assess the appropriateness of using GPS to meet those purposes, the Assistant Commissioner considered the following questions:
- Is the measure demonstrably necessary to meet a specific need?
- Is it likely to be effective in meeting that need?
- Is the loss of privacy proportional to the benefit gained?
- Is there a less privacy-invasive way of achieving the same end?
- With respect to workforce productivity, GPS will be used to dispatch, locate and route employees to job sites. As the system will be integrated with its dispatch system, it was easy to understand how GPS could improve efficiency, by minimizing the amount of time employees spend on the road getting to work sites.
- The Assistant Commissioner believed it is reasonable to assume that such improvements could lead to better service to customers. Thus, the measure clearly meets a specific need and does so effectively.
- She then questioned the privacy-invasiveness of the measure. The answer to that question, in her view, depended on the purpose under consideration.
- There is no question that, generally speaking, there is some loss of privacy attached to the use of GPS in a vehicle that an employee uses in the course of carrying out his or her duties. Whereas before, the employee’s whereabouts at any given moment were not necessarily known, with GPS they are, relatively speaking. At least what is known is the location of the vehicle the employee is using.
- Within the context of using GPS for dispatch purposes, she was of the view that the loss of privacy is proportional to the benefit gained and there is no less privacy-invasive way of achieving the same end.
- The Office had informed the company that we had concerns with respect to some of its proposed purposes for installing GPS. For example, the safety purpose for equipping GPS in vehicles seemed somewhat of an afterthought. We questioned whether the company had shown that employee safety is generally at risk and wondered how the company would know that a field employee’s safety is at risk because the vehicle has not moved.
- The company provided us with additional information and examples. It contested our view that an unmoved vehicle may not indicate that an employee’s safety was at risk, and pointed to the occasional use of GPS during a recent labour dispute to support its view. The company also gave us a hypothetical scenario in which a spouse contacts it to report that the employee had not returned home or made contact as expected, and GPS is used to locate the vehicle and, it is hoped, the employee.
- The company believed that the use of GPS for safety purposes is one that employees generally support. Although it could be argued, from the Office’s perspective, that using GPS to identify those employees who require defensive or safe driver training or individual coaching properly belongs under the purpose of employee management, the company noted that organizations have an obligation to provide a safe workplace and, in the case of any organization that has company vehicles in use, an obligation to investigate allegations from the public about poor driving. GPS information could contribute to the safety of the employees in the workplace, as well as public safety, through appropriate actions associated with the information. It believed that requiring an employee to take a defensive driving course or otherwise improve his or her driving skills is neither punishment nor an invasion of privacy.
- The company stated that GPS information has been used to refute allegations of dangerous driving, and noted a motor vehicle accident, involving a company truck and a pedestrian, who was fatally injured. The driver of the vehicle was suspected of speeding, but GPS information demonstrated that this was not the case.
- Upon consideration, the Assistant Commissioner accepted the use of GPS for safety purposes. She noted that it can be, and has been, used to meet the need of ensuring the safety of employees and the public, and is reasonably effective in doing so. The loss of privacy is proportional to the benefit gained, and, she could accept that GPS is not, in this particular instance, a particularly privacy-invasive measure.
- The company also cited asset management as a reason for installing GPS. Again, we questioned it on this point and indicated that we did not think the company had adequately demonstrated a pressing need in this regard. The company noted that since installing GPS, there have been at least four cases where trucks had gone missing and GPS was used to locate them.
- It also noted that the use of GPS information for asset management does not involve linking that information to specific individuals. It stated that if the company used GPS to locate a stolen vehicle, it is concerned with the location of the vehicle, not the identity of the employee who normally drives it. While the company would like to be able to use GPS to link the vehicle to the thief, GPS does not provide that capability. It is therefore the case, according to the company, that the use of GPS to locate a stolen vehicle does not involve any personal information.
- The Assistant Commissioner noted, however, that in the case of an employee using a vehicle, the driver is “identifiable” and GPS is therefore collecting personal information.
- She pointed out to the company that employees already provide odometer readings and presumably inform maintenance employees of any problems regarding the operation of the vehicle, and that a less privacy-invasive measure already existed to meet this particular need. Less time wasted in dispatch might translate into savings in terms of fuel and vehicle maintenance, but we noted that this point was already covered as an incidental benefit of an improved dispatch process.
- The company pointed out that if it uses GPS to obtain the odometer readings for vehicle maintenance purposes, it is concerned with how far the vehicles have been driven, not with who was driving them. It went on to state that using GPS information for the purpose of asset management does not involve the linking of that information to specific employees and therefore does not infringe upon the privacy of those employees in any meaningful way.
- While the Assistant Commissioner did not agree that such information is not linked to specific employees, she contended that GPS does not link such information to specific employees to any greater degree than the current system does, in which a specific employee reports the odometer readings of the particular vehicle he or she is driving.
- She was therefore persuaded that using GPS for asset management is not more privacy invasive than the current method. She also agreed that GPS would be, and is, very effective in locating a stolen vehicle.
- On the whole, she was satisfied that asset protection and management is an appropriate purpose under subsection 5(3) and one for which implied consent is present.
- The company stated that information collected on start and stop times, speed, and location will be used in capacity planning, productivity analysis, and performance management, as required. It was this last point that is probably of most concern to some employees. They feared that such information will be used to monitor their performance and to discipline them.
- In its representations, some aspects of the arguments the company put forward, under the headings “workforce productivity” and “safety” seemed to speak to a fourth purpose for which it intends to use GPS: employee management.
- For instance, the company claimed that part of “workforce productivity” will include “performance management” purposes. Similarly, under “safety,” the company argued that information gathered by GPS may identify those employees who require defensive/safety driver training or individual coaching based on speed statistics. This strongly suggested to the Assistant Commissioner that GPS data will be used for employee management.
- She acknowledged that performance measurement of some kind is part of the employment context. A manager has an obligation to ensure that employees are performing their duties and a certain amount of employee personal information forms part of performance management. On the one hand, employees rightly have some expectation of privacy in the workplace. At the same time, employers have legitimate requirements for a certain amount of employee personal information. She also acknowledged the company’s responsibility to ensure that its employees who use its vehicles are driving safely, for their own sake and for the public’s.
- The question then remained how privacy invasive is GPS when considered within the context of employee management? The company pointed out that in an office situation, the manager can see the employees at work, which it argues could be considered more privacy invasive than GPS.
- The Assistant Commissioner agreed that GPS, in and of itself, is not highly privacy-invasive, because it only tells “part of the story.” In other words, if, for example, a vehicle is parked and the employee is at lunch, GPS does not tell the employer exactly where the employee is. It may indicate how long an employee is at lunch, but then again it may not. It was this very “imprecision,” however, that concerned this Office.
- We informed the company that we were troubled by the potential to evaluate the performance of an individual based on inferences drawn from GPS data. We believed that using GPS for such purposes is no longer so much about tracking the location of company vehicles as it is about measuring the performance of an individual based on assumptions made from GPS data. In our view, such a use would shift the balance significantly towards the “loss of privacy” end of the spectrum.
- While using GPS to track a vehicle is not overly privacy invasive, routinely evaluating worker performance based on assumptions draw from GPS information impinges on individual privacy.
- While the Assistant Commissioner could accept its use in certain situations, which are defined and communicated to employees beforehand, GPS data should not be used as a matter of course in employee management situations. Should the company contemplate using GPS for such employee management purposes, we asked that it be clear to employees about such purposes and establish a policy outlining an appropriate process of warnings and progressive monitoring. We asked that the company ensure that only through that process should GPS data be collected and used for employee management purposes.
- The company provided us with a copy of a policy on GPS data utilization for performance management. This document spells out the situations in which the company will use GPS data for performance management. These include investigating a complaint from a member of the public; investigating concerns raised internally; and addressing productivity issues.
- Under productivity issues, it noted that productivity is measured in various ways (other than by GPS) and reported and reviewed on a regular basis. If an individual is found to have below-standard metrics, the manager is expected to address the issue. According to the policy, in exceptional cases, further investigation may be required before arriving at any conclusions, and GPS data may provide information and assist in addressing a productivity issue.
- It also noted that GPS will be used to provide high-level vehicle utlilization reporting at senior levels to allow comparison and analysis of productivity. GPS information may be used by the manager to address productivity concerns with specific team members as required.
- The company also committed to train all managers to ensure that they use GPS appropriately and not for continual monitoring of individuals’ locations.
- On the basis of this, the Assistant Commissioner was satisfied that the company’s use of GPS data was for an appropriate purpose, as per subsection 5(3), and that this use will be clearly explained to employees beforehand, as required by Principle 4.8.
- As for identifying the reasons for the system, its uses, and retention, she was satisfied that the company did highlight this information to its employees – albeit after the installation of the equipment had begun. It conducted meetings with affected individuals and developed a GPS policy, which it distributed. While some complaints were filed with this Office shortly before the company’s communications efforts began, the company did undertake to inform its employees about the system and how it will be used.
- She did remind the company that, in future, it should provide appropriate information to employees prior to the roll-out of a particular program, not afterward, in order to be in compliance with Principle 4.2.3.
- To conclude, the Assistant Commissioner found the use of GPS to improve the dispatch process to be compelling and an acceptable purpose under subsection 5(3). She was satisfied that implied consent is present and appropriate for such a purpose as the collection meets the reasonable expectations of the individual and, for this purpose, is not overly privacy invasive. Likewise, she was persuaded by the need to use such a system for safety and asset management, and would agree that implied consent is present and appropriate for such a purpose. As for employee management, given that the company took measures to limit the use of GPS for such a purpose, would be informing its employees accordingly, and was implementing training to ensure that managers are aware of the appropriate use of the technology, she was satisfied that use of GPS for such a purpose is appropriate in certain limited, exceptional, and defined circumstances, as per subsection 5(3) and Principle 4.8, and that implied consent is present.
Accordingly, the Assistant Commissioner concluded that the complaints were resolved.
With respect to limiting the collection and use of information, the Assistant Commissioner noted that, generally speaking, “function creep” is not acceptable. In other words, the purposes and uses of a particular technology should be precisely specified, and that technology should be restricted to its intended purposes.
She stated that, organizations, in their quest to be proactive, often resort to technology in anticipation of problems or as a means of maintaining competitiveness. In addition to the problems that arise from function creep, the individual’s rights are slowly eroded by the cumulative effects of measures intended to meet the bottom line. She cautioned all organizations subject to the Act that the effects on the dignity of employees of all of the measures in place – taken as a whole, not just as one measure alone – must be considered in balancing the rights of the individual to privacy and the needs of organizations to collect, use or disclose personal information for appropriate purposes. She was pleased that the company at the centre of these complaints had taken steps to recognize the dignity of its employees by instituting the policy on the use of GPS with respect to employee management. Such a measure, she noted, helps maintain that balance in the workplace.