Canadian Internet Policy and Public Interest Clinic (CIPPIC)

• 2.1: About Us
• 2.2: CIPPIC Publications
• 2.3: Action Items
• 2.4: CIPPIC News
• 2.5: Hot Links
• 2.6: Events & Presentations
• Projects and Cases
  • 2.7.1: Consumer Protection Online
  • 2.7.2: Copyright law reform
  • 2.7.3: CreativeCommons.ca
  • 2.7.4: File-Sharing Lawsuits
  • 2.7.5: Identity Theft
  • 2.7.6: Lawful Access
  • 2.7.7: On the Identity Trail Project
  • 2.7.8: Other
  • 2.7.9: Privacy
  • 2.7.10: Spyware
  • 2.7.11: Telecom Policy
• 2.8: FAQs & Resources
  • 2.8.1: Access to Information Laws
  • 2.8.2: ACTA
  • 2.8.3: Behavioural targeting
  • 2.8.4: Bill C-60: Copyright Revision
  • 2.8.5: Bill C-61: Copyright Revision
  • 2.8.6: Biometrics
  • 2.8.7: Broadcast Flag
  • 2.8.8: Copyright Law
  • 2.8.9: Defamation and SLAPPs
  • 2.8.10: Digital Rights Management
  • 2.8.11: Domain Name Disputes
  • 2.8.12: Domain Names
  • 2.8.14: File Sharing
  • 2.8.15: Internet Accessibility
  • 2.8.16: Identity Theft
  • 2.8.17: Internet Censorship in Public Libraries
  • 2.8.18: Lawful Access
  • 2.8.19: National ID Cards
  • 2.8.20: Net Neutrality
  • 2.8.21: Online Anonymity and John Doe lawsuits
  • 2.8.22: Open Source
  • 2.8.23: Podcasting Legal Guide
  • 2.8.24: Privacy
  • 2.8.25: Public Video Surveillance
  • 2.8.26: RFIDs
  • 2.8.27: Social Networking
  • 2.8.28: Spam
  • 2.8.29: Spyware
  • 2.8.30: Trusted Computing

  • Current page is 2.8.31: Workplace Privacy

• 2.9: Support CIPPIC
• 2.10: For Students
• 2.11: uOttawa Law & Technology Program
• 2.12: Contact Us
• 2.13: Privacy Policy

Workplace Privacy

The information provided on this webpage is of a general nature and does not constitute legal advice. Moreover, it addresses only some issues in information privacy, labour and employment law. If you have questions about privacy and your workplace, you should consult a lawyer, your union representative, or the human resources department of the organization you work for. For general information on private sector data protection laws, see CIPPIC’s webpage on Privacy. CIPPIC welcomes feedback and comments on this webpage at cippic@uottawa.ca.

The information on this webpage is current as of May 2007.

---

• Introduction
• F.A.Q.
  
• Resources
  

---

Introduction

The workplace presents particular challenges to individual privacy for a number of reasons, including the power imbalance between employer and employee, the increasing technological capabilities of employers to monitor employee activity, and the strong incentives for employers to collect and use employee personal information for employment-related purposes, enhanced productivity, and reduced liability. Throughout these FAQs, we cite key privacy findings from privacy commissioners, courts and labour arbitrators. Although the findings of privacy commissioners are important in determining legal rights and remedies, they do not always have the same legal consequences as a decision of a court of law. In particular, the federal Privacy Commissioner’s findings under PIPEDA and the federal Privacy Act are not legally binding. In contrast, rulings by the Alberta, B.C., and Quebec Privacy Commissioners do have legal force in those jurisdictions. Privacy commissioner rulings in one jurisdiction are not binding on another. However, findings and decisions by privacy commissioners do carry weight and offer considerable guidance across sectors and jurisdictions when workplace privacy cases arise.

F.A.Q.

•   Do I have a right to privacy in my workplace? 
   ○   What legislation protects public sector workers?
   ○   What legislation protects private sector workers?
   ○   How do I know if my employer is federally regulated?
   ○   How does being unionized affect my privacy rights?
•   What is employee “personal information” under privacy laws?
•   What are my employer’s obligations under privacy statutes?
•   Why does my employer need to collect my personal information?
•   How can my employer collect my information?
•    What information about me can my employer gather?
•   What information about me can my employer disclose?
•   Can I see what personal information my employer has about me?
•   What can I do if my employer has violated my privacy?

 

 

Do I have a right to privacy in my workplace?

Employees have privacy rights vis-a-vis employers, but these rights are not absolute.  Some arbitrators have recognized an inherent right to privacy on the part of individual employees, but this view is not universally accepted.  In any given situation, an employee's right to privacy will be weighed against the employer's legitimate business needs, taking into account such factors as:

• applicable contractual provisions (e.g., in collective agreement or employment contract)
• applicable statutory provisions (varies by jurisdiction)
• reasonableness of the employer's rationale for the activity in question
• reasonableness of the employee's expectation of privacy in the circumstances
• adequacy of notice to employees of general policy that invades privacy
• whether the invasion of privacy is surreptitious (if so, the threshold for justification is higher)
• the nature and extent of privacy loss suffered
• whether there are less invasive means of achieving the employer's goal
• whether the loss of privacy is proportional to the benefit gained thereby.

1. What legislation protects public sector workers?

If you work for the government, a governmental agency, or a public institution such as a school board, university, college, or public library, your personal information is likely protected by public sector privacy legislation. Each government in Canada, federal and provincial, has legislation governing what it can and cannot do with your personal information (see list of legislation below). Municipal employees are regulated by provincial legislation. Saskatchewan, Ontario and Nova Scotia have specific legislation that pertains to municipal workers. These statutes usually list, in a schedule, the agencies and public institutions to which they apply.

Federal Public Sector Privacy Legislation:

Privacy Act, R.S.C., 1985, c. P-21.
Schedule of Federal Government Institutions that are covered by the Privacy Act.

Provincial Public Sector Privacy Legislation:

Alberta: Freedom of Information and Protection of Privacy Act, R.S.A. 2000, c. F-25

British Columbia: Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165.

Manitoba: The Freedom of Information and Protection of Privacy Act, C.C.S.M. c. F175.

New Brunswick: Protection of Personal Information Act, S.N.B. 1998, c. P-19.1.

Newfoundland: Access to Information and Protection of Privacy Act,S.N.L. 2002, c. A-1.1.

Northwest Territories: Access to Information and Protection of Privacy Act, S.N.W.T. 1994, c. 20.

Nova Scotia: Freedom of Information and Protection of Privacy Act, S.N.S. 1993, c. 5, and Part XX of the Municipal Government Act.

Nunavut: Access to Information and Protection of Privacy Act,R.S .N.W.T. 1994, c. 20.

Ontario: Freedom of Information and Protection of Privacy Act, R.S.O. 1990, F.31, and Municipal Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. M.56.

Prince Edward Island: Freedom of Information and Protection of Privacy Act, R.S.P.E.I. 2001, c. F-15.01.

Quebec: An Act respecting access to documents held by public bodies and the protection of personal information, R.S.Q., c. A-2.1.

Saskatchewan: Freedom of Information and Protection of Privacy Act, S.S. 1990-91, c. F-22.01 and The Local Authority Freedom of Information and Protection of Privacy Act, S.S. 1990-91, c. L-27.1.

Yukon: Access to Information and Protection of Privacy Act, R.S.Y. 2002, c. 1.

Public sector employers are also subject to the Canadian Charter of Rights and Freedoms, which includes guarantees against "unreasonable search and seizure", subject to "such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society".  While there is no right to privacy per se in the Charter, the Supreme Court has found that section 8's freedom from unreasonable search and seizure is based on individual's "reasonable expectations of privacy".Both public and private sector employers are subject to Human Rights legislation, which applies to such privacy issues as mandatory drug and alcohol testing of employees.  Each jurisdiction (federal, provincial, territorial) has its own human rights legislation.

2. What legislation protects private sector employees?

The personal information of private sector workers is not uniformly covered by privacy legislation across Canada. As of March 2007, only those companies that are federally regulated or provincially regulated in Alberta, B.C., or Quebec, are subject to data protection laws in Canada. Federally regulated employers are subject to the Personal Information Protection and Electronic Documents Act, R.S.C. 2000, c.5 (PIPEDA), while employers in Alberta, B.C., and Quebec are subject to those province's data protection laws (see list of legislation below). The private sector privacy legislation in Alberta and B.C. contain specific provisions that define “employee personal information.”

Private sector employers are also subject to Human Rights legislation, which applies to such privacy issues as mandatory drug and alcohol testing of employees.  Each jurisdiction (federal, provincial, territorial) has its own human rights legislation.

As in the case of public sector employees, unionized workers in the private sector may have further protection by way of provisions in their collective agreements. Individual employment contracts may also contain provisions that protect employee privacy.

Private Sector  Privacy Legislation:

Federal: Personal Information Protection and Electronic Documents Act, R.S.C. 2000, c.5 (PIPEDA),

Alberta: Personal Information Protection Act, S.A. 2003, c. P-6.5.

British Columbia: Personal Information Protection Act, S.B.C. 2003, c. 63.

Quebec: Civil Code of Québec, S.Q., 1991, c. 64, articles 35 to 41 and 1525 and An Act Respecting the Protection of Personal Information in the Private Sector, R.S.Q., c.P-39.1.

 

3. How do I know if my employer is federally regulated?

If you work in an industry that is regulated by the federal government, you work for a federally regulated employer. Examples of federally regulated employers are:

•   chartered banks;
•   buses and railway companies that travel between provinces;
•   airline companies;
•   employers involved in maritime navigation and shipping such as port authorities and long shoring companies;
•   TV and radio stations;
•   certain mining companies;
•   the nuclear energy sector;
•   telephone and cable companies;
•   local businesses in the Yukon, Nunavut, and the Northwest Territory. In these areas, all private sector activity is regulated by federal laws.

These particular industries are governed by the federal government and not the provinces. This division of powers between the federal government and the provinces is set out in sections 91 and 92 of the Constitution Act, 1867. PIPEDA also sets out, in section 2(1), a list of “federal works, undertakings and businesses.” For more information, see the Federal Privacy Commissioner’s Fact Sheet on the Application of PIPEDA to Employee Records.

4. How does being unionized affect my privacy rights?

Unionized employees may have an additional measure of privacy protection in the workplace through provisions in the collective agreements govern the terms and conditions of their employment. Some unions have been successful in advancing their members’ privacy interests even where such interests are not explicitly protected in legislation or collective agreements. In a number of cases, unions have been able to prove that an employer encroached on a worker’s privacy by violating the general duty of fairness and the duty to act in good faith. Arbitral jurisprudence has supported employee privacy interests in cases where an employer requested unnecessary personal information, improperly shared personal information within the workplace, or inappropriately disclosed personal information to a third party. Generally, the more sensitive the personal information being handled by an employer, the greater scrutiny it will attract.

Q. What is employee “personal information” under privacy laws?

Privacy legislation in Canada protects “personal information.” “Personal information” is defined in most privacy laws as information about an identifiable individual. Personal information therefore includes your SIN, employee number, date of birth, home/personal telephone number and address, salary, performance appraisals and discipline records, and medical information. However, employment-related information is exempted from the definition of “personal information” in some statutes. Thus, not all information that relates to an employee is necessarily considered that employee’s “personal information” for the purposes of privacy legislation.

For example, under the federal Privacy Act, information that relates to an employee’s position or that is collected, used and shared within a business or professional context is not considered to be “personal information” under the Act and does not, therefore, benefit from the protections granted by the Act. In general, information such as an employee’s work product, materials or other information generated in the course of employment would not constitute employee “personal information.” Nor is an employee’s name, position, business address and business telephone number considered personal information.

Under PIPEDA, an employee's name, title, business address or telephone number are not considered personal information. However, the Federal Privacy Commissioner has found that an employee’s work e-mail address is “personal information” under PIPEDA.

Alberta’s Personal Information Protection Act and B.C.’s Personal Information Protection Act contain definitions of “employee personal information,” which is treated differently from “personal information” outside the employment context. Alberta’s statute contains a comprehensive definition that defines “employee personal information” as personal information about an individual who is an employee or a prospective employee that is “reasonably required by an organization…for the purposes of establishing, managing or terminating an employment relationship or a volunteer work relationship between the organization and the individual but does not include personal information about the individual that is unrelated to the relationship.”

In some cases, information about the classification, salary range, the provision of discretionary benefits or expense claims and responsibilities of the position held by an individual are routinely disclosed to a Board of Directors or reported to the public. In these circumstances, employers do not normally require employee consent, although it is considered good practice to notify employees beforehand that such a disclosure will take place.

Q. What are my employer’s obligations under privacy statutes?

Privacy legislation in Canada generally provides that employers must collect, use and disclose personal information with employee consent. Consent is usually given expressly, either in writing or verbally. Highly sensitive data, such as health or medical information, normally requires express consent to collect, use, or disclose.

Consent can be implied for certain categories of personal information in order to facilitate the administration of the employer-employee relationship. For example, an employer may have to disclose your SIN, banking information and address to a payroll administrator in order for you to get paid. Some workplace investigations concerning disciplinary issues may not require explicit consent during the investigatory phase.

Data protection legislation provides employees with the right to access personal information held by their employer, and the right to request corrections to those holdings. Employers are obligated to:

•   safeguard employee personal information;
•   appoint a privacy officer within the organization to handle disputes;
•   respond to complaints and requests to access personal information within a certain amount of time; and
•   direct dissatisfied complainants to the appropriate Privacy Commissioner’s Office.

The federal private sector statute, PIPEDA, contains 10 Principles of Personal Information Protection. These principles are generally reflected, in various ways and to varying degrees, in privacy legislation across Canada.

Next Page

---

See more resources

 

This page last updated: October 1st, 2007

This webpage was researched and drafted by Louisa Garib, LL.M., and edited by CIPPIC 2007 summer intern Janet Lo.

 

 

 

Print this page

Home » FAQs & Resources » Workplace Privacy