Canada: Balancing Technology And Privacy At Work

Article by Andrea York & Lisa Carty, © 2006, Blake, Cassels & Graydon LLP

Originally published in Blakes Bulletin on Privacy Law, August 2006

The use of biometric technology in the workplace is gaining the interest of many as technology improves and security concerns escalate. However, employers attempting to collect biometric information from employees have been faced with complaints and grievances. Employees and unions may oppose the use of biometrics because of privacy concerns. The recent court and arbitral decisions discussed in this article make it clear that courts and arbitrators find it challenging to balance the privacy rights of employees and the legitimate business needs of employers in applying privacy laws to the employment relationship.

Biometric technology uses an individual’s unique physical attributes, such as a fingerprint or voice, to identify that individual. In most cases, the technology involves scanning the physical attribute, reducing it to digital form and storing it on a system so that it can be used for comparison purposes. Each time the individual wishes to gain access to the place or system protected by the biometric technology, the physical attribute is again scanned and the new scan is compared against the stored sample. If the two match within a preset threshold, the individual is granted access. Among other things, biometrics can now be used in time clocks to verify employee work hours, for security purposes in door locks, and in computer and telephone systems.

In Turner v. Telus Communications Inc. (Telus), four employees launched a complaint under the Personal Information Protection and Electronic Documents Act (PIPEDA) against their employer, Telus. They alleged that Telus had breached PIPEDA by implementing a speech recognition security program. The program required each employee to provide biometric information in the form of a voice print, which would be stored in a digital form and then compared to the employee’s voice when he or she was attempting to access Telus’ systems from a remote location. The speech recognition program was set up for the purpose of protecting customer personal information and other confidential information from unauthorized access by third parties. Since a voice print is unique to an individual, only the employee would be granted access. The program was believed to be more secure than the password system that had previously been in place.

Under PIPEDA, organizations must obtain an individual’s voluntary consent to collect, use and disclose their personal information, except in limited circumstances. The four employees initially complained to the Privacy Commissioner’s office claiming, among other things, that Telus was forcing them to consent to the collection of biometric information contrary to PIPEDA. When that part of the complaint was unsuccessful, the employees applied to the Federal Court for relief. In its decision, the court took into consideration:

ONE. The low degree of sensitivity associated with an individual’s voice and, consequently his or her voice print, as personal information.

TWO. The security measures implemented by Telus to protect the voice print information.

THREE. The bona fide business interests of Telus to protect customer information.

FOUR. The effectiveness of the use of voice prints to meet those objectives.

FIVE. The reasonableness of the collection of voice prints against alternative methods of achieving the same levels of security at comparable cost and with comparable operational benefits.

SIX. The proportionality of the loss of privacy versus the costs and operational benefits in the light of the security that Telus provides.

The court concluded that the collection of the voice print information would be seen by a reasonable person to be appropriate in the circumstances. Turning to the issue of whether Telus had obtained proper consent to collect the biometric information from its employees, the court found that the collection of information fell within an exception to the consent requirement set out in section 7(1)(a) of PIPEDA which states that an organization may collect personal information without the knowledge or consent of the individual if: (a) the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way.

Somewhat surprisingly, the court held that the employees’ continued refusal to consent meant that Telus was unable to obtain consent in a timely way. There was no analysis with respect to why or how the collection of the voice print was clearly in the interests of the employees. The court found that, if the employees continued to withhold their consent to the collection of the voice print information, it was acceptable for Telus to institute disciplinary steps short of termination of employment.

The court was clearly troubled by the fact that the vast majority of Telus employees had already consented to the collection of the voice print information. Despite the plain wording of PIPEDA, the court was loathe to find that Parliament had intended that a small minority of employees should be able to paralyse action by the employer given its business interests in protecting customer information. This decision has been appealed and it will be interesting to see how the Federal Court of Appeal deals with these same issues.

In IKO Industries Ltd. and U.S.W.A., Loc. 8580, a union grieved the planned implementation of finger recognition technology that tracked payroll and attendance information. IKO is a provincially-regulated employer in Ontario. Neither PIPEDA nor any other provincial statute applied to IKO’s attempt to collect fingerprint information from its employees. Nonetheless, the arbitral jurisprudence has long recognized a right to workplace privacy, although this right is not absolute.

In this decision, the arbitrator attempted to balance the business interests of the company against the privacy rights of its employees. The company wished to implement the technology for the purposes of improving the efficiency and accuracy of the time-keeping and payroll systems and to improve security. In evaluating the reasonableness of this purpose, the arbitrator noted that the old swipe card system was equally efficient and accurate. The distinction between the two systems was the "verification" feature of the biometric system, allowing only the appropriate employee to access the system. The evidence clearly proved that the biometric system can rid employers of problems such as "buddy punching" (where one employee punches in or out for another employee who is not at work). However, the arbitrator noted that the company failed to establish the existence of this or other similar problems in its workplace.

In the result, the invasion of privacy was found to be unjustified and the arbitrator held that the biometric technology was not essential to the articulated purposes. Although the court made it clear that this decision should not be read as a general prohibition against biometrics in the workplace, it does indicate that if employers provide insufficient evidence supporting the stated purpose for using the technology, the employees’ privacy interests are likely to prevail in a unionized environment, even when PIPEDA does not apply.

In Canada Safeway Ltd. and United Food and Commercial Workers, Local 401, the union filed a grievance alleging that a hand scanning system, implemented for the purposes of collecting payroll and attendance information, invaded the personal privacy of employees. In this case, the arbitrator held that while employees have a right to privacy in the workplace, this right is limited by considerable business interests and the principle of proportionality must be applied. The more intrusive the impact on employee privacy, the stronger the proposed business rationale must be to justify it. The arbitrator found that the hand scanner collected personal information, but it was only a low level of intrusion as the information was used for verification purposes only and could not be used to identify persons individually.

The employer’s purpose for implementing the technology was to improve its time-keeping and attendance systems. Specific and detailed evidence was presented that the former system of time-card punching was defective because it allowed employee abuse, including evidence of: (i) "buddy punching"; (ii) multiple time-card punching that obscures late entries, and (iii) the use of tape to purposefully deceive the system. The arbitrator accepted the employer’s purposes for implementing the hand scan technology, and concluded that the employer met its onus of justifying the use of the technology, notwithstanding that such a system involves some limited intrusion in employee privacy.

One of the primary objectives of PIPEDA is to protect personal information, and many of its provisions were no doubt prepared with that objective in mind. However, PIPEDA does not differentiate between consumer and employee personal information in the federally-regulated sphere. Telus demonstrates the difficulty that courts have in applying the strict terms of PIPEDA to the employment relationship. In the end, it would appear that the Trial Division decision weakens the consent requirement under PIPEDA and provides a broad interpretation of the exception under s. 7(1)(a). Although the court’s findings certainly have merit in the context of an employment relationship, they might very well be problematic if applied to consumer personal information. It remains to be seen how the Federal Court of Appeal will deal with these issues.

Even where an employer has a legitimate business purpose to implement biometric technology in the workplace, it would be prudent to collect evidence in support of that purpose, and to share information about the biometric technology with employees before implementation. Explaining how information will be secured, and the specific and limited uses of that information, may make employees more likely to accept the new technology without complaint.

In the end, the current state of the law in Canada appears to accept biometric technology in the workplace, so long as it is implemented for a clear business purpose and its necessity is supported by objective evidence.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.