The Office of the Privacy Commissioner of Canada ("OPC") updated its guidance concerning privacy in the workplace and the application of the Personal Information Protection and Electronic Documents Act ("PIPEDA"). PIPEDA applies to federal works, undertakings or businesses. It applies to the collection, use and disclosure of personal information in the course of commercial activity and across borders.
CHANGES TO THE GUIDELINES:
- Removed "balancing" language. The
changes removed wording that discussed the need for
"balance" between the employer's need for information
and the employee's right to privacy. The new guidelines
emphasize the specific legal requirements set out under PIPEDA.
There are two primary exceptions to PIPEDA's consent
requirement applicable to the employment relationship:
- Consent is not required where the collection, use or disclosure of employee personal information is necessary in order to establish, manage, or terminate the employment relationship (though the employee must still be notified in accordance with PIPEDA);
- Knowledge or consent is not required if the personal information was produced by an individual in the course of their employment, business or profession and the collection, use or disclosure is consistent with the purposes for which the information was produced.
- No blanket waiver of privacy rights Employers are prohibited from making a loss of privacy a condition of employment. It is crucial for employers to obtain consent in a clear, informed and voluntary manner.
- Employee monitoring. Employee monitoring should be specific, targeted, and appropriate in the circumstances. Employers should only undertake employee monitoring after an assessment of the privacy risks and any mitigating measures. Such an assessment should establish the necessity of the practice, and consider whether any less intrusive methods would achieve the same purposes.
The guidance also provides the following tips for employers:
- Be aware of all legal obligations, including collective agreements and federal and provincial privacy laws.
- Assess how the employee information being collected is used and whether this information is employee personal information.
- Conduct Privacy Impact Assessments (PIAs) to identify and manage privacy risks.
- Assess the purposes of processing employee information. An
assessment should take into account:
- the sensitivity of the personal information;
- whether the organization's purpose represents a legitimate need or bona fide business interest;
- whether the collection, use or disclosure would be effective in meeting the need;
- whether there are less privacy-invasive means of achieving the same ends at com
- whether the loss of privacy is proportional to the benefits gained.
- Limit the information being collected to only what is necessary for a stated purpose.
- Be transparent about what information you collect, use and
disclose by developing open and accessible policies. Employee
privacy policies should identify:
- what personal information is being collected from employees;
- the purpose for which the personal information is being collected;
- how the personal information will be collected;
- how the information will be used, including potential consequences for employees; and
- how long the personal information may be retained
- Follow key privacy principles:
- Accountability;
- Accuracy;
- Limiting collection, use, disclosure and retention;
- Using appropriate safeguards to protect information;
- Being transparent and open about policies
- and practices;
- Individual access; and
- Allowing affected individuals to challenge compliance.
- Be aware of inappropriate practices.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.