New OPC guidance: Privacy in the workplace

On May 29, 2023, the Office of the Privacy Commissioner of Canada (OPC) released new guidance on employee privacy rights in the workplace (the Guidance). The Guidance considers the balance between respecting employee workplace privacy while also recognizing that, under certain circumstances, employers may have a legitimate need to monitor and manage their employees.

Overview

While employers may need to collect certain information about their employees, employees will still have certain privacy rights, even while at work. These rights may be rooted in legislation, collective agreements between employers and unions, human rights laws and tort laws.

This new guidance from the OPC provides meaningful context for employers captured by Canada’s federal privacy laws (PIPEDA and the Privacy Act), and supplements additional OPC guidance on managing personal information, including OPC guidance on obtaining meaningful consent and personal information security safeguards.

Respecting employees’ privacy

The Guidance reinforces cornerstone Canadian privacy-law principles, including those relating to consent, data protection safeguards, data retention programs and employee access rights. In particular, the Guidance provides a list of key privacy considerations for managing employee personal information in the workplace, which includes:

• Limiting collection of employee personal information to only that personal information which is necessary for the purposes identified by the employer.
• Obtaining meaningful consent for the collection, use and disclosure of personal information.
• Using, collecting and disclosing employee personal information only for the purpose for which it was collected and not keeping the personal information for longer than necessary for that purpose without the employee’s consent.
• Providing employees with access to their personal information and the opportunity to challenge and correct the accuracy of their personal information.
• Addressing employee monitoring in the workplace in a way that is reasonable, proportionate and minimally intrusive.
• Deploying physical, organizational and technological safeguards to protect employee personal information from unauthorized access, use or disclosure, including mitigating the risk of employee snooping.

Consent and privacy rights

Employee consent – including the consent to waive certain privacy rights – must be clear, informed and voluntary. Employers should ask employees to consent to explicit, limited and justified collections, uses and disclosures of their personal information. Employers should also inform employees openly and fairly of the result of not providing consent and, where possible, offer alternatives to those employees who do not consent.

Employers should be aware that employee consent to waiving certain privacy rights does not waive the employer’s other legal obligations under privacy laws – including having the legal authority to collect the personal information in the first instance and requirements related to accountability, security safeguards, and limiting collections.

Employee monitoring

The Guidance on employee monitoring mirrors recent legislative requirements in Ontario relating to the electronic monitoring of employees.

• Employers should develop guidelines for how employees will be monitored and how adherence to those guidelines will be enforced.
• Any employee monitoring should be limited to purposes which are specific, targeted and appropriate under the circumstances.
• The means of monitoring should be minimally intrusive while still achieving the overarching goals for monitoring.
• Transparency is “fundamental” – employees should be advised of the purpose, nature, extent and reasons for monitoring, subject to limited and exceptional circumstances.
• Employers should develop guidelines for the retention and disposal of any monitoring data.

Employers should also note that employee access rights extend to information collected for monitoring, meaning appropriate practices should be in place to address access requests, demonstrate compliance and manage complaints.

Tips for employers

1. Be aware of all legal obligations, including collective agreements, privacy laws and other legal areas.
2. Know what information about employees is being collected and used and whether this information is employee personal information.
3. Conduct Privacy Impact Assessments (PIAs) to identify and manage privacy risks to help protect the information you collect.
4. Consider how you manage employee information:
   • How sensitive is the personal information?
   • Is there a legitimate need or business interest that requires collecting, using and disclosing personal information?
   • Is there a less invasive way of achieving your needs?
   • Does the loss of privacy outweigh the benefits gained?
5. Limit what information you collect to only what is necessary for a stated purpose.
6. Be transparent about what information you collect, use and disclose by developing policies that employees are made aware of before the policies are put into practice.
7. Follow key privacy principles:
   • Accountability
   • Accuracy
   • Limiting collection, use, disclosure and retention
   • Using appropriate safeguards to protect information
   • Being transparent and open about policies and practices
   • Individual access
   • Allowing affected individuals to challenge compliance
8. Don’t ask for more information than you are allowed to collect.

Conclusion

The OPC has used this guidance as an opportunity to reassert and reassure employees that they continue to have privacy rights in the workplace. For advice on privacy rights in the workplace or assistance in developing associated policies – including employee monitoring policies – please reach out to the key contacts below.