The Office of the Privacy Commissioner of Canada (the OPC) has updated its Guidance Document on Privacy in the Workplace (the Updated Guidance Document), which was last published in 2004. The Updated Guidance Document is intended to provide all employers with guidelines on privacy issues in the workplace, even though the OPC’s official jurisdiction extends only to certain federal entities and organizations.
Below is a summary of the key takeaways for employers.
Employee Monitoring Must be Reasonable
The most notable guidance relates to employee monitoring. With the advent of remote working, many employers have adopted tools to track and monitor employees for purposes of measuring employee productivity. The OPC expressly supports employee monitoring for legitimate purposes but cautions that it should be reasonable and limited to the purpose for which it is intended.
Where an employer chooses to adopt a monitoring tool, the OPC provides the following guidance:
- Limit employee monitoring to purposes that are specific, targeted, and reasonable, such as measuring productivity or use of company vehicles.
- Tell employees that their activities are being tracked, how it is being tracked, and for what specific purposes it is being tracked.
- Ensure that employee personal information collected through monitoring tools are properly secured and kept confidential.
- If an employee asks to see information relating to their activities, be prepared to provide the information to the employee.
Employees Cannot Waive Privacy Rights
The Updated Guidance Document confirms that employees cannot waive their right to privacy. This means that employers cannot require employees to waive their privacy rights as a condition of their employment. This also means that employees cannot waive their right to provide informed consent before their personal information is collected, used, and disclosed (where applicable). Consent must always be voluntary and based on clear and specific information.
For employers who are subject to privacy legislation that requires consent, we recommend updating employment contracts and privacy policies to ensure that employees are provided with the necessary information to provide informed consent. In particular, privacy policies should be used to confirm the specific purposes for which employee personal information may be collected, used and disclosed, such as payroll and benefits administration.
Key Considerations for Management of Employee Personal Information
The Updated Guidance Document also reaffirms important considerations relating to the management of employee personal information. Most notably, the OPC recommends employment policies to govern the collection, use and disclosure of employee personal information, and recommends that employers be transparent and share these policies with employees. The OPC also cautions that even when consent is not required, employers may still need to provide notice to employees (which is a legal requirement in British Columbia) that their personal information will be collected, used and disclosed, and the purposes for which it will be collected, used and disclosed.
The Updated Guidance Document includes the following eight practical tips for employers to build their workplace privacy policies and procedures:
- Examine all relevant legal obligations and authorities;
- Map out what employee information is being collected, used, and disclosed;
- Conduct Privacy Impact Assessments;
- Test your proposed employee management information practices;
- Limit collection;
- Be transparent and open;
- Respect key privacy principles; and
- Be aware of inappropriate practices/no-go zones.
For a more detailed discussion of each of these tips, please consult the Updated Guidance document here.