Employee Privacy

Employee privacy in private sector organizations other than those that qualify as “federal works” is governed by privacy laws in three provinces (Quebec, Alberta, B.C.) (link).  There are no private sector privacy laws applicable to such employees in the other seven provinces.  Privacy of employees of “federal works” (e.g. banks, telecoms, railways, airlines) is governed by the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).  Employee privacy also may be protected under collective bargaining agreements, the Canadian Charter of Rights and Freedoms and in certain cases by employment contracts.

Public sector employee privacy is governed by the public sector privacy and access legislation, typically in most provinces the Freedom of Information and Protection of Privacy Act and at the federal level, the Privacy Act.

The private sector privacy laws applicable to employees contain substantially the same provisions relating to collection, use and disclosure of employee information as exist for individuals generally under those laws.  Therefore, consent is a required condition for any such handling of the employee information.  However two statutes – the Alberta and British Columbia Personal Information Protection Acts (PIPA) (link) –have special stipulations which permit employee information to be reasonably collected, used or disclosed without consent for purposes of managing an employment (or volunteer) relationship provided that notice is given to the employee.

Under the Quebec private sector privacy law (link), express consent to collection, use and disclosure of employee personal information is required.  Under the federal law, PIPEDA, consent may be express or implied.  In such cases consent typically is found in documents constituting an employee’s employment contract.  However in the case of uses not contemplated by such contracts, separate, new consent documentation may be required.

An employee privacy policy is mandated by the Alberta and B.C.  PIPAs as well as by PIPEDA.  An important utility of an employee privacy policy is to capture an employee’s consent to the collection, use and disclosure of their personal information (as noted, relevant for Quebec employers and federal works) and for uses of personal information that might not otherwise be within the exemption provisions of the Alberta and B.C. PIPAs.  As well, specific uses of employee personal information that may not be covered in any implied or express consent can be addressed in such a policy; examples might be GPS tracking of company vehicles, or an acknowledgement that the employer may access employee mail systems for security and maintenance purposes.  The employee privacy policy also can be used to document an employee’s acknowledgement to comply with an internal policies and procedures relating to personal information held by the organization (e.g. of customers, other employees) and to stipulate disciplinary measures that may be taken in the event of any breach of such rules.  The employee privacy policy also will acknowledge an employee’s right to access to their employment records – subject to any permitted limitations such as confidential information or personal information of other employees.  Finally, it should include contact information/procedures for employees having questions or concerns regarding their information or the organizations policies and procedures.  It is recommended that organizations carrying on business across Canada adopt a uniform employee privacy policy in all provinces whether or not they are subject to provincial privacy legislation.

 Surveillance is a significant issue for employee privacy.  Principles for both overt and covert surveillance have been articulated by privacy commissioners at both the federal and provincial levels, in respect of their applicable legislation, as well as by arbitrators and the courts under collective bargaining agreements.  These principles are the following:

  1. there must be a demonstrable and legitimate need for the surveillance;
  2. the information collected must serve that purpose and have a strong likelihood that it will achieve that purpose;
  3. the loss of privacy resulting from the surveillance must be proportionate to the benefit gained;
  4. an organization must be able to show that it has considered less privacy-invasive measures prior to conducting the covert surveillance;
  5. the information collected must be limited to that necessary for fulfilling the stated purposes.

Collection of employee personal information by surveillance also has been considered by the courts under the Charter’s right to freedom from unreasonable search and seizure.  Collection of such information has been found to be a breach of the Charter right unless clearly recognized (by the employee through relevant employer communications) as related to an activity of which the employee had notice.  An example of such an activity would be employer maintenance of an employee’s computer/email systems.  Where a Charter breach has been found, the relevant information is excluded from evidence unless it admitting does not bring the criminal justice system into dispute (R. v. Cole; B.C. case).