Privacy in the Workplace
Employers and employees are often subject to privacy laws. The Privacy Act, for example, applies to employee information in federal government institutions. The Personal Information Protection and Electronic Documents Act applies to employee information in federal works, undertakings, and businesses. See our fact sheet entitled Application of the PIPEDA to Employee Records. Several provinces have privacy legislation applying to employee information. In addition, employers often make a commitment in collective agreements to observe privacy practices.
But whether or not privacy is protected by law or contract, respecting privacy in the workplace makes good business sense.
People expect to have some privacy at work, even if they are on their employer's premises and using the employer's equipment. At the same time, it's normal that working for someone will mean giving up some privacy. Employers need basic information about their employees for things like pay and benefits, and they have to be able to ensure that work is being done efficiently and safely.
But the possibilities for infringing on privacy are greater than ever before. Psychological tests, web-browsing records, video surveillance, keystroke monitoring, genetic testing: the information an employer can have about employees is limitless.
Employers can balance their "need to know" with their employees' right to privacy, if they ensure that they collect, use, and disclose personal information about their employees for appropriate purposes only.
Respecting employees' privacy
An employer's need for information should be balanced with an employee's right to privacy. For almost all personal information — including pay and benefit records, formal and informal personnel files, video or audio tapes, and records of web-browsing, electronic mail, and keystrokes — the following basic rules help to establish and maintain that balance:
- The employer should say what personal information it collects from employees, why it collects it, and what it does with it.
- Collection, use, or disclosure of personal information should normally be done only with an employee's knowledge and consent.
- The employer should only collect personal information that's necessary for its stated purpose, and collect it by fair and lawful means.
- The employer should normally use or disclose personal information only for the purposes that it collected it for, and keep it only as long as it's needed for those purposes, unless it has the employee's consent to do something else with it, or is legally required to use or disclose it for other purposes.
- Employees' personal information needs to be accurate, complete, and up-to-date.
- Employees should be able to access their personal information, and be able to challenge the accuracy and completeness of it.
Do employees' privacy rights conflict with an employer's right to manage?
Employers have legitimate requirements for personal information about their employees. They need to know who they're hiring. They need to address performance issues and ensure the physical security of their workplace. And they may see electronic monitoring and other surveillance as necessary to ensure productivity, stop leaks of confidential information, and prevent workplace harassment.
So sometimes employers have to delve into private matters. But they can keep those instances to a minimum, and limit the impact on personal privacy. The possibility that an individual employee might do something harmful doesn't justify treating all employees as suspects. The questionable benefit of knowing what every employee is doing on company time and equipment, at all times, needs to be weighed against the cost — including the cost to staff morale and trust. Preventing workplace harassment is an important goal, but it's best achieved through workforce training and sensitization, explicit anti-harassment policies, and appropriate remedial measures when harassment is reported or reasonably suspected, rather than by depriving everyone of their privacy rights.
Clear policies and clear expectations
At a minimum, employers should tell their employees what personal information will be collected, used, and disclosed. They should inform employees of their policies on Web, e-mail, and telephone use, for example. If employees are subject to random or continuous surveillance, they need to be told so.
Employers should also ensure that information they collect for one purpose isn't used for an unrelated purpose without the employee's consent.
Even if they're not required to do so by law, employers should give employees access to the personal information held about them, so that they can verify, and if necessary challenge, its accuracy and completeness.
What about employees who waive their privacy rights?
Employers may be tempted to advise employees or prospective employees that they have no expectations of privacy in the workplace — that the loss of privacy is a condition of employment. Someone who agrees to work under these conditions, it could be argued, has consented to unlimited collection, use, and disclosure of their personal information.
Whether this is really consent — clear, informed, voluntary consent — is questionable. And the general principle of collecting only the personal information that's required for appropriate purposes gets lost with this approach. A better alternative is to specifically ask employees to consent to explicit, limited, and justified collections, uses, and disclosures of their personal information.
A "privacy culture"
In many workplaces, practices like the ones outlined above are required by law, and employees have legal means to assert their rights. Employees may also have enforceable rights to privacy under collective agreements.
But good privacy practice is not just about avoiding complaints, grievances, or lawsuits. Whether or not privacy is protected by law or contract, fostering a workplace culture where privacy is valued and respected contributes to morale and mutual trust, and makes good business sense.