Privacy issues and trends in labour and employment matters
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
McCarthy Tétrault Labour and Employment Law Conference
October 4, 2002
Privacy Commissioner of Canada
(Check Against Delivery)
I've often said that privacy will be the defining issue of this decade. The choices we make today will quite literally determine what kind of world we leave for our children and grandchildren. That most certainly applies in the context of labour and employment law. I can't imagine anywhere that our rights need to be more respected than in the workplace, where we spend so much of our time and where so much of our lives are defined.
Privacy is harder to safeguard and easier to violate nowadays than it has ever been before. The technologies of drug testing, video surveillance, biometric identification, or electronic monitoring of computer use-to mention only a few-give today's employers enormous power to limit and invade privacy, power they may well not want.
And they're under more pressure than ever to reduce privacy in the workplace. Every day someone is telling them that failure to monitor every keystroke on a computer puts them at risk for productivity losses, harassment complaints, and loss of intellectual property. They're continually told to be careful about employing someone whose health status or genetic makeup might affect the employer's insurance premiums. They're urged to do their part in the war on drugs by urine-testing their employees. And, particularly since last year's terrorist attacks, they're under pressure to conduct extensive and intrusive inquiries into their employees' backgrounds.
I've talked to a lot of employers and their representatives over the past couple of years, and I've found that many of them are uncomfortable with all of this.
I know the idea that employees have rights to privacy in the workplace is foreign to some people.
My view is that employees have a fundamental, inherent right to privacy in the workplace.
That right has been affirmed in the Personal Information Protection and Electronic Documents Act.
This Act already applies to some of you, if your businesses are federally regulated. But even if it doesn't apply, you need to look at it carefully. It contains provisions that are common to privacy and data protection laws worldwide. A similar law may well apply to your companies' employment and labour relations down the line.
It makes sense that Parliament would assure a right of privacy in the workplace. We don't hang up our fundamental rights along with our hats and coats when we step through the door of the office or factory.
And privacy-our right to control access to ourselves and to information about ourselves-is as fundamental a right as they come. It's recognized as such in the United Nations' Universal Declaration of Human Rights and in many other international treaties and covenants. It's a basic building block of constitutions of democratic countries worldwide.
That's because there can be no real freedom without privacy. In fact, many have suggested that privacy is the right from which all freedoms flow-freedom of speech, freedom of association, freedom of thought, just about any freedom you can name.
Privacy is not only an individual right-it's also a shared value, a social, public good. Our society as a whole has a stake in the preservation of privacy, because it's a critical element of a free society. A free, open and democratic society in which we all have the autonomy to fulfil ourselves cannot survive unless the right to privacy is respected. As former Supreme Court Justice La Forest put it, "privacy is at the heart of liberty in a modern state. Grounded in man's physical and moral autonomy, privacy is essential for the well-being of the individual..but it also has profound significance for the public order."
I said earlier that privacy is the defining issue of this decade. That's because we are at a crossroads. We're living in a time when technological, social, and political developments threaten our privacy at every turn. We have to choose how we will respond to these developments. If the choices we make allow privacy to be destroyed, freedom will be destroyed with it.
That brings me to the Personal Information Protection and Electronic Documents Act, or PIPED Act, as we call it.
As far as employment goes, the Act only applies to federal works, undertakings or businesses-primarily banks, airlines, telecommunications companies, broadcasters, and transportation companies.
Most of you, I am sure, will be aware that eventually the Act will apply to personal information collected, used, or disclosed in all commercial transactions in Canada, except where substantially similar provincial laws apply. But this extension of the Act only covers commercial transactions, not employment. The Act won't apply, ever, to personal information about employees in the provincially-regulated private sector.
But, as I said earlier, it's important to understand the Act even if it doesn't apply to employment in companies you represent. The Act is based on international data protection standards, incorporated around the world into voluntary codes and privacy laws. The same principles are found in Quebec's legislation, which applies to provincially-regulated employment. Ontario, Alberta, and British Columbia all appear to be moving in a similar direction. So, whether it's the federal law or a similar provincial statute, this is likely to be the lay of the land for employment in many parts of Canada, and possibly all of Canada. The principles in the Act should serve as the bedrock of your privacy practices in labour and employment matters.
So let me turn now to the PIPED Act's purpose and provisions, and how it affects employment in organizations subject to it.
The Act is intended to balance individual privacy rights with the needs of businesses to collect, use, and disclose personal information.
What the Act says can be summed up as follows:
If an organization covered under the Act wants to collect, use, or disclose information about its employees or prospective employees, it needs their consent, except in a few specific and limited circumstances.
It can use or disclose personal information only for the purpose for which the employees gave consent when the organization collected it.
Even with consent, the organization has to limit its collection, use, and disclosure of personal information to purposes that a reasonable person would consider appropriate in the circumstances.
Individuals have the right to see the personal information that the organization holds about them, and to correct any inaccuracies.
There's oversight, through me and my Office, to ensure that the law is respected, and redress if people's rights are violated.
So those are the broad outlines of the Act. Now, what does it mean for employers?
The two central principles of the Act are consent and the reasonable person test.
Consent-the simple notion that if you want to collect, use or disclose information about someone you need his or her permission-is at the heart of privacy, and is the basis of data protection codes and statutes worldwide.
The Act allows the collection, use or disclosure of personal information without consent in certain very limited circumstances-in a life-threatening emergency where consent cannot be obtained, for example, or in the investigation of breaches of agreements or laws. Other than in these narrow circumstances, an employee or potential employee has the right to control his or her personal information by exercising the power of consent.
That means that an employer who wants to collect, use or disclose the personal information of employees or potential employees has to respect their privacy by getting their consent.
At first glance, that might appear to be unworkable. The employer has obvious information needs-an address or post-office box to mail T-4 slips, for instance, and a social insurance number to meet government requirements. To employ someone, an employer has to get information about that person's education and work experience, and verify it. And in an employment relationship, there's an obvious need for an employer to collect and use information about the employee's work performance, attendance, and potential for advancement. Some employers might ask, how can we possibly run a business when we have to be asking permission for these things all the time? And what happens if someone refuses to consent?
Nobody can be forced to consent-"compulsory consent" is clearly an oxymoron. But at the same time, sometimes you have to agree to give up some personal information in order to get something. If you want a magazine subscription, you have to provide information about where to send the magazine. If you want a bank loan, you have to give up some information showing your ability to repay it. And if you want life insurance, you have to give up some personal health information so that your actuarial risk class can be determined.
It's no different in employment. If you want a job, you have to accept that it will entail giving up some information about your education and work experience. If you want to keep the job, you have to accept that some information about your performance and attendance is going to be collected, used, and disclosed. You don't have to consent. But if you want to get and keep a job, you would be foolish not to.
That's only common sense. It's reasonable.
But the employer doesn't have the same obvious need for other sorts of personal information-your religion, for instance, or your sexual orientation, or your personal financial circumstances.
So what's to stop an employer from requiring people to consent to these things? What if people are told to choose between having their privacy and having a job?
This, of course, is where consent becomes complicated-when there is an unequal playing field, where there are imbalances of power. As critical as consent is to the notion of privacy, it's not enough.
That's where the other fundamental principle of the Act comes in: the reasonable person test. That's why the PIPED Act states right at the outset-in section 3, the statement of purpose-the principle that organizations may collect, use, or disclose personal information "only for purposes that a reasonable person would consider appropriate in the circumstances."
This means that an employer can't require consent to something unreasonable as a condition of employment. The request that the employee give up some control of his or her personal information-in other words, give up some of his or her privacy-has to be appropriate under the circumstances.
Obviously, the expression "under the circumstances" is critical.
A person whose work requires free access to highly sensitive, secret information-one of my investigators, for example-may need to get a top-secret security clearance. That's a highly privacy-invasive process that includes thoroughly investigating your past life and your family connections, and even interviewing your friends and past employers.
But it's appropriate to the circumstances of a position like that. An employer could reasonably require consent to this process as a condition of employment in that position.
On the other hand, it wouldn't likely be appropriate for a construction worker or a TV journalist. Maybe a construction worker or TV journalist would be prepared to consent to it anyway. But for an employer to require that they consent to it, as a condition of employment, it would have to be justified.
Similarly, intrusive employee surveillance might be appropriate in workplaces where the risks and temptations are exceptionally great-for instance, in a banknote company that actually manufactures money. They're unlikely to be appropriate in the offices of an average business such as an insurance company, for instance.
What I'm saying is simple enough: in employment, as in other aspects of life, sometimes you have to give up some privacy in order to get what you want. But that doesn't mean that employers are free to say, "You can't work for us unless you consent to give up your privacy rights." Privacy is a fundamental right, and fundamental rights cannot be extorted away, or contracted away under duress.
Let me turn now to a couple of my findings in employment-related complaints under the Act, and suggest some guidance that can be drawn from them.
One complaint arose where a truck driver was required by his employer, an international trucking company, to fill out a registration form for the Canada Customs and Revenue Agency's new Customs Self-Assessment Program, and return it to the company.
The driver didn't want his employer to have access to the personal information that he had to provide on the registration form. He wanted to give the CCRA form directly to the CCRA. So he refused to return the form to the company. The employer told him, return the form to us or we terminate your employment.
I concluded that this complaint was well-founded. The Act requires that collection of information be limited to what's necessary for the organization's purposes. Yes, it was necessary for the driver to complete an application for the program. But it was the CCRA that needed the form, not the employer. So there was no need for the information to be returned to the employer, as long as it was returned to the CCRA.
And the Act requires that information be collected by fair and lawful means. Well, the company threatened the employee with dismissal if he didn't hand the information over. That doesn't meet any kind of fairness test, when the employer has no right to the information in the first place.
This was a case of an employer getting itself into unnecessary trouble. All that was required was a basic respect for the employee, a good hard look at who required what information, and a recognition that the best way to get something is to ask for it and explain why you need it. If the company had taken that approach, it wouldn't have wound up where it did.
Another complaint illustrates some of what I said earlier about the two central principles of the Act, consent and the reasonable person test.
Employees of a nuclear products facility complained to me that the company was requiring them to consent to the collection of personal information-specifically, a security clearance check. They were told that if they did not consent they would lose their jobs or be transferred.
You'll recall what I said about compulsory consent. The Act protects against it, by requiring that an employer only collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate. In short, an employer can make consent a condition of employment, but only if it's consent to something reasonable and appropriate.
So in this case, the key question was, would a reasonable person consider it appropriate in the circumstances for the company to collect personal information from employees for the purpose of conducting security clearances?
The company's nuclear products division is licensed by the Canadian Nuclear Safety Commission, or CNSC. Without that licence, it can't produce nuclear fuels.
In November 2001, the CNSC ordered that its licensees not permit any person to enter or remain in a licensed facility without a security clearance.
The company advised its employees of the new requirements, and provided them with consent forms. Their bargaining agent negotiated an agreement whereby any employee who did not pass the security check could transfer to another division, though not necessarily at the same job level.
The complainants argued that their consent to the collection of their personal information was not meaningfully voluntary, since if they did not give consent, they could lose their employment entirely.
My conclusion was that a reasonable person would consider it appropriate in the circumstances for the company to collect this personal information from its employees.
Given concerns about possible acts of terrorism at nuclear facilities, it was reasonable that the CNSC would impose an enhanced security requirement on its licensees.
And it was also reasonable that the company would comply with the CNSC requirement. The alternative would be for it to lose its licence to produce nuclear fuels-which, of course, might have led it to lay-off the complainants.
The employer had made consent a condition of employment, but it was consent to something reasonable-something that, in these particular circumstances, was an unavoidable condition of the employment relationship, like a name or a Social Insurance Number.
I'd like to conclude today with a suggestion for a general approach to employment privacy issues that you may be dealing with-things like electronic surveillance, video surveillance, drug testing, and medical privacy. Don't think of these as advance rulings, because I have to decide complaints on a case-by-case basis. But think of it as guidance. I think that, if you take this approach, you may find you don't have to deal with complaints.
Privacy, in the workplace or anywhere else, is not an absolute right, and there are times when an infringement of privacy is justified. So how do you determine whether it is or not?
I suggest that you adopt the approach that I have used often in assessing the actions of the state. It applies equally well to employment situations.
Any proposal to curtail or limit privacy must in my view meet four tests: it must be demonstrably necessary to meet a specific need, it must be likely to be effective in meeting that need, the loss of privacy must be proportional to the benefit gained, and there must be no less privacy-invasive way of achieving the same end.
I've used these tests to analyze legislative and administrative decisions. They work equally well applied to employment practices.
Take a specific example: monitoring employees' Internet and e-mail use. This is apparently increasing about twice as fast as the number of employees with Internet access, as the cost of the monitoring software drops.
This is an infringement of privacy, no less so than searches of desks, lockers, clothing and personal effects. Just the fact of electronic surveillance is very destructive of the employee's sense of privacy and autonomy.
So, to see if it's justified, you need to ask first if it's demonstrably necessary to meet a specific need.
The usual concerns that employers cite are productivity, release of confidential material, and liability for the content of messages or web material.
These aren't trivial concerns. Employers have to be able to be able to ensure that their employees are not shopping on-line when they're supposed to be working. They have to be able to secure intellectual property. They have to protect themselves against liability for everything from defamation to harassment in the workplace.
If an employer demonstrates specific problems in any of these areas, it may well have met this first test.
But don't be satisfied with speculative risks or generalizations about "the potential for a problem." You need to demonstrate the existence of a real and specific problem.
If that first test is met, the next step is to show that the proposed infringement of privacy is likely to be an effective means of addressing it.
Is electronic monitoring of on-line activities effective? It depends on what you mean by "effective." If your goal is catching people, it's effective. If your goal is a healthy and productive workplace where people can make the best use of the electronic tools available to them, it's less effective.
What about the third test, proportionality? That depends on the magnitude of the problem and the way you've defined the end you're trying to achieve. But often, electronic monitoring is a sledgehammer used to swat a fly.
Remember, we're talking about that complete absence of privacy that results from knowing that your activities and statements may be observed or recorded at any time. People who've lived in prisons, and in police states, tell us that it's this very thing that's most oppressive.
Finally, is there a less privacy-invasive way of achieving the desired ends? There is, if the end is something more than catching people.
Employers should have clear policies on the appropriate use of e-mail and Web use. If some employees are wasting time, there's a whole range of traditional management techniques at the employer's disposal. An effective harassment policy and appropriate training are the best means to prevent harassment.
And if some electronic monitoring and surveillance is necessary, employers should try to do it without infringing privacy more than absolutely necessary. They should choose the least privacy-invasive alternative first, and only move to something more privacy-invasive if the first doesn't work.
Whatever the privacy infringement-drug testing, background checks, video surveillance, or physical searches-employers need to ask these questions.
Respecting privacy in the workplace imposes requirements on employers. They have to focus on who really needs to know what. They have to know what personal information they collect and what they do with it. They have to be honest with themselves about what they need to know, and restrain their curiosity sometimes.
That's a challenge. But it's also, quite simply, good business practice. A workplace staffed by satisfied employees whose privacy rights are respected by the employer is a productive workplace. Your companies will gain competitive advantage from that. And we'll all be better off for it, because you will have helped to protect a fundamental right at the heart of our freedoms-the right to privacy.
- Date modified: