Professional Documents
Culture Documents
Chapter 10 - Privacy Inside and Outside The Workplace
Chapter 10 - Privacy Inside and Outside The Workplace
March 6, 2023
9:54 AM
Learning Outcomes:
Understand the growing need for protection for personal information and other privacy
rights
Identify the 10 principles behind PIPEDA
Understand the requirements of Ontario's Personal Health Information Protection Act
Understand how federal privacy legislation affects provincially regulated employers in
Ontario
State the obligations of employers in handling employee's personal information where
privacy legislation applies
Understand employee privacy rights in workplaces not covered by general privacy
legislation, including an employer's ability to legally monitor computers and other
devices that are used for personal, well as work-related purposes
Introduction
Freedom of Information and Protection of Privacy act, enacted in 1991 allows individual
to file a request for information held by the Ontario gov't
o Also provides privacy protection for the personal information of employees in
Ontario's public sector
Personal Information Protection and Electronic Documents Act
Doesn't directly affect general personal employee information
How Wide is PIPEDA'S Application?
Applies to all federally regulated organizations and affects how they collect, use,
disclose, and retain personal information concerning their employees, customers,
patients and suppliers
Also applies in provincially regulated organization in the course of commercial activity
Ontario hasn't yet passed comparable privacy legislation
Should also consider extending PIPEDA'S protections to personal employee information
for the following reasons:
PIPEDA's principles are recognized in Canada and abroad as forming the basis of ethical
personal information practices
Quebec, BC and Alberta have already passed privacy laws related to employment
Ontario will likely pass privacy legislation that is similar to PIPEDA and employers that
follow its requirements now will have a head start with compliance later
To protect the personal information independent contractors but not of employees is
inconsistent
Employees will becomes increasingly aware of how their privacy is protected in many
areas of their lives and will expect their personal information to be treated similarly in
the workplace
Ontario Human Rights Commission treats privacy as an important element of the right
to "equal treatment"
Employee health information is now subject of Ontario's Personal Health Information
Protection Act
Applying PIPEDA principles to the personal information of employees could reduce the
risk of potential liability under the common law
What is Personal Information?
Information about "an identifiable individual"
Protections don't extend to "business contact information"
PIPEDA's Ten Principles
2 fundamental facts
o That individuals have a right to privacy concerning their personal information
o That organizations have a need to collect, use and disclose personal information
for appropriate purposes
Fair information principles
o The ten principles that underlie the PIPEDA for proper collections, use and
disclose of personal information
Be accountable
Identify the purpose of collection
Get consent
Employment Relationship Exception (PIPEDA, s. 73)
Allows employes to collect, use, and disclose employee personal information without
consent if both of the following 2 conditions apply
o Must be necessary to establish, manage or terminate the employment
relationship
o The employer must inform the employee that the personal information will be
or may be collected, use, or disclosed for these purposes
Limit collection
Limit use, disclosure and retention
Be accurate
Provide safeguards
Be open
Give individual access
o Solicitor- client privilege
Provide recourse
o Privacy commissioner - investigate complaints and inquire into information
practices
There must be substantial evidence that the employee breached the employment
contract and that less privacy-invasive ways of obtaining the information have been
exhausted before engaging in covert surveillance
Data Breaches and Mandatory Notification
Effective November, 2018 the supporting regulations require that where there has been
a data security breach that creates a "real risk of significant harm" to any individual, the
organization must keep records of the breach and notify the Privacy Commissioner of
Canada, affected individuals, and potentially other organization that were affected by
the breach
Reports of a breach must be in writing
Privacy Rights in Private Sector Workplaces in Ontario
Use of publicly available social media content for a background check would be
considered an invasion of someone's "private" affairs
An employer who hired a private investigator to investigate suspected malingering may
have to ensure that the private investigator is retained for objectively reasonable
purposes
Unionized Workplaces In Ontario's Private Sector
The collective agreement may restrict the use of video surveillance or other forms of
employee monitoring (rare)
o Notify the union
Employee monitoring that is disclosed to the affected employees is allowed where it is a
reasonable exercise of management rights
Use of Biometric Technology and Video Surveillance
Fingertip-scanning technology was privacy invasive
In cases where the arbitrator applies the “reasonableness” standard, generally the
following factors are considered:
1. Was it reasonable to conduct the surveillance?
2. Was the surveillance conducted in a reasonable manner—for example, by
videotaping an employee in a street or public park rather than in his home?
3. Were there other alternatives open to the employer, such as seeking an
independent medical opinion?
Non-Union Workplaces in Ontario's Private Sector
Common law courts have usually applied a test of relevance in determining the
admissibility of videotaped evidence
Constructive dismissal
o Fundamental breach by an employer of an employment contract that entitles an
employee to consider their selves dismissed and to sue the employer for
wrongful dismissal
Monitoring Computer, Email and Internet Usage
Another area where the employee's right to privacy and the employer's need to manage
the workplace may come into conflict
Employers have an obligation to maintain a workplace free from discrimination and
harassment under the Ontario Human Rights Code
Courts are increasingly willing to protect sensitive personal employee data even where
the data are stored on employer-owned and issued devices
A clear and carefully drafted information technology (IT) policy should do the
following:
• Put employees on notice that they should not have an expectation of privacy when
using employer technology and systems (including computers, cellphones, or other
electronic devices).
• Provide an explanation of the purpose of the policy.
• Provide an explanation of how the policy will apply, including the types of
technology and applications that are covered, and what the information may be used
for.
• Provide guidance on what uses are permitted or not permitted. For example, an
employer might stipulate that email is to be used for business purposes only. If
personal emails are allowed, the policy should state any content restrictions. For
instance, emails containing discriminatory, pornographic, or threatening content
should be prohibited.
• Provide an explanation of the potential consequences for a breach of the policy
(Jakibchuk, 2011, p. 5).