OPC Updates Workplace Privacy Guidelines: What Employers Need To Know

Robins Appleby LLP


Robins Appleby LLP is a trusted and highly regarded law firm focused on helping clients resolve important issues. This is why we take a client-centric approach, striving to gain an intimate understanding of your business, industry and company culture and your personal goals. No matter how complex the issue, our personalized approach, responsive service, strong interpersonal skills and sophisticated legal expertise translate into favourable results in both the boardroom and in the courtroom. The relationship of trust we enjoy with our clients, along with our depth of legal experience and nearly 70 years of acknowledged leadership, experience and integrity leads our clients to rely on us as their businesses develop and expand. We provide a wide range of legal services including: Business Law; Estate & Succession Planning; Litigation; Real Estate; and Tax. Legal services are provided across Canada and internationally through our membership in the Legal Netlink Alliance.
The Office of the Privacy Commissioner of Canada ("OPC") updated its guidance concerning privacy in the workplace and the application of the Personal Information Protection and Electronic Documents Act ("PIPEDA").
Canada Privacy
To print this article, all you need is to be registered or login on Mondaq.com.

The Office of the Privacy Commissioner of Canada ("OPC") updated its guidance concerning privacy in the workplace and the application of the Personal Information Protection and Electronic Documents Act ("PIPEDA"). PIPEDA applies to federal works, undertakings or businesses. It applies to the collection, use and disclosure of personal information in the course of commercial activity and across borders.


  • Removed "balancing" language. The changes removed wording that discussed the need for "balance" between the employer's need for information and the employee's right to privacy. The new guidelines emphasize the specific legal requirements set out under PIPEDA. There are two primary exceptions to PIPEDA's consent requirement applicable to the employment relationship:
    1. Consent is not required where the collection, use or disclosure of employee personal information is necessary in order to establish, manage, or terminate the employment relationship (though the employee must still be notified in accordance with PIPEDA);
    2. Knowledge or consent is not required if the personal information was produced by an individual in the course of their employment, business or profession and the collection, use or disclosure is consistent with the purposes for which the information was produced.
  • No blanket waiver of privacy rights Employers are prohibited from making a loss of privacy a condition of employment. It is crucial for employers to obtain consent in a clear, informed and voluntary manner.
  • Employee monitoring. Employee monitoring should be specific, targeted, and appropriate in the circumstances. Employers should only undertake employee monitoring after an assessment of the privacy risks and any mitigating measures. Such an assessment should establish the necessity of the practice, and consider whether any less intrusive methods would achieve the same purposes.

The guidance also provides the following tips for employers:

  1. Be aware of all legal obligations, including collective agreements and federal and provincial privacy laws.
  2. Assess how the employee information being collected is used and whether this information is employee personal information.
  3. Conduct Privacy Impact Assessments (PIAs) to identify and manage privacy risks.
  4. Assess the purposes of processing employee information. An assessment should take into account:
    1. the sensitivity of the personal information;
    2. whether the organization's purpose represents a legitimate need or bona fide business interest;
    3. whether the collection, use or disclosure would be effective in meeting the need;
    4. whether there are less privacy-invasive means of achieving the same ends at com
    5. whether the loss of privacy is proportional to the benefits gained.
  5. Limit the information being collected to only what is necessary for a stated purpose.
  6. Be transparent about what information you collect, use and disclose by developing open and accessible policies. Employee privacy policies should identify:
    1. what personal information is being collected from employees;
    2. the purpose for which the personal information is being collected;
    3. how the personal information will be collected;
    4. how the information will be used, including potential consequences for employees; and
    5. how long the personal information may be retained
  7. Follow key privacy principles:
    1. Accountability;
    2. Accuracy;
    3. Limiting collection, use, disclosure and retention;
    4. Using appropriate safeguards to protect information;
    5. Being transparent and open about policies
    6. and practices;
    7. Individual access; and
    8. Allowing affected individuals to challenge compliance.
  8. Be aware of inappropriate practices.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More