By Melissa Campeau
In 2008, Colleen Colwell discovered a camera hidden in the ceiling of her private office at Cornerstone Properties Inc. in London, Ont. Her boss claimed he installed it because he suspected maintenance staff of theft. Colwell sued the company – and won, but not on the grounds you might think.
The judge noted that Colwell didn’t have a legal right to expect privacy in the workplace (a more recent ruling on another case took a different stand, however), so her boss hadn’t done anything illegal by installing a camera. However, the judge noted that employees could reasonably expect their employers to treat them in good faith.
The secret camera, placed without consent or a particularly good reason, contributed to a poisoned workplace, so the court awarded Colwell damages for constructive dismissal.
While placing a hidden camera in an employee’s office is extreme, the case illustrates just how much there is to know about privacy law in Canada. And there are also some serious consequences for organizations that don’t do their homework.
The rule of many laws
Since the 2008 Colwell case, the privacy landscape in Canada has evolved. What an employer can and can’t do with respect to employee surveillance depends, at least in part, on what kind of business you’re in and where you’re located. Many employers are subject to specific privacy laws that regulate and restrict how and if employers deal with their employees’ personal information, but in Canada, there’s no one privacy law that applies to every organization. Instead, there’s a complex network of regulations.
Federal government institutions are subject to the Privacy Act. Nationally, there’s the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to federally regulated private sector businesses, except in Alberta, B.C. and Quebec, where substantially similar provincial privacy laws apply instead. Ontario, New Brunswick and Newfoundland and Labrador each have provincial privacy legislation that applies to health care information. And then there are all the businesses that don’t fall under any of those umbrellas.
“In the gap space, we’re in an interesting environment because that’s where other legislation might fall into play,” said Patrizia Piccolo, partner at Rubin Thomlinson LLP in Toronto, “such as Human Rights legislation and the common law and case law.” The Criminal Code of Canada can become an important element as well, when dealing with such privacy-related offences as intercepting a private communication without consent.
Every organization should investigate which, if any, privacy acts it falls under. Beyond that, common sense and smart business practices should rule.
“It’s important to realize that even if PIPEDA doesn’t strictly apply to employee records held by your organization, employers should still be taking steps to respect privacy,” said Lisa Bolton, a lawyer with Sherrard Kuzz LLP in Toronto.
Common sense should rule, in other words – no one is going to open up their payroll info just because there’s no legislation specifying that they can’t.
Can employers collect employee info?
Amid all of those privacy regulations, there are some common basics that apply to any employer. For starters, “information” includes such things as birth date, income, address, medical history, religion, political affiliations, education, others’ opinions about the employee and visual images including photographs and videos where the employee is identifiable. Typically, web history and email content would be included in this list as well.
According to the Office of the Privacy Commissioner of Canada, PIPEDA and the provincial privacy laws in B.C. and Alberta share an important principal: “An organization may collect, use or disclose information for a purpose that a reasonable person would consider appropriate in the circumstances.” The Privacy Commissioner also proposes the following questions to help assess whether the monitoring is legitimate: Is it necessary? Will it be effective? Is the loss of privacy proportional to the benefit gained? Is there a less invasive way of achieving the same end?
Employers also need employee consent to gather and disclose the information (with some exceptions) and they need to make the “why” of the collection clear, ahead of time. The data should be kept on hand only as long as necessary and be kept safe during that time. Most important, corporate privacy policies need to be accessible and understood by all employees.
The balancing act
Despite all of this, employees are still legally entitled to at least some degree of privacy. In 2012, a Supreme Court of Canada decision stated, “Canadians can reasonably expect privacy in the information contained on [company] computers, where personal use is permitted or reasonably expected.”
It comes down to a careful give and take. While employees can expect some confidentiality when it comes to what they do while they’re at work, employers still have a right to make sure their laptops, cell phones and office hours aren’t being misused. The middle ground can be found where organizations clearly map out their expectations.
“For employers, this underscores the importance of a direct and understood privacy policy,” said Piccolo. “Companies who wish to monitor their employees’ use of technology will want to spell this out explicitly and state it publicly.”
An organization might advise employees that their emails and web history will be routinely monitored to ensure productivity. Or staff members might be told that the organization allows web browsing for personal use only during lunch breaks, for example.
To ensure employees have either a very low expectation – or no expectation at all – of privacy when it comes to information stored on a work device, Piccolo points out that some organizations implement an absolute prohibition on non-work related Internet use, blocking access to certain websites used mainly for personal reasons and creating network architecture that prevents employees from saving information in non-public folders. In addition to managing expectations, this also reduces the need to constantly monitor employees’ web use.
Physical privacy
Policy and prohibition measures, as well as PIPEDA and other privacy acts, deal with the safeguarding of information, but there’s also the issue of privacy of physical spaces and documents. If an employer decides it’s necessary to conduct a search of a particular workspace, for example, some guidelines should be followed.
“For searches of this nature, you’ve got to be careful because the Criminal Code comes into play. What you’re doing could be an unauthorized search,” said Piccolo. “To counter this, you can create a policy that makes it very clear that these physical searches will be conducted from time to time, with reasonable cause.”
No-fly zones
Despite an employer’s right to basic information about an employee, some details will always remain off limits.
“Things like marital status, race, religion sexual orientation – those are good examples of information an employer doesn’t need,” said Bolton. When an employer has knowledge of this kind of information, it can lay the groundwork for a human rights complaint in the future if an employee feels any of those details have been the cause of unfair treatment.
An excess of information about an employee’s medical condition, too, can be a problem for an organization.
“An employer can ask about medical information in the context of returning someone to work following illness or injury or to substantiate an illness for someone off work,” said Bolton. “But this should be limited to information about the prognosis or any restrictions necessary to perform work when they come back.”
A manager doesn’t need to know, for example, that an employee has a specific mental illness. She only needs to know how the employee’s condition will affect his ability to perform his work and whether any accommodations need to be made. Steering clear of unnecessary detail means a less complicated path for everyone if decisions about promotions, layoffs or reorganization are made down the road.
Social media
Social media can be another danger zone for employers. While it’s now fairly common practice for an organization to review a candidate’s online presence before hiring or offering a promotion, legal experts recommend caution. While some might argue there’s nothing private about a person’s public Facebook page or Twitter feed, an employer may unintentionally discover personal information that’s not relevant, but could be problematic.
“It’s okay to research social media,” said Bolton, “but you want to create a screen.” She suggests managers assign someone else – a person with no hiring authority – to collect only the relevant information from the social media sites. “Otherwise you may have a very difficult time proving that inappropriate personal information didn’t come into play.”
Challenges of BYOD
“One of the biggest blurry areas we’re seeing now, with respect to privacy issues, is the use of cell phones and other personal devices,” said Bolton, who notes a large number of companies are either giving in to employee requests to use personal cell phones for work or, in an effort to save on costs, asking employees to use their own mobile devices. This makes monitoring information significantly more difficult for an employer.
“If an organization is going to go that route, they need a bring-your-own-device (BYOD) policy,” said Bolton, although this still doesn’t get around the fact that it’s potentially more difficult to compel an employee to surrender his own device for review or to have company information removed at the end of an employment period. “With BYOD, the employer is definitely at a disadvantage when it comes to protecting information.”
Take the time to audit
Whether you’re dealing with BYOD technology, social media or medical information, there are a lot moving pieces to consider when establishing a corporate privacy policy. To ensure your policy is relevant and up to date, or to begin developing one in the first place, Bolton suggests a periodic self-audit. When looking at how your organization manages employee information, consider how you establish consent, identify purpose and choose your method of collection. Once you have the information, how do you keep it secure and destroy it safely when you’re done with it?
“If you’ve done a self audit, then you can determine where the weaknesses and vulnerabilities are and plot the steps required to fix them,” said Bolton.
SUBHEAD: How to handle a complaint
Part of that planning should also include preparing for the worst. If you assume a breach will happen, then you can outline exactly what needs to be done well in advance of an actual emergency.
“Privacy complaints should be taken seriously, regardless of whether PIPEDA applies or not,” said Piccolo. “The organization should first conduct an investigation to determine if there has been a breach of privacy and then establish what should be done in response.” The Office of the Privacy Commissioner of Canada’s website offers protocols to follow in the case of a breach, including containment, evaluation of risk, notification and prevention of future breaches.
Culture of respect
Establishing a company’s privacy policies and protocols is a careful balance between the expectations of the employee and the needs of the employer. They’re both necessary in a healthy work environment, and both are supported by law, to a reasonable degree.
How an organization treats its employees’ information is a reflection of values and culture.
“What happens in the workplace – including whether privacy is respected – can have a profound effect on employees’ sense of dignity, their sense of freedom and their sense of autonomy,” said Jennifer Stoddart, during her term as Canada’s Privacy Commissioner from 2003 to 2013.
Clearly, excessive measures like hidden cameras in employees’ offices are a big step in the wrong direction when it comes to privacy in the workplace. But a reasoned and well-communicated privacy policy – designed to protect employees’ interests as much as employers’ – can go a long way to supporting a corporate culture that’s built on trust and respect.