Privacy Update

By Esther Shainblum

Jun 2023 Charity & NFP Law Update
Published on June 29, 2023


OPC Announces Guidance on Workplace Privacy

As privacy in the workplace continues to be a significant topic in privacy law, the Office of the Privacy Commissioner of Canada (OPC) has released guidance on Privacy in the Workplace (the “Guidance”) of interest to employers governed by the federal Privacy Act and the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Employers who are not governed by federal privacy legislation can also refer to the Guidance as reflecting privacy best practices in the workplace. The Guidance is summarized briefly below.

Employee information can encompass various types of data, including pay and benefit records, attendance reports, personnel files, and electronic records. Privacy obligations extend to current, prospective, and former employees.

Employers have legitimate needs to collect, use, and disclose personal information about their employees, including information necessary for hiring decisions, addressing performance issues, ensuring workplace security, and implementing electronic monitoring and surveillance measures. These needs must be balanced against the privacy interests of employees. In general, among other principles, employers must limit the collection of employee information to what is necessary, obtain meaningful consent when required, and provide transparent notice and policies. Personal information should only be collected, used and disclosed for the purposes for which it was originally collected, and employees have the right to access their personal information, challenge its accuracy, and receive information about its use. Access to employee information should be restricted to those with a legitimate need, and the information should be protected by physical, organizational and technological safeguards against inappropriate access or disclosure, such as “employee snooping”. Measures should be implemented to ensure data accuracy, completeness, and security. Employers should have comprehensive policies and procedures in place that address employee monitoring reasonably and proportionately.

Employers should not mislead employees by suggesting that they have no privacy rights in the workplace, as this contradicts the need for clear and voluntary consent. Instead, employers should seek explicit consent from employees for limited and justified collection, use, and disclosure of personal information, while transparently explaining the consequences of not providing such information. It is important to remember that consent does not override an organization’s other privacy obligations, and individuals cannot consent to their personal information being handled in violation of legal requirements.

When considering employee monitoring, employers must respect privacy rights and ensure that monitoring is limited to specific and appropriate purposes. Privacy risks should be assessed, and measures should be taken to mitigate those risks, such as collecting only necessary information and using the least invasive methods available. Employers should carefully choose monitoring technologies that are effective and suitable for the intended purpose, and establish measures to enforce compliance and monitor adherence to monitoring practices. Transparency is crucial, and employees should be informed about the nature, extent, and reasons for monitoring, as well as any potential consequences. Employers should also establish procedures for addressing employee access requests, privacy compliance challenges, and potential complaints related to monitoring practices.

Here are 8 practical tips for employers to consider when managing employee information:

  1. Understand relevant legal obligations and authorities, including privacy laws, collective agreements, and other applicable laws.
  2. Identify and evaluate the employee information being collected, used, and disclosed, considering its sensitivity and potential privacy risks.
  3. Conduct Privacy Impact Assessments (PIAs) to assess privacy risks and develop risk management strategies.
  4. Test proposed employee management information practices, ensuring that the collection, use, and disclosure of personal information are appropriate and proportional to the purposes.
  5. Limit the collection of personal information to what is necessary and collect it by fair and lawful means.
  6. Be transparent and open with employees about the personal information being collected, used, and disclosed, and develop clear policies to communicate privacy practices.
  7. Respect key privacy principles, including accountability, accuracy of personal information, limiting collection and retention, implementing security safeguards, and providing individuals with access and the ability to challenge compliance.
  8. Be aware of inappropriate practices and “no-go zones” that may infringe on employee privacy, such as requesting access to password-protected social media accounts or engaging in unfair profiling or discriminatory treatment.

Following these tips can help employers navigate privacy obligations and foster a respectful and compliant approach to managing employee information.

Even though charities and not-for-profits may not be subject to PIPEDA or other privacy legislation, they should look to the Guidance as reflecting privacy best practices.

Strict Privacy Provisions Come into Effect in Quebec this September

Law 25, previously Bill 64, “An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information”, was sanctioned (akin to Royal Assent) by the Quebec legislature on September 21, 2021. While some provisions came into effect in September of last year, the bulk of the new law will come into force on September 22, 2023. Unlike the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), which applies to charities and not-for-profits only to the extent that they are engaged in “commercial activities”, Law 25 applies to governments, for-profit and not-for-profit entities. Law 25 will affect not only Quebec-based organizations, but any organization that processes the personal information of Quebec residents.

Law 25 will impose a series of new obligations on organizations processing the personal information of people in Quebec, including mandatory personal information policies, mandatory privacy impact assessments when personal information is communicated outside of Quebec, required provisions within outsourcing agreements, and other changes. Charities and not-for-profits that accept donations from Quebec residents, or that communicate with or provide services to stakeholders in Quebec, will need to comply with these requirements or face potentially severe financial penalties.

The upcoming second wave of Law 25 provisions constitutes the most stringent privacy law in Canada, and charities and not-for-profits that operate in Quebec should be reviewing and revising their privacy practices and privacy policies to ensure that they are compliant with Law 25 and to avoid the risk of incurring substantial monetary penalties.
