Workplace Privacy Conference
May 29, 2003
Vancouver, British Columbia
Privacy Commissioner of Canada
(Check against delivery)
I'd like to talk to you today about the meaning and importance of privacy, and about the challenge of protecting privacy in the workplace. I'll explain how the federal Personal Information Protection and Electronic Documents Act protects privacy, and contrast it with Bill 38, the B.C. government's proposed Personal Information Protection Act.
The fundamental human right of privacy is crucial to the freedoms that define our society. It is often said that privacy is "the right from which all freedoms flow." The right to a private sphere of thought and action is the basis of freedom of speech, freedom of conscience, freedom of association, just about any freedom you can name.
I have often said that privacy will be the defining issue of this decade. I've believed that for a long time, since well before I was appointed Privacy Commissioner. But I believe it to be the case now more than ever.
What initially convinced me was technology. Our privacy used to be protected more or less by default. When information about us was in paper records, scattered around various locations, it took a lot of work to gather information about an individual. The result was that no one was likely to compile detailed information about you unless you were famous or had done something really bad.
Information technology changed all that, eliminating the default protection. Now a stranger sitting at a computer can compile a detailed dossier about you literally in minutes.
That was the situation when I first became Privacy Commissioner of Canada, in 2000. Not long after that, the attacks on the U.S. of September 11, 2001, introduced a new element into the dynamic - and made privacy, more than ever, the defining issue of the decade.
The double shock of a direct strike on U.S. soil and a staggering number of victims gave the public and their governments a sense of extraordinary vulnerability, and a determination to not let it happen again.
That led to a potent mix - and for privacy, a potentially dangerous mix - of a fearful public, anxious governments, and zealous law enforcement and security agencies, looking for ways to prevent further terrorist attacks.
They have at their disposal a technological arsenal with the potential to destroy privacy as we know it - video surveillance, biometrics, technology for eavesdropping on Internet and other communications, and computerized data bases of everything from our purchases to our reading habits to where we travel and with whom.
That's our present situation; that's what our privacy is faced with - the technological capacity available to both the state and private sector companies to invade privacy beyond anyone's wildest imaginings.
The workplace has not been isolated from these developments.
Technologies like keystroke monitoring, drug and alcohol testing, and surveillance of telephone, e-mail and Web communications have been whittling away at privacy in the workplace for years.
But September 11 accelerated those trends and gave new justifications for the technology. To some people, it seemed imperative that employers, and ultimately law enforcement and security agencies, should know as much as possible about who employees are, where they come from, and what they do at work and away from work. Surveillance was not just fashionable, it was patriotic. There was a lot of pressure for background checks and security clearances, which had previously been limited in scope and only required for sensitive positions, to go deeper and wider than ever before.
In the workplace as in other aspects of our society, our response to this unprecedented threat to privacy will determine, not just what kind of world we live in, but what kind of world we leave behind for our children and grandchildren.
Fortunately, we already have, at the federal level, a robust system of privacy protection. It got its start twenty years ago, with the Privacy Act, which governs the personal information practices of government institutions. It has really come into its own with the Personal Information Protection and Electronic Documents Act, which was passed by Parliament in 2000 and began coming into force on January 1, 2001.
This system of privacy protection was solidly in place when the September 11 attacks drastically altered the privacy landscape. Since then, it has served as a bulwark against needless and unjustified intrusions on privacy in the name of security.
The PIPED Act, as we call it, strikes a balance between individual privacy rights and the needs of organizations to collect, use, and disclose personal information. The basic outlines, from an employment perspective, look like this:
If an organization covered under the Act wants to collect, use, or disclose personal information about its employees, it needs their consent, except in a few specific and limited circumstances.
It can use or disclose its employees' personal information only for the purpose for which they gave consent when it collected the information.
Even with consent, the organization must limit its collection, use, and disclosure of personal information to purposes that a reasonable person would consider appropriate in the circumstances.
Employees have the right to see the personal information that the employer holds about them, and to correct any inaccuracies.
There's oversight, through me and my Office, to ensure that the law is respected, and redress if employees' rights are violated.
Right now, the Act applies to all personal information, including personal health information, that's collected, used, or disclosed in the course of commercial activities and employment by federal works, undertakings, and businesses. Those are primarily banks, airlines, telecommunications companies, broadcasters, and transportation companies. It also applies to personal information that's held by provincially-regulated organizations when it's sold, leased, or bartered across provincial or national boundaries.
As of January 1, 2004, the application of the Act will expand to commercial activities that normally fall under provincial jurisdiction, except where provinces have passed substantially similar legislation. That extension won't apply to employment, however. The only place the Act applies to employment is in federal works, undertakings, or businesses, and that won't change in 2004, regardless of what the provinces do or don't do.
One of the very important points about the Act is the reasonable person test - the requirement that an organization limit its collection, use, and disclosure of personal information to purposes that a reasonable person would consider appropriate in the circumstances.
This makes the Act a significant improvement over a lot of other privacy laws and codes of practice - including the Canadian Standards Association's Model Code for the Protection of Personal Information, which is incorporated into the Act.
The Model Code was a great step forward for privacy in Canada, and it's a good basis for the PIPED Act. But there's a circularity in it. Organizations have to define their purposes for collection, use and disclosure, and they have to handle the information consistently with those defined purposes. But there's no limit on what those purposes can be.
One of the real accomplishments of the Act is that it moved privacy protection out of that circular model. It's not enough that organizations define and communicate their purposes, or that they limit themselves to staying within their stated purposes. The purposes themselves have to be reasonable.
This is particularly important for the issue of workplace privacy, where consent is problematic. As a general rule, consent is the heart of privacy protection. It's by exercising the right of consent that individuals control personal information about themselves.
In an employment setting, consent is tricky, because the parties are not on an equal footing. People's relationships with their employers are not like their relationships with their bankers or their favourite magazines. An employer can make consent to collection, use or disclosure of personal information a condition of someone becoming or staying employed. That turns consent into a mere formality.
That's why the reasonable person test in the PIPED Act is so important. Consent to a reasonable collection, use, or disclosure of your personal information can legitimately be made a condition of your employment. An employer has certain needs for information, without which the employment relationship isn't going to work. A reasonable person would consider it appropriate that the employer know someone's Social Insurance Number, their age for pension purposes, their family status for benefits purposes, and so on. A reasonable person wouldn't consider it appropriate, in most circumstances, for the employer to have an interest in their religion or sexual orientation, for instance.
A couple of examples from my findings under the Act will illustrate what I mean about the limits of consent and the value of the reasonable person test.
Employees of a nuclear products facility complained to me that the company was requiring them to consent to the collection of personal information - specifically, a security clearance check. They were told that if they didn't consent they'd lose their jobs or be transferred.
In other words, compulsory consent. As I said, an employer can legitimately make consent a condition of employment, but only if it's consent to something reasonable and appropriate.
So the question was, would a reasonable person consider it appropriate in the circumstances for the company to collect personal information from employees for the purpose of conducting security clearances?
The company is licensed by the Canadian Nuclear Safety Commission, or CNSC. Without that licence, it can't produce nuclear fuels.
In November 2001, the CNSC ordered that its licensees not permit any person to enter or remain in a licensed facility without a security clearance.
The company advised its employees of this, and provided them with consent forms. The bargaining agent negotiated an agreement whereby any employee who did not pass the security check could transfer to another division, though not necessarily at the same job level.
The complainants argued that their consent to the collection of their personal information was not truly voluntary, since if they did not give consent, they could lose their employment.
My conclusion was that a reasonable person would consider it appropriate in the circumstances for the company to collect this personal information from its employees.
Given concerns about possible acts of terrorism at nuclear facilities, it was reasonable that the CNSC would impose an enhanced security requirement on its licensees.
And it was also reasonable that the company would comply with the CNSC requirement. The alternative would be for it to lose its licence to produce nuclear fuels - which, of course, might have led it to lay off the complainants.
The employer had made consent a condition of employment, but it was consent to something reasonable - something that, in these particular circumstances, was an unavoidable condition of the employment relationship, like a name or a Social Insurance Number.
Another complaint had a similar background, but a different outcome.
A commercial airline pilot was required to take training on aircraft simulators in the United States. He complained to me about an authorization form his employer asked him to sign in order to take the training.
The complainant's employer had a contract with a flight simulator school in the United States.
In response to the September 11 attacks, the U.S. government instructed all U.S. flight simulator companies to have non-U.S. students sign a form authorizing the Department of Justice to obtain any information relevant to their requests for flight training. The information could come from any relevant source, and could include biographical, financial, law enforcement, and intelligence information. It could be disclosed to any other individuals or entities potentially having information related to the request.
This form was deeply troubling. It didn't provide adequate information on the purposes for the collection and disclosure of personal information. Nor did it place limits on the collection or disclosure. Quite simply, it failed the test of fair information principles.
Was it reasonable and appropriate for a Canadian airline to require its pilots to sign such a form or risk losing their job?
The airline could have made alternative training arrangements, but it chose not to do so, because of problems of cost and logistics. Those problems, in fact, weren't excessive or insurmountable. But in order to provide training at minimal cost and inconvenience, the airline was requiring its pilots to consent to collection and disclosure practices that were clearly in contravention of Canadian law. And that left the complainant with the prospect of either consenting to something that he knew was a violation of his privacy rights, or losing his professional certification.
This was all the more unacceptable in that the purpose of the form - namely, enhancing U.S. security - could have been met without contravening Canadian law.
Canadian pilots are subject to security clearance measures in Canada. There's no reason, if they are security-cleared here, that they should have to consent to unacceptable collection and disclosure practices at the request of a foreign government. A reasonable person would not find that appropriate. I recommended that the airline make whatever arrangement necessary to ensure that the complainant receive his training without his privacy rights being violated.
I want now to contrast the PIPED Act's application to employee information with Bill 38, the Personal Information Protection Act, the B.C. government's proposed privacy law for the private sector.
I'm glad to see that the B.C. government is taking privacy seriously. But if they want this law to be considered substantially similar to the PIPED Act, they are going to have to make some serious modifications.
The Bill as presently drafted is significantly weaker than the PIPED Act. One area where this is particularly apparent is the provisions dealing with privacy in employment.
Bill 38 specifically allows the collection, use and disclosure of employee personal information without consent - completely depriving an employee or a prospective employee of any control over his or her information.
As I've said, consent is problematic in an employment context. But problematic doesn't mean dispensable. And while the reasonable person test in the PIPED Act is a workable solution to the problems of consent in the workplace, you should be extremely wary of the claims of imitators.
Bill 38 requires that the collection, use or disclosure of employee personal information be reasonable for the purposes of establishing, managing or terminating an employment relationship. On the surface, that sounds close to the reasonable person test. You might be tempted to say, okay, employee personal information can be collected, used or disclosed without consent, but it has to be reasonable, so what's the problem?
The problem is that this is a lot weaker than the system we've developed federally.
It's always possible to argue that any intrusion on employee privacy is "reasonable" for establishing, managing or terminating an employment relationship. No employer would argue otherwise - and in fact no sensible employer would bother collecting information that it didn't genuinely think was reasonable. But of course what's reasonable to one person is not reasonable to another.
An employer might think it reasonable to collect and disclose information about an employee's health or religion or sexual orientation. Bill 38 would allow that, without consent. Sure, the employee could complain after the fact that this wasn't reasonable - but this very sensitive information would have already been collected and disclosed. And once privacy has been violated, it can't be unviolated. The damage has been done.
The PIPED Act, in contrast, would require an employer to seek consent to collect and disclose that kind of information.
Suppose the employee refused consent. The employer might be prepared to make the consent a condition of continued employment. The employee might resist that, maybe through a grievance procedure, maybe through a complaint to my office.
The issue of whether or not the employer's request was reasonable would be decided one way or another, but the point is that the information would not be collected or disclosed unless the employee consented to it. The employee would retain control over his or her personal information. If personal information about a health condition or a religious conviction or a sexual orientation was something the employee was prepared to lose a job over, that choice would be respected - and the information would remain private.
In short, the protection afforded employees covered by Bill 38 would be drastically inferior to that enjoyed by employees covered by the PIPED Act.
It's worth noting that the PIPED Act has applied for more than two years to employers in some 15,000 federal works, undertakings and businesses. That hasn't in any way prevented them from effectively managing their workforces.
The provisions of Bill 38, on the other hand, are likely to make management a nightmare, because they eliminate the employer-employee dialogue that's inherent in a consent model. Disagreements between management and employees over personal information would inevitably be confrontational, involving after-the-fact grievances or complaints. When the first step is for management to seek consent, there's a built-in framework for consultation.
There are other problems with the Bill. I don't have time to go into all of them, but I'll mention one of the most egregious.
The Bill's protections don't apply to personal information that was collected before it comes into force. In other words, there's no need for consent to use or disclose information that has already been collected.
This is a very serious weakness. In contrast, the PIPED Act doesn't distinguish between personal information collected before and after its coming into effect. To use or disclose information collected before the Act came into force, organizations require consent - it's as simple as that.
So the Bill is welcome, but it falls short. Privacy in the workplace and in commercial activity deserves better protection than this. The "right from which all freedoms flow" has to be accorded the highest priority and given the strongest protection. That has not happened with this Bill.
Nonetheless, it's not only through legislation that privacy is protected. Regardless of what legislation they're subject to in the workplace, employers, employees, and bargaining agents should think broadly and purposively about privacy. Workplaces can be privacy-friendly. Management of employment records can reflect the principles of fair information practices. Policies on employee surveillance can be carefully crafted and limited. Employment and labour relations can be based on a respect for individual freedom and autonomy.
What they will find as a result is that respect for the fundamental human right of privacy is the key to building a strong, healthy and competitive organization.