On June 8, 2023, the Office of the Privacy Commissioner of Canada (OPC) released its practical tips for private sector employers regarding privacy in the workplace.
The OPC noted that while employers’ privacy obligations in the workplace may vary from province to province, and even from workplace to workplace (depending on their operations and whether there is a collective agreement in place), there are some common practical tips that every employer can use to create an organizational culture of privacy.
The following are some of the main tips recommended by the OPC:
- Know the applicable legal obligations: be aware of legal obligations under federal or provincial privacy laws, as well as human rights and workplace laws, and any commitments that might apply under collective agreements.
- Map out the information that is collected from employees: ensure that you are aware of whether the pieces of information, either alone or in combination, amount to personal information about the employee. It is important to note that privacy risks and obligations are linked to the sensitivity of the personal information that your organization collects, uses and discloses.
- Conduct a privacy impact assessment (PIA): conduct a PIA to help identify applicable legal requirements and the potential impact your programs and activities will have on employee privacy.
- Test your proposed information management practices: identify all purposes for which you plan to collect, use or disclose personal information. Then consider whether you need the information for a legitimate purpose, and whether there might be a less privacy-invasive way of achieving the same ends.
- Limit collection: collect only the information that you need for a stated purpose, be transparent about how you will use it, and collect it by fair and lawful means. It is important to keep in mind that employee files should only contain necessary information.
- Be transparent and open: employers are advised to create clear policies on practices such as monitoring employee attendance and activities in the workplace, and to communicate the policies to employees before implementing them. These policies should explain why and how the information is being collected and how it will be used, including any potential consequences for employees. The policy should also state how long the information might be retained.
- Respect key privacy principles: even though it might not be necessary to obtain an employee’s consent to collect certain personal information, other obligations to protect privacy continue to apply, such as accountability, accuracy, and individual access. Further, employers are advised to have security safeguards in place that correspond to the sensitivity of the information.
- Be aware of inappropriate practices/no-go zones: in light of the unequal positions of power between employers and employees, there is a risk that employers could ask for more information than they are allowed to collect, and that individuals may feel unduly pressured to provide it. One example would be pressuring employees (or job applicants) to provide you with access to password-protected areas of their social media accounts—this would likely be going too far.
The OPC stated:
“Fostering a workplace culture of respect for employees’ privacy is good for business, because it contributes to morale and mutual trust.”
For further information, see the OPC’s Interpretation Bulletin: Personal Information, the OPC Guidance on inappropriate data practices: Interpretation and application of subsection 5(3), and the OPC guidance on inappropriate data practices.