Workplace privacy in the age of the Internet

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

PIPSC Regional Steward Council of Ontario

October 4, 2002
Toronto, Ontario

George Radwanski
Privacy Commissioner of Canada

(Check Against Delivery)


I've often said that privacy will be the defining issue of this decade. That most certainly applies in the workplace. I can't imagine anywhere that our rights need to be more respected than in the workplace, where we spend so much of our time and where so much of our lives are defined.

Workplace privacy is harder to safeguard and easier to violate nowadays than it has ever been before. The technologies of drug testing, video surveillance, biometric identification, or electronic monitoring of computer use-to mention only a few-offer enormous power to reduce or even virtually wipe out privacy.

This may well be power that employers don't want. Among the many groups I've met with since becoming Privacy Commissioner, there have been a lot of employer representatives and management-side lawyers. I can tell you that many of them are uneasy with the idea of eradicating privacy in the workplace.

But they're under continual pressure to do pretty much that. Every day someone is telling them that they should monitor every keystroke on their computers or else risk productivity losses, harassment complaints, and loss of intellectual property. They're cautioned about employees whose health status or genetic makeup might affect their insurance costs. They're urged to do their part in the war on drugs by urine-testing their employees. And, particularly since last year's terrorist attacks, they're under pressure to conduct extensive and intrusive inquiries into their employees' backgrounds.

What I want to do today is give you my view of what an employer's obligations are with respect to the privacy of employees. For you, as employee representatives, this is an important issue. You will, I am sure, have occasion to represent employees who believe that their right to privacy has been infringed. You will often counsel employees on what privacy they can expect in a workplace. And you may on occasion find yourself trying to mediate between an employer and your member, trying to find that middle ground between the employer's need to ensure a safe and productive workplace and the employee's right to privacy.

The relevant privacy protection legislation for you as public service employees is the Privacy Act, so I'll talk about how it protects employee privacy. I'll also make reference to the federal privacy law for the private sector, the Personal Information Protection and Electronic Documents Act, or PIPED Act, as we call it. Since it's a more recent statute, and its drafters were able to draw lessons from 15 years of the Privacy Act, it's in some ways more advanced. Finally, I'll use the example of electronic surveillance of computer use to suggest a general approach to issues of workplace privacy.

The idea that employees have rights to privacy in the workplace is, unfortunately, still foreign to some people. There are still some people who argue that, if you're using the employer's equipment on the employer's time and premises, you have no reasonable expectation of privacy. And some people still think that if there is any reasonable expectation of privacy, it can be eliminated-the employer just tells you not to expect any privacy, and that's that.

My view is that employees have a fundamental, inherent right to privacy in the workplace. That's also the view of judges and arbitrators who have long recognized that employees have specific, defensible rights to privacy-privacy of their personal communications, privacy of their lockers and desk drawers, privacy of their personal effects.

It's also a view that is supported by both the Privacy Act and the Personal Information Protection and Electronic Documents Act.

It makes sense that Parliament would pass laws to secure privacy in the workplace. We don't hang up our fundamental rights along with our coats when we step through the door of the office or factory.

And privacy-our right to control access to ourselves and to information about ourselves-is as fundamental a right as they come. It's recognized as such in the United Nations' Universal Declaration of Human Rights and in many other international treaties and covenants. It's a basic building block of constitutions of democratic countries worldwide.

That's because there can be no real freedom without privacy. In fact, many have suggested that privacy is the right from which all freedoms flow-freedom of speech, freedom of association, freedom of thought, just about any freedom you can name.

I said earlier that privacy will be the defining issue of this decade. That's because we are at a crossroads. Technological, social, and political developments threaten our privacy at every turn. We have to choose how we will respond to these developments. If the choices we make allow privacy to be destroyed, freedom will be destroyed with it.

So what does the Privacy Act have to say about the right of privacy in the workplace?

Like privacy and data protection statutes worldwide, it deals with the collection, use, and disclosure of personal information. And it says what they all say, in one way or another. Except in specific and limited circumstances, a government institution must collect an individual's personal information directly from that individual. And except in specific and limited circumstances, it needs the individual's consent to use or disclose personal information. It can generally use or disclose personal information only for the purpose for which it collected the information in the first place, or for a consistent purpose. And individuals have the right to see the personal information that the government institution holds about them, and to correct any inaccuracies.

As with any good privacy and data protection scheme, there's oversight to ensure that the law is respected. That's the role I and my Office play.

Fundamentally, the Privacy Act ensures that personal information-handling practices in the workplace are lawful, transparent, and reasonable. So an employee or potential employee has basic rights to control his or her personal information-basic rights to privacy.

That doesn't mean that the Act makes it impossible for government institutions to manage. As an employer, a government institution has obvious information needs-an address or post-office box for T-4 slips, for instance, and a social insurance number to meet the requirements of the tax and social benefits systems. To employ someone, an organization has to get information about that person's education and work experience, and verify it. And there's an obvious need for an employer to collect and use information about its employees' work performance, attendance, and potential for advancement.

So if these are all necessary to employing someone, does the organization have to be asking permission from the employee all the time? And what happens if someone refuses?

Most of the time common sense prevails. It's easy enough to see and to accept that sometimes you have to give up some personal information in order to get something.

If you want a magazine subscription, you have to provide information about where to send the magazine. If you want a bank loan, you have to give up some information showing your ability to repay it.

It's no different in employment. If you want a job, you have to accept that it will entail giving up some information about your education and work experience. If you want to keep the job, you have to accept that some information about your performance and attendance is going to be collected, used, and disclosed.

That's only common sense. It's reasonable.

But the employer doesn't have the same obvious need for other sorts of personal information-your religion, for instance, or your sexual orientation, or your personal financial circumstances.

So what's to stop an employer from collecting information like this? What if people who object to it are told to choose between having their privacy and having a job?

As always, things becomes complicated when there's an unequal playing field, a power imbalance.

That's where a fundamental principle of privacy protection comes in: purpose limitation. In the private sector law, the Personal Information Protection and Electronic Documents Act, it's known as "the reasonable person test." That Act is based on the principle that organizations may collect, use, or disclose personal information "for purposes that a reasonable person would consider appropriate in the circumstances."

The language of the Privacy Act is a little different. The Privacy Act says that personal information collected by a government institution has to relate directly to an operating program or activity of the institution. Interpreted literally and ungenerously, that's a lot less than what the private sector law requires. Fortunately, Treasury Board, which is responsible for the administration of the Act, stipulates in its policy guidance that no more information be collected than is necessary to carry out a program or activity. That's also the way I interpret the Act.

This means that an employing department can't require something unreasonable as a condition of employment. The request that the employee give up some control of his or her personal information-in other words, give up some of his or her privacy-has to be appropriate under the circumstances.

Obviously, the expression "under the circumstances" is critical.

A person whose work requires free access to highly sensitive, secret information-one of my investigators, for example-may need to get a top-secret security clearance. That's a highly privacy-invasive process that includes thoroughly investigating your past life and your family connections, and even interviewing your friends and past employers.

But it's appropriate to the circumstances of a position like that. An employer could reasonably require that an individual go through this process as a condition of employment in that position.

On the other hand, it wouldn't likely be appropriate for a maintenance worker or a manager of a regional HRDC office. Maybe a maintenance worker or an HRDC manager would be prepared to undergo it anyway. But for a department to require that they undergo it, as a condition of employment, it would have to be justified.

Similarly, intrusive employee surveillance might be appropriate in workplaces where the risks and temptations are exceptionally great-for instance, in the Royal Canadian Mint. They're unlikely to be appropriate in other offices where there aren't those exceptional temptations.

What I'm saying is simple enough: in employment, as in other aspects of life, sometimes you have to give up some privacy in order to get what you want. But that doesn't mean that employers are free to say, "You can't work for us unless you give up your privacy rights." Privacy is a fundamental right, and fundamental rights cannot be extorted away, or contracted away under duress.

So, when can you be required to give up privacy? I'd like to suggest a general approach to this question, one that I hope will help you in addressing difficult employment privacy issues like electronic surveillance, video surveillance, drug testing, and medical privacy. This is guidance, not an advance ruling-I decide complaints on a case-by-case basis. But I think that this approach is a good one.

I'm going to focus specifically on the issue of monitoring and surveillance of employees' Internet and e-mail use. The issue is one that I'm sure you're familiar with, which is why I chose it. But I want to stress that the approach I'm suggesting applies to any infringement of privacy, not just to this kind of surveillance.

Monitoring and surveillance of Internet and e-mail is a very significant privacy issue, if only by virtue of its prevalence. Some of you may know about the study, released just over a year ago by the Privacy Foundation, of electronic surveillance of the on-line workforce-employees who regularly use Internet or e-mail at work. In the U.S., that's about 30% of the workforce, and it's estimated to be about the same in Canada.

In the U.S., 14 million employees-35% of the on-line workforce-have their Internet or e-mail use under continuous, generalized surveillance. The number has been increasing about twice as fast as the number of employees with Internet access, as the cost of the monitoring software drops.

This is an infringement of privacy, no less so than searches of desks, lockers, clothing and personal effects. Monitoring and surveillance of employees' e-mails and web browsing is collection and use of employees' personal information. Not all of the information will be personal, but some of it will be. The personal information collected can be sensitive-especially if, as is usually the case, the employer allows some personal use of the e-mail system and some personal Web browsing, on lunch breaks for example. Even where that's not the case, just the fact of electronic surveillance, either random or continuous, is very destructive of the employee's sense of privacy and autonomy.

But privacy in the workplace or anywhere else is not an absolute right, and there are times when an infringement of privacy is justified. So how do we determine whether it is or not?

My approach is the same as the one that I have used often in assessing the actions of the state with respect to public security issues like video surveillance, mail-opening, and collection of information about air travellers.

Any proposal to curtail or limit privacy must meet four tests: it must be demonstrably necessary to meet a specific need, it must be likely to be effective in meeting that need, the loss of privacy must be proportional to the benefit gained, and there must be no less privacy-invasive way of achieving the same end.

I've used these tests to analyze legislative and administrative decisions of government. They work equally well applied to employment practices.

So, to see if electronic surveillance of employees' Internet and e-mail use is justified, I would ask first if it's demonstrably necessary to meet a specific need.

The usual concerns that employers cite are productivity, release of confidential material, and liability for the content of messages or web material.

These aren't trivial concerns. Employers have to be able to ensure that their employees are not shopping on-line when they're supposed to be working. They have to be able to secure intellectual property. They have to protect themselves against liability for everything from defamation to harassment in the workplace.

If an employer demonstrates specific problems in any of these areas, it may well have met this first test.

But I always urge employers not to rely on speculative risks or generalizations about "the potential for a problem." I think you should reasonably expect an employer to demonstrate the existence of a real and specific problem.

If that first test is met, the next step is to show that the proposed infringement of privacy is likely to be an effective means of addressing it.

Is electronic monitoring of on-line activities effective? It depends on what you mean by "effective." If the goal is catching people, it's effective. If the goal is a healthy and productive workplace where people can make the best use of the electronic tools available to them, it's less effective.

What about the third test, proportionality? That depends on the magnitude of the problem and what the surveillance is intended to achieve. But often, electronic monitoring is a sledgehammer used to swat a fly.

I don't want to overstate my point. Monitoring and surveillance can be limited and targeted, and usually are. But I think we have to be very cautious about the tendency to monitor everything that moves. People who've lived in prisons, and in police states, tell us that it's this very thing that's most oppressive.

Finally, is there a less privacy-invasive way of achieving the desired ends? There is, if the end is something more than catching people.

I think you should expect employers to have clear policies on the appropriate use of e-mail and Web use. If some employees are wasting time, there's a whole range of traditional management techniques at the employer's disposal. As for liability for harassment, an effective harassment policy and appropriate training are the best means to prevent that.

And if some electronic monitoring and surveillance is necessary, employers should try to do it without infringing privacy more than absolutely necessary. They should choose the least privacy-invasive alternative first, and only move to something more privacy-invasive if the first doesn't work. For example, generalized surveillance shouldn't be contemplated unless targeted investigation, based on a reasonable suspicion of wrongdoing, has been tried and found wanting.

My view is that whatever the privacy infringement-drug testing, background checks, video surveillance, or physical searches-employers need to ask these questions. As employee representatives, you can help both employers and employees to understand and address these issues.

Respecting privacy in the workplace imposes requirements on employers. They have to focus on who really needs to know what. They have to know what personal information they collect and what they do with it. They have to be honest with themselves about what they need to know, and sometimes they have to restrain their curiosity.

That's a challenge for employers. But I think it's equally a challenge for bargaining agents and employee representatives. After all, they are frequently called upon to counsel and advise employees on what's proper and what's improper conduct. A workplace staffed by satisfied employees whose privacy rights are respected by the employer can best be achieved through both management and employees having a commitment to these principles.

I think that if you can work with your employers to encourage this approach, they'll be grateful to you for it. And we'll all be better off for it, because you will have helped to protect a fundamental right at the heart of our freedoms-the right to privacy.

Date modified: