Workplace Privacy in the Age of the Internet
University of Toronto Centre for Industrial Relations and Lancaster House Publishing
5th Annual Labour Arbitration Conference
November 2, 2001
Privacy Commissioner of Canada
Excerpt of Address
(Check Against Delivery)
Let me turn to the question of privacy in the workplace, because, like privacy in society as a whole, it's going to be radically challenged as a result of the attacks of September 11.
In any workplace, employers have obvious and legitimate needs for personal information about their employees. The needs include knowing your employees and knowing what they do.
Employers need to know their employees. That means things like knowing the education and work experience of the people they are thinking of hiring, or knowing enough about their employees to pay them and comply with legislation - their social insurance numbers, for example.
And employers need to know what their employees do. Obviously, that includes things like their employees' work performance and attendance, but it also includes work-related activities of employees that might be, or might be imagined to be, illicit, dangerous, or a threat to the employer.
The limit on both these information needs is employee privacy.
Employees don't renounce their right to privacy when they enter the workplace. Privacy doesn't disappear when we leave our private homes and go into public space or someone else's private space. My definition of privacy is the right to control access to one's person and to information about oneself. You carry a core of privacy with you, wherever you are. Your privacy can be violated when someone listens in on your telephone conversation. Or when your employer looks into things that are no one's business but your own.
Just as employees have a right to be free of unjustified searches of their desks, lockers, clothing or personal effects, so they have a right to a reasonable level of privacy with respect to things like private communications or the expression of their thoughts. Yes, they are on the employer's premises, using the employer's equipment, on the employer's time. And, yes, they have to be accountable. But they do not renounce their right to a certain core of privacy that they carry with them at all times.
Privacy in the workplace is not an absolute right, any more than in the rest of society. And that's especially the case since the September 11 attacks.
One of the results of September 11th is going to be that we're all going to be more suspicious of each other. And naturally that means that more employers are going to be more suspicious of their employees.
There's going to be an increased emphasis on security in workplaces in response to the threat of terrorism. That will entail some limitations on privacy. A lot of employers are going to feel that they need to know more about their employees, and about what they do.
Knowing the employees may start to extend to things like detailed information about an employee's background, biometrics, and genetic information.
We're likely to see more emphasis on background checks for new hires, and reinvestigation of the backgrounds of existing employees. It's an obviously intrusive, privacy-invasive process that in some cases is more justified than others.
Don't succumb to hysteria. Not every workplace is a great target for terrorists. Certainly in some industries this heightened level of scrutiny is going to be justified. Things like airlines and airports, nuclear power plants, and shipping of hazardous materials are obvious examples.
But don't assume the worst and treat every employee as a potential terrorist. Companies need to apply tests I have mentioned: is there a problem, will violating privacy fix it, is the problem sufficiently grave that it justifies the level of privacy violation, and is there a less privacy-invasive way?
I'm not denying the possibility that terrorism can come from an unlikely source or direction. We know that that's the nature of terrorism.
But life can't be risk-free, and you've got to accept that. All we can do is manage risk. You have a limited amount of resources to put into background checks. You have to focus on the degree of risk: the likelihood of something happening, and the damage caused if it does. An example of high risk in today's circumstances, for example, would be airline or airport employees. But clerks in Walmart? They're probably low-risk.
And while you may have determined that you need to do a background investigation of someone, make sure that what you are looking at is genuinely related to your security concerns. The term "background check" can include anything from a person's driving record, to their history of bill payments, to the details of their divorce. Don't look for things that you don't need to know. Make sure that you can defend your decision.
Another aspect of knowing more about your employees is the various schemes for employee identification and access control - the means that an employer uses to ensure that only authorized employees get into the workplace or certain sections of it.
Traditionally, that's done with identification cards and keys. There's a widespread sentiment that that's not secure enough. Some people argue that to be really sure that the person gaining access to the workplace is really who he or she claims to be, we need a biometric - a retinal or iris scan, a thumbprint, a facial analysis.
There are a lot of privacy problems with biometrics. I've opposed them in all kinds of situations, primarily when they're proposed for national identification cards or health insurance smart cards.
In the context of employee identification and access control, I think that biometrics can cause all kinds of obvious problems. You've got to guard against the use of the biometric information for purposes other than you collected it for. You've got to make sure that it's stored securely. You've got to keep it from being merged with other information and used by other agencies.
The more widespread the use of biometrics became in the workplace, the more likely it would be that there would be breaches of privacy in one or more of these regards. That being said, there are instances where security has to take precedence over privacy.
This means that the use of biometrics has to be subject to rigorous justification. Does it make sense for controlling access to a nuclear power plant? Sure. Do you need it to identify employees in an insurance office? I would take a lot of persuading.
"Knowing your employees" takes us into even more dangerous territory when we talk about employers collecting genetic information.
Most of the focus on this has been on the possible use of genetic information to discriminate. I and many other privacy advocates have spoken out against employers or insurers having access to genetic information. No one should be denied insurance or employment opportunities simply on the basis of some genetic trait.
But an equally important area is the use of genetic information for identification purposes.
That's something that is used by the criminal justice system in Canada. Its use in that context is strictly limited, because it's recognized that this is very intimate, powerful personal information.
But in the U.S., security concerns have led to private investigators conducting DNA testing of large numbers of workers - "genetic dragnets" - in at least a half dozen private firms. In one such case, it was done to identify who had sent a threatening letter. If we see more anthrax letters, the temptations may become great for firms to undertake this.
This is such a potentially explosive issue that I recommend you not even consider it. Leave it, in the very rare circumstances where it may appear appropriate, to law enforcement authorities.
So those are questions about knowing your employees, and some of the tensions around them that we can see coming up as a result of the threat of terrorism. What about the question of what employees do?
Obviously, employers have a legitimate interest in knowing what their employees are doing. They pay their employees to work, they've got responsibilities for their employees' health and safety, they've got liability for what their employees do on the job.
But what we see too often is the assumption that any information can be collected and used because it might be helpful, now or at some point in the future.
It used to be that curiosity was contained by the limits of technology: there was no point in an employer collecting more information than could be analyzed.
But that technological limitation is rapidly vanishing. Information technology has revolutionized our ability to sort, collate, analyze, and draw conclusions from vast amounts of disparate data.
This has led to an explosion of random and generalized surveillance in workplaces. That can be things like video surveillance, and I'll talk about that in a moment. But the most striking is electronic surveillance of computer, e-mail, and Internet use.
Some of you may know about the study of electronic workplace surveillance released last July by the Privacy Foundation, a non-profit organization based in Colorado.
The study looked at surveillance of the so-called on-line workforce, employees who regularly use Internet or e-mail at work. In the U.S., that's about 30% of the workforce, a figure that's estimated to be roughly the same here.
They found that in the U.S., 14 million employees - 35% of the on-line workforce - have their Internet or e-mail use under continuous surveillance.
These are not spot checks or directed examinations of employee activities, based on actual suspicion. This is continuous, generalized monitoring of all employees - a dragnet of Orwellian scale.
The most chilling finding of the study was that this kind of employee monitoring has been increasing about twice as fast as the number of employees with Internet access. And what seems to be behind that is that the cost of the monitoring software is dropping like a stone.
Now, there are two complications of this that I see coming up in the post-September 11 environment.
First, there is quite simply going to be more pressure for surveillance - certainly in sensitive industries and positions, but maybe anywhere that employees have Internet access.
There's a widespread sentiment that Internet communications have to be monitored.
The usual reason that employers cite for generalized electronic monitoring and surveillance is that they're concerned about employees wasting time, about release of confidential material, and about liability for the content of messages or web material. Now, that's going to be buttressed, in some employers' minds, with the need to monitor for security purposes.
My response to this is the same as it's always been. Directed, suspicion-based inquiry is preferable to wholesale monitoring and violation of privacy. A targeted investigation based on reasonable suspicion is not only less privacy-invasive, it's more effective.
But the complication, and the second aspect of the problem, is this: Targeted investigation based on reasonable suspicion can too easily be misunderstood to mean racial, ethnic, or religious profiling of employees.
And while you might be tempted to achieve your profiling by asking questions, be aware that just finding out people's ethnic origins and religion is a privacy minefield, involving you in questions you can ask only with the strongest justification.
Employers also need to guard against unauthorized privacy violations by employees themselves.
Your employees might think that they can alleviate their security concern by inquiring into the private lives of their co-workers.
It's important that they know that they don't have the right to do so. Employers have a responsibility to protect their employees from the snooping and undue scrutiny of co-workers. Your employees have a right to privacy, and it applies across the board - it has to be respected by the employees themselves, as well as by management. If your employees perceive something suspicious, they should report it - not turn themselves into self-appointed members of CSIS.
Another way of knowing what your employees are doing, one I mentioned a moment ago, is video surveillance.
I think it's likely that we'll see increased video surveillance of private property - parking garages, lobbies, elevators, and common areas of workplaces, for example - as a response to increased security concerns.
Video surveillance is extremely privacy-intrusive. It's the very opposite of a directed, suspicion-based search. It sweeps everything in. Anyone under the watchful eye of the video camera knows that everything they are doing - effectively, their whole being - is being recorded and scrutinized.
The tests that I mentioned - necessity, effectiveness, proportionality - have to be rigorously applied. If you have a real problem that you can address through video surveillance of your employees, and only through video surveillance, then you may be justified. Otherwise, don't do it.
The issue of knowing what your employees are doing becomes especially tricky when the employees work from their own homes. This has potentially great privacy implications.
Some of you will remember the uproar in the U.S. a couple of years ago when the federal government tried to impose the occupational health and safety standards that applied in offices to people working at home. In the end the plan was abandoned. Whatever you think of that - and it meant that teleworkers are denied protections that they would have in the office - it highlights the problem of distinguishing work from home.
Since the attack on the World Trade Center, a lot of employers are rethinking whether they want their workforces massed in large, centrally located buildings. A lot of them are saying that security will necessarily entail more decentralization of work. If that happens, some of it will be accomplished through "satellite" offices, but a lot will probably be telework.
Telework blurs the line between work and home. That gives it the potential to bring into the home a level of surveillance that we might consider normal at work, but would consider excessive and intrusive in our private lives.
By its very nature, telework probably demands more monitoring and surveillance than centralized work. That's because an employer doesn't have the normal means of knowing whether an employee puts in time for the hours he or she's paid - there's no timeclock or equivalent. And the employer can't rely on "management by walking around" to ensure that the employee is actually working when he or she is at work.
And because there's often no clear separation in the home of work and private space, any scrutiny of the workplace, through video cameras or Webcams, will almost certainly capture private space and activities.
I know a lot of you represent unions. If decentralized work through telework really makes your members safer than working in a central office, you may be more supportive of telework than unions have been in the past. But both labour and management should be aware of the possibility of it leading to significant privacy violations.
So what does the Personal Information Protection and Electronic Documents Act say about workplace privacy, especially in the current context of the war on terrorism?
The fundamental principle of the act is that organizations may only collect, use, and disclose personal information for purposes that a reasonable person would consider appropriate.
This is the essence of privacy in the workplace, the place where we spend most of our lives. We need to protect and preserve privacy there as we do in every aspect of our lives.
We're living now in a world where our most basic rights, freedoms, and values have been attacked. Privacy is at the heart of those freedoms and values. The challenge for us, as a society and as individuals, is to reaffirm privacy and our freedoms, and fortify them.