Canada: Employers and the Privacy Culture

A Brave New World: Responding to New Privacy Regimes

Privacy Culture and the Law

This paper is based on earlier work by my colleagues Nancy Trott and Rosalie Cress.

The privacy culture continues to develop. Concerns about protecting personal information percolated in the 1990s and most jurisdictions legislated to protect personal information as collected and used by the public sector. For some time, Québec stood alone in imposing obligations on the private sector. Things started to heat up quickly when the federal Personal Information Protection and Electronic Documents Act ("PIPEDA")1 came into effect in 2001.

More recently, other provinces have legislated to protect personal information in the private sector.2 The result – even where there is no provincial private sector legislation and only limited application of PIPEDA – is a growing privacy culture and increasing demands for the protection of personal information.

This paper concentrates on the impact of the privacy culture on employers. There will be many references to British Columbia’s Personal Information Protection Act ("PIPA"). While it only applies to operations in British Columbia, it is instructive for all provincially regulated organizations. It is very similar to the Alberta legislation and it may be seen as a code of conduct that is coming to be expected in our developing privacy culture.

While the privacy legislation contains detailed requirements and exceptions, the key to compliance is understanding the privacy principles and a large body of case law relevant to employee personal information.

The effect of the privacy principles and the application of existing employment law to human resources practice can be seen in the following areas:

  • surveillance;
  • medical information about employees; and
  • employment references.

Privacy Principles

The ten "privacy principles" apply to most personal information, subject to only limited exceptions:

  1. Accountability: Organizations are responsible for all personal information within their control and must implement policies and procedures and train employees to protect personal information.
  2. Identifying purposes: Organizations must identify the purposes for which they will collect, use and disclose personal information, including the use and disclosure of previously collected information for a new purpose.
  3. Consent: Knowledge and consent are generally required for the collection, use and disclosure of personal information.
  4. Limiting collection: The amount and type of information collected must be limited to what is necessary for the identified purposes.
  5. Limiting use, disclosure and retention: Personal information can only be used or disclosed for purposes for which it was collected, except with the consent of the individual or as permitted or required by law, and retained only as long as necessary.
  6. Accuracy: Personal information used by organizations must be complete, up-to-date and accurate as necessary for the required purposes.
  7. Safeguards: Personal information must be protected against loss or theft, as well as unauthorized access, disclosure, copying, use or modification, with safeguards appropriate to its sensitivity.
  8. Openness: Organizations must provide information on their information protection policies and practices.
  9. Individual access: Individuals have a right of access to their personal information and to challenge its accuracy.
  10. Challenging compliance: Individuals have the right to challenge an organization’s compliance with the principles.

These principles should always be kept in mind when developing policies, implementing procedures and handling personal information on a day-to-day basis.

Personal Information About Employees

Section 1 of PIPA defines "personal information" as information about an identifiable individual and includes employee personal information but does not include contact information or work product information.

PIPA recognizes the special nature of the employment relationship and defines "employee personal information" as personal information about an individual that is collected, used or disclosed solely for purposes which are reasonably required to establish, manage or terminate the employment relationship between the organization and the individual, including a volunteer relationship. It is important to note that the definition of "employee personal information" does not include personal information that is not about an individual’s employment.

Under PIPA, an employer may collect, use and disclose employee personal information without the consent of an individual as long as it is reasonable for the purpose of establishing, managing or terminating the employment relationship with that individual. However, the organization must:

  1. notify the employee that it will be collecting, using or disclosing employee personal information; and
  2. identify the purposes for which the information will be collected, used or disclosed.3

In applying the privacy principles and interpreting personal information and privacy legislation, the concept of reasonableness is key. For example, PIPA states that personal information may be collected, used or disclosed by organizations only for purposes that a reasonable person would consider appropriate in the circumstances.4

There are two key questions in the balancing of the privacy interests of employees and the needs of organizations to collect, use and disclose personal information about employees in the course of their operations:

  1. Is the purpose reasonable?
  2. Is the scope of the collection, use or disclosure reasonable?

The importance of these questions is evident in the consideration of the "when, what, why, how and who" involved in the collection, use and disclosure of personal information about employees.

Surveillance in the Workplace

The law on surveillance of employees, both disclosed and surreptitious, illustrates how the concept of reasonableness is applied.

The Reasonableness Test

The law on surveillance of employees remains largely the same as previously developed with respect to video surveillance, but the principles are also being applied to the gathering of personal information from computer, email and internet use in the workplace.

Arbitrators and privacy commissioners have considered four factors in their analysis of the reasonableness of surveillance:

  1. Is the surveillance necessary for a legitimate or reasonable business interest? Legitimate business interests often include loss prevention and safety or security risks.
  2. Is the information collected only that which is necessary to achieve the intended purpose?
  3. To what extent is employee privacy affected? Surveillance in production areas or where employees have a reasonable expectation of privacy is usually held to be unreasonable, unless there is a serious, significant business interest at stake. Where employees have a low expectation of privacy, video surveillance may be reasonable for less pressing business purposes.
  4. Were alternatives considered and would they be effective? If there are less privacy-intrusive ways of effectively achieving the same purpose, then it may be unreasonable to use video surveillance.

The 2004 decision of the Federal Court in Eastmond v. Canadian Pacific Railway5 is a good example of this analysis.

Canadian Pacific Railway installed six digital video surveillance cameras at various locations in its Toronto railyard to reduce vandalism and theft and minimize threats to staff safety. The cameras were fixed, did not zoom and only recorded 48-hour periods. Employees were aware of the cameras, their purpose and locations. Productivity was not monitored.

The Federal Court looked at the why, how, when and where collection takes place and held:

  1. Canadian Pacific established that there was a history of vandalism, theft and other security issues in the railyard and preventing it was a reasonable purpose.
  2. Surveillance was effective at preventing vandalism, theft and security risks.
  3. The loss of privacy was held to be low and proportional to the benefit gained by Canadian Pacific. The images recorded were viewed only upon a reported incident. Information was kept secure and viewed only by the manager or the Canadian Pacific police. The images were recorded in places where the individuals were held to have a low expectation of privacy.
  4. Canadian Pacific considered alternatives and demonstrated that, given its extensive operations over a wide area, fencing and security guards were not cost-effective and would be disruptive.6

Canadian Pacific’s use of video surveillance was found to be reasonable because its purpose was appropriate and its use reasonably addressed that purpose.

Monitoring Employee Performance

There can be different results when the purpose is different.

In R.J. Hoffman Holdings Ltd.7, the Alberta Information and Privacy Commissioner considered whether disclosed surveillance was reasonable for two different purposes under Alberta’s Personal Information Protection Act. The oilfield maintenance company installed eight video surveillance cameras in its truckyard, mechanical shop area and front counter. Their purposes were both safety and security and monitoring employee performance. The cameras had no zoom or pan capability and did not record audio. Only the Operations Manager had access to the video recording.

The video surveillance was found to be justified for the purpose of safety and security but not for the purpose of monitoring employee performance.

The company was able to show that there had been several instances of theft of property and two instances of fire and that since the cameras were in place, there had been no theft or property damage. It was also noted that female employees who typically worked alone at the front counter were usually the only employees in the building. The Commissioner accepted that the cameras were necessary and effective at addressing issues of safety and security.

In determining whether the surveillance was conducted in a reasonable manner, the Alberta Commissioner also referred to arbitral decisions and considered the following facts:

  1. the cameras were visible and in plain view;
  2. employees were aware of their presence;
  3. the cameras were only operational in common areas of the shop and office and not in any employee rest area;
  4. the video recording was only accessible by the Operations Manager;
  5. the video footage was deleted after 30 days, if no investigation was initiated; and
  6. the images were not watched constantly.

But the video surveillance was held not to be reasonable for monitoring employee performance. The Commissioner stated that video surveillance is not usually reasonably required for managing employees and that video surveillance of work productivity has been condemned as diminishing a person’s dignity or privacy. The Commissioner held that it would be difficult for the company to demonstrate that the cameras would be more effective at monitoring employee performance than a well-timed visit from a supervisor.

Monitoring Production Areas

Federal Privacy Commissioner and arbitral decisions indicate how difficult it can be to justify video surveillance of production areas.

In PIPEDA Case Summary #2798, the Assistant Privacy Commissioner considered the reasonableness of using video surveillance to monitor the productivity of employees. An internet service company installed two web cameras which monitored separate employee workspaces. The cameras had no pan or zoom capability, but monitored audio as well as visual images. Notices were posted on the cameras and all employees signed a statement acknowledging they had read and understood the company’s privacy policy which outlined the purposes of the cameras. Most employees were not continuously visible as they worked behind cubicle walls, but approximately half of the technical support staff were in the view of one camera continuously. The video feed was only accessed by managers when they were off-site.

The company relied on the fact that productivity was lower at nights and weekends as one reason to justify the surveillance. The Assistant Commissioner found that the company did not appear open to less privacy-intrusive options to monitor productivity other than by video surveillance, such as appointing other staff members to a supervisory role or modifying the schedules of existing managers. The Assistant Commissioner found that a reasonable person would be unlikely to consider employee productivity as an appropriate reason to use video and audio surveillance in the circumstances and recommended the company remove its cameras from employee workspaces.

In a case from British Columbia, Pope & Talbot Ltd. Harmac Pulp Operations9, the arbitrator determined that limited video surveillance of a production area was reasonable. In that case, a camera monitored the unloading of barges at a dock. There were no supervisors at the dock, which was separated from the main operations, and the employees communicated with management by radio. Any delay in unloading the barges resulted in high costs, and the employer suspected that employees may have been deliberately failing to give supervisors advance notice that unloading was to complete, in order to have extra "downtime".

The camera’s use was limited: it was fixed and could not zoom, and the employees knew the camera’s field of view and could avoid it on breaks. Only the responsible supervisor could view the images, which were monitored but not recorded. The arbitrator acknowledged the enactment of PIPA, but stated that the Act did not alter the substance of the issues in surveillance cases. Although he held that the camera was used, at least in part, to monitor productivity of employees, the arbitrator found the video surveillance justifiable. The cost of delay, lack of on-site supervision and effective communication with employees made the use of surveillance reasonable to ensure efficient unloading. He held, however, that 24-hour monitoring was not necessary to achieve that purpose. Instead, the arbitrator determined that the camera could be used during emergencies, for 20 minutes at shift changes and periodically during a shift for up to five minutes.10

Email, Internet and other Electronic Surveillance

Employers can have access to large amounts of personal information about their employees and others from the phones, computers, computer networks, security access cards and other workplace tools provided for business purposes. Active monitoring of the information provided by such tools will be considered a form of surveillance. Similarly, searching through such information may be considered an invasion of privacy by employees and will likely involve the collection, use or disclosure of personal information within the meaning of privacy legislation.

Keystroke Logging Software

The Alberta Office of the Information and Privacy Commissioner considered a case where the employer secretly installed keystroke logging software on the computer of an information technology employee.11 The employer had concerns about the employee’s productivity and argued that collection of the information was necessary to manage the employee.

The Commissioner determined that, even though almost all the information collected was work-related, it had a personal component because it was used to determine how and how much he worked. The Commissioner was critical of the employer’s failure to take other measures to assess and manage the employee’s productivity, for example by simply asking the employee to account for his time. Then the Commissioner stated that the surreptitious use of keystroke logging software was a form of surveillance and could only be justified if necessary. And to be considered necessary, the employer would have to show that the information needed for managing the employee could not be acquired by a less intrusive method.

Expectation of Privacy

A key issue in considering email and internet and other forms of electronic surveillance or information collection is the employee’s expectation of privacy.

In Milsom v. Corporate Computers Inc.12, the Court held that because there was no email policy in the workplace, an employee had no reasonable expectation of privacy in his work email and the employer was entitled to introduce it as evidence of poor performance.13 The Court, referring to decisions of American courts, stated that even where an email policy outlines some employee privacy rights, there may be no reasonable expectation of privacy when the content of emails is unprofessional, offensive or where access by the employer is part of an investigation of illegal activity.14 An employee may also have no reasonable expectation of privacy, regardless of a policy, if the email is sent and received using corporate assets.15

In Camosun College16, the arbitrator also found that the employee had no reasonable expectation of privacy in work email or a chat group for Union members on the employer’s computer network. The arbitrator reasoned that there could be no reasonable expectation of privacy if it was well-known that the message could be easily copied by any subscriber to the email group and forwarded without the knowledge of the sender.

Importance of an Email Policy

In other cases, such as Owens-Corning Canada Inc.17 and Briar v. Canada (Treasury Board),18 it was held that there was no reasonable expectation of privacy in work email because the employees were warned that inappropriate emails were not tolerated and could be subject to monitoring and that discipline might follow a breach of the company standards.

In Briar, several correctional officers working at a prison were given warnings, financial penalties or dismissal for their inappropriate use of work email. The supervisor had received a complaint from another employee about the emails sent by the employees. The employer entered the employees’ email accounts and took note of the emails currently in the Inbox and Outbox. The officers had received and forwarded a number of inappropriate, mostly pornographic emails. The employees claimed that their rights of privacy had been violated.

The Court found that, in the circumstances, the employees had no reasonable expectation of privacy in their work email19. The prison had repeated its internet policy prohibiting inappropriate email at least five times in six months. The employees were further given a pop-up warning on their screen each time they logged on, informing them of the policy. The judge also found that, at some point, "common sense must prevail"20. Due to the nature of the emails and the fact that the employer is legally required to provide a safe workplace free from harassment, the employees had no reasonable expectation of privacy in their work email.

Content of an Email Policy

Under personal information protection legislation, the focus is on the collection, use and disclosure of personal information, not simply private information. While judicial and arbitral decisions are helpful to determine reasonableness by discussing the extent to which employee privacy is affected, the decisions do not generally address the collection of personal information and the obligation of employers to limit their collection and use of personal information. Specifically, case law and arbitral analysis may not address questions of whether the monitoring is reasonably necessary, whether there are alternatives available to the monitoring and the reasonable scope of investigation in the circumstances. All these considerations are key issues under privacy legislation.

Reasonable monitoring under personal information protection legislation should only collect and use information that is necessary to achieve a reasonable business purpose. Reasonableness will also depend on the extent to which the monitoring affects employee privacy rights. While an employee’s reasonable expectation of privacy will likely be diminished at work and using work email, there may remain a reasonable expectation of some privacy in employee email21.

The main goal of an email policy is to manage the employees’ expectation of privacy. For example, an email policy should stipulate:

  • email, internet and other electronic tools are for business not personal use
  • what is considered appropriate business use and inappropriate personal use
  • the employer’s ability and occasional need to monitor and the scope of such monitoring.

Further, the policy should be well communicated and regularly publicized (see Briar22) and its connection with other relevant policies – such as a code of conduct, confidentiality and harassment – should be emphasized.

Unless it is limited by the employer’s express policy, an employee’s reasonable expectation of privacy will likely increase for emails the employee writes during "off-work" hours (for example, during breaks and lunch) and for emails written from a private ISP account. In Owens-Corning, it was not reasonable for the employer to review the employee’s personal webmail account while investigating improper use of work email23.

Under personal information protection legislation, and like video surveillance, the scope of monitoring must be closely tied to the purpose of monitoring. The employer should collect and use only information necessary to achieve the employer’s purpose. The employer may also have to consider whether there are any reasonable or effective alternatives to surveillance.

Surreptitious Surveillance

Video surveillance of employees at work without consent or notification is permitted under PIPA only if it falls under a "no consent" exception.24 The "investigation exception" provides that personal information may be collected, used or disclosed without consent if it is reasonable for an investigation and it is also reasonable to expect that the accuracy or availability of the information or the investigation itself would be compromised if the individual knew of the surveillance. PIPA contains a specific definition of "investigation" which includes an investigation related to a breach of an agreement.

Most decisions of arbitrators and the Federal Privacy Commissioner focus on surreptitious surveillance in the course of investigations. Such surveillance has been considered reasonable if:

  1. There is a substantial problem;
  2. There is a strong possibility that surveillance will be effective; and
  3. There is no reasonable alternative to surreptitious surveillance.

It is important to note that while these factors are similar to those used to assess disclosed surveillance, a higher threshold must be met when surveillance is surreptitious.

The Effect of Privacy Legislation

Both the Federal Privacy Commissioner and labour arbitrators in British Columbia have taken a strict approach to surreptitious surveillance and have generally had to be satisfied that there was no other way to ascertain the truth. The circumstances must strongly support the employer’s suspicion and other investigative tools must be unrealistic or unreasonable.

Like many surveillance cases, Case Summary #26925 dealt with an absenteeism problem. The employee reported a number of work-related injuries. The employee continued to work in positions consistent with his reported physical limitations but the employer became suspicious. He was frequently absent and failed to provide the company with updated medical assessments, despite verbal and written requests. An independent medical assessment indicated "non-physical barriers" to returning to work.

The employer commenced surreptitious surveillance. After reviewing videotape showing the employee performing activities that contradicted his claims of incapacity, the employer concluded that the employee was not being truthful. Emphasizing that video surveillance should only be used as a last resort in an employee investigation, the Assistant Privacy Commissioner found that the employer had substantial evidence that the relationship of trust had been broken prior to engaging in surveillance. The employer had "reasonable and probable cause" to believe the employee was violating the employment contract. The employee was uncooperative and the employer was unable to get the information it required in a less privacy-invasive manner. The Assistant Commissioner held that the video surveillance was reasonable but noted that the decision to engage in surreptitious video surveillance of an employee should be made by senior management.

In another case, the Federal Commissioner took a more prescriptive approach.26 The employer had surreptitiously placed an audio recording device in a room as part of an investigation of improper conduct by a particular employee. The room was used by several different people, including the employee under investigation. The Commissioner suggested that such surveillance is only justified where there is substantial evidence of wrongdoing or that the relationship of trust has been broken, where all other investigative means have been exhausted, and where the collection of personal information was limited to the greatest extent possible.

Arbitrators tend to take a more pragmatic approach to reasonableness. In Ebco Metal Finishing27 the employer was not able to have video surveillance evidence admitted in a grievance arbitration. The employees had been fired for theft of time, specifically for not working diligently at the end of their shift when there was no direct supervision.

The arbitrator stated:

PIPA has had little if any altering effect on the arbitral common law in the province regarding surreptitious video surveillance, and indeed seems to amount to a codification of the arbitral experience in British Columbia.28

Nevertheless, the arbitrator found that the surveillance had been carried out without reasonable warrant and was thus in contravention of PIPA.

In analyzing both the arbitral principles and the reasonableness standard of PIPA, the arbitrator held that reasonableness had to include a consideration of the "sensible presence of other less-intrusive means" to assess productivity. (The arbitrator noted that the employer did not closely examine its own Daily Productivity Sheets, it did not collect other information at its disposal, it did not monitor the employees or have management stay late, and it did not have any constructive discussion with the employees.)

A Common Law Right to Privacy?

While arbitrators in BC are saying that PIPA has not changed the arbitral law already developed in this area, does the absence of privacy legislation in other jurisdictions have an influence?

The La-Z-Boy Canada Ltd. case 29 is an Ontario arbitration decision about the admission of surreptitious video surveillance evidence of drug use at the workplace. The employer had heard that its employees may have been smoking marijuana at the rear of the building. There were persistent rumours of drug use but it was thought the issue was resolved after various communications and meetings about drug use on company property being unacceptable. Subsequently, the employer’s Human Resources Manager detected the odour of marijuana or hashish in the upholstery area of the plant. It was decided there was still a problem and that surveillance was necessary to determine the culprits. Soon after, the video surveillance detected three employees smoking marijuana on company property.

The arbitrator noted the lack of privacy legislation affecting the employment relationship in Ontario and reviewed the arbitral debate about whether there is a common law right to privacy in Ontario. He decided "there is some right to privacy in Ontario [but] the question of reasonableness of surveillance by an employer only requires an assessment of the nature and extent of the right to privacy in the particular circumstances."

The surveillance evidence was admitted after the arbitrator applied the familiar tests for establishing reasonableness: was the particular surveillance reasonably required in the circumstances and was it carried out in a reasonable and responsible manner with a view to achieving a legitimate management purpose?

In jurisdictions without private sector privacy legislation there is still room for debate about the extent of privacy rights in the workplace. But the La-Z-Boy case appears to be a harbinger that the privacy culture, and the legal principles that go with it, will prevail with or without legislative foundation.

The message for employers across Canada is that surreptitious surveillance should be a last resort in an investigation, where the employer has substantial evidence that the relationship of trust has been broken. Where the employee is uncooperative and the employer cannot obtain information it legitimately requires in a less privacy-invasive manner, surveillance may be reasonable.

Surreptitious Email and Internet Monitoring

An employer may monitor email and Internet use of an employee without notification or consent if it is reasonable for an investigation or falls under another "no consent" exception.30 As with video surveillance, an investigation of an employee’s email or Internet use under PIPA will be reasonable if:

  1. there is evidence of wrongdoing on the part of the employee prior to initiating the investigation. Independent evidence in the arbitral jurisprudence commonly takes the form of complaints or observations by coworkers, supervisors or customers;
  2. the monitoring is restricted to what is necessary to achieve the employer’s purpose; and
  3. there are no reasonable or equally effective alternatives to the surreptitious monitoring.

In Owens-Corning, prior to initiating surveillance, the employer had reason to suspect both a widespread problem within the company of inappropriate email and Internet use by employees, and evidence that the specific employee was using his email and Internet privileges inappropriately31.

Owens-Corning also illustrates how an excessive scope of investigation can result in monitoring being held to be unreasonable. In that case, an employee received numerous personal emails into his work email account each day. However, he usually forwarded the personal emails to a personal webmail account and did not send them to anyone inside or outside the company. After learning that the employee had been accessing the Internet using another employee’s ID, the employer began looking at "computer reports" which stated which computer operator visited what internet sites, and for how long.

The employer’s concern was initially one of security. However, the employer had also recently implemented a non-harassment policy in response to a widespread problem of inappropriate emails being sent by employees. After looking at the computer reports, the employer suspected the employee of visiting inappropriate websites. The employer reviewed the employee’s work email and accessed his personal webmail account without his consent. The arbitrator found that while the employee had no reasonable expectation of privacy in his work email, the investigation of his personal webmail account was unreasonable.32 The employee had a reasonable expectation of privacy in his personal email account, which was not connected to his employment.33

Finally, while there has been little discussion in the jurisprudence of the need to consider alternatives to surreptitious email and internet use monitoring, the analysis is likely to be similar to that for video surveillance, just as it was in the Parkland Regional Library keystroke logging software case.34 The employer should consider alternatives to surreptitious email monitoring and electronic surveillance before beginning such an investigation.

The Criminal Code

Before monitoring the email use of employees, employers should consider the Criminal Code provisions regarding the interception of private communications. Section 184(1) of the Criminal Code provides that:

every one who, by means of any electro-magnetic, acoustic, mechanical or other device, wilfully intercepts a private communication is guilty of an indictable offense and liable to imprisonment for a term not exceeding five years.35

A "private communication" is:

any oral communication or any telecommunication…made under circumstances in which it is reasonable for the originator to expect that it will not be intercepted by any person other than the person intended by the originator to receive it…36

Section 184(1) does not apply to a person who has the consent to intercept, express or implied, of the originator of the private communication or of the person intended by the originator thereof to receive it.37 An employer must carefully consider whether it has the appropriate consent.

Email sent at work or from a work email account is likely not "private". Verbal pager messages, for example, have been held not to be private communications because the pager may play the message so that anyone in the vicinity of the recipient can hear it.38

However, even if an employee has no reasonable expectation of privacy in work email, a third party whose personal information is contained in the email or who sends or receives an email from an employee may have a reasonable expectation of privacy in the email message. Any monitoring of computer systems and emails should be reviewed in light of the Criminal Code provisions and relevant case law.39

Employee Medical Information

The handling of employee medical information has always presented challenges for employers. Medical information is considered perhaps the most sensitive personal information in the employment context. Again, arbitral and tribunal case law guides the application of privacy legislation requirements for the collection, use and disclosure of medical information about employees. Reasonableness is a key consideration in determining the scope of employee medical information to which an employer is entitled.

The extent of an employer’s right to medical information about an employee depends on any contractual terms which may provide a right to the employer to require medical information and the purpose for which the employer requires medical information. An employee does not have an absolute right to privacy. An employer can generally require medical information to determine:

  • whether an absence from work is justified on the basis of illness or injury;
  • whether the employee’s absence meets the eligibility requirements for a particular benefit administered by the employer, such as sick leave or disability benefits;
  • the estimated duration of an employee’s absence from work;
  • whether there is a disability within the meaning of the Human Rights Code which requires accommodation, and if so, the type of accommodation and the duration of the accommodation; and
  • if an employee is fit to be at work (where the employer has reasonable grounds for questioning fitness).

An employer should consider whether it is necessary to receive medical information directly or whether the information should be sent to the insurer or other benefit administrator. Where an employee requires accommodation, the employee may be required to provide medical information to identify how the disability affects the employee’s employment and the nature and extent of the accommodation required. In most cases, a diagnosis need not be provided.

Medical Certificates / Medical Diagnosis

Case Summary #25740 considered the information required from employees in high risk, safety-sensitive positions. In that case, the employer cited two reasons for requiring a medical diagnosis: the safety-sensitive nature of the complainants’ work and their "at risk" positions.

The employer’s sick leave policy required an employee requesting sick leave to provide medical certificates that included a medical diagnosis, a list of treatments received, including prescribed medications that might affect the employee’s ability to work safely, and information about functional limitations. The employer stated that a medical diagnosis was required since the employees often worked long shifts in isolation and undertook duties demanding a combination of strength, agility and attention. It argued that the employer’s occupational health nurse was often in a better position than the employee’s physician to judge whether it was safe for the employee to return to regular duties.

The second reason the employer offered for requiring a medical diagnosis concerned "suspicious absences". The employer reserved the right to require a medical certificate which included a diagnosis from any employee taking sick leave immediately prior to or following vacation leave or during a period when the company had refused a request for time off.

The Commissioner held that while a requirement for medical certificates was appropriate, a physician’s statement that the employee was ill should be sufficient and the employer had not demonstrated to the Commissioner’s satisfaction that it needed to inquire into the nature of the complainant’s illness in order to ensure fitness to resume regular duties. The Commissioner stated that although diagnostic information may be appropriate in some circumstances, it was unnecessary and inappropriate to demand medical diagnosis in this particular case.

Return to Work Certification

In Case Summary #28741 the Assistant Privacy Commissioner held that an employer was entitled to obtain information updating the employee’s medical condition before a return to work in a safety-sensitive position. While the case summary does not set out the specific information requested, the Assistant Commissioner held that the information collected was appropriate in the circumstances. The employer’s purpose was to ensure the safety of the complainant and other workers, and some follow-up information was reasonable given the health problems the complainant had suffered and the fact that he occupied a safety-sensitive position. The Assistant Commissioner held, however, that the manner in which some of the information had been collected (directly from the doctor rather than through the employee) did not comply with the Act.

What is reasonable depends primarily on the purpose for which the employer requires the medical information. Where an employer simply requires verification that an employee was away ill, a doctor’s note is likely sufficient. Where an employee is returning to work and may require accommodation, an employer may be entitled to a full functional assessment and detailed information regarding the expected duration of any functional limitation.

In all cases, medical information must be kept confidential and in a secure location.

Employment References

The reference process involves the collection, use and disclosure of personal information about candidates from third parties.

Obtaining References

Under PIPA, employee personal information includes personal information about an individual that is collected, used or disclosed solely for purposes which are reasonably required to establish the employment relationship. However, the prospective employer must notify the individual that it will be collecting, using and disclosing the personal information and identify the purposes for which the personal information will be collected, used and disclosed.

The Office of the Information and Privacy Commissioner for British Columbia has published "PIPA and the Hiring Process" which includes "Frequently Asked Questions" ("FAQ").42 On the subject of references, the FAQ suggests:

  • at a minimum, a prospective employer is required to notify the applicant that it intends to contact previous employers or conduct background checks;
  • an employer is required to tell the applicant the purpose for which the information will be collected, used and, if relevant, disclosed;
  • the prospective employer must ensure that the information is "reasonably required" for the establishment of the employment relationship; and
  • an employer may assume that an applicant who has listed a reference in a job application or resume has implicitly consented to a prospective employer collecting personal information from the referee which is reasonably related to the job requirements.43

As a further precaution, when notifying the applicant of its intention to collect and use personal information in its reference process, a prospective employer may wish to obtain written consent or include a procedure to note consent in its own records.

Giving References

Giving references is more complicated than obtaining them. A former employer who is asked for a reference is not entitled to disclose personal information without the individual’s consent. The disclosure cannot be made without consent since it is not reasonable for the establishment, management or termination of the employment relationship, which has already ended.

Where a former employer is contacted to provide a reference, it should first confirm with the former employee that the individual consents to a reference being provided. A former employer should not assume that the individual has consented, simply because a prospective employer is seeking a reference. The potential "referee" should either contact the former employee directly or ask the prospective employer to have the applicant make direct contact.

Former employers may also wish to confirm the extent of the consent. An individual may indicate that the referee is free to answer any question posed by the prospective employer or may restrict the referee to providing as little information as dates of employment. Consent to provide a reference may also be sought at the time the employment relationship is terminated. Referees should obtain written consent to provide a reference or note verbal consent in their own records.

Handling the Reference Information

Once the personal information has been collected, used or disclosed in the hiring process, all other requirements of PIPA apply to that information, including:

  • making reasonable efforts to ensure the personal information collected is accurate and complete and making reasonable security arrangements; and
  • retaining information used to make a decision for at least one year after the use so that the individual has a reasonable opportunity to obtain access.

It is important to note that the PIPA provisions concerning access also apply to personal information collected in references. An individual is entitled to:

  • access to the individual’s personal information under the control of the organization;
  • information about the ways in which the individual’s personal information has been and is being used by the organization; and
  • the names of individuals and organizations to whom the personal information has been disclosed.

There are exceptions to the access requirements. An organization must not disclose personal information and other information if:

  • the disclosure could reasonably be expected to threaten the safety or physical or mental health of an individual other than the individual who made the request;
  • the disclosure can reasonably be expected to cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request;
  • the disclosure would reveal personal information about another individual; or
  • the disclosure would reveal the identity of an individual who has provided personal information about another individual and the individual providing the personal information does not consent to disclosure of his or her identity.

If an organization is able to remove the information from a document that contains personal information about the individual who requested it, the organization must provide the individual with access to the personal information after the information is removed.

A reference may be the personal information of both the individual and the referee. The disclosure of the content of a reference may identify the referee, in which case the referee’s consent would be required before disclosure.

Prospective employers need to consider on what terms they will seek references and former employers need to consider on what terms they will give references. Organizations should also adopt a reference policy which includes direction as to who is permitted to give references and ensure those referees understand the requirements of the legislation.

Adapting to the Privacy Culture

Adapting to the new privacy culture requires employers to carefully consider both old and new law and the expectations of employees. The employment and labour law principles that seek to balance employee privacy with operational needs continue to have significant influence and application. But employers also need to overlay the privacy principles enshrined in the privacy legislation that either directly applies to or influences their actions and the expectations of their employees.

Policies and procedures can lead the way in adapting to the new privacy culture. But it takes time, thought and repetition for any organization to develop the reflexes and responses demanded by the law and by our society’s increasing concern with protection of personal information.


1. S.C. 2000, c. 5.

2. See British Columbia’s Personal Information Protection Act, S.B.C. 2003, c. 63 and Alberta’s Personal Information Protection Act S.A. 2003, c. P-6.5. Saskatchewan’s Health Information Protection Act, c. H-0.021 Stats.Sask. 1999, has limited application to private sector businesses which are "health information trustees".

3. PIPA, ss. 13, 16, and 19

4. PIPA, ss. 11, 14, and 17.

5. Eastmond v. Canadian Pacific Railway 2004 FC 852 ["Eastmond"].

6. Eastmond at paras. 177 to 182.

7. R.J. Hoffman Holdings Ltd. (Alberta Information and Privacy Commissioner Investigation Report P2005-IR-004, May 13, 2005). Online: Alberta Information and Privacy Commissioner, ["R.J. Hoffman"].

8. PIPEDA Case Summary #279 "Surveillance of employees at work", [2004] C.P.C.S.F. No. 24 (QL) (Assistant Privacy Commissioner, July 26, 2004). Online: Office of the Privacy Commissioner of Canada (last modified: 29 September 2004).

9. (2003), 123 L.A.C. (4th) 115 (Munroe) ["Pope & Talbot"].

10. Pope & Talbot at para. 35.

11. Parkland Regional Library, Order F2005-003

12. [2003] A.J. No.516, 2003 ABQB 296 ["Milsom"].

13. Milsom: The Court held that poor performance is rarely cause for dismissal and despite the email evidence, Milsom should have only received a warning (at paras. 38, 50).

14. Milsom, at para. 40.

15. Milsom, at para. 46.

16. unreported (November 15, 1999), Doc A-321/99 (B.C. Arb. Bd) (Germaine) at para. 12 ["Camosun"].

17. (2002), 113 L.A.C. (4th) 97 (Price) ["Owens-Corning"].

18. (2003), 116 L.A.C. (4th) 418 (Taylor) ["Briar"].

19. Briar, at para. 59.

20. Briar, at para. 51.

21. Briar. The adjudicator held that the employees had no reasonable expectation of privacy in their work email where the prison had a clear policy against use of the email system for unacceptable purposes and the employees received a warning each time they logged in that the system was monitored in accordance with the policies.

22. Owens-Corning, at para. 78.

23. PIPA, ss. 12, 15, and 18.

24. PIPEDA Case Summary #269 "Employer hires private investigator to conduct video surveillance on employee" [2004] C.P.C.S.F. No. 14 (QL) (Assistant Privacy Commissioner, April 23, 2004). Online: Office of the Privacy Commissioner of Canada, (last modified: 16 June 2004) ["Case Summary #269"].

25. Morgan v. Alta Flight (Charters) Inc. [2005] F.C.J. No. 523 which includes the Commissioner’s finding.

26. (2004), 134 L.A.C. (4th) 372 (Blasina) ["Ebco"]

27. Ebco, p. 9

28. (2005), 143 L.A.C. (4th) 88 (Surdykowski)

29. Alberta PIPA, ss. 14, 17, and 20; B.C. PIPA, ss. 12, 15, and 18.

30. Owens-Corning, at paras. 24, 34-36.

31. Owens-Corning, at para. 77.

32. Owens-Corning, at para. 78.

33. Supra note 11.

34. Criminal Code, R.S.C. 1985, c. C-46, s. 184(1); see also s. 193 which makes it an offence to use or disclose information from intercepted private communications, subject to certain exceptions.

35. Criminal Code, s. 183.

36. Criminal Code, s.184(2)(a).

37. R. v. Lubovac (1989) 101 A.R. 119 (Alta. C.A.).

38. For an extensive discussion of email and Internet monitoring in the workplace, see Charles Morgan (1999) "Employer Monitoring of Employee Electronic Mail and Internet Use", (1999) 44 McGill L.J. 849.

39. PIPEDA Case Summary #257 "Employees objected to corporation’s requirement for medical diagnosis on sick leave certificates" (Privacy Commissioner, Fall, 2003). Online: Office of the Privacy Commissioner of Canada, (last modified: 07 June 2004) ["Case Summary #233"].

40. PIPEDA Case Summary #287 "Request for medical information deemed reasonable, but consent procedures not properly followed" (Privacy Commissioner, January 5, 2005). Online: Office of the Privacy Commissioner of Canada, (last modified: 07 March 2005) ["Case Summary #287"].

41. "PIPA and the Hiring Process" (April 10, 2006). Online: Office of the Information and Privacy Commissioner for British Columbia,

42. FAQ, p. 4.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
