OPC Updates Workplace Privacy Guidance
July 31, 2023
On May 29, 2023, for the first time in 19 years, the Office of the Privacy Commissioner of Canada (“OPC”) updated its guidance concerning privacy in the workplace and the application of the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The guidance clarifies employee privacy rights, constrains employee monitoring and sets out practical tips for employers on managing personal information.
Generally, PIPEDA applies to federal works, undertakings or businesses. The federal statute applies to the collection, use and disclosure of personal information in the course of commercial activity and across borders. The updated OPC guidance focuses on employers subject to PIPEDA as well as best practices for all employers.
The updated guidance mirrors recent legislative updates in Ontario to the Employment Standards Act concerning electronic monitoring. Employers should develop guidelines for how employees will be monitored and how the policies will be enforced. In accordance with PIPEDA principles, employee monitoring should be limited to purposes which are specific, targeted and appropriate in the circumstances.
The OPC has clarified that although it may be tempting to advise employees or prospective employees that they have no privacy in the workplace, or that the loss of their privacy is a condition of employment, there can be no blanket waiver of privacy rights. Consent must be clear, informed and voluntary. Employees should be asked to consent to explicit, limited, and justified collections, uses, and disclosures of their personal information, while informing them openly and fairly of the impact of not providing the information. Where possible, alternatives should be made available to employees who do not wish to consent.
The guidance provides the following tips for employers:
- Be aware of all legal obligations, including collective agreements and federal and provincial privacy laws
- Map out what employee information is being collected and used and whether this information is employee personal information.
- Conduct Privacy Impact Assessments (PIAs) to identify and manage privacy risks
- Test employee management information practices
- Limit the information collected to only what is necessary for a stated purpose
- Be transparent about what information you collect, use and disclose by developing open and accessible policies
- Follow key privacy principles:
  - Limiting collection, use, disclosure and retention
  - Using appropriate safeguards to protect information
  - Being transparent and open about policies and practices
  - Individual access
  - Allowing affected individuals to challenge compliance
- Be aware of inappropriate practices
Given the unequal positions of power between employers and employees (or potential employees), there is a risk that employers may ask for more information than they are allowed to collect, and that individuals may feel unduly pressured to provide such information. In general, employers should not ask for more information than they are allowed to collect.