Chapter 10 - Privacy Inside and Outside the Workplace

March 6, 2023
9:54 AM
 
Learning Outcomes:
 Understand the growing need for protection for personal information and other privacy
rights
 Identify the 10 principles behind PIPEDA
 Understand the requirements of Ontario's Personal Health Information Protection Act
 Understand how federal privacy legislation affects provincially regulated employers in
Ontario
 State the obligations of employers in handling employee's personal information where
privacy legislation applies
 Understand employee privacy rights in workplaces not covered by general privacy
legislation, including an employer's ability to legally monitor computers and other
devices that are used for personal, well as work-related purposes
Introduction
 Freedom of Information and Protection of Privacy act, enacted in 1991 allows individual
to file a request for information held by the Ontario gov't
o Also provides privacy protection for the personal information of employees in
Ontario's public sector
Personal Information Protection and Electronic Documents Act
 Doesn't directly affect general personal employee information
How Wide is PIPEDA'S Application?
 Applies to all federally regulated organizations and affects how they collect, use,
disclose, and retain personal information concerning their employees, customers,
patients and suppliers
 Also applies in provincially regulated organization in the course of commercial activity
 Ontario hasn't yet passed comparable privacy legislation
 Should also consider extending PIPEDA'S protections to personal employee information
for the following reasons:
 PIPEDA's principles are recognized in Canada and abroad as forming the basis of ethical
personal information practices
 Quebec, BC and Alberta have already passed privacy laws related to employment
 Ontario will likely pass privacy legislation that is similar to PIPEDA and employers that
follow its requirements now will have a head start with compliance later
 To protect the personal information independent contractors but not of employees is
inconsistent
 Employees will becomes increasingly aware of how their privacy is protected in many
areas of their lives and will expect their personal information to be treated similarly in
the workplace
 Ontario Human Rights Commission treats privacy as an important element of the right
to "equal treatment"
 Employee health information is now subject of Ontario's Personal Health Information
Protection Act
 Applying PIPEDA principles to the personal information of employees could reduce the
risk of potential liability under the common law
What is Personal Information?
 Information about "an identifiable individual"
 Protections don't extend to "business contact information"
PIPEDA's Ten Principles
 2 fundamental facts
o That individuals have a right to privacy concerning their personal information
o That organizations have a need to collect, use and disclose personal information
for appropriate purposes
 Fair information principles
o The ten principles that underlie the PIPEDA for proper collections, use and
disclose of personal information
 Be accountable
 Identify the purpose of collection
 Get consent
Employment Relationship Exception (PIPEDA, s. 73)
 Allows employes to collect, use, and disclose employee personal information without
consent if both of the following 2 conditions apply
o Must be necessary to establish, manage or terminate the employment
relationship
o The employer must inform the employee that the personal information will be
or may be collected, use, or disclosed for these purposes
 Limit collection
 Limit use, disclosure and retention
 Be accurate
 Provide safeguards
 Be open
 Give individual access
o Solicitor- client privilege
 Provide recourse
o Privacy commissioner - investigate complaints and inquire into information
practices
 There must be substantial evidence that the employee breached the employment
contract and that less privacy-invasive ways of obtaining the information have been
exhausted before engaging in covert surveillance
Data Breaches and Mandatory Notification
 Effective November, 2018 the supporting regulations require that where there has been
a data security breach that creates a "real risk of significant harm" to any individual, the
organization must keep records of the breach and notify the Privacy Commissioner of
Canada, affected individuals, and potentially other organization that were affected by
the breach
 Reports of a breach must be in writing
Privacy Rights in Private Sector Workplaces in Ontario
 Use of publicly available social media content for a background check would be
considered an invasion of someone's "private" affairs
 An employer who hired a private investigator to investigate suspected malingering may
have to ensure that the private investigator is retained for objectively reasonable
purposes
Unionized Workplaces In Ontario's Private Sector
  The collective agreement may restrict the use of video surveillance or other forms of
employee monitoring (rare)
o Notify the union
 Employee monitoring that is disclosed to the affected employees is allowed where it is a
reasonable exercise of management rights
Use of Biometric Technology and Video Surveillance
 Fingertip-scanning technology was privacy invasive
In cases where the arbitrator applies the “reasonableness” standard, generally the
following factors are considered:
1. Was it reasonable to conduct the surveillance?
2. Was the surveillance conducted in a reasonable manner—for example, by
videotaping an employee in a street or public park rather than in his home?
3. Were there other alternatives open to the employer, such as seeking an
independent medical opinion?
Non-Union Workplaces in Ontario's Private Sector
 Common law courts have usually applied a test of relevance in determining the
admissibility of videotaped evidence
 Constructive dismissal
o Fundamental breach by an employer of an employment contract that entitles an
employee to consider their selves dismissed and to sue the employer for
wrongful dismissal
Monitoring Computer, Email and Internet Usage
 Another area where the employee's right to privacy and the employer's need to manage
the workplace may come into conflict
 Employers have an obligation to maintain a workplace free from discrimination and
harassment under the Ontario Human Rights Code
 Courts are increasingly willing to protect sensitive personal employee data even where
the data are stored on employer-owned and issued devices
A clear and carefully drafted information technology (IT) policy should do the
following:
• Put employees on notice that they should not have an expectation of privacy when
using employer technology and systems (including computers, cellphones, or other
electronic devices).
• Provide an explanation of the purpose of the policy.
• Provide an explanation of how the policy will apply, including the types of
technology and applications that are covered, and what the information may be used
for.
• Provide guidance on what uses are permitted or not permitted. For example, an
employer might stipulate that email is to be used for business purposes only. If
personal emails are allowed, the policy should state any content restrictions. For
instance, emails containing discriminatory, pornographic, or threatening content
should be prohibited.
• Provide an explanation of the potential consequences for a breach of the policy
(Jakibchuk, 2011, p. 5).