Recent Decisions and Emerging Issues under New Privacy Legislation
Annual Conference on Human Rights and Workplace Privacy
May 3, 2002
Privacy Commissioner of Canada
(Check Against Delivery)
It's a great pleasure for me to address a conference on privacy and human rights, because privacy is one of the most fundamental of human rights.
Privacy is what lets us live as free individuals - free to read what we please, think as we please, associate with whom we please. It lets us be who we are. It means that we don't have to go through life with someone watching over our shoulders - watching our every move, every purchase, every human interaction; someone analyzing patterns in our behaviour; interpreting, and maybe misinterpreting, our actions; judging, and maybe misjudging, our intentions.
Freedom of thought, association, conscience, and speech, to name just a few, are all grounded in our right to privacy.
We don't surrender those rights and freedoms when we walk through the doors of the office or factory. Sure, some people claim that employees lose all their rights when they are on the employer's time and property and using the employer's equipment. But I don't believe that, arbitrators and judges don't believe that, and I'm sure you don't believe that. Employees have had established, recognized rights to privacy in the workplace for a long time.
The passage of the Personal Information Protection and Electronic Documents Act, or the PIPED Act as it's known, has significantly advanced those rights. It codifies, in a very clear way, a fundamental right of privacy in the workplaces that it covers. It firmly establishes the primacy of consent - the central concept of privacy - in any collection, use, or disclosure of personal information. And it puts an important limit on consent: Even with consent, an organization may only collect, use, or disclose information about its employees for purposes that a reasonable person would consider appropriate under the circumstances. That means that people don't have to consent to losing all their privacy just so that they can have a job.
What I'd like to do is outline a couple of the decisions I've reached in employment cases under the PIPED Act. I'll talk about what cases like this tell us about the Act, and then turn to the question of when and how infringements of privacy in the workplace may be justified.
First, though, let me give you a brief synopsis of the Act.
The Act strikes a balance between individual privacy rights and the needs of organizations to collect, use, and disclose personal information. The basic outlines, from an employment perspective, look like this:
If an organization covered under the Act wants to collect, use, or disclose personal information about its employees, it needs their consent, except in a few specific and limited circumstances.
It can use or disclose its employees' personal information only for the purpose for which they gave consent when it collected the information.
Even with consent, the organization must limit its collection, use, and disclosure of personal information to purposes that a reasonable person would consider appropriate in the circumstances.
Employees have the right to see the personal information that the employer holds about them, and to correct any inaccuracies.
There's oversight, through me and my Office, to ensure that the law is respected, and redress if employees' rights are violated.
Right now, the Act applies to all personal information, including personal health information, that's collected, used, or disclosed in the course of commercial activities and employment by federal works, undertakings, and businesses. That's primarily banks, airlines, telecommunications companies, broadcasters, and transportation companies. It also applies to personal information that's held by provincially-regulated organizations when it's sold, leased, or bartered across provincial or national boundaries.
While the application of the Act will expand in 2004 to commercial activities that normally fall under provincial jurisdiction, except where provinces have passed substantially similar legislation, the only place the Act applies to employment is in federal works, undertakings, or businesses.
Some people might take that to mean that employers in provincially regulated industries can ignore it. That would be a mistake.
The Act incorporates international data protection standards. These were developed by the OECD, the European Union, and various private sector and advocacy organizations. They've been incorporated around the world into voluntary codes and privacy laws.
Most provinces will be enacting privacy legislation in the near future. Ontario, as you know, has already begun that process. One reason that provinces will be legislating is to ease exchanges of personal information with jurisdictions, such as the EU, that insist on privacy protection for the personal information of their citizens. Provincial legislation will only achieve its objective of easing those exchanges of personal information if it extends to personal information in employment. The upshot is that provincial privacy legislation will probably apply to employment, and look a lot like the PIPED Act.
So, even for organizations not subject to it, there are lessons to be drawn from the Act. Let me turn now to a couple of my findings in complaints under the Act, and suggest some things you can learn from them.
One complaint arose where a truck driver was required by his employer, an international trucking company, to fill out a registration form for the Canada Customs and Revenue Agency's new Customs Self-Assessment Program, and return it to the company.
The driver didn't want his employer to have access to the personal information that he had to provide on the registration form. He wanted to give the CCRA form directly to CCRA. So he refused to return the form to the company. The employer told him, return the form to us or we terminate your employment. And that's how it ended up, with the company terminating his employment.
I concluded that this complaint was well-founded. The Act requires that collection of information be limited to what's necessary for the organization's purposes. Yes, it was necessary for the driver to complete an application for the program. But it was CCRA that needed the form, not the employer. So there was no need for the information to be returned to the employer, as long as it was returned to the CCRA.
And the Act requires that information be collected by fair and lawful means. Well, the company threatened the employee with dismissal if he didn't hand the information over. That doesn't meet any kind of fairness test, especially when the employer has no right to the information in the first place.
The lesson of this is that a lot of the time, compliance with privacy law is simply common sense. This was a case of an employer getting itself into unnecessary trouble. All that was required was a basic respect for the employee, a good hard look at who required what information, and a recognition that the best way to get something is to ask for it and explain why you need it. If the company had taken that approach, it wouldn't have wound up where it did.
In another case, an employee made a number of requests for information about her that was held by her employer. The employer refused her requests, and sent copies of its response to two union representatives and its coordinator of employee relations. The employee had not sent them copies of her access requests, and had not consented to having copies of the response sent to them. So she complained to my office.
The union representatives had attended the meeting at which the issue of access to the complainant's personal information had first been raised. And the employee relations coordinator had in his possession documents to which the complainant had requested access. The employer argued that, given their involvement, the complainant had implicitly consented to the disclosures.
I concluded that, for the disclosure of the information to the union representatives, there had been no such implicit consent. They had attended the first meeting. But the complainant had submitted the access requests personally, without union intervention. It was her right to request access without union intervention, and it was not necessary for the employer to inform the union of its response.
So this aspect of the complaint was well-founded.
But the disclosure to the employee relations coordinator was a different matter. Documents that the complainant was seeking were in his possession. Given his direct involvement in the access request, it was appropriate for the employer to inform him of its decision to refuse the complainant access to the documents. I concluded that this aspect of the complaint was not well-founded.
So what does this tell us? The Act states that organizations, when determining the form of consent to use, must consider the sensitivity of the information and the reasonable expectations of the individual. What was required here was simply for the employer to look at the situation and evaluate what was reasonable. Since the complainant had made her access requests independently of the union, and had not copied them on her correspondence, nothing that she did implied consent to sharing of the responses with them. But it's reasonable to expect that someone who has control of the information that is sought - the employee relations coordinator - should be advised of a decision about access to it.
Again, this is not difficult. In general, don't assume consent, and if you're in doubt, ask. It's largely a matter of common sense - and, I might add, good management practice.
While sometimes, as with the employee relations coordinator, it makes perfect sense to send third parties copies of responses, as a general rule it's preferable not to. It's better to allow the individual to judge whether or not to share a response with others after receiving it. That's something that we advised the employer to do in this case, and I'm pleased to note that it has followed this advice in dealing with subsequent access requests.
If there is a general lesson to be drawn from these decisions, it is that good privacy practice is less rocket science than it is common sense.
I want to turn now to a more general issue involving privacy in the workplace and the application of the PIPED Act, and that is the question of balancing an organization's legitimate needs for personal information with the employees' right of privacy.
This is not really very different from the reasonable person test - the question of whether personal information is being collected, used, or disclosed for purposes that a reasonable person would consider appropriate in the circumstances. But it involves a kind of analysis that is a little more challenging and complex than the common-sense approach I discussed in the preceding cases.
Let's take as an example the issue of monitoring and surveillance of employees' Internet and e-mail use. The example is appropriate for a gathering like this, because it's often suggested that Internet and e-mail monitoring is a necessary part of an employer's obligation to prevent harassment in the workplace. I don't agree, and I'll come back to that in a moment.
Some of you may know about the study, released last July by the Privacy Foundation, of electronic surveillance of the on-line workforce - employees who regularly use Internet or e-mail at work. In the U.S., that's about 30% of the workforce, and it's estimated to be about the same in Canada.
In the U.S., 14 million employees - 35% of the on-line workforce - have their Internet or e-mail use under continuous, generalized surveillance. The number has been increasing about twice as fast as the number of employees with Internet access, as the cost of the monitoring software drops.
This is an infringement of privacy, no less so than searches of desks, lockers, clothing and personal effects. Monitoring and surveillance of employees' e-mails and web browsing is collection and use of employees' personal information. Not all of the information will be personal, but some of it will be. The personal information collected can be sensitive - especially if, as is usually the case, the employer allows some personal use of the e-mail system and some personal Web browsing, on lunch breaks for example. Even where that's not the case, just the fact of electronic surveillance, either random or continuous, is very destructive of the employee's sense of privacy and autonomy.
But privacy in the workplace or anywhere else is not an absolute right, and there are times when an infringement of privacy is justified. So how do we determine whether it is or not?
Let me preface what I'm going to say with a caution: I haven't yet dealt with a complaint about this under the PIPED Act, and I don't make advance rulings on cases. But I can give you some idea of how I think the principles of the Act should be applied.
Any proposal to curtail or limit privacy must, in my view, meet four tests: it must be demonstrably necessary to meet a specific need, it must be likely to be effective in meeting that need, it must be proportional to the magnitude and importance of the problem, and there must be no less privacy-invasive way of achieving the same end.
These tests need to be applied whether privacy is infringed through legislative and regulatory initiatives, administrative decisions such as police video surveillance of public places, or management practices like drug testing.
Let's look at how they might apply to monitoring and surveillance of employees' on-line activities.
Is it demonstrably necessary to meet a specific need? This critically important first step is too often overlooked. That's especially so when the pressure for adopting monitoring and surveillance is coming from the manufacturers of the software.
The usual reason that employers cite for generalized electronic monitoring and surveillance is that they're concerned about employees wasting time, about release of confidential material, and about liability for the content of messages or web material.
These are not trivial concerns. Employers have to be able to ensure that their employees are not shopping on-line when they're supposed to be working. They have to be able to secure intellectual property. They have to protect themselves against liability for everything from defamation to harassment in the workplace. No one questions any of that. And if an employer demonstrates specific problems in any of these areas, it may well have met this first test.
But just expressed in the abstract, they won't usually be enough. There may be situations where, for example, the risk of release of confidential material is so great and so obvious that it doesn't need to be explained in any detail. It may be that there are workplaces dealing in matters so sensitive that a speculative risk, the potential for a problem, or something that might happen is enough. But normally I wouldn't be satisfied with speculation or generalizations. I would expect an employer to demonstrate the existence of a real and specific problem.
If that first test is met, the next step is to show that the proposed infringement of privacy is likely to be an effective means of addressing it.
Is electronic monitoring of on-line activities effective? The answer to that, of course, depends on what you mean by "effective." It's a means to an end, and whether it's effective depends on how you define the end. If you define it narrowly as catching people, it's usually effective. I would argue that it only catches a symptom of a problem, not the problem itself. If the end is a healthy and productive workplace where people can make the best use of the electronic tools available to them, it's less effective.
What about the third test, proportionality? That, of course, depends on the magnitude of the problem and the way you've defined the end you're trying to achieve. But in most of the cases I've read about, electronic monitoring is a sledgehammer used to swat a fly.
There may well be environments of extraordinary sensitivity, where the consequences of e-mail or Internet misuse would be so severe that they'd justify wholesale monitoring. I'm sceptical any time this is claimed, and I would always scrutinize any such claim closely. You should, too. Remember, we're talking about that complete absence of privacy that results from knowing that your activities and statements may be observed or recorded at any time. People who've lived in prisons, and in police states, tell us that it's this very thing that's most oppressive. As an aside, that's why I am so opposed to police video surveillance of public places, something I've spoken up against repeatedly across the country.
Finally, is there a less privacy-invasive way of achieving the desired ends? There is, if the end is something more than catching people.
Let me be clear: I strongly believe that employers should have clear policies on the appropriate use of e-mail and Web use. Communicating that policy to employees will go a long way towards ensuring that these tools are not abused.
If the employer is concerned that employees might be wasting time, there are better ways to determine that than wholesale monitoring - like looking at what's produced in the course of a day. If some employees are wasting time, there's a whole range of traditional management techniques at the employer's disposal.
An employer's obligation to prevent harassment means taking all reasonable steps to prevent harassment, and dealing with it effectively if it occurs. It means having an effective harassment policy and providing employees with appropriate training. But it doesn't have to mean wholesale monitoring.
And if some electronic monitoring and surveillance is necessary, the employer should try to achieve its ends without infringing privacy more than absolutely necessary. Some kinds of surveillance are more privacy-invasive than others. Whatever method is chosen, directed inquiry on the basis of reasonable suspicion is preferable to indiscriminate monitoring. Employers should choose the least privacy-invasive alternative first, and only move to something more privacy-invasive if the first doesn't work.
This analysis is the best way to deal with the complex question of balancing privacy rights with an organization's need for personal information. Whether it's drug testing, background checks, video surveillance on or off the job, or physical searches, employers need to ask these questions. Is the privacy infringement aimed at a specific and demonstrable problem? Is it demonstrably effective in addressing the problem? Is it proportional? And is there a less privacy-invasive way of doing it?
Respecting privacy in the workplace imposes certain requirements on employers. They have to focus on who really needs to know what. They have to know what personal information they collect and what they do with it. They have to be honest with themselves about what they need to know, and restrain their curiosity when it runs up against employees' privacy.
That's a challenge, of course. But it's also, quite simply, good business practice. A workplace staffed by happy employees whose privacy rights are respected by the employer is a productive workplace. And that brings a competitive advantage to the firm that respects privacy.