The Changing Landscape of Employee Privacy in Canada

As workplaces become increasingly digital and the capabilities of technology rapidly change, employers regularly face new challenges in balancing organizational interests and employee privacy rights. In Canada, this is further complicated by the fact that only a handful of provinces (i.e., Alberta, British Columbia, and Québec) have privacy legislation that applies to their provincially-regulated employers. As the majority of employers are provincially-regulated, this leaves most employers and employees in most Canadian provinces without a definitive legislative framework setting out the rights and responsibilities that apply to employee privacy.

The Federal Personal Information Protection and Electronic Documents Act ("PIPEDA") is the Canadian legislation that specifically governs employers in federally-regulated industries such as banking, telecommunications, and cross-border transportation. In the absence of workplace privacy legislation, provincial employers may also refer to the privacy principles established in PIPEDA as a source of guidelines and direction for approaching matters of employee privacy. PIPEDA currently sets out 10 “fair information principles” that serve as ground rules for the collection, use and disclosure of personal information. The principles are as follows:

1. Accountability: Organizations are responsible for ensuring compliance with respect to personal information in their control. 

2. Identifying Purposes: The purpose of personal information collection must be identified at or before the time of collection.

3. Consent: Collection, use and disclosure of an individual’s personal information requires consent, subject to limited exceptions in specific cases.

4. Limiting Collection: Personal information should be collected only to the extent necessary. 

5. Limiting Use, Disclosure, and Retention: Personal information should be used, disclosed, and retained only to the extent necessary.

6. Accuracy: The accuracy of personal information must be maintained. 

7. Safeguards: Personal information should be secured according to its level of sensitivity.

8. Openness: Organizations should maintain transparent policies on their collection, use, and disclosure of personal information.

9. Individual Access: Individuals must be provided with appropriate access to their personal information. 

10. Challenging Compliance: Individuals must have recourse to challenge an organization’s compliance with these privacy-related obligations. 

    
    

While these longstanding Canadian privacy laws provide useful guidance, they do not always apply to real-life situations in a straightforward way, and may not be well-formulated to anticipate challenges to workplace privacy arising from recent developments in technology. Consider the following examples of employee privacy issues that may arise in a modern workplace:

• An AI-driven employee monitoring program used to track work by remote employees ‘learns’ that an employee’s close family member is attending medical appointments for a serious condition, but the employee did not consent to disclose this information to the employer.

• Predictive AI technology used to track and review employee performance extrapolates from employee behaviour to predict future employee actions such as the potential for resignation or performance issues.

• Biometric tracking software detects that an employee is exhibiting the early signs of an illness that may become debilitating.

  
  

A recent joint resolution Federal, Provincial and Territorial Privacy Commissioners and Ombuds acknowledged gaps in laws dealing with employee privacy in these contexts, and called on employers to apply “principles of reasonableness, necessity, and proportionality”, to recognize “particularly sensitive nature of biometric information” and to “use electronic monitoring tools and AI technologies only for fair and appropriate purposes and only to the extent they are reasonably necessary to manage the employer-employee relationship”.

So long as technology continues to evolve faster than the law can keep up, these scenarios will continue to lack a clear solution and will call for careful navigation by organizations with support from legal and business advisors.