Canada: Employers and the Privacy Culture
A Brave New World: Responding to New Privacy Regimes

The privacy culture continues to develop. Concerns about protecting personal information percolated in the 1990’s and most jurisdictions legislated to protect personal information as collected and used by the public sector. For some time, Québec stood alone in imposing obligations on the private sector. Things started to heat up quickly when the federal Personal Information Protection and Electronic Documents Act ("PIPEDA")¹ came into effect in 2001.

More recently, other provinces have legislated to protect personal information in the private sector.² The result – even where there is no provincial private sector legislation and only limited application of PIPEDA – is a growing privacy culture and increasing demands for the protection of personal information.

This paper concentrates on the impact of the privacy culture on employers. There will be many references to British Columbia’s Personal Information Protection Act ("PIPA"). While it only applies to operations in British Columbia, it is instructive for all provincially regulated organizations. It is very similar to the Alberta legislation and it may be seen as a code of conduct that is coming to be expected in our developing privacy culture.

While the privacy legislation contains detailed requirements and exceptions, the key to compliance is understanding the privacy principles and a large body of case law relevant to employee personal information.

The effect of the privacy principles and the application of existing employment law to human resources practice can be seen in the following areas:

• surveillance;

• medical information about employees; and

• employment references.

The ten "privacy principles" apply to most personal information, subject to only limited exceptions:

1. Accountability: Organizations are responsible for all personal information within their control and must implement policies and procedures and train employees to protect personal information.
2. Identifying purposes: Organizations must identify the purposes for which they will collect, use and disclose personal information, including the use and disclosure of previously collected information for a new purpose.
3. Consent: Knowledge and consent are generally required for the collection, use and disclosure of personal information.
4. Limiting collection: The amount and type of information collected must be limited to what is necessary for the identified purposes.
5. Limiting use, disclosure and retention: Personal information can only be used or disclosed for purposes for which it was collected, except with the consent of the individual or as permitted or required by law, and retained only as long as necessary.
6. Accuracy: Personal information used by organizations must be complete, up-to-date and accurate as necessary for the required purposes.
7. Safeguards: Personal information must be protected against loss or theft, as well as unauthorized access, disclosure, copying, use or modification, with safeguards appropriate to its sensitivity.
8. Openness: Organizations must provide information on their information protection policies and practices.
9. Individual access: Individuals have a right of access to their personal information and to challenge its accuracy.
10. Challenging compliance: Individuals have the right to challenge an organization’s compliance with the principles.

In developing policies and implementing procedures and handling personal information on a day-to-day basis, these principles should always be kept in mind.

Section 1 of PIPA defines "personal information" as information about an identifiable individual and includes employee personal information but does not include contact information or work product information.

PIPA recognizes the special nature of the employment relationship and defines "employee personal information" as personal information about an individual that is collected, used or disclosed solely for purposes which are reasonably required to establish, manage or terminate the employment relationship between the organization and the individual, including a volunteer relationship. It is important to note that the definition of "employee personal information" does not include personal information that is not about an individual’s employment.

Under PIPA, an employer may collect, use and disclose employee personal information without the consent of an individual as long as it is reasonable for the purpose of establishing, managing or terminating the employment relationship with that individual. However, the organization must:

1. notify the employee that it will be collecting, using or disclosing employee personal information; and
2. identify the purposes for which the information will be collected, used or disclosed.³

In applying the privacy principles and interpreting personal information and privacy legislation, the concept of reasonableness is key. For example, PIPA states that personal information may be collected, used or disclosed by organizations only for purposes that a reasonable person would consider appropriate in the circumstances.⁴

There are two key questions in the balancing of the privacy interests of employees and the needs of organizations to collect, use and disclose personal information about employees in the course of their operations:

1. Is the purpose reasonable?
2. Is the scope of the collection, use or disclosure reasonable?

The importance of these questions are evident in the consideration of the "when, what, why, how and who" involved in the collection, use and disclosure of personal information about employees.

The law on surveillance of employees, both disclosed and surreptitious, illustrates how the concept of reasonableness is applied.

The law on surveillance of employees remains largely the same as previously developed with respect to video surveillance but the principles are also being applied to the gathering of personal information from computer, email and internet use in the workplace.

Arbitrators and privacy commissioners have considered four factors in their analysis of the reasonableness of surveillance:

1. Is the surveillance necessary for a legitimate or reasonable business interest? Legitimate business interests often include loss prevention and safety or security risks.
2. Is the information collected only that which is necessary to achieve the intended purpose?
3. To what extent is employee privacy affected? Surveillance in production areas or where employees have a reasonable expectation of privacy is usually held to be unreasonable, unless there is a serious, significant business interest at stake. Where employees have a low expectation of privacy, video surveillance may be reasonable for less pressing business purposes.
4. Were alternatives considered and would they be effective? If there are less privacy-intrusive ways of effectively achieving the same purpose, then it may be unreasonable to use video surveillance.

The 2004 decision of the Federal Court in Eastmond v. Canadian Pacific Railway⁵ is a good example of this analysis.

Canadian Pacific Railway installed six digital video surveillance cameras at various locations in its Toronto railyard to reduce vandalism and theft and minimize threats to staff safety. The cameras were fixed, did not zoom and only recorded 48-hour periods. Employees were aware of the cameras, their purpose and locations. Productivity was not monitored.

The Federal Court looked at the why, how, when and where collection takes place and held:

1. Canadian Pacific established that there was a history of vandalism, theft and other security issues in the railyard and preventing it was a reasonable purpose.
2. Surveillance was effective at preventing vandalism, theft and security risks.
3. The loss of privacy was held to be low and proportional to the benefit gained by Canadian Pacific. The images recorded were viewed only upon a reported incident. Information was kept secure and viewed only by the manager or the Canadian Pacific police. The images were recorded in places where the individuals were held to have a low expectation of privacy.
4. Canadian Pacific considered alternatives and demonstrated that, given its extensive operations over a wide area, fencing and security guards were not cost-effective and would be disruptive.⁶

Canadian Pacific’s use of video surveillance was found to be reasonable because its purpose was appropriate and its use reasonably addressed that purpose.

There can be different results when the purpose is different.

In R.J. Hoffman Holdings Ltd.⁷, the Alberta Information and Privacy Commissioner considered whether disclosed surveillance was reasonable for two different purposes under Alberta’s Personal Information Protection Act. The oilfield maintenance company installed eight video surveillance cameras in its truckyard, mechanical shop area and front counter. Their purposes were both safety and security and monitoring employee performance. The cameras had no zoom or pan capability and did not record audio. Only the Operations Manager had access to the video recording.

The video surveillance was found to be justified for the purpose of safety and security but not for the purpose of monitoring employee performance.

The company was able to show that there had been several instances of theft of property and two instances of fire and that since the cameras were in place, there had been no theft or property damage. It was also noted that female employees who typically worked alone at the front counter were usually the only employees in the building. The Commissioner accepted that the cameras were necessary and effective at addressing issues of safety and security.

In determining whether the surveillance was conducted in a reasonable manner, the Alberta Commissioner also referred to arbitral decisions and considered the following facts:

1. the cameras were visible and in plain view;
2. employees were aware of their presence;
3. the cameras were only operational in common areas of the shop and office and not in any employee rest area;
4. the video recording was only accessible by the Operations Manager;
5. the video footage was deleted after 30 days, if no investigation was initiated; and
6. the images were not watched constantly.

But the video surveillance was held not to be reasonable for monitoring employee performance. The Commissioner stated that video surveillance is not usually reasonably required for managing employees and that video surveillance of work productivity has been condemned as diminishing a person’s dignity or privacy. The Commissioner held that it would be difficult for the company to demonstrate that the cameras would be more effective at monitoring employee performance than a well-timed visit from a supervisor.

Federal Privacy Commissioner and arbitral decisions indicate how difficult it can be to justify video surveillance of production areas.

In PIPEDA Case Summary #279⁸, the Assistant Privacy Commissioner considered the reasonableness of using video surveillance to monitor the productivity of employees. An internet service company installed two web cameras which monitored separate employee workspaces. The cameras had no pan or zoom capability, but monitored audio as well as visual images. Notices were posted on the cameras and all employees signed a statement acknowledging they had read and understood the company’s privacy policy which outlined the purposes of the cameras. Most employees were not continuously visible as they worked behind cubicle walls, but approximately half of the technical support staff were in the view of one camera continuously. The video feed was only accessed by managers when they were off-site.

The company relied on the fact that productivity was lower at nights and weekends as one reason to justify the surveillance. The Assistant Commissioner found that the company did not appear open to less privacy-intrusive options to monitor productivity other than by video surveillance, such as appointing other staff members to a supervisory role or modifying the schedules of existing managers. The Assistant Commissioner found that a reasonable person would be unlikely to consider employee productivity as an appropriate reason to use video and audio surveillance in the circumstances and recommended the company remove its cameras from employee workspaces.

In a case from British Columbia, Pope & Talbot Ltd. Harmac Pulp Operations⁹, the arbitrator determined that limited video surveillance of a production area was reasonable. In that case, a camera monitored the unloading of barges at a dock. There were no supervisors at the dock, which was separated from the main operations, and the employees communicated with management by radio. Any delay in unloading the barges resulted in high costs, and the employer suspected that employees may have been deliberately failing to give supervisors advance notice that unloading was to complete, in order to have extra "downtime".

The camera’s use was limited: it was fixed and could not zoom, the employees knew the camera’s field of view and could avoid it on breaks. Only the responsible supervisor could view the images, which were monitored but not recorded. The arbitrator acknowledged the enactment of PIPA, but stated that the Act did not alter the substance of the issues in surveillance cases. Although he held that the camera was used, at least in part, to monitor productivity of employees, the arbitrator found the video surveillance justifiable. The cost of delay, lack of on-site supervision and effective communication with employees made the use of surveillance reasonable to ensure efficient unloading. He held, however, that 24 hour monitoring was not necessary to achieve that purpose. Instead, the arbitrator determined that the camera could be used during emergencies, for 20-minutes at shift changes and periodically during a shift for up to five minutes.¹⁰

Employers can have access to large amounts of personal information about their employees and others from the phones, computers, computer networks, security access cards and other workplace tools provided for business purposes. Active monitoring of the information provided by such tools will be considered a form of surveillance. Similarly, searching through such information may be considered an invasion of privacy by employees and will likely involve the collection, use or disclosure of personal information within the meaning of privacy legislation.

The Alberta Office of the Information and Privacy Commissioner considered a case where the employer secretly installed keystroke logging software on the computer of an information technology employee.¹¹ The employer had concerns about the employee’s productivity and argued that collection of the information was necessary to manage the employee.

The Commissioner determined that, even though almost all the information collected was work-related, it had a personal component because it was used to determine how and how much he worked. The Commissioner was critical of the employer’s failure to take other measures to assess and manage the employee’s productivity, for example by simply asking the employee to account for his time. Then the Commissioner stated that the surreptitious use of keystroke logging software was a form of surveillance and could only be justified if necessary. And to be considered necessary, the employer would have to show that the information needed for managing the employee could not be acquired by a less intrusive method.

A key issue in considering email and internet and other forms of electronic surveillance or information collection is the employee’s expectation of privacy.

In Milsom v. Corporate Computers Inc.¹², the Court held that because there was no email policy in the workplace, an employee had no reasonable expectation of privacy in his work email and the employer was entitled to introduce it as evidence of poor performance.¹³ The Court, referring to decisions of American courts, stated that even where an email policy outlines some employee privacy rights, there may be no reasonable expectation of privacy when the content of emails is unprofessional, offensive or where access by the employer is part of an investigation of illegal activity.¹⁴ An employee may also have no reasonable expectation of privacy, regardless of a policy, if the email is sent and received using corporate assets.¹⁵

In Camosun College¹⁶, the arbitrator also found that the employee had no reasonable expectation of privacy in work email or a chat group for Union members on the employer’s computer network. The arbitrator reasoned that there could be no reasonable expectation of privacy if it was well-known that the message could be easily copied by any subscriber to the email group and forwarded without the knowledge of the sender.

In other cases, such as Owens-Corning Canada Inc.¹⁷ and Briar v. Canada (Treasury Board),¹⁸ it was held that there was no reasonable expectation of privacy in work email because the employees were warned that inappropriate emails were not tolerated and could be subject to monitoring and that discipline might follow a breach of the company standards.

In Briar, several correctional officers working at a prison were given warnings, financial penalties or dismissal for their inappropriate use of work email. The supervisor had received a complaint from another employee about the emails sent by the employees. The employer entered the employees’ email accounts and took note of the emails currently in the Inbox and Outbox. The officers had received and forwarded a number of inappropriate, mostly pornographic emails. The employees claimed that their rights of privacy had been violated.

The Court found that, in the circumstances, the employees had no reasonable expectation of privacy in their work email¹⁹. The prison had repeated its internet policy prohibiting inappropriate email at least five times in six months. The employees were further given a pop-up warning on their screen each time they logged on, informing them of the policy. The judge also found that, at some point, "common sense must prevail"²⁰. Due to the nature of the emails and the fact that the employer is legally required to provide a safe workplace free from harassment, the employees had no reasonable expectation of privacy in their work email.

Under personal information protection legislation, the focus is on the collection, use and disclosure of personal information, not simply private information. While judicial and arbitral decisions are helpful to determine reasonableness by discussing the extent to which employee privacy is affected, the decisions do not generally address the collection of personal information and the obligation of employers to limit their collection and use of personal information. Specifically, case law and arbitral analysis may not address questions of whether the monitoring is reasonably necessary, whether there are alternatives available to the monitoring and the reasonable scope of investigation in the circumstances. All these considerations are key issues under privacy legislation.

Reasonable monitoring under personal information protection legislation should only collect and use information that is necessary to achieve a reasonable business purpose. Reasonableness will also depend on the extent to which the monitoring affects employee privacy rights. While an employee’s reasonable expectation of privacy will likely be diminished at work and using work email, there may remain a reasonable expectation of some privacy in employee email²¹.

The main goal of an email policy is to manage the employees’ expectation of privacy. For example, and email policy should stipulate:

• email, internet and other electronic tools are for business not personal use

• what is considered appropriate business use and inappropriate personal use

• the employer’s ability and occasional need to monitor and the scope of such monitoring.

Further, the policy should be well communicated and regularly publicized (see Briar²²)and its connection with other relevant policies – such as a code of conduct, confidentiality and harassment – should be emphasized.

Unless it is limited by the employer’s express policy, an employee’s reasonable expectation of privacy will likely increase for emails the employee writes during "off-work" hours (for example, during breaks and lunch) and for emails written from a private ISP account. In Owens-Corning, it was not reasonable for the employer to review the employee’s personal webmail account while investigating improper use of work email²³.

Under personal information protection legislation, and like video surveillance, the scope of monitoring must be closely tied to the purpose of monitoring. The employer should collect and use only information necessary to achieve the employer’s purpose. The employer may also have to consider whether there are any reasonable or effective alternatives to surveillance.

Video surveillance of employees at work without consent or notification is permitted under PIPA only if it falls under a "no consent" exception.²⁴ The "investigation exception" provides that personal information may be collected, used or disclosed without consent if it is reasonable for an investigation and it is also reasonable to expect that the accuracy or availability of the information or the investigation itself would be compromised if the individual knew of the surveillance. PIPA contains a specific definition of "investigation" which includes an investigation related to a breach of an agreement.

Most decisions of arbitrators and the Federal Privacy Commissioner focus on surreptitious surveillance in the course of investigations. Such surveillance has been considered reasonable if:

1. There is a substantial problem;
2. There is a strong possibility that surveillance will be effective; and
3. There is no reasonable alternative to surreptitious surveillance.

It is important to note that while these factors are similar to those used to assess disclosed surveillance, a higher threshold must be met when surveillance is surreptitious.

Both the Federal Privacy Commissioner and labour arbitrators in British Columbia have taken a strict approach to surreptitious surveillance and have generally had to be satisfied that there was no other way to ascertain the truth. The circumstances must strongly support the employer’s suspicion and other investigative tools must be unrealistic or unreasonable.

Like many surveillance cases, Case Summary #269²⁵ dealt with an absenteeism problem. The employee reported a number of work-related injuries. The employee continued to work in positions consistent with his reported physical limitations but the employer became suspicious. He was frequently absent and failed to provide the company with updated medical assessments, despite verbal and written requests. An independent medical assessment indicated "non-physical barriers" to returning to work.

The employer commenced surreptitious surveillance. After reviewing videotape showing the employee performing activities that contradicted his claims of incapacity, the employer concluded that the employee was not being truthful. Emphasizing that video surveillance should only be used as a last resort in an employee investigation, the Assistant Privacy Commissioner found that the employer had substantial evidence that the relationship of trust had been broken prior to engaging in surveillance. The employer had "reasonable and probable cause" to believe the employee was violating the employment contract. The employee was uncooperative and the employer was unable to get the information it required in a less privacy-invasive manner. The Assistant Commissioner held that the video surveillance was reasonable but noted that the decision to engage in surreptitious video surveillance of an employee should be made by senior management.

In another case, the Federal Commissioner took a more prescriptive approach.²⁶ The employer had surreptitiously placed an audio recording device in a room as part of an investigation of improper conduct by a particular employee. The room was used by several different people, including the employee under investigation. The Commissioner suggested that such surveillance is only justified where there is substantial evidence of wrongdoing or that the relationship of trust has been broken, where all other investigative means have been exhausted, and where the collection of personal information was limited to the greatest extent possible.

Arbitrators tend to take a more pragmatic approach to reasonableness. In Ebco Metal Finishing²⁷ the employer was not able to have video surveillance evidence admitted in a grievance arbitration. The employees had been fired for theft of time, specifically for not working diligently at the end of their shift when there was no direct supervision.

The arbitrator stated:

Nevertheless, the arbitrator found that the surveillance had been carried out without reasonable warrant and was thus in contravention of PIPA.

In analyzing both the arbitral principles and the reasonableness standard of PIPA, the arbitrator held that reasonableness had to include a consideration of the "sensible presence of other less-intrusive means" to assess productivity. (The arbitrator noted that the employer did not closely examine its own Daily Productivity Sheets, it did not collect other information at its disposal, it did not monitor the employees or have management stay late, and it did not have any constructive discussion with the employees.)

While arbitrators in BC are saying that PIPA has not changed the arbitral law already developed in this area, does the absence of privacy legislation in other jurisdictions have an influence?

The La-Z-Boy Canada Ltd. case ²⁹ is an Ontario arbitration decision about the admission of surreptitious video surveillance evidence of drug use at the workplace. The employer had heard that its employees may have been smoking marijuana at the rear of the building. There were persistent rumours of drug use but it was thought the issue was resolved after various communications and meetings about drug use on company property being unacceptable. Subsequently, the employer’s Human Resources Manager detected the odour of marijuana or hashish in the upholstery area of the plant. It was decided there was still a problem and that surveillance was necessary to determine the culprits. Soon after, the video surveillance detected three employees smoking marijuana on company property.

The arbitrator noted the lack of privacy legislation affecting the employment relationship in Ontario and reviewed the arbitral debate about whether there is a common law right to privacy in Ontario. He decided "there is some right to privacy in Ontario [but] the question of reasonableness of surveillance by an employer only requires an assessment of the nature and extent of the right to privacy in the particular circumstances."

The surveillance evidence was admitted after the arbitrator applied the familiar tests for establishing reasonableness: was the particular surveillance reasonably required in the circumstances and was it carried out in a reasonable and responsible manner with a view to achieving a legitimate management purpose?

In jurisdictions without private sector privacy legislation there is still room for debate about the extent of privacy rights in the workplace. But the La-Z-Boy case appears to be a harbinger that the privacy culture, and the legal principles that go with it, will prevail with or without legislative foundation.

The message for employers across Canada is that surreptitious surveillance should be a last resort in an investigation, where the employer has substantial evidence that the relationship of trust has been broken. Where the employee is uncooperative and the employer cannot obtain information it legitimately requires in a less privacy-invasive manner, surveillance may be reasonable.

An employer may monitor email and Internet use of an employee without notification or consent if it is reasonable for an investigation or falls under another "no consent" exception.³⁰ As with video surveillance, an investigation of an employee’s email or Internet use under PIPA will be reasonable if:

1. there is evidence of wrongdoing on the part of the employee prior to initiating the investigation. Independent evidence in the arbitral jurisprudence commonly takes the form of complaints or observations by coworkers, supervisors or customers;
2. the monitoring is restricted to what is necessary to achieve the employer’s purpose; and
3. there is no reasonable or equally effective alternatives to the surreptitious monitoring.

In Owens-Corning, prior to initiating surveillance, the employer had reason to suspect both a widespread problem within the company of inappropriate email and Internet use by employees, and evidence that the specific employee was using his email and Internet privileges inappropriately³¹.

Owens-Corning also illustrates how an excessive scope of investigation can result in monitoring being held to be unreasonable. In that case, an employee received numerous personal emails into his work email account each day. However, he usually forwarded the personal emails to a personal webmail account and did not send them to anyone inside or outside the company. After learning that the employee had been accessing the Internet using another employee’s ID, the employer began looking at "computer reports" which stated which computer operator visited what internet sites, and for how long.

The employer’s concern was initially one of security. However, the employer had also recently implemented a non-harassment policy in response to a widespread problem of inappropriate emails being sent by employees. After looking at the computer reports, the employer suspected the employee of visiting inappropriate websites. The employer reviewed the employee’s work email and accessed his personal webmail account without his consent. The arbitrator found that while the employee had no reasonable expectation of privacy in his work email, the investigation of his personal webmail account was unreasonable.³² The employee had a reasonable expectation of privacy in his personal email account, which was not connected to his employment.³³

Finally, while there has been little discussion in the jurisprudence of the need to consider alternatives to surreptitious email and internet use monitoring, the analysis is likely to be similar to that for video surveillance, just as it was in the Parkland Regional Library keystroke logging software case.³⁴ The employer should consider alternatives to surreptitious email monitoring and electronic surveillance before beginning such an investigation.

Before monitoring the email use of employees, employers should consider the Criminal Code provisions regarding the interception of private communications. Section 184(1) of the Criminal Code provides that:

A "private communication" is:

Section 184(1) does not apply to a person who has the consent to intercept, express or implied, of the originator of the private communication or of the person intended by the originator thereof to receive it.³⁷ An employer must carefully consider whether it has the appropriate consent.

Email sent at work or from a work email account is likely not "private". Verbal pager messages, for example, have been held not to be private communications because the pager may play the message so that anyone in the vicinity of the recipient can hear it.³⁸

However, even if an employee has no reasonable expectation of privacy in work email, a third party whose personal information is contained in the email or who sends or receives an email from an employee may have a reasonable expectation of privacy in the email message. Any monitoring of computer systems and emails should be reviewed in light of the Criminal Code provisions and relevant case law.³⁹

The handling of employee medical information has always presented challenges for employers. Medical information is considered perhaps the most sensitive personal information in the employment context. Again, arbitral and tribunal case law guides the application of privacy legislation requirements for the collection, use and disclosure of medical information about employees. Reasonableness is a key consideration in determining the scope of employee medical information to which an employer is entitled.

The extent of an employer’s right to medical information about an employee depends on any contractual terms which may provide a right to the employer to require medical information and the purpose for which the employer requires medical information. An employee does not have an absolute right to privacy. An employer can generally require medical information to determine:

• whether an absence from work is justified on the basis of illness or injury;

• whether the employee’s absence meets the eligibility requirements for a particular benefit administered by the employer, such as sick leave or disability benefits;

• the estimated duration of an employee’s absence from work;

• whether there is a disability within the meaning of the Human Rights Code which requires accommodation, and if so, the type of accommodation and the duration of the accommodation; and

• if an employee is fit to be at work (where the employer has reasonable grounds for questioning fitness.)

An employer should consider whether it is necessary to receive medical information directly or whether the information should be sent to the insurer or other benefit administrator. Where an employee requires accommodation, the employee may be required to provide medical information to identify how disability affects the employee’s employment and the nature and extent the accommodation required. In most cases, a diagnosis need not be provided.

Case Summary #257⁴⁰ considered the information required from employees in high risk, safety-sensitive positions. In that case, the employer cited two reasons for requiring a medical diagnosis: the safety-sensitive nature of the complainants’ work and their "at risk" positions.

The employer’s sick leave policy required an employee requesting sick leave to provide medical certificates that included a medical diagnosis, a list of treatments received, including prescribed medications that might affect the employee’s ability to work safely, and information about functional limitations. The employer stated that a medical diagnosis was required since the employees often worked long shifts in isolation and undertook duties demanding a combination of strength, agility and attention. It argued that the employer’s occupational health nurse was often in a better position than the employee’s physician to judge whether it was safe for the employee to return to regular duties.

The second reason the employer offered for requiring a medical diagnosis concerned "suspicious absences". The employer reserved the right to require a medical certificate which included diagnosis from any employee taking sick leave immediately prior to or following vacation leave or during a period when the company had refused a request for time off.

The Commissioner held that while a requirement for medical certificates was appropriate, a physician’s statement that the employee was ill should be sufficient and the employer had not demonstrated to the Commissioner’s satisfaction that it needed to inquire into the nature of the complainant’s illness in order to ensure fitness to resume regular duties. The Commissioner stated that although diagnostic information may be appropriate in some circumstances, it was unnecessary and inappropriate to demand medical diagnosis in this particular case.

In Case Summary #287⁴¹ the Assistant Privacy Commissioner held that an employer was entitled to obtain information updating the employee’s medical condition before a return to work in a safety-sensitive position. While the case summary does not set out the specific information requested, the Assistant Commissioner held that the information collected was appropriate in the circumstances. The employer’s purpose was to ensure the safety of the complainant and other workers and that some follow-up information was reasonable, given the health problems the complainant had suffered and the fact that he occupied a safety-sensitive position. The Assistant Commissioner held, however, that the manner in which some of the information had been collected (directly from the doctor rather than through the employee) did not comply with the Act.

What is reasonable depends primarily on the purpose for which the employer requires the medical information. Where an employer simply requires verification that an employee was away ill, a doctor’s note is likely sufficient. Where an employee is returning to work and may require accommodation, an employer may be entitled to a full functional assessment and detailed information regarding the expected duration of any functional limitation.

In all cases, medical information must be kept confidential and in a secure location.

The reference process involves the collection, use and disclosure of personal information about candidates from third parties.

Under PIPA, employee personal information includes personal information about an individual that is collected, used or disclosed solely for purposes which are reasonably required to establish the employment relationship. However, the prospective employer must notify the individual that it will be collecting, using and disclosing the personal information and identify the purposes for which the personal information will be collected, used and disclosed.

The Office of the Information and Privacy Commissioner for British Columbia has published "PIPA and the Hiring Process" which includes "Frequently Asked Questions" ("FAQ").⁴² On the subject of references, the FAQ suggests:

• at a minimum, a prospective employer is required to notify the applicant that it intends to contact previous employers or conduct background checks;

• an employer is required to tell the applicant the purpose for which the information will be collected, used and, if relevant, disclosed;

• the prospective employer must ensure that the information is "reasonably required" for the establishment of the employment relationship; and

• an employer may assume that an applicant who has listed a reference in a job application or resume has implicitly consented to a prospective employer collecting personal information from the referee which is reasonably related to the job requirements.⁴³

As a further precaution, when notifying the applicant of its intention to collect and use personal information in its reference process, a prospective employer may wish to obtain written consent or include a procedure to note consent in its own records.

Giving references is more complicated than obtaining them. A former employer who is asked for a reference is not entitled to disclose personal information without the individual’s consent. The disclosure cannot be made without consent since it is not reasonable for the establishment, management or termination of the employment relationship, which has already ended.

Where a former employer is contacted to provide a reference, it should first confirm with the former employee that the individual consents to a reference being provided. A former employer should not assume that the individual has consented, simply because a prospective employer is seeking a reference. The potential "referee" should either contact the former employee directly or ask the prospective employer to have the applicant make direct contact.

Former employers may also wish to confirm the extent of the consent. An individual may indicate that the referee is free to answer any question posed by the prospective employer or may restrict the referee to providing as little information as dates of employment. Consent to provide a reference may also be sought at the time the employment relationship is terminated. Referees should obtain written consent to provide a reference or note verbal consent in their own records.

Once the personal information has been collected, used or disclosed in the hiring process, all other requirements of PIPA apply to that information, including:

• making reasonable efforts to ensure the personal information collected is accurate and complete and making reasonable security arrangements; and

• retaining information used to make a decision for at least one year after the use so that the individual has a reasonable opportunity to obtain access.

It is important to note that the PIPA provisions concerning access also apply to personal information collected in references. An individual is entitled to:

• access to the individual’s personal information under the control of the organization;

• information about the ways in which the individual’s personal information has been and is being used by the organization; and

• the names of individuals and organizations to whom the personal information has been disclosed.

There are exceptions to the access requirements. An organization must not disclose personal information and other information if:

• the disclosure could reasonably be expected to threaten the safety or physical or mental health of an individual other than the individual who made the request;

• the disclosure can reasonably be expected to cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request;

• the disclosure would reveal personal information about another individual; or

• the disclosure would reveal the identity of an individual who has provided personal information about another individual and the individual providing the personal information does not consent to disclosure of his or her identity.

If an organization is able to remove the information from a document that contains personal information about the individual who requested it, the organization must provide the individual with access to the personal information after the information is removed.

A reference may be the personal information of both the individual and the referee. The disclosure of the content of a reference may identify referee, in which case, the referee’s consent would be required before disclosure.

Prospective employers need to consider on what terms they will seek references and former employers need to consider on what terms they will give references. Organizations should also adopt a reference policy which includes direction as to who is permitted to give references and ensure those referees understand the requirements of the legislation.

Adapting to the new privacy culture requires employers to carefully consider both old and new law and the expectations of employees. The employment and labour law principles that seek to balance employee privacy with operational needs continue to have significant influence and application. But employers also need to overlay the privacy principles enshrined in the privacy legislation that either directly applies to or influences their actions and the expectations of their employees.

Policies and procedures can lead the way in adapting to the new privacy culture. But it takes time, thought and repetition for any organization to develop the reflexes and responses demanded by the law and by our society’s increasing concern with protection of personal information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.