March 16, 2020
Privacy in the workplace has long been of interest to trade unions. Grievances and complaints have been advanced in response to various employer practices and policies that infringe on private information, including the use of digital surveillance, drug and alcohol testing and the use of biometric data in the workplace. Of growing concern to unions is compliance with their own privacy obligations and legislation. Advancing technologies and changing legislation require unions to understand their own privacy obligations and the manner in which privacy legislation applies to them.
One of the first pieces of privacy legislation enacted in Canada is the Personal Information Protection and Electronic Documents Act or “PIPEDA”. The Federal Government enacted PIPEDA in 2000 to govern the use of personal data in the private sector. The legislation applies to every organization (including a trade union) that collects, uses or discloses personal information in the course of “commercial activities”. Commercial activity is defined as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”. Can the functions carried out by unions ever be caught in the definition of “commercial activity”?
The issue of the application of PIPEDA to union activity was touched on in the context of a complaint against an employer. In PIPEDA Case Summary No. 251, an employee complained that his manager inappropriately collected his personal information by intercepting and reading a fax, which contained a confidential letter that the complainant’s union representative had faxed to another party on his behalf.
A complaint against the employer who read the fax was made to the Privacy Commission. The Privacy Commissioner found jurisdiction to inquire into this complaint because the employer was a transportation company which was a federal work, undertaking or business as defined in PIPEDA. The fax machine in question was located in a common area and the union representative did not use a cover sheet or remain at the fax machine to collect a receipt. When the union representative returned to the machine, he found a manager reading the documents. The manager refused to stop reading despite the union representative’s requests. The Assistant Privacy Commissioner agreed with the employer that some responsibility lay with the union as the union representative should have taken greater care to protect personal information. Given that the union representative did not take full precautions, the Commissioner did not make a finding against the company. Although this complaint was not brought against the Union directly, the case stands as a warning to take precaution when handling sensitive grievor information.
The Privacy Commissioner has not yet ruled on the strict application of PIPEDA to union activity. In PSAC v Bank of Canada, a case concerning an unfair labour practice against the employer for a failure to provide the union with employee information prior to bargaining, the employer actually requested that the Canada Industrial Relations Board rule as to whether the union was subject to PIPEDA. The Board deferred to the Privacy Commission to determine the question of whether representation from a union constituted “commercial activity” within the meaning of PIPEDA. The Board noted that the Privacy Commission could answer this question in the future in the context of a complaint made before that commission by an individual against a union.
Although the application of PIPEDA to trade union activity remains unsettled, PIPEDA sets out privacy principles that should govern the use of sensitive personal information by unions. These principles set out best practices that unions should consider adopting when handling and collecting personal information of their members.
Trade unions, like other organizations, are also assessing how Canadian Anti-Spam Legislation or “CASL” applies to their activities. Although the legislation was first enacted on July 1, 2014, it ignited new interest when the private right of action came into force on July 1, 2017. CASL has been described as the most sweeping anti-spam legislation in the world. It was enacted to target the senders of damaging types of messages including malware. Administrative penalties are breathtakingly high: up to $1 million for individuals and up to $10 million for organizations. The language used in the legislation is very broad and, without clarifying decisions, it is as yet unclear if the legislation captures the activities of trade unions either directly or indirectly.
CASL applies to “commercial electronic messages” that contain language that “encourages participation” in a “commercial activity”. We return to the same question: can unions ever be engaged in “commercial activity”? CASL interprets “commercial activity” broadly to mean anything with a “commercial character”. Does this broad definition capture a union’s organizing activities or servicing duties? Although it remains unlikely that these activities are captured by CASL, the question has not yet been answered by any adjudicators. A union would rightly argue that any interference with organizing or servicing duties infringes freedom of expression, or arguably, freedom of association and the union’s own legal rights and duties.
Regardless of whether privacy related legislation strictly applies to trade union activities, best practices have emerged which can and should be implemented in regards to communication with members and the collection, retention and disclosure of personal information.
PIPEDA sets out privacy principles that should be adopted to protect personal information including:
Accountability: appointing someone who is responsible for personal information under the union’s control
Identifying Purposes: the purpose of collection and use of personal information should be identified at or before the time of its collection
Consent: consent of the person is required for the use or disclosure of their personal information
Limiting Collection: collection must be limited to what is needed
Limiting Use, Disclosure and Retention: personal information can only be used for the purposes for which it was collected
Accuracy: information must be accurate to satisfy purposes for which it was obtained
Safeguards: information must be protected with security measures adequate for the sensitivity of information
Openness: policies related to information must be readily available
Individual Access: an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information
Challenging Compliance: an individual should be able to challenge an organization’s compliance with the principles
To enact best practices for compliance with CASL, unions should consider whether the message sender has express or implied consent before the message is sent and make sure accurate records are kept to prove consent. Unions should also send electronic messages in the proper form which includes the name of the person sending the message, proper contact information and an unsubscribe button.
Although the application of PIPEDA and CASL is unsettled, enacting best practices is always wise policy. As always, if you have questions about privacy legislation and any obligations that arise under this legislation or best practices, please contact Koskie Minsky’s Privacy Law Group.