The most widely read magazine for Canadian lawyers
Issue link: https://digital.canadianlawyermag.com/i/1130923
44 J U N E / J U LY 2 0 1 9 w w w . c a n a d i a n l a w y e r m a g . c o m January 2012, "would provide protection to any citizen in Ontario, including in the workplace context." The Personal Information Protection and Electronic Documents Act, or PIPEDA, is federal legislation enacted in 2000 to protect personal data privacy. It governs how private sector organizations collect, use and disclose personal information in the course of their business, but it applies only to employers in federally regulated sec- tors such as airports and airlines, banks and telecommunications. British Columbia, Alberta and Quebec have enacted privacy leg- islation for provincially regulated, private sector employers. British Columbia and Alberta each has a Personal Information Protection Act, which is underpinned by the principles of PIPEDA but applies to provincially regulated organizations. British Columbia's PIPA came into effect in January 2004 and is modelled on PIPEDA's 10 fair information principles, says Ken- nedy: accountability; identifying purposes; consent; limiting collec- tion; limiting use, disclosure and retention; accuracy; safeguards; openness; individual access; and challenging compliance. "For workplaces, we limit to collecting what's reasonably necessary under the circumstances. Employers must justify why they need that information," she says, adding that "these are common principles throughout Canada." Alberta's PIPA, along with other privacy legislation, "achieves the right balance, erring on the right side of personal information protection and allowing for use of information without consent in express circumstances," says Timothy Mitchell, a labour and employment lawyer at McLennan Ross LLP in Calgary. Even in express circumstances, "those exceptions are pref- aced in terms of whether the deviation considered reasonableness," he says. "The reasonableness test underpins all the legislation; it balances the rights of employer and employees." In Ontario, Bill 14, the Personal Informa- tion Protection Act was introduced and passed second reading in 2018, but it died on the order paper with the change in government. With more Conservative governments across Canada, which are employer-protective, it is unlikely that more restrictions will be placed on employers through provincial pri- vacy workplace legislation, says Stuart Rudner, principal of Rudner Law in Markham, Ont., who practises on both the employer and employee side. We may hear about the massive data breaches, he says, but not the less significant ones, including those of small employers who have "incredible amounts of personal information on their employees." "We fall back on common law," says Rudner. Now that the tort of intrusion upon seclusion exists, an employee might sue for breach of privacy if their private information is disclosed. Yet that doesn't eliminate the need for provincial legislation, says Rudner, although "it's unlikely we'll see that in Ontario in the next three to four years." But even without provincial legislation in place, employees are not without recourse, both in the context of civil suits and labour arbitration, says Brown. "Adjudicators have held employers accountable where they've acted unreasonably or unethically. So, it's not a free-for-all, even without that provincial legislation in place." The Office of the Privacy Commissioner of Canada's guidelines on privacy at work indicate that an employer's need for information should be balanced with an employee's right to privacy. For personal information including pay and benefit records, personnel files, video or audio tapes and records of web browsing, electronic mail and keystrokes, the privacy commissioner outlines what is needed to establish and maintain that balance: • The employer should say what personal information it collects from employees, why it collects it and what it does with it. • Collection, use or disclosure of personal information should normally be done only with an employee's knowledge and consent. • The employer should only collect personal information that's necessary for its stated purpose and collect it by fair and lawful means. • The employer should normally use or disclose personal infor- mation only for the purposes for which it is collected and keep it only as long as it's needed for those purposes, unless it has the employee's consent to do something else with it or is legally required to use or disclose it for other purposes. • Employees' personal information must be accurate, complete and up to date. • Employees should be able to access their personal information and be able to challenge the accuracy and completeness of it. In Alberta, "I think there is a good body of case law flowing out of [the Office of the Privacy and Information Commissioner] regarding the application of the legislation to biometrics to video surveillance in the workplace to surreptitious monitoring of emails and the test that OPIC adheres to is this reasonableness test," says Mitchell. And if a new technology is created to monitor employ- ees' whereabouts in a building? From a privacy perspective, is the legislation robust enough to address this? Mitchell says he believes it is. "It's quite a flexible test." Brave new hiring Privacy issues can also arise before an employee is even hired. According to one U.S. survey conducted in 2017, 70 per cent of employers used social media to screen candidates before hiring, up from 60 per cent in 2016; and three in 10 employers have an employee dedicated to researching candidates' online personae. "Privacy commissioners across the country have commented about the practice of employers looking to social media [accounts] when they're hiring," says Kennedy. Concerns arising from a privacy perspective are a) does the candidate know their account is being monitored, "and have you given them notice you're collecting," information; b) "are you really collecting information that you need in order to make a decision about hiring?" And c) is what an employer sees even reliable? Employers may also start to monitor social media accounts "You don't need to have dates of birth, drivers' licence numbers stored on a hard drive." Stuart Rudner, Rudner Law