Respect for privacy: essential for a healthy workplace
Address given to the Union of National Public Employees’ All Presidents’ Conference
April 22, 2016
Address by Daniel Therrien
Privacy Commissioner of Canada
(Check against delivery)
Thank you for the invitation.
It is rare that I have the opportunity to discuss privacy issues as they affect unions.
In my time with you today, I will share observations on privacy trends we see within federal workplaces.
And I will discuss my recommendations for overhauling the Privacy Act, the federal law dealing with public sector privacy, some of which would have a direct impact on workplace issues.
Balancing the need to know and privacy rights
This conference is happening at a time when workplace wellness issues are very much top of mind. Moreover, respect for privacy, in addition to being necessary for a healthy society and democracy, is essential to a healthy workplace. In any case, however, it is clear that violating privacy can easily undermine a healthy workplace.
This does not mean that employers do not have the right to gather personal information about their employees, for example, to administer pay and benefits, manage performance and uphold security.
But, employees have a right to privacy in the workplace and employers are responsible for ensuring that what they collect is not only necessary for the institution’s activities, but that they also protect it accordingly.
In the modern workplace, just as across our economy and society, particularly because of technological developments, it’s become possible to very easily collect vast amounts of personal information about individuals, be it through the use of questionnaires, web-browser monitoring, video surveillance or viewing social media feeds.
Such new, emerging technologies pose novel issues for both employers along with employees and, therefore, you—their representatives.
Workplace matters account for many complaints
Over the last few years, our Office has noticed that a good number of Privacy Act complaints relate to federal employee-employer relationships. These generally fall within three broad categories: staffing (and, in particular, reference checks); recourse (including grievances); and workplace well-being.
Looking at the kinds of workplace complaints we receive, we have noticed many relate to the oversharing of employee information.
In many cases, it’s medical history information that, for example, ends up being shared indiscriminately with parties involved in processes, such as internal investigations, fitness to work evaluations—including return to work action plans—and even reference checks.
Recognizing that human resources professionals are often involved in the types of processes I have mentioned, our Office has made a series of presentations in the last few years aimed at this group to raise privacy awareness with specific emphasis on the “need to know” principle. And we are looking for opportunities to expand our outreach to federal public servants, through certain professional groups as well as individual departments.
Employer surveillance and employee snooping
My Office also continues to see issues related to video surveillance. For example, a few years ago, we dealt with a case where employees were not informed about video cameras being installed in their workplace. More recently, we conducted an investigation into the Canadian Border Services Agency (CBSA).
During our investigation, the CBSA pointed to its Policy on the Overt Use of Audio-Video Monitoring and Recording Technology which stated that, along with security, video surveillance may be used to help ensure the quality of services offered by its programs.
We recognized that a broad range of activities can fall under "quality assurance," including recording how many travelers are processed by a facility in an hour, and when to open more kiosks, for example.
Our Office also accepted that in certain areas, video surveillance is necessary for safety and security. We even accept that footage could be used when there are serious code of conduct or criminality concerns.
We also saw the possibility that the Agency could use video for individual performance management.
While CBSA did not intend for this, the policy’s wording was unclear, bringing the issue into question.
In response, CBSA updated its policy to clarify its intended use for video surveillance, clarifying that it will not be used to monitor individual employee performance.
We also continue to see incidents of employees accessing the personal information of their colleagues or clients without authorization—or in other words, snooping. There have been cases in the past where we have seen instances of employees accessing files when embroiled in disputes with someone, or, simply out of sheer curiosity.
Such situations should not occur within a respectful workplace, but unfortunately, unauthorized accesses do occur, and federal institutions need to adopt appropriate safeguards to protect personal information from less scrupulous individuals. To do so, our Office has called on departments to implement system controls that limit access to sensitive information to those with a need to know and to keep a log recording what files were accessed, when and by whom.
We have also called on institutions to become more proactive in guarding against data breaches.
Both within federal workplaces and across the country, privacy is a serious concern for individuals who must provide highly sensitive personal information to federal institutions.
It is incumbent on departments and agencies to ensure proper procedures are in place to protect that information.
Privacy Act reform
In addition to calling on departments to adopt proper procedures, we are also suggesting changes to the law itself.
The Privacy Act came into force in the 1980’s—when information was collected and shared in paper form and federal offices were filled with filing cabinets—decades before email, mobile devices and social media.
After standing still for more than three decades, the Act must be amended as it is out of step with today’s existing and emerging privacy risks.
I recently appeared before Parliament and submitted sixteen recommendations for amending the Privacy Act. My recommendations fall into three broad categories:
- Technological change;
- Enhancing transparency; and
- Legislative modernization.
The full text is on our website, and I encourage you to read it. Today though, I will focus on a few key recommendations, with emphasis on some that relate to workplace issues.
Many of the issues I discussed earlier hinge on safeguards. And, as written, the Privacy Act lacks any explicit requirement for adequately safeguarding personal information.
Today’s portable storage technology enables anyone to carry a filing-room’s worth of personal information on a key chain or in a pocket. In 2012, federal institutions learned just how easy it is now to misplace vast amounts of personal information, when a portable drive was reported lost at the former Human Resources and Social Development Canada, holding files on more than 500,000 student loan recipients and some 800 employees.
Despite the absence of express wording about safeguards in the Act, Treasury Board Secretariat guidelines exist for departments and most do take their responsibilities seriously. But it is time to elevate these protections from the level of administrative internal policy to that of law.
The same goes for data breach reporting. Without question, the change to mandatory reporting through administrative directive has led to improvement. But there are still some federal institutions not submitting breach reports.
Placing a specific legal obligation for reporting “material” privacy breaches would provide our Office with a clearer picture of the situation across federal institutions, and better position us to work with organizations to help mitigate the risks and impacts.
And given there will soon be new regulations requiring private sector organization to report breaches with a real risk of significant harm; it would be odd for federal institutions to not be held to the same standard.
We have also made recommendations to enhance transparency under the Act.
By providing individuals with access to their personal information held by federal institutions, privacy is an important enabler of transparency and open government.
And we have recommended limiting exemptions and maximizing disclosure, as appropriate, when individuals seek access to their own personal information.
Turning now to legislative modernization, we have recommended provisions to help prevent problems before they occur.
Privacy Impact Assessments (PIA) are an effective tool for institutions to consider new or significantly modified initiatives through a privacy lens. When done properly, and ahead of a program being implemented, they identify privacy risks and help organizations evaluate the impact changes may have on privacy and develop mitigation strategies. Now required by administrative directive, they are to be submitted to our Office for review and advice.
The problem, however, is that there are times when the PIA directive is either not followed or interpreted narrowly, resulting in some privacy-sensitive issues not being examined at an early stage.
There is also a need for greater clarity in the Privacy Act on the question of when an institution is allowed to collect personal information. On this point, section 4 of the Act currently reads “no personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution.”
Our Office has interpreted this to mean that the collection of information must be necessary to operate programs or activities. However, if taken literally, the words “relates directly” could be interpreted by some to allow departments to collect any information useful to a program or activity, even when it is not truly required.
In fact, our Office has sought and obtained leave to intervene in the court challenge to the new federal standard on security screening launched by the Union of Correctional Officers of Canada. Our intervention will be as a neutral party, to help the court in its interpretation of this particular section of the Privacy Act. We are also currently reviewing Treasury Board’s Secretariat’s “privacy assessment” of the new Standard on top of investigating a number of related complaints.
This matter is one among many in our society today—where vast amounts of personal information can be collected efficiently and effortlessly compared to the 1980’s—exemplifying our recommendation for adding an explicit necessity requirement to the Privacy Act.
We have also recommended broadening federal court review to cover all matters for which an individual can make a complaint to my Office.
Today, this is only available when individuals are denied access to their personal information.
We suggest broadening this to include, for example, matters relating to an institution’s collection, use or disclosure of personal information.
In closing, I hope my remarks have given you a sense of the issues we are facing.
As I noted, today is a time where improving workplace wellness is a deservedly high priority for businesses and public policy thinkers alike.
And greater awareness of privacy issues and adopting proper procedures, and hopefully at some point modernized laws, to respect employee privacy and protect personal information can contribute to achieving this objective.
I hope I have also been able to highlight some relevant examples showing how today’s workplace has changed greatly during the last thirty years ago. And, in doing so, I hope you see how reforming the Privacy Act would help us fulfill our mandate of protecting the privacy of public servants and all Canadians.
- Date modified: