A New Act, A New Era
Address to the University of Toronto and Lancaster House Conference
on New Developments in Workplace Privacy
April 6, 2001
Privacy Commissioner of Canada
(Check Against Delivery)
Privacy in the workplace is one of the most important privacy issues facing our society.
And privacy itself will, I believe, be the defining issue of this new decade.
I know the idea that employees have rights to privacy in the workplace might seem odd to some people - though hopefully not to anyone in this room.
Some people think that employees have no right to privacy. It's the employer's property and the employer's time.
And some people think that if you simply tell employees not to expect any privacy, they don't have any.
As you might expect, I think otherwise. Employees have a fundamental, inherent right to privacy in the workplace.
And now that right has been affirmed in the federal government's new private sector privacy law - the Personal Information Protection and Electronic Documents Act.
This act already applies to some of you, if your businesses are federally regulated. But even if it doesn't apply to you, you need to look at it carefully - because, one way or another, some law like it will almost certainly apply to you down the line.
As I've said, I believe that privacy will be the defining issue of this decade. That's because we are at a crossroads.
Privacy is a critical element of a free society - it's "at the heart of liberty in a modern state," as Justice LaForest of the Supreme Court has said.
But privacy is under attack as never before, threatened in all sorts of new ways, particularly by advances in technology. I'm confident that we can protect privacy, if we put our minds to it, but I'm also certain that if we don't, it will slip away.
Privacy is a fundamental human right, recognized in the United Nations Declaration of Human Rights.
That's because there can be no real freedom without privacy. In fact, many have suggested that privacy is the right from which all others flow - freedom of speech, freedom of association, freedom of choice, any freedom you can name.
None of us wants to go through life feeling that at any moment someone may be, either metaphorically or literally, looking over our shoulder. If we have to weigh every action, every purchase, every statement, every human contact, wondering who might find out about it, judge it, misconstrue it, or somehow use it to our detriment, we are not truly free.
That's why lack of real privacy is a distinguishing characteristic of so many totalitarian societies.
And that's why privacy is not only an individual right - it's also a shared value, a social, public good. Our society as a whole has a stake in the preservation of privacy.
We cannot remain the kind of society we want to be - a free, open and democratic society in which we all have the autonomy to fulfil ourselves - unless the right to privacy is respected.
Two points flow from this:
First, the widespread idea of "the privacy of the individual" being "balanced" against "the interests of society" needs to be turned around. The interests of society include the privacy of individuals. When privacy is lost, the individual feels it, but society is the real loser.
That doesn't mean that privacy is an absolute right. Sometimes some of it has to be sacrificed to advance other crucial social objectives.
But it does mean that we should be reluctant to infringe or limit privacy. Any limitation has to be justified.
When someone proposes such a limitation, we need to very carefully scrutinize what they're proposing. Is there really a need for it that clearly outweighs the loss? Will sacrificing privacy really achieve the objective? Is there a less privacy-invasive way of doing it?
That's the first point. The second point is this:
If privacy is a fundamental human right and a social good, that right does not disappear when we pass through the door of the workplace.
In fact, I cannot imagine a place where our rights need to be more respected than in the workplace, where we spend so much of our time and where so much of our life is defined.
We as a society don't tolerate discrimination in the workplace, or harassment. Why would we tolerate invasion of privacy?
Well, we don't. And that brings me to the new federal private sector privacy legislation.
As of last January 1, the law applies to the federally regulated private sector - that is, primarily to banks, broadcasters, telecommunications and transportation companies, and to personal information that is sold across provincial or national borders, for instance by credit reporting agencies. It also applies to all private sector businesses in the territories.
The law applies to all collection, use and disclosure of personal information by the organizations that fall under its jurisdiction - specifically including the personal information of employees. The only exception is personal health information, which isn't covered until next January.
As of January 1, 2004, the act will apply to all commercial transactions within Canada, except in provinces that have by then enacted substantially similar legislation of their own.
There's been some misunderstanding about this. It will only apply to commercial transactions, not to employment. The act won't apply to employee information in the provincially-regulated sector.
Then why did I say earlier that you should pay close attention to the Act even if you're not covered by it?
Well, because the principles in the Act are not something peculiar to Canada, or to the federal government. They're international data protection standards.
They were developed by the OECD, the European Union, and various private sector and advocacy organizations. They've been incorporated around the world into voluntary codes and privacy laws. We're actually just catching up with most of the rest of the world.
I should also add that the federal government, as an employer, has for decades been bound by very similar rules regarding the privacy rights of its employees, under the Privacy Act that governs the federal public sector. And those rules have not proven to be unduly onerous or caused any unmanageable problems.
Since the private sector act's model is so widely accepted, I think provincial legislation will probably look a lot like it. In other words, whether it's the federal law or a "substantially similar" provincial statute, this is likely to be the lay of the land. You would do yourselves no favour by ignoring it.
The principles in the act should serve as the bedrock of your privacy practices.
What the new law says, in a nutshell, is this:
Apart from some very limited exceptions, no private sector organization covered under the law can collect, use or disclose personal information about you without your consent.
It can collect, use or disclose that information only for the purpose for which you gave consent.
You have the right to see the personal information that is held about you, and to correct any inaccuracies.
There is oversight, through me and my office, to ensure that the law is respected, and there is redress if your rights are violated.
Exactly the same rules apply to the collection, use or disclosure of information about your organization's clients - and about your employees.
Of course, the circumstances are different. A customer consenting to be put on a mailing list by a store is a different situation than a potential employee consenting to provide you with the information you need.
But the principles are the same.
No one has to consent to anything. That's what having a choice means. But obviously in the case of commercial transactions, choosing not to provide the personal information needed for a transaction means foregoing the transaction.
You can't subscribe to a magazine if you're unwilling to give them a mailing address. If you want to apply for a loan, the potential lender obviously needs to know your income and hence your ability to repay, whether you have a good record of repaying your loans in the past and so on - otherwise, the transaction is impossible.
The same is true in the workplace. The employer has obvious information needs - for instance, the employee's address, social insurance number to meet government requirements, education and work experience, and so on. There's also a legitimate need to collect and use information about the employee's work performance, attendance, and potential for advancement.
An individual who doesn't want to surrender that sort of personal information has a choice. Don't take the job - there's always self-employment.
That's only common sense. It's reasonable.
But the employer doesn't have the same obvious need for other sorts of personal information - an employee's marital status, for instance, or sexual orientation, or personal financial circumstances.
You might want to ask for the name of next of kin to contact in case the employee has an accident or falls sick. But the employee should have the right to say, "that's okay, thanks - I'll take my chances."
And much as you need to do performance assessments, you certainly wouldn't need to post the assessment - or a letter of reprimand - on the bulletin board, or leave it lying around where the employee's colleagues could easily see it.
But that's where the issue of consent becomes a little more complicated. It's not always an equal playing field. There are imbalances of power.
If every airline operating in Canada said you can't fly with us unless you consent that we can disclose all your travel information to anyone we want, what kind of consent would that be? You can say no, but then what do you do - hitchhike to London or Vancouver?
The same is true if every employer were to say, "you can't work for us unless you consent to give up your privacy rights."
Fundamental rights cannot be extorted away, or contracted away under duress.
That's why the new private sector act states right at the outset - in section 3, the statement of purpose - the principle that organizations may collect, use, or disclose personal information "only for purposes that a reasonable person would consider appropriate in the circumstances."
This means that consent alone is not enough. Even if consent is being sought, the proposed invasion of privacy has to be appropriate under the circumstances.
And, in the workplace, those circumstances do vary.
A person whose work requires free access to highly sensitive, secret information - like myself as Privacy Commissioner, for example - may need to get a security clearance. That's a highly privacy-invasive process that includes thoroughly investigating your past life and your family connections, and even interviewing your friends and past employers.
But it's appropriate to the circumstances of a position like mine. It wouldn't be appropriate for a bank manager or a TV journalist.
Similarly, a different standard of employee surveillance might be appropriate in workplaces where the risks and temptations are exceptionally great - for instance, in a banknote company that actually manufactures money - than in the offices of an average business.
Take a specific example: video surveillance.
If an organization decides to conduct video surveillance of its employees, what does respect for privacy rights under the act require?
Well, there has to be consent. The organization has to notify its employees. It has to specify why it is videotaping. It has to limit the videotaping to what's necessary to achieve its purpose. It can only use the videotapes for that purpose. It has to allow employees, if they want, to view the videotapes of themselves. And if the employees choose to remain employed under those conditions, they have effectively consented.
But maybe they need the job. Maybe all the other organizations in their field of work are trying to introduce the same kind of video surveillance. And maybe there's no obvious need for it.
That's why the new private sector law goes further. That's why it requires that collection and use of personal information be for purposes that a reasonable person would consider appropriate.
By now you're probably wondering who that "reasonable person" is.
Well, we're all reasonable people. And what we're talking about here is really common sense.
But if otherwise reasonable people can't agree - if it comes down to a crunch and there's a complaint - in the case of private sector organizations that fall under the Act, the law makes me as Privacy Commissioner the proxy for the reasonable person.
I'm an ombudsman.
In both the public sector and now the private sector cases that come under my jurisdiction, I try to resolve the complaints I investigate in as amicable and cooperative a way as possible, through mediation and conciliation.
I, and through me my office, have considerable investigative powers, including the power to enter and search premises, and the power to issue subpoenas. But my office has never had to use those powers in the case of the public sector law, because voluntary cooperation was always forthcoming.
I very much hope that will be the case with the private sector as well.
I also have powers at my disposal for those instances - which I hope will be rare - where I find that an organization is, in fact, violating privacy rights and it refuses to do the right thing.
First of all, I have the power of disclosure. I can make public - whether in a report to Parliament, in a press release or in any way I choose - that I find an organization to be in violation of the law.
I don't think many businesses would like to read in their newspaper that the Privacy Commissioner says they are violating the rights of their employees or their customers, so this is a powerful deterrent.
I also have the power to go to the Federal Court and ask it to order an organization to do, or cease and desist from doing, whatever is necessary to come into compliance with the law. I can also ask the court to award damages, including damages for such things as humiliation, to anyone whose privacy rights have been violated.
But I don't like to dwell on the enforcement end of things. What's much more important is to foster an understanding of, and respect for, privacy rights.
Some people deny that employees have a right of privacy in the workplace.
Why should they expect privacy? They're on the employer's premises and using the employer's equipment. They've sold their time to the employer. They've surrendered their privacy as a condition of working there. They're free to work elsewhere.
I don't accept this. I don't accept that employees give up their rights and sell their entire being when they enter the workplace. I don't accept that we lose our right to privacy simply because someone tells us not to expect any.
I define privacy as the right to control access to oneself and to information about oneself.
We can agree to relinquish some of that information and allow some access, in exchange for some things we want that require it. But we don't give up everything and abandon that right, simply as a condition of participating in social life or work.
I'm not alone in thinking this way.
A lot of labour arbitrators have recognized that workers have reasonable expectations of privacy when it comes to things like physical searches or video surveillance.
Employers have good reasons for seeking information about their employees.
They need to ensure that the work is being done - honestly and efficiently, without damage to their investment, without danger to other employees, and without risk of liability.
And they need to know some things about their employees, beyond just knowing who they are, particularly where they have responsibilities for health and safety.
But you can make the argument that any information is relevant to these purposes. There's no real limit.
Henry Ford had his "sociological department" check up on his employees' homes and personal lives, to see if Ford's employees were wasting their wages on alcohol and tobacco and other vices.
Most of us see that as excessive. But I bet that they could have made a case that these things were legitimately the employer's concern.
Because anything can be the employer's concern.
We've seen that.
Polygraphs and psychological tests that delve into employees' thoughts. Drug tests that show what employees might have done on their own time in the last month. Private investigators looking into employees' home lives. Software that tracks their computer use. Seizure of home computers. Genetic testing.
The only limit is the limit of technology, and a sort of law of diminishing returns. At a certain point, the cost of obtaining, storing, or analyzing yet more personal information isn't justified by the marginal value of the information.
In other words, as I've often said, our privacy has been protected by default. And that default point slips away as technology advances.
Take the example of video surveillance.
Until recently no sane manager would propose monitoring employees all the time, without justification or reasonable suspicion, without any focus for the monitoring. No one could possibly have a use for it. Who was going to wade through all those miles of videotape? What would they do, watch tapes all day on the off chance that they might spot something useful?
Technology has changed that. Look at the way video is used in public security. There's been a revolution in the volume of data that can be managed.
Computers scan video images for crimes being committed - that's a huge enough task in itself. But there are programs now that can analyze movement, looking for body language that's been correlated with the commission of crimes.
Computers scan faces, analyze them, and match them to digitized records of targeted people. That happened at the Super Bowl this year, where 100,000 people were put through a sort of electronic line-up. And it's reported to be happening here in Ontario, in casinos.
You've heard about data mining, I'm sure, where computers are used to examine vast collections of data and uncover new correlations and associations. It's a technique that has revolutionized the use of personal information in marketing.
It's also revolutionized scientific research. You don't need a hypothesis to direct your research. Now you can use brute computing power to search for correlations.
Well, the same thing applies to surveillance. You don't need to direct your surveillance, or ask your cameras and computers to answer specific questions anymore. You just monitor everything that moves.
And video surveillance - or web cam surveillance, which is the latest wrinkle - is only one element.
You can add monitoring of computer, e-mail, and web use to the mix. You can add location-tracking technology, wearable computers, biometrics. You can add drug testing. Genetic testing.
It's all arguably relevant to an employer's interest. It's all collectible. And it can all be managed.
So the default protection is gone now. Technological limits won't preserve the core of privacy much longer.
It's up to us now. We have to articulate and defend our right to control access to our persons and information about ourselves - our right to privacy.
Let me reassure you. I'm not arguing against management's right, and responsibility, to control the workplace. I'm not attacking the importance of contract, or the concept of property.
Of course, the employer owns the premises and the equipment. Of course, the employer pays employees to work, not to do anything else. Those are facts.
But those facts have always had a kind of imperfect reality. The real world hasn't divided up as neatly as our concepts do. And that's been the saving grace of the whole system.
The social chat at the water cooler, the little pause for solitary reflection, the phone call from home or the note from a friend - these are things that don't actually fit in with the model of the employee working on the employer's premises, using the employer's equipment, on the employer's time.
But they've been accepted as part of the cost of doing business. Generations of managers learned and accepted that if you can account for seventy-five percent of the available time, you're doing well.
That acceptance of a particular reality meant that work, for most people, was liveable even when it was dreary, social even when it was solitary, human even when it was mechanical. It meant that that core of privacy they carried with them was intact.
The benign limit that technical imperfection gave us is just about a thing of the past.
A lot of employers seem to think that they need this technology that eliminates employees' privacy.
They want to monitor employees' e-mail and web use because they're concerned about the potential for time-wasting.
I don't think potential justifies this.
If there's a real problem, if there's a reason to suspect abuse, that's different. You can address that in a less privacy-invasive manner than monitoring everyone. A directed inquiry based on a reasonable suspicion should do the trick.
But just the potential for problems doesn't justify wholesale monitoring.
Most of us would agree that an employer would have no business randomly or routinely pawing through the desk drawers of employees, and examining whatever happens to be there. What makes the contents of a computer any different? Sure, you own it-but you own the desks, too.
Needlessly invading the privacy of employees isn't even good business, in my opinion.
Few of us would be able to do our best work if the employer was standing right in front of us, doing nothing but staring at us, observing us, all day, every day. What makes you think the effect of a surveillance camera is much different?
And, frankly, if you need to monitor to see whether your employees are wasting time, then maybe your problem isn't your employees. Chances are, you're either producing nothing, or you don't know how to measure what you produce.
Some employers think that they have to monitor to protect against liability in harassment claims.
My response to that is, look at the law. Employers are liable for harassment if they haven't exercised due diligence to prevent it.
Due diligence, to my knowledge, has never been interpreted as extending to wholesale monitoring of the workforce. You're not going to be dinged for liability because you refused to treat all your employees like suspects and install computer monitoring software.
Preventing harassment is a lot more common-sense and a lot less technologically wondrous than that. Get yourself a decent harassment policy, and make sure that your employees are trained and sensitized on harassment and discrimination issues.
When I see employers so ready to chuck employees' privacy rights out the window, I want to ask them, have you lost confidence in your judgment?
Do you really believe that employees will cheat you and harass each other unless you treat them like unruly prisoners? Do you really need to treat all your employees as suspects, just to catch some and dissuade the rest? Yes, you can monitor people, but should you?
It's not too late to preserve privacy in the workplace, but we are at a crossroads. We have to decide what kind of world we want to live in and leave for our children and our grandchildren.
Technology isn't going to limit our ability to invade privacy any more. We have to impose our own limits.
I think we've made an important decision as a society. We've decided to impose those limits. We've enacted legislation that requires employers to justify their collection, use, and disclosure of personal information.
The standard for justification, the "reasonable person" standard, is going to give us all some interesting challenges as we interpret it. But, to my mind, it's the key to the Act. It's what makes it more than just a data protection statute. It's what establishes, not just fair information practices, but a right of privacy in the workplace.
It's a right that I believe will serve us all well - as individuals, as employers, and as a society. And together, we can make its recognition in practice work smoothly, effectively and painlessly.