Privacy and Human Rights at the Crossroads of Personal and Professional Life

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Remarks at the National Human Rights Conference

June 14, 2011
Calgary, Alberta

Address by Chantal Bernier
Assistant Privacy Commissioner of Canada

(Check against delivery)


Introduction

Thank you for inviting me to join you today in a discussion that is gaining more and more relevance: privacy rights in the workplace.

With the rise of social media and online activities where the professional and personal spheres are increasingly blurred, we need to rethink where we draw the line around employee privacy.

Let me start by getting one view out of the way. While some companies’ CEOs like to say “you have zero privacy anyway, get over it” our research and the activities of our Office responding to Canadians makes it clear: Privacy is not dead.

On the contrary, research shows that people do value their privacy as a fundamental right and, if anything, are more and more concerned about the power of new information technology to intrude upon it.

The workplace is one area of highest concern:

  • There are trucking companies that use GPS to monitor their employees’ movements, supposedly to track the handling of equipment;
  • There are federally regulated institutions that require the medical information of sick relatives of their employees when an employee asks for special leave to care for that person;
  • Since 9/11, several government agencies, particularly those around transport infrastructure, have been urged to enhance background checks, seeking an unprecedented level of personal information from prospective employees;
  • Media reports tell of insurance companies who monitor the Facebook pages of employees on sick leave from the companies they insure, to check whether the employee is really sick — you may have read over a year ago about the woman whose disability payments were cut after the insurer, and then the employer, found photographs of her at the beach on her Facebook page. I suppose you can’t be sick and go to the beach.
  • More recently, the Ontario Court of Appeal ruled that a school employee had an expectation of privacy in the personal use of a work-issued laptop computer — prompting employers to implement clear policies to define employees’ expectations of privacy in the use of work-issued electronic devices.
  • Finally, as employers across the country, governments and businesses alike, are rushing to take their place on social networks , the challenge is to develop policies to clarify employer privacy practices and employee privacy interests in that context.

The right to privacy at work is both a matter of privacy law and labour law in unionized settings.

Of course I will focus on privacy law but in light of the fact that the employer–employee relationship is defined by rights and obligations; that these rights and obligations have an impact on the extent of employee privacy, both online and offline, in the physical workplace and off duty.

In general, people expect to have some privacy at work, even if they are on their employer’s premises and using the employer’s equipment. The principles haven’t changed; rather, the modalities must change to respect the principles.

For example, generally speaking, an employer who is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA), or the Privacy Act could not install video cameras at work merely to check that employees do their work.

Generally speaking, this would not be sufficient justification. Moreover, there will be less privacy-intrusive and likely more effective ways for an employer to manage their workforce than automatically turning to surveillance technology.

However, our Office does recognize that, in some instances, an employer may be justified in monitoring, for example, employee workplace email and Internet use for inappropriate activity, such as visiting gaming or pornographic websites using office computers or disseminating materials that are offensive or that could potentially cause harm to their networks via viruses or other malware.

It is normal that working for someone will mean giving up some personal information. Employers need basic information about their employees for things like pay and benefits, and they have to be able to ensure that work is being done efficiently and safely.

The new challenge in defining privacy rights in the workplace comes from mainly two developments.

First, the expansion of technological means for infringing privacy in general makes the possibilities for intrusion in the workplace greater and more invasive. Consider psychometric testing in recruitment or promotions, web-browsing records, video surveillance, keystroke monitoring, biometrics and genetic testing.

Second, the use of social media in the workplace where, in a friendly context, employees communicate widely, with both significant benefits and serious pitfalls. Employers must manage these communications in relation to organisational objectives, without intruding upon employees’ privacy. So the means by which an employer can have information about employees are unprecedented and the means by which an employee can disseminate information are unprecedented. Both call for a modernized definition of privacy in the workplace.

So what would that definition look like? I will try to answer these questions in three parts:

  • First, I will give you an overview of the federal privacy legislation overseen by the Office of the Privacy Commissioner, and of the extent to which it applies to the employee/employer relationship.
  • Second, I will go into further detail on the legal provisions contained in the federal acts as they apply to the issue, and
  • Finally, I will address the fundamental privacy principles that form the basis of our guidance to employers and employees concerned about protecting their privacy in the workplace.

OPC’s role and mandate

To start, then, a few words about the OPC and the two acts we are charged with overseeing.

The OPC is an independent Agent of the federal Parliament, meaning it does not report to a Minister but rather advises Parliament directly. We oversee compliance with two federal acts, first, the Privacy Act, which regulates the collection, use and disclosure of personal information by 250 federal departments and agencies.

Besides governing the public’s personal information handled by the federal government, the Privacy Act also applies to the personal information of public service employees.

We also administer the Personal Information Protection and Electronic Documents Act or PIPEDA, which applies across Canada to federal works, undertakings and businesses, such as banks, and private-sector organizations in the course of commercial activity in the provinces that do not have their own provincial legislation over the private sector. That means that we have jurisdiction over the private sector in the Atlantic provinces, Ontario, Manitoba, Saskatchewan, and the Territories.

However, because the employer–employee relationship is, constitutionally, a matter of provincial jurisdiction, PIPEDA only applies to federally regulated workplaces such as banks or telecommunications companies.

So how does federal privacy legislation apply to the employer–employee relationship? As I mentioned, federal public servants are covered by the Privacy Act.

The fact is that our private sector act, PIPEDA applies to a relatively small proportion of employees employed by private enterprise. Only employees of federal works, undertakings or businesses (what we call FWUBS) such as airlines, telecommunications companies, banks, and the like — in other words, the federally-regulated private sector — are governed by PIPEDA.

What privacy law says

In very general terms, Canadian privacy legislation is based on a few overarching principles:

  • Consent: employers must obtain their employees’ consent before collecting, using and disclosing their personal information. Consent can be express or implied.
  • Reasonable purpose: employers should only collect, use or disclose their employees personal information if it is reasonably required for the purposes of managing the employment relationship.
  • Proportionality: the personal information employers collect must be proportionate to the purpose for which it is requested – whether for occupational health and safety requirements, payroll administration, reference checks, performance assessment, etc.
  • Finally, the employer must demonstrate that here is no less privacy invasive alternatives available to fulfil their objective.

Let me give you a concrete example based on our work:

  • In our last Privacy Act Annual Report to Parliament, we expressed concern about a program considered by the Public Service Commission to monitor the political activities of public servants online to ensure compliance with the obligation of impartiality — without the consent of the employees. We felt the invasion of privacy could not be justified by necessity or proportionality — there was no evidence of a problem of impartiality and inappropriate political activity among public servants that could warrant such a measure. To its credit, the PSC acted swiftly and disavowed the proposal.

But even when the collection, use or disclosure of employees’ personal information is justified — for example, the employer can certainly ask for a bank account number to send the salary a direct payment — that information has to be protected in a secure fashion.

This protection is governed by the 10 internationally recognized fair information principles that include accountability, transparency, accuracy, safeguards, access and the remedies to ensure compliance. An example of a breakdown in that regard in that a of a recent incident where, through human error, the competency evaluation of a manager in a federal department was inadvertently sent, electronically, to 375 employees of that department.

So how do these general principles apply to employees’ privacy online? Let me turn to the guidance we issue to both employers and employees in this context.

What we recommend to employers

Whether they are subject to privacy legislation or not, employers can balance their “need to know” with their employees’ right to privacy if they ensure that they collect, use and disclose personal information about their employees for appropriate purposes only.

In our guidance documents, we recommend the following basic rules to establish and maintain that balance whether online or offline:

  • Transparency. The employer should say what personal information it collects from employees, why it collects it, and what it does with it. That means that if there is monitoring of employees activities online, it should be open, and the rationale, explained.
  • Collection, use or disclosure of personal information should normally be done only with an employee’s knowledge and consent. Having employees sign a policy that specifically explains the employer’s monitoring and data-handling practices. This ensures employee knowledge and consent, and promotes trust and transparency.
  • The employer should only collect personal information that’s necessary for its stated purpose. A policy that defines the employers monitoring activities on line would have to state these purposes.
  • Whether the employer has collected the employee’s personal information online or offline, it should use or disclose that information only for the purposes that it collected it for, and keep it only as long as it’s needed for those purposes, or is legally required.
  • Again, whether collected online or offline, employees’ personal information needs to be accurate, complete and up to date. Employees who are covered by privacy legislation should be able to access their personal information and be able to challenge its accuracy and completeness.

Employers have legitimate requirements for personal information about their employees. They need to know who they’re hiring. Does that include Googling employees? Does that include going on their Facebook page? While we have never issued findings on this issue, it would strike me that while a Google search may be wide open and easily performed, the Facebook scenario seems different to me — on a social networking site, users have at least some control over who has access to their personal information.

With respect to Facebook, a study by Avner Levin, of Ryerson University, funded by our Office, found a disconnect between youth and their potential employers: youth consider that the information they post on Facebook is private since it is only meant for their friends — employers consider it is public since it is posted. That study was done before our Facebook investigation which caused Facebook to tighten its privacy settings.

Arguably, an employer who only accessed information open to “everyone” may not be considered as invading privacy. In contrast, it could be argued that where an employer would, surreptitiously, get around the privacy settings of a candidate, would breach privacy. Again, we have never issued a finding on this issue and the outcome of any future case would be subject to the particular facts at hand and applicable legislation.

Employers also need to address performance issues, ensure the physical security of their workplace, stop leaks of confidential information, or prevent workplace harassment. These legitimate business needs may justify monitoring of online activity but strictly within these parameters: to pursue a valid objective in a manner proportionate to that objective. That means there can be no more monitoring that is strictly necessary to the workplace objectives and in accordance with the online monitoring policy that would have been clearly communicated to staff.

We understand that employers may, in certain circumstances, have to delve into private matters, and that they may need to monitor online activities for the good of the organisation. But the benefit of knowing what every employee is doing on company time and equipment is fundamentally questionable, and good employers don’t abdicate management of their human resources — their people — to technology.

For example, rather than through online monitoring, preventing workplace harassment is ultimately best achieved through workforce training and sensitization; respect for values and ethics is ensured by employee engagement, discussion and free exchanges; impartiality and professionalism is ensured by fair and regular performance assessment, rather than by intruding on the privacy of everyone in the workplace.

Even if they’re not required to do so by law, it is our office’s view that all employers should, as a best practice, tell their employees what personal information will be collected, used, and disclosed. They should inform employees of their policies on Web, e-mail and telephone use, for example. If employees are subject to random or continuous surveillance, they need to be told so.

Employers should also ensure that information they collect for one purpose isn’t used for an unrelated purpose without the employee’s consent.

Similarly, all employers should give employees access to the personal information held about them. This would ensure employees can verify, and if necessary challenge, its accuracy and completeness.

Employers may be tempted to advise employees or prospective employees that they have no expectations of privacy in the workplace — that the loss of privacy is a condition of employment.

It could be argued that someone who agrees to work under these conditions has consented to unlimited collection, use, and disclosure of their personal information.

Whether this is really consent — clear, informed, voluntary consent — is questionable. And the general principle of collecting only the personal information that’s required for appropriate purposes gets lost with this approach. A better alternative is to specifically ask employees to consent to explicit, limited, and justified collections, uses and disclosures of their personal information — particularly with respect to highly sensitive personal information such as health, pension or payroll information.

In many workplaces, practices like the ones outlined above are required by privacy legislation and employees have legal means to resolve any disputes with their employer and assert their rights. Unionized employees may also have recourse to enforce their privacy interests in the workplace under collective agreements.

But good privacy practice is not just about avoiding complaints, grievances, or lawsuits. Whether or not privacy is protected by law or contract, fostering a workplace culture where privacy is valued and respected contributes to employee morale and mutual trust, and makes good business sense.

In our own Office, we are committed to balancing our need as an employer to collect, retain, use, disclose and dispose of personal information about our employees with the right to privacy of those employees. We aim to ensure that all employees are aware of the circumstances under which their personal information will be collected, retained, used, disclosed and disposed. And of course, we have addressed the issue of employees activities in social media. Let me conclude on our experience.

Some of our own employees use social media as part of their official duties — we host official blogs, we have an account on a popular microblogging site, and we have a channel on a video sharing site. We remind our employees who use social media in that capacity to simply apply the values and ethics of the Public Service in that context:

  • they should be mindful that they are speaking on behalf of the OPC; and
  • they should not post material or be drawn into discussions that would bring into question the organization’s impartiality or integrity.
  • We ask that they be professional, respectful, impartial and accountable, and that they maintain confidentiality about work-in-progress such as ongoing investigations and audits.

Some of our employees choose to use social media for personal reasons, either at home using their own equipment, or at work using the OPC’s electronic resources (and this is explicitly allowed in our policy on Acceptable Use of Electronic Networks).

At the OPC, we remind our employees that when using social media in an unofficial capacity about work-related issues, the rules of professional conduct and confidentiality always apply. Employees who use social media to discuss work-related matters must exercise personal responsibility and behave in a manner that is consistent with the Values and Ethics code for the Public Service.

We encourage anyone using social media outside of work for strictly personal to keep in mind some basic facts:

  • Subject to existing workplace policies and rules, some organizations do monitor their employees’ social networking activities.
  • Information posted on social networking sites may seem transitory and informal, but once personal information is posted online, it gains permanence — and can be circulated and searched by others. In other words, if you don’t want your boss to see something, don’t post it online.

This advice comes from a popular fact sheet issued by our Office, entitled Privacy and Social Networking in the Workplace. In the same fact sheet, which is available on our website, we ask employers to remember a few things as well:

  • They should be aware that social networking sites can contain inaccurate, distorted or out-of-date personal information about job applicants. They should therefore be cautious about relying on that information.
  • They should also guard against using personal information gathered from social networking sites — or any other online source — in a discriminatory manner against a job candidate or an existing employee.

Conclusion

To summarize, you do have a right to privacy in the workplace, but that right is not absolute. It will always be weighed against the needs of the organization.

The employer has legitimate business interests, and the employees have fundamental privacy rights.

In a 2009 article, former Assistant Privacy Commissioner Heather Black reflected on the very issue of employers collecting and using personal information from social networking sites.

She stated that in the normal course of managing their relationship with existing employees, employers would generally need to obtain consent before resorting to such collection and use.

As for looking up prospective employees, she reminded us that employers need the same information they always needed: they need to know about their candidate’s education, qualifications, experience, knowledge and personal suitability for the job. Employers already have very good ways to obtain this critical information: checks with former employers, references, official documentation, and interviews. Just because a new sort of intrusion into people’s lives is now possible doesn’t make it a right. People are still entitled to a private life.

Our message is that any intrusion in physical workplace that would be considered a breach of trust between employer and employee remains a breach of trust in the virtual world.

The right to privacy exists in the modalities of its respect, because it is not absolute. This is a truth that should be heeded by both employers and employees.

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: