Investigation into the Treasury Board of Canada Secretariat’s implementation of the Direction on Prescribed Presence in the Workplace
Complaint under the Privacy Act (the “Act”)
March 18, 2026
Overview
In December 2022, the Treasury Board of Canada Secretariat (TBS) announced the implementation of a common hybrid work model across the core public administration as occupational health guidance eased COVID-19 restrictions and departments and agencies returned to full building occupancy. The Direction on prescribed presence in the workplace (the Direction) initially required employees to work on-site at least two or three days per week by March 31, 2023. It was subsequently updated to mandate a minimum of three days per week on-site, effective September 9, 2024.
Under the current Direction, deputy heads of federal government institutions are responsible for implementing the minimum on-site presence requirement and for establishing verification regimes to report on organizational compliance with the Direction. To fulfill this mandate, the Direction states that institutions can measure on-site presence using turnstile data, existing attendance reports and/or Internet Protocol (IP) login data to collect aggregated departmental data.Footnote 1
With respect to individual compliance, the Direction did not change managers’ pre-existing authority to ensure that employees abide by their terms and conditions of employment. As the employer has the exclusive management right to designate the location of work and to require employees to report to their designated workplace, managers are responsible for ensuring that their employees comply with the mandated on-site presence requirements.
In November 2024, after receiving a complaint, the Office of the Privacy Commissioner of Canada (OPC) launched an investigation against TBS to examine its personal information practices related to the administration of the Direction. In light of the concerns raised by the complainant, the OPC’s investigation sought to assess TBS’s compliance with the requirement 1) under section 4 of the Privacy Act (the Act) for the collection of employees’ personal information to be related directly to an institution’s operating programs or activities; 2) to retain and dispose of personal information in accordance with section 6; and 3) to obtain consent from individuals for the use and disclosure of personal information, except where certain conditions apply, under sections 7 and 8.
The OPC’s investigation also considered 4) TBS’s transparency and openness related to its hybrid compliance monitoring approach, including the standard Personal Information Banks (PIBs)Footnote 2 that reflect the collection and use of its employees’ personal information for the purposes of administering a hybrid work model; 5) TBS’s compliance with the broadly recognized necessity and proportionality data principles; and 6) the policy requirement to complete a Privacy Impact Assessment (PIA).Footnote 3
The OPC’s assessment of TBS’s compliance with the Act considered the personal information used by TBS to implement a verification regime to report on organizational compliance with the Direction, as well as management’s practices related to monitoring individual compliance with the hybrid work model. We made the following key findings:
Organizational compliance
- To generate a high-level, aggregate dashboard for senior management which is used to assess organizational compliance with the on-site presence requirement, TBS relies on i) turnstile data, ii) work arrangements, iii) MyGCHR data, and iv) data from the Salary Forecasting Tool.Footnote 4 TBS’s collection of these data elements already occurs and is authorized by existing statutory provisions, including sections 7 and 11 of the Financial Administration Act which authorize the collection of turnstile data and employee personal information. The collection relates directly to TBS’s operating programs or activities, including security and human resources management, for the purposes of section 4 of the Act.
- TBS’s collection of these data elements is for statistical purposes only (aggregate reporting) and the information is not used to make decisions that affect individual employees. Therefore, this information is used for non-administrative purposes that do not trigger retention obligations under subsection 6(1) of the Act.Footnote 5 TBS disposes of this personal information when it is no longer required for compliance reporting purposes (within 3 months of its use), in accordance with its established retention and disposal schedule and obligations under subsection 6(3).
- TBS’s use of these data elements to verify and report on organizational compliance with the Direction is a use consistent with the original purpose for which the information was initially collected and therefore authorized under subsection 7(a) of the Act – that is, the information can be used without the consent of the individuals.Footnote 6
- With respect to the disclosure of the dashboard to senior management, TBS’s implementation of privacy protection measures, including data aggregation, sufficiently reduces the risk of re-identification. We find that there is no serious possibility that the dashboard information could be used to identify individual employees. As such, we consider this information to be non-personal information that falls outside the scope of the Act.
Monitoring individual compliance
- Overall, we found that managers carry out their responsibilities with an awareness of privacy obligations, relying primarily on observation and employee self-reporting to verify individual compliance (e.g., self-reported work arrangements). In cases of suspected non-compliance with the on-site presence requirement, managers consider how to address the issue with the employee first and engage with Labour Relations for guidance when needed. For issues that require detailed reviews of employee personal information (e.g., in the context of a formal investigation), managers follow established Labour Relations processes to ensure privacy compliance. We found that TBS mitigates privacy risks associated with manager flexibility and discretion under the Direction mandate through departmental resources (FAQs) and guidance that outline the acceptable and responsible collection and use of personal information for monitoring on-site compliance. We found no evidence during the investigation that personal information was collected, used or disclosed by managers in contravention of the Act.
Key privacy principles and policy requirements
- With respect to openness and transparency, TBS communicated its implementation of the requirements of the Direction, as well as the changes that were made to the standard PIBs that it relies on for the administration of the Direction,Footnote 7 through various channels during the transition to the updated hybrid work model (e.g., emails from senior management). However, our review found that the description of PIB PSU 907 (Physical Access Controls) does not explicitly reflect the potential use of access logs in formal investigations related to compliance with the Direction, and that TBS did not clearly communicate this potential use to employees. We encourage TBS to update its description accordingly.
- From a necessity and proportionality perspective, TBS’s approach for assessing organizational compliance is effective in meeting the objectives of the Direction mandate without creating an unnecessary risk to employees’ privacy. Overall, we found that TBS’s consideration of several privacy-friendly measuresFootnote 8 has helped it to maintain a reasonable balance between operational necessity to comply with the Direction, and respect for employees’ privacy rights. We also found that TBS managers have implemented a proportional, privacy-first approach, ensuring that the Direction is enforced effectively and responsibly while respecting the right to privacy.
- TBS did not conduct a PIA for its verification regime because its approach is aligned with the Direction and supporting privacy guidance and does not result in the collection or use of personal information beyond those permitted under the current policy framework. TBS relies on existing data sources to generate aggregate dashboards for senior management and uses only the minimum amount of personal information for verification and compliance reporting.
Overall, the OPC found that TBS’s personal information handling practices related to the administration of the Direction mandate are compliant with the requirements of the Act. We therefore find the complaint to be not well-founded.
TBS has demonstrated that a balanced approach can be achieved to protect employee privacy while ensuring compliance. We would encourage other federal departments and organizations to follow the TBS approach and leadership on this issue.
Background
- Prior to the COVID-19 pandemic, federal public servants worked almost exclusively at their designated worksite (i.e., on-site in government offices).Footnote 9 Flexible work arrangements were available, but largely exceptional and temporary. In March 2020, the pandemic forced the government to rapidly shift to remote work for public service employees in order to comply with public health measures. The Government of Canada adopted a remote-by-necessity operating model where the majority of employees worked from home on a full-time basis.
- Following occupational health guidance and updates from Health Canada’s Public Service Occupational Health Program,Footnote 10 the Government of Canada moved towards the implementation of a hybrid approach to work. In November 2021, TBS developed the Guidance on optimizing a hybrid workforce to help organizations implement a hybrid approach to work. By May 2022, departments and agencies could return to full building occupancy with the appropriate use of workplace preventive practices, and Deputy Heads were encouraged to begin testing hybrid work models.
- TBS announced the implementation of a common hybrid work model across the core public administrationFootnote 11 in December 2022, which required over 262,000 employees eligible for a hybrid work arrangement to work on site at least 2 or 3 days per week, or 40 to 60% of their regular schedule. This became the new baseline for how most federal public servants work; prior to the pandemic, the baseline had been full-time on-site work. Through a phased approach, the hybrid work model was introduced in January 2023, and full implementation was required by March 31, 2023.
- TBS subsequently updated the Direction in May 2024 to establish a consistent approach to hybrid work and to ensure fairness across the public service. The updated mandate, which currently remains in effect, requires employees in the core public administration with hybrid work arrangements to work on-site at least 3 days per week.Footnote 12 It also launched the transition to on-site presence for Information Technology (IT) employees who had previously been exempted from the Direction.Footnote 13
- The Direction requires Deputy Heads to implement verification regimes and states that on-site presence could be measured using turnstile data, existing attendance reports, and/or Internet Protocol (IP) login data to collect aggregated departmental data. It also states that Departmental Assistant Deputy Minister (ADM)-level compliance and coherence committees should be in place to monitor data trends and to ensure coherence in deeming exceptions (i.e., formal release from the hybrid work requirement).Footnote 14
- As the employer has the exclusive management right to designate the location of work and to require employees to report to their designated workplace, managers have a responsibility to monitor their employees’ compliance with on-site presence requirements under the hybrid work model. Managers are expected to proactively discuss with their employees any barriers they may encounter (e.g., those linked to accessibility, harassment or discrimination) and define solutions to address those barriers in the hybrid workplace. Managers must also ensure that individual circumstances are considered on a case-by-case basis, including human rights obligations (e.g., the duty to accommodateFootnote 15), or whether an employee has a reasonable explanation for absences from the designated workplace (e.g., illness).Footnote 16
- The implementation of the Direction has generated significant public attention, including opposition from union groups that advocate for a more flexible approach to hybrid work that considers individual circumstances and "presence with purpose," rather than a strict 3-day return-to-office policy.Footnote 17 The Direction has also sparked requests for OPC guidance around how institutions can monitor and report on-site attendance and compliance with the hybrid work model, including which individual employee data can be collected and used for this purpose.Footnote 18
Complaint
- In November 2024, the OPC launched an investigation against TBS after receiving a complaint related to TBS’s implementation of the Direction. The complainant alleged that the collection of on-site presence data about employees (e.g., network connectivity (Internet Protocol (IP) data Footnote 19) or ID card swipe data) and the sharing of this data across senior management levels in order to measure and validate on-site presence is an invasive use of personal information.
- Specifically, the complainant raised concerns regarding (i) the scope and purpose(s) of the collection of personal information by TBS to administer and enforce the Direction, (ii) whether personal information is aggregated and/or anonymized to avoid identifying individuals, (iii) TBS’s retention and disposal practices in relation to this personal information, and (iv) how TBS uses and discloses personal information to administer the Direction mandate.
Scope and Methodology
- As a central agency and the administrative arm of the Treasury Board (TB), TBS provides oversight and leadership to help federal departments and agencies fulfill government priorities and achieve results for Canadians. One of TBS’s core responsibilities is to develop policies and to set the strategic direction for people and workplace management in the public service, which includes developing, updating and overseeing the implementation of the Direction.Footnote 20 TBS also employs approximately 2,500 employees, and is subject to the mandatory requirements in TBS policy instruments, including compliance with the Direction.
- This report examines TBS’s compliance with privacy principles related to its implementation of the requirements of the Direction. The OPC’s investigation assessed TBS’s personal information handling practices at both the organizational and management levels for compliance with sections 4 (collection), 6 (retention and disposal), 7 and 8 of the Act (use and disclosure).
- We also considered TBS’s openness and transparency in relation to its hybrid compliance monitoring approach, including the standard PIBs that were updated for the purposes of administering a hybrid work model. Additionally, we considered the broadly recognized necessity and proportionality data principle, and the policy requirement to complete a PIA for any changes to existing programs or activities that may have an impact on the personal information of individuals related to the administration of the Direction (e.g., to proactively monitor employee compliance with the Direction).
- The OPC’s investigation focused on the use of personal information at both the organizational level (aggregate reporting) and individual level (identifiable employee information) to verify and report on compliance with the on-site presence mandate. While employees’ personal information may also be used in the context of formal investigations related to compliance with the Direction, this process is managed under pre-existing Human Resources (HR) and Labour Relations frameworks. Because the formal investigation process is consistent with existing government-wide administrative practices, and since the Direction does not require any new personal information to be collected in that context, the investigation process was excluded from the scope of the OPC’s review.Footnote 21
- Our investigation was informed by written submissions from TBS and meetings with key TBS stakeholders, including various levels of management within TBS.Footnote 22 Our review covered the period from September 9, 2024, when TBS was required to implement a minimum three days per week attendance requirement for its employees, to the date of writing of this report.
Analysis
- The implementation of a hybrid work model requires employees to have a regular presence on-site. Verifying and reporting on compliance with the on-site presence mandate involves the use of personal information at both the organizational level (aggregate reporting) and individual level (identifiable employee information). This is a new management activity and a significant shift from the pre-pandemic operational structure where federal public servants worked almost exclusively on-site and flexible work arrangements were largely exceptional and temporary.
- The collection and use of personal information to report on employees’ compliance with the Direction mandate, and the tools relied on to verify on-site presence, can introduce new privacy risks (e.g., intrusive tracking, unintentional data misuse). To mitigate such risks, institutions must ensure that the least privacy-invasive means of verifying compliance are used. This translates into several key operational best practices, including prioritizing methods that use the least amount of and least sensitive personal information (e.g., the information must be demonstrably necessary for the activity, and the loss of privacy must be outweighed by the operational need), to ensure that the principles of necessity and proportionality are adhered to.
- While verifying and reporting on compliance with the Direction is a new operational activity, institutions can rely on personal information that they already collect to report on organizational compliance (i.e., how many employees or what percentage of employees are coming into the office).Footnote 23 Under the current Direction policy framework, compliance reporting must only be used for statistical purposes and not to make administrative decisions that affect individual employees.Footnote 24
- With respect to individual compliance with the on-site presence requirement, the Direction has not changed managers’ pre-existing authority to ensure that their employees are abiding by their terms and conditions of employment. Nevertheless, on-site presence monitoring requires managers to adapt from daily face-to-face supervision to a more nuanced approach that balances operational compliance with employee privacy rights.
- As outlined below, the OPC’s assessment of TBS’s compliance with the Act considered how employee personal information is used by TBS to 1) implement a verification regime (to report on organizational compliance with the Direction), and 2) monitor individual compliance with the hybrid work model.
Issue 1: TBS’s verification regime
i) TBS’s collection of personal information to fulfill the requirements of the Direction is compliant with section 4 of the Act
- To comply with section 4 of the Act, the personal information collected must “relate directly to the institution’s operating programs or activities”.Footnote 25 This applies to personal information collected for both administrative purposes (i.e., information used to make a decision that directly affects an individual) and non-administrative purposes (e.g., statistics). Consent is not required under section 4 for a government institution to collect personal information.
- As outlined below, the OPC’s investigation confirmed that TBS’s collection of personal information to fulfill the requirements of the Direction mandate at the organizational level (i.e., to verify and report on compliance with on-site presence requirements) is for non-administrative purposes. As such, the collections do not trigger the direct collection obligations under section 5 of the Act.Footnote 26
- To fulfill the requirements of the Direction, TBS created a high-level monthly dashboard for senior management.Footnote 27 The monthly dashboard is used as a data point to identify general trends that may indicate non-compliance in the organization. It is designed strictly to provide senior management with aggregated, high-level insights on workplace presence trends.
- Responsibility for the dashboard rests with TBS’s HR Analytics team, which leverages existing data sources to support hybrid work compliance reporting. The data elements that TBS relies on to assess organizational compliance with the Direction include i) turnstile data, ii) work arrangement information, iii) MyGCHR data, and iv) data from the Salary Forecasting Tool.Footnote 28
- TBS’s implementation of a verification regime did not require the collection or creation of new personal information. TBS’s collection of the data elements noted above already occurs and is authorized by existing statutory provisions. Specifically, sections 7 and 11 of the Financial Administration Act authorize the collection of turnstile data and employee personal information (work arrangement, attendance and leave information) for security and human resources management activities.
- We are satisfied that these collections for the purpose of verifying and reporting on compliance with the Direction relate directly to TBS’s operating programs or activities for the purposes of section 4 of the Act. We therefore find that the collection issue is not well-founded.
ii) The personal information collected by TBS for compliance reporting purposes does not trigger retention obligations under section 6 of the Act
- Section 6 of the Act triggers obligations for institutions to retain and dispose of personal information.Footnote 29 Specifically, subsection 6(1) of the Act and supporting Privacy Regulations require institutions to retain personal information that has been used for an administrative purpose for a minimum of two years following its last use. Subsection 6(3) of the Act requires institutions to dispose of all personal information under the institution’s control (including information used for non-administrative purposes), in accordance with the regulations and any directives or guidelines issued by the designated minister.
- While the Act does not prescribe a fixed minimum retention period for personal information that is used for non-administrative purposes, institutions are responsible for managing and disposing of this personal information in accordance with the Act. As a best practice, non-administrative data should be disposed of as soon as it is no longer required by the program or activity to mitigate privacy risks.Footnote 30
- The OPC’s investigation confirmed that the personal information compiled by TBS to verify and report on organizational compliance with the Direction [to generate the high-level dashboard] is used for statistical purposes only and not to make administrative decisions that affect an individual or groups of individuals.
- TBS has established a 3-month retention period for this personal information, based on its specific business needs related to organizational compliance reporting and trend analysis. TBS then securely disposes of the spreadsheet reports, in accordance with its legal and policy obligations.Footnote 31
- Institutions must set a reasonable retention period for personal information that is used for non-administrative purposes. The standard is to dispose of it as soon as it is no longer required for the purpose for which it was collected, which depends on the specific context of its collection, the institution’s business needs and any other legal obligations. In this case, we find TBS’s 3-month retention period for the personal information reasonable. It provides a sufficient data sample for accurate trend analysis, and from a data minimization perspective, a 3-month retention period also reduces the volume of employee information that could be targeted or compromised (e.g., unauthorized access). We note that TBS’s established retention and disposal schedule related to this personal information is outlined in its Privacy Protocol.Footnote 32
- The personal information that TBS relies on to assess organizational compliance with the Direction is used solely for non-administrative purposes (aggregate reporting); therefore, the OPC finds that TBS’s retention obligations under subsection 6(1) of the Act are not engaged in the circumstances. As for subsection 6(3), however, we found these obligations to be engaged but confirmed that TBS is meeting its obligations to dispose of the personal information in accordance with its established retention and disposal schedule. Consequently, we find this issue not well-founded.
iii) TBS’s use of personal information for compliance reporting is compliant with section 7 of the Act
- Under section 7 of the Act, government institutions can use personal information without the consent of the individual to whom it relates in certain circumstances.Footnote 33 For instance, institutions do not require an individual’s consent to use personal information for a secondary purpose that is directly and reasonably related to the original purpose for which the information was collected (a “consistent use”).
- Nevertheless, transparency about secondary uses of employees’ personal information is fundamental. Subject to limited exceptions, employees must be informed of the purpose(s) for which their information may be used at the time the information is collected. On this point, we note that TBS has updated the relevant standard PIBs to reflect the new consistent use of employee personal information to verify and report on compliance with the on-site presence requirement, including work arrangement and attendance and leave information, access card data (turnstile data), and electronic network logs (IP login data).Footnote 34
- As explained above, under the current policy framework, institutions may need to rely on existing data sources to support their administration of the Direction mandate. In this case, we confirmed that TBS relies on turnstile data, work arrangement information, and data from MyGCHR and the Salary Forecasting Tool to generate the high-level departmental aggregate dashboard. The original purposes for which this data is collected by TBS include general human resources management activities (e.g., managing work arrangements, payroll, etc.) and physical security measures (e.g., managing the security of government facilities and employees, such as building access).
- The OPC reviewed the specific purpose(s) for which TBS uses each of these data elements to assess organizational compliance. We confirmed that i) turnstile data is used to verify the number of days employees are on-site; ii) work arrangements data is used to validate the total number of employees on full-time telework (exceptions) and the total number of employees working under the hybrid model; iii) MyGCHR data is used to calculate and verify the number of employees on leave to exclude that number from the dashboard, and to identify employees’ sectors; iv) the salary forecasting tool is used to validate the number of active TBS employees and leave information from MyGCHR. We found that TBS’s use of these data elements for verifying and reporting on organizational compliance with the Direction, as outlined herein, is reasonable.
- With respect to the use of employees’ network connectivity (IP addresses) to assess organizational compliance with the Direction, we confirmed that IP aggregated data is relied on by TBS’s HR Analytics team solely to validate turnstile data (e.g., to ensure accuracy and address potential data discrepancies that are inherent to turnstile data).Footnote 35 This information, while aggregated, is not used to generate the monthly dashboards. The OPC also confirmed that TBS does not rely on electronic network monitoring logs for its on-site presence reporting.Footnote 36
- To determine whether TBS’s use of this data to verify and report on compliance with the Direction mandate is a “consistent use”, there must be a reasonable and direct connection between this new purpose and the original purpose for which the personal information was collected. A key test for consistent use is whether an individual would reasonably expect their information to be used in that manner.
- For instance, information about work arrangements (e.g., hybrid work agreements) is collected to manage the employment relationship and to define work locations. Using this same data to ensure that employees are attending the workplace as required (e.g., 3 days per week) is considered a logical extension of managing the employment relationship and operational requirements. As employees are informed that Deputy Heads have the exclusive management right to designate work locations, it is reasonable for an employee to expect that the data they provide regarding their work schedule could be used to verify that they are following that schedule.
- Similarly, it is reasonable for an employee to expect that turnstile data, which is originally collected to enhance the security of government institutions, could be used to support the employer’s management rights to designate the location of work and to ensure compliance with employment conditions, including compliance with any policy requirements to report to the designated workplace.
- Following our review, we are satisfied that TBS’s use of the data elements described at paragraph 34 above to administer the Direction mandate is a consistent use of employees’ personal information that does not require employees’ consent and is therefore authorized under subsection 7(a) of the Act. We therefore find this aspect not well-founded.
- As the personal information used to generate the dashboard is identifiable during the pre-aggregation phase, we also sought information from TBS regarding the administrative and organizational controls implemented to protect this information, including the measures to restrict access to the data and limit the purposes for which it can be used (e.g., to mitigate against risks such as unauthorized access).
- The OPC’s investigation confirmed that TBS has implemented the following measures:
- strictly limiting access to the data to authorized members of the HR Analytics team who require the data to fulfill their reporting responsibilities;
- implementing strict controls to secure the data (e.g., a dedicated SharePoint folder with restricted access to the HR Analytics team only);
- prohibiting the sharing or repurposing of the data for compliance enforcement, inquiries, or investigation purposes;
- permanently disposing of the raw personal information [that is used to generate the dashboards] within 3 months of its use to mitigate risks related to unauthorized access, use or disclosure.
- Additionally, the OPC’s review of the process undertaken by the HR Analytics team to aggregate the personal information confirmed that TBS replaces direct identifiers with numbers and prepares a completely pseudonymized source document which is relied on to produce the dashboard statistics.Footnote 37
- TBS developed an internal guidance document to ensure the responsible handling of employee personal information that is collected from the various data sources for the creation of the monthly dashboards.Footnote 38 TBS’s Privacy Protocol outlines the personal information elements, where it is collected from and how it is used by TBS to verify and report on compliance with the Direction. It also outlines the safeguards that are implemented to protect this information (e.g., access controls, storage), the approved uses of the information (e.g., for non-administrative purposes only to generate the aggregated departmental data), the established retention and disposal schedule for the personal information, and TBS’s privacy breach protocol. Additionally, TBS reported that the HR Analytics team has undergone specific training to ensure the responsible handling of employee personal information, including guidance on how to handle, aggregate, and anonymize the raw data to minimize privacy risks.
iv) TBS’s disclosure of aggregated information falls outside the scope of the Act
- When reporting on compliance with the Direction, institutions must report information in such a way that identifying individuals is not possible. The Direction states that institutions can measure on-site presence using personal information to collect aggregated departmental data. Disclosure of aggregate data where there is no reasonable possibility of reidentification does not constitute a disclosure of personal information, and consequently, is not subject to the disclosure limitations under section 8 of the Act.Footnote 39
- In this case, TBS relies on personal information to prepare a departmental dashboard that contains only aggregate data (i.e., numbers and percentages).Footnote 40 According to TBS, the dashboard cannot be traced back to any individual employee and is only used as a data point for senior management to identify trends in the department. Our investigation therefore considered the degree to which the data presented in the aggregate dashboard can be linked to identifiable individuals either directly or indirectly.
- Data aggregation is a privacy-enhancing technique that allows trends to be analysed without exposing individuals’ personal information.Footnote 41 However, aggregation alone may not eliminate all privacy risks if it does not reduce the risk of re-identification of individuals below an acceptable threshold. Re-identification risk can be expressed as the probability of correctly matching the identity of a data subject to their record.Footnote 42
- Institutions must determine the acceptable level of residual risk based on the nature of the personal information (the data itself, context surrounding its use or disclosure, and the impacts of re‑identification on individuals) and implement proportionate privacy protections to reduce the risk of re-identification.Footnote 43 For instance, when releasing aggregate data about a small number of individuals (e.g., a small sector), it is important to mitigate the risk of re-identification in the dataset (e.g. singling out individuals), which could occur through the information in the dataset alone or in combination with other sources of information.Footnote 44 If there is a serious possibility that one or more individuals could be identified through the information, that information may constitute personal information as defined in section 3 of the Act.
- The aggregation process and managing the minimum cell sizeFootnote 45 are key measures when generating aggregate data to allow individual employees to remain anonymous. While TBS policies do not specify a mandatory minimum sample size for datasets, they recommend standard best practices based on data sensitivity. For instance, a minimum cell size of 10 is often cited as a best practice for data that is less sensitive.Footnote 46
- We confirmed that the TBS dashboards are only created for sectors where there are 10 or more employees, to reduce the risk of re-identification in the dataset. TBS shared the list of sectors with the number of employees in each one, as well as the list of sectors reported in the aggregate dashboard. We confirmed that sectors with fewer than 10 employees are omitted from the dashboard.
- Using a minimum cell size of 10 suggests that TBS has assessed the employee personal information that is used to generate the aggregate dashboard as “less sensitive” and has determined that the risk of re-identification is acceptable.Footnote 47 Given the specific employee personal information that is used to generate the aggregate dashboard, we found TBS’s assessment reasonable. In contrast, we would expect a higher minimum cell size (such as 20 or more) for data that is more sensitive (e.g., health or financial information).
- Following our review, we are satisfied that the dashboard is used only as a data point to identify general trends that may indicate non-compliance in the organization and that it does not contain identifiable personal information. TBS’s implementation of privacy protection measures (data aggregation), recognized best practices (minimum cell size), and administrative controls (limiting access to the raw data), sufficiently reduces the risk of employee re-identification such that we find that there is no serious possibility that the information can be used to identify an employee. We therefore consider the information in the dashboard to be non-personal.
- In light of the above, we find that TBS’s disclosure of the dashboard falls outside the scope of the Act and this aspect is not well-founded.
- Notwithstanding the above, we take this opportunity to highlight that there is no standard, minimum cell size that eliminates re-identification risk when deriving aggregated data from personal information. While a minimum cell size of 10 is a best practice for data that is less sensitive, it should only be used as a starting point for a case-by-case analysis.Footnote 48 Institutions’ risk analysis related to the probability of re-identification should consider factors such as the sensitivity of the data and the potential harm that could result from re-identification, among other things.Footnote 49 These important factors are addressed in TBS’s published guidance relating to de-identification.Footnote 50
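As an added illustration, not TBS’s own code or process, the following Python shows the pipeline the preceding paragraphs describe: direct identifiers are replaced by numbers, the pseudonymized records are aggregated per sector, and any sector below the minimum cell size is omitted from the published figures. The records, the sector names, the PRI-style identifier and the rule that three or more on-site days in a week counts as compliant are constructed assumptions for this example; the report does not describe how TBS’s dashboard computes its percentages.

```python
"""Pseudonymise, aggregate and apply a minimum-cell-size floor before release.

Added example; not TBS code. All input data below is constructed.
"""
from collections import defaultdict

MIN_CELL_SIZE = 10        # floor cited as best practice for less sensitive data
REQUIRED_ONSITE_DAYS = 3  # assumption: >= 3 on-site days in the week = compliant


def pseudonymise(records):
    """Replace the direct identifier with an opaque sequential number.

    The number-to-identifier table is returned separately so the caller can
    keep it apart from the analytic copy (or discard it); it never reaches
    the aggregation step or the dashboard.
    """
    pseudonymised, mapping = [], {}
    for n, rec in enumerate(records, start=1):
        mapping[n] = rec["pri"]
        pseudonymised.append(
            {"id": n, "sector": rec["sector"], "onsite_days": rec["onsite_days"]}
        )
    return pseudonymised, mapping


def aggregate_by_sector(records):
    """Count employees and compliant employees per sector (one cell per sector)."""
    cells = defaultdict(lambda: {"employees": 0, "compliant": 0})
    for rec in records:
        cell = cells[rec["sector"]]
        cell["employees"] += 1
        if rec["onsite_days"] >= REQUIRED_ONSITE_DAYS:
            cell["compliant"] += 1
    return dict(cells)


def suppress_small_cells(cells, min_cell_size=MIN_CELL_SIZE):
    """Publish only cells at or above the floor; return the omitted sectors too."""
    published, suppressed = {}, []
    for sector, cell in cells.items():
        if cell["employees"] < min_cell_size:
            suppressed.append(sector)  # too few people to report safely
            continue
        published[sector] = {
            "employees": cell["employees"],
            "compliance_rate": round(100 * cell["compliant"] / cell["employees"], 1),
        }
    return published, suppressed


def build_dashboard(records, min_cell_size=MIN_CELL_SIZE):
    """Full pipeline: pseudonymise -> aggregate -> suppress small cells."""
    pseudonymised, mapping = pseudonymise(records)
    del mapping  # re-identification table is not kept with the dashboard inputs
    return suppress_small_cells(aggregate_by_sector(pseudonymised), min_cell_size)


def constructed_records():
    """Constructed sample input (not real data): three sectors, one below the floor."""
    recs, n = [], 0
    for sector, size, compliant in (("Sector A", 12, 9), ("Sector B", 15, 15), ("Sector C", 4, 1)):
        for i in range(size):
            n += 1
            recs.append({"pri": f"PRI{n:05d}", "sector": sector,
                         "onsite_days": 3 if i < compliant else 2})
    return recs


if __name__ == "__main__":
    published, suppressed = build_dashboard(constructed_records())
    for sector, cell in published.items():
        print(f"{sector}: {cell['employees']} employees, {cell['compliance_rate']}% compliant")
    print("omitted (below minimum cell size):", suppressed)
```

A cell that passes the size floor can still disclose attributes: a published sector showing 100% or 0% compliance reveals every member’s status, and a department-wide total published alongside all but one sector lets the omitted sector’s figures be recovered by subtraction. The case-by-case analysis the report calls for should check for both before release; the floor is the starting point, not the whole assessment.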
Issue 2: Monitoring individual compliance with the Direction mandate
- The Direction mandate did not change managers’ pre-existing authority to ensure that employees abide by their terms and conditions of employment. As the employer has the exclusive management right to designate the location of work and to require employees to report to their designated workplace, managers have a duty to ensure that their employees comply with established workplace requirements, including hybrid work arrangements.
- The Direction states that managers should proactively discuss barriers related to the on-site presence requirements with employees and define solutions to address those barriers. It also states that managers should ensure that individual circumstances are considered on a case-by-case basis. As the Direction does not include any other prescriptive or detailed information relating to privacy obligations, TBS developed internal guidance and resources to contextualize privacy obligations within its specific operating environment and to support managers in their role. Additionally, in its policy role, TBS has developed guidance to support government institutions during the implementation of the updated hybrid work model.Footnote 51
- In line with this guidance, managers at all levels are expected to rely primarily on observation or employee self-reporting to verify individual compliance with the Direction. If aggregate reporting at the organizational level identifies a potential compliance issue, or a manager has concerns regarding suspected non-compliance by an employee, managers are expected to consider how to address the issue directly with the employee before taking additional steps to investigate. Only in a formal investigation process can employee personal information (including building access logs, turnstile data, or electronic network logs) be used to support compliance with the Direction.Footnote 52
- The OPC met with managers across several sectors at TBS to better understand personal information handling practices related to on-site presence monitoring, as well as the steps taken by TBS to support managers in their role and to communicate the expectations for privacy protection.
- Overall, we found that managers carry out their responsibilities with an awareness of privacy obligations and the requirements under the Act. Managers that we interviewed confirmed that they do not use any privacy invasive means to monitor employees and rely primarily on observation and employee self-reporting to verify individual compliance (e.g., self-reported schedules entered on team calendars, employee work arrangements), in compliance with TBS guidance.
- In cases of suspected non-compliance with the on-site presence requirement, managers noted that they consider how to address the issue with the employee first and engage with Labour Relations when needed for guidance (e.g., to discuss challenges or to address individual circumstances). For issues that may require detailed reviews of employee personal information, managers reported following established Labour Relations processes to ensure privacy compliance (e.g., for issues that result in a formal investigation related to non-compliance).
- Additionally, managers referenced the departmental guidance that supports their administration of the Direction mandate through procedures and hybrid best practices. For instance, the Toolkit for managers outlines the expectations for the responsible collection and use of personal information related to on-site presence monitoring, guidelines for managing situations of non-compliance,Footnote 53 and covers other topics such as the duty to accommodate, handling requests for exceptions, and hybrid best practices (e.g., shared calendars).
- TBS also developed departmental resources such as FAQs, and a recourse mechanism for questions and feedback relating to the implementation of the Direction.Footnote 54 According to TBS, it has not otherwise mandated or prescribed any official template or approach for managers related to monitoring compliance with the Direction mandate. TBS pursued an approach that supports management discretion and flexibility – i.e., where managers can determine the approach that best aligns with their operational needs.
- With respect to training, TBS noted that it leverages existing internal course offerings and that no new course related to the implementation of the Direction specifically has been added to its mandatory training list. Managers are expected to take the appropriate privacy training to ensure they understand requirements when handling employee personal information, and to apply privacy best practices in their day-to-day responsibilities.
- In this case, TBS has implemented several measures to mitigate against privacy risks associated with the flexibility afforded to managers under the Direction mandate. Notably, TBS has supported managers through the development of departmental guidance that explicitly outlines the acceptable and responsible collection and use of personal information for monitoring on-site compliance. We found that these measures have helped to create a general management philosophy at TBS that emphasizes communication, individual circumstances, and privacy protection in the hybrid work environment.Footnote 55
- Following our investigation, we found no evidence to suggest that employees’ personal information was collected, used or disclosed by TBS managers in contravention of the Act.
Other
Openness and Transparency
- Openness and transparency about an institution’s personal information management practices related to the implementation of the Direction are fundamental to the success of the common hybrid work model. Clear communication about employee on-site requirements and expectations for compliance, including what personal information will be collected, used and disclosed, is essential to manage expectations, build trust, ensure fairness and consistency, and foster accountability.
- PIBs are the minimum vehicle for legal compliance and transparency, and through which government institutions inform individuals about the personal information that they collect.Footnote 56 PIBs must be established for any program or activity that uses personal information for an administrative purpose, or that uses personal information that is organized and retrievable by the name of an individual, identifying number, symbol or other particular assigned to an individual.Footnote 57 Institutions must also ensure that a class of personal information is established for any personal information that is under the institution’s control that is not intended to be used for an administrative purpose.Footnote 58 An institution’s transparency obligations are captured under sections 10 and 11 of the Act.Footnote 59
- While PIBs provide the necessary standard for legal compliance, they are merely one transparency tool. Institutions should strive to proactively use a range of communication strategies to make information accessible and to explain how personal information is handled so that individuals are fully informed and aware of an institution’s practices.
- The OPC’s review therefore considered the relevant PIBs that reflect the collection and use of employees’ personal information for the purpose of administering a common hybrid work model, as well as TBS’s openness and transparency through communications and guidance shared with employees regarding its privacy practices related to the implementation of the Direction.
Personal Information Banks
- A government institution can only use personal information for the purpose for which it was obtained or compiled, or for a use that is consistent with that original purpose. These uses are described in the relevant PIBs. Any new use of personal information (i.e., uses or consistent uses that are not captured under the PIB) would require the institution to register a specific PIB to comply with section 10 of the Act.Footnote 60
- The OPC’s investigation confirmed that TBS updated several standard PIBs to account for the new consistent use of employee personal information to verify and report on compliance with the Direction, including: i) Attendance and Leave (PSE 903), ii) Electronic Network Monitoring Logs (PSU 905), iii) Employee Personnel Record (PSE 901), and iv) Physical Access Controls (PSU 907).Footnote 61
- In this case, TBS relies on the above-noted standard PIBs to collect turnstile data, work arrangements data, and data from MyGCHR and the salary forecasting tool, for the purpose of verifying and reporting on compliance with the Direction. The use of these data elements for that purpose is captured as a consistent use of the information in the PIBs.
- We note that this personal information may also be used for compliance enforcement or investigative purposes to determine whether there has been any inappropriate employee behaviour and/or misconduct related to compliance with the Direction. The use of personal information for investigations related to non-compliance with telework agreements should be handled in accordance with established Labour Relations processes and the relevant PIBs should reflect that, in instances of suspected non-compliance, the information may be shared for further investigation or disciplinary purposes.Footnote 62
- Following our review of the PIBs, the OPC sought clarification regarding the PIB description for PSU 907 (Physical Access Controls), which we found does not explicitly reflect the potential use and disclosure of access logs in formal investigations related to compliance with the Direction.
- According to the description for PIB PSU 907, the main purpose for the collection of the personal information is security (i.e., “to enhance the security of government institutions facilities and of individuals and assets present in such facilities”). While the PIB states that the information “may be used to support compliance with other relevant Treasury Board policy instruments and policy directions”, it does not explicitly state that entry data (building access logs) may be used or disclosed for the purpose of investigating employee compliance with the policy requirement or for disciplinary purposes.Footnote 63
- According to TBS, the primary purpose of building access logs remains security (as reflected in PIB PSU 907). TBS interprets the reference to supporting “compliance with other relevant Treasury Board policy instruments and policy directions” in the PIB as encompassing the use of access logs in formal investigations related to compliance with the Direction, where necessary and appropriate. In this context, TBS stated that Labour Relations could request to obtain an employee’s building access data (or any other data point required) to verify allegations during an investigation, should a manager’s observations raise sufficient concern regarding an employee’s adherence to their telework agreement or on-site presence.
- Describing consistent uses informs individuals about how their personal information may be used or disclosed, allowing them to make informed decisions and exercise their rights under the Act. Consequently, PIB descriptions need to be sufficiently explicit, and must clearly detail the information collected, its purpose and how it is used and/or disclosed. We encourage TBS to review its description accordingly.
TBS Communications
- The OPC’s investigation confirmed that TBS communicated its implementation of the requirements of the Direction through various channels in order to support employees and managers during the transition to the updated hybrid work model. Emails from senior management, the creation of FAQs, and a network of change ambassadors, reflect TBS’s commitment to openness, transparency and privacy compliance.Footnote 64
- As noted at paragraph 61, TBS also developed a Manager’s Toolkit for guidance on applying the Direction. The Toolkit was created to support managers in the transition to the three-day hybrid model and describes the privacy expectations related to compliance reporting.Footnote 65
- TBS noted during the investigation that it has only communicated to its employees the potential use of building access logs in the context of aggregate reporting related to the administration of the Direction. From a transparency perspective, TBS has an obligation to ensure that employees are notified regarding new consistent uses or disclosures of personal information (e.g., clear privacy notice statements).Footnote 66 To this end, TBS should ensure that its potential use of building access logs for formal investigations related to compliance with the Direction is clearly communicated to employees.
Necessity and Proportionality
- The introduction of the hybrid work approach underscores the need to carefully balance important interests. On the one hand, the employer has the exclusive management right to designate the location of work and to verify that employees are reporting to their designated workplace; on the other hand, monitoring compliance with the hybrid work model and on-site presence must be done in a privacy-friendly manner and limited to purposes that are specific, targeted and appropriate in the circumstances. If adequate safeguards are not in place to manage how employee personal information is used for the administration of the Direction, this can create risks for privacy (e.g., intrusive tracking).
- An institution’s approach to monitoring compliance with the Direction should align with the principles of necessity and proportionality and use the least privacy-invasive means of verifying compliance with the Direction mandate.
- To guide institutions in considering necessity and proportionality, the OPC promotes a 4-part test that calls for institutions to ask themselves specific questions when establishing potentially privacy-intrusive programs and services.Footnote 67 The OPC’s investigation revealed that TBS has considered these important principles in its on-site compliance monitoring approach.
- To fulfill the Direction requirement to establish a verification regime, TBS adopted a privacy-friendly approach to assess organizational compliance. In developing the high-level dashboard, TBS evaluated the personal information under its control to determine what is necessary for, and directly tied to, the objectives of verifying and reporting on organizational compliance with the hybrid work model.
- TBS reported that its assessment considered i) the purpose of each data element collected and its relevance to the development of the dashboard; ii) whether the collection of the personal information is directly tied and necessary to the objectives of monitoring and reporting on hybrid work arrangements; and iii) the sensitivity of the data and the measures in place to safeguard employee privacy.
- Additionally, TBS implemented privacy protection measures (data aggregation), recognized best practices (minimum cell size), and strict controls to protect and limit access to employees’ personal information, and to mitigate risks to employee privacy. TBS indicated that it remains committed to ensuring that employee privacy is respected while supporting senior management in monitoring hybrid work arrangements in a manner that is proportionate, transparent, and aligned with applicable privacy obligations.
- Overall, the OPC found that TBS’s consideration of key privacy principles was a contributing factor in its use of a minimally privacy-intrusive tool to assess organizational compliance (an aggregate-level dashboard) and to meet the objectives of the Direction mandate. From a necessity and proportionality perspective, we find that TBS maintained a reasonable balance between operational needs and respect for individual privacy rights at the organizational level.
- At the management level, the OPC found that compliance with the Direction mandate is primarily managed through direct manager observation and employee self-reported information, which we consider to be the least privacy-invasive methods. Per TBS guidance, detailed reviews of employee personal information are triggered only when a specific issue is identified and Labour Relations has been engaged. The OPC is satisfied that TBS managers have implemented a proportional, privacy-first approach, ensuring that the Direction is enforced effectively and responsibly while respecting employees’ right to privacy.
Privacy Impact Assessment (PIA)
- A PIA is the most comprehensive process currently in place to evaluate the effects of a specific initiative on individuals’ privacy and represents a core component of an institution’s privacy compliance framework. When done properly and approved before an initiative is launched, PIAs can help ensure that legal requirements are met and that privacy risks are either addressed or mitigated. PIAs are a proven way to minimize privacy risks.Footnote 68
- A PIA is mandatory for new or substantially modified programs or activities that involve personal information used for administrative purposes or that involve new technologies or special risks. A PIA can be used as an "early warning system" to identify, assess, and mitigate privacy risks associated with the administration of the Direction mandate and the monitoring of on-site presence to ensure that data handling practices are compliant with legal and privacy obligations. Methods for monitoring on-site presence, especially if they involve systemic or proactive tracking of individual data or the use of potentially invasive tools, would constitute a change in how personal information is handled and require the completion of a PIA.Footnote 69
- TBS’s current approach for on-site presence monitoring relies on existing data sources to generate aggregate dashboards for senior management and uses only the minimum amount of personal information for verification and compliance reporting. TBS notes that it has not conducted a PIA in relation to its verification regime because its approach is aligned with the Direction and supporting privacy guidance and does not result in the collection or use of personal information beyond those permitted under the current policy framework.
- The OPC’s review found that TBS’s current framework is privacy-friendly and strikes the right balance between TBS’s operational goals and employee privacy and therefore does not require a PIA.
Findings and Conclusions
- The OPC’s investigation assessed whether TBS is compliant with the requirements of the Act in relation to its implementation of the Direction mandate. This included an assessment of TBS’s compliance with section 4 (collection), 6 (retention and disposal), 7 and 8 (use and disclosure) of the Act. Our review also considered key privacy principles and the policy requirement to conduct a PIA. We made the following key findings:
Organizational compliance
- To generate a high-level, aggregate dashboard for senior management which is used to assess organizational compliance with the on-site presence requirement, TBS relies on i) turnstile data, ii) work arrangement information, iii) MyGCHR data, and iv) data from the Salary Forecasting Tool. TBS’s collection of these data elements already occurs and is authorized by existing statutory provisions, including sections 7 and 11 of the Financial Administration Act. These collections relate directly to TBS’s operating programs or activities, including security and human resources management, for the purposes of section 4 of the Act.
- TBS’s collection of these data elements is for statistical purposes only (aggregate reporting) and the information is not used to make decisions that affect individual employees. Personal information that is used for non-administrative purposes does not trigger retention obligations under subsection 6(1) of the Act. TBS disposes of this personal information when it is no longer required for compliance reporting purposes (within 3 months of its use), in accordance with TBS’s established retention and disposal schedule, and its obligations under subsection 6(3).
- TBS’s use of these data elements to verify and report on organizational compliance with the Direction is a use consistent with the original purpose for which the information was initially collected and therefore authorized under subsection 7(a) of the Act – that is, the information can be used without the consent of the individuals.
- With respect to the disclosure of the dashboard to senior management, TBS’s implementation of privacy protection measures, including data aggregation, sufficiently reduces the risk of re-identification. We find that there is no serious possibility that the dashboard information could be used to identify individual employees. As such, we consider this information to be non-personal information that falls outside the scope of the Act.
Monitoring individual compliance
- Overall, we found that managers carry out their responsibilities with an awareness of privacy obligations, relying primarily on observation and employee self-reporting to verify individual compliance (e.g., self-reported work arrangements). In cases of suspected non-compliance with the on-site presence requirement, managers consider how to address the issue with the employee first and engage with Labour Relations for guidance when needed. For issues that require detailed reviews of employee personal information (e.g., in the context of a formal investigation), managers follow established Labour Relations processes to ensure privacy compliance. TBS also mitigates privacy risks associated with manager flexibility and discretion under the Direction mandate through departmental resources (FAQs) and guidance that outlines the acceptable and responsible collection and use of personal information for monitoring on-site compliance. We found no evidence during the investigation that personal information was collected, used or disclosed by managers in contravention of the Act.
Key privacy principles and policy requirements
- With respect to openness and transparency, TBS communicated its implementation of the requirements of the Direction, as well as the changes that were made to the standard PIBs that it relies on for the administration of the Direction, through various channels during the transition to the updated hybrid work model (e.g., emails from senior management). However, our review found that the description for PIB PSU 907 (Physical Access Controls) does not explicitly reflect the potential use of access logs in formal investigations related to compliance with the Direction and that TBS did not clearly communicate this potential use to employees. We encourage TBS to update its description accordingly.
- From a necessity and proportionality perspective, TBS’s approach for assessing organizational compliance (i.e., aggregate dashboard) is effective in meeting the objectives of the Direction mandate without creating an unnecessary risk to employees’ privacy. Overall, we found that TBS’s consideration of several privacy-friendly measures has helped TBS maintain a reasonable balance between operational needs to comply with the Direction, and respect for employees’ privacy rights. We are also satisfied that TBS managers have implemented a proportional, privacy-first approach, ensuring that the Direction is enforced effectively and responsibly while respecting employees’ privacy rights.
- TBS did not conduct a PIA for its verification regime because its approach is aligned with the Direction and supporting privacy guidance and does not result in the collection or use of personal information beyond those permitted under the current policy framework. TBS relies on existing data sources to generate the aggregate dashboards for senior management and uses only the minimum amount of personal information for verification and compliance reporting.
- In light of the above, the OPC found that TBS’s collection, retention, disposal, use and disclosure of personal information related to the administration of the Direction mandate are compliant with the requirements of the Act. We therefore find the complaint to be not well-founded.