The new rules of workplace privacy
By Sheldon Gordon
Privacy legislation is coming to the private sector, whether enacted provincially or under the federal umbrella. Employers will soon face an entire legal regime intended to protect employee information — and many companies don’t even know what’s about to hit them.
• A railway worker says his employer installed digital video cameras in the railyard to record employees’ actions without their consent.
• A courier complains that her employer placed employees’ SIN numbers on United Way pledge forms — a purpose to which they had not consented.
• Two airport employees maintain that the airport authority refused to disclose its evaluations of how they scored in a job competition they lost.
All these complaints were lodged in the past two years with the Privacy Commissioner of Canada — and all were upheld, under the federal Personal Information Protection and Electronic Documents Act (PIPEDA). Welcome to the new world of workplace privacy.
“Privacy legislation has a retroactive aspect — there’s no ‘grandfathering’ of legacy information.” Susan Dumont, Privacy Matters Consulting, Calgary
Until now, PIPEDA has applied only to federally regulated organizations such as banks, railways, airlines and telecom carriers. As of January 1, 2004, however, the federal Act will also apply to provincially regulated organizations in provinces that don’t have privacy legislation "substantially similar" to PIPEDA.
Quebec, which in 1994 passed La Loi sur la protection des renseignements personnels dans le secteur privé (An Act Respecting the Protection of Personal Information in the Private Sector), is the only province that currently has such legislation. British Columbia and Alberta have just introduced privacy laws as well. Ontario has drafted a privacy bill twice in the past two years, but has withdrawn it both times.
Where there is no provincial privacy law, PIPEDA will occupy the field, says British Columbia Privacy Commissioner David Loukidelis. "But it will only cover provincially regulated firms to the extent that they are selling their employees’ information as part of a commercial transaction."
If provinces do adopt their own privacy laws, the statutes will have to emulate PIPEDA, which means the following obligations would be imposed upon the private sector:
• employers can only gather and record employee information required for "legitimate purposes" (that is, "purposes that a reasonable person would consider are appropriate in the circumstances");
• employees must give informed consent to the use of such information where the need for employee information is not driven by a legal requirement (e.g., the SIN number for statutory deduction of income at source);
• "informed consent" means employees must be told the purpose for which the employer is recording, using and distributing the information;
• if employee consent is required, employers may only collect, use and disclose the information for the purposes to which employees have consented; and
• employees have a right of access to the personal information in their files.
Steps to compliance
Provincially regulated companies will soon face the same challenge that has confronted federally regulated firms in adapting to privacy legislation. Most large corporations either have, or will appoint, a privacy manager (sometimes called Chief Privacy Officer) to oversee compliance.
In those companies that don’t have such an official in place, responsibility will be "all over the map," says Susan Dumont, a Calgary-based lawyer who runs the consultancy Privacy Matters. "It’s generally lodged with Human Resources, or it can be Legal or the IT Group, usually at a fairly senior level," she says.
Dumont, who was formerly privacy manager at Canadian Pacific Railway, describes how privacy bosses responded to PIPEDA: "What they did was examine the current personal information systems within their corporations, determine where personal information was stored, and determine who used the information, who had access. Around that ‘gap analysis,’ you would develop policy and procedures."
Making a company compliant with privacy law is a time-intensive process, warns Dumont. "Each time you have a project that involves personal information, you have to analyze the project and determine what are the purposes for which you’re collecting information," she says. "You then have to inform the individuals why you’re collecting it. So it’s an ongoing effort."
Companies that have a large workforce with much historical data face a special predicament. "Privacy legislation is different than most legislation, in that it has a retroactive aspect," Dumont observes. "There’s no ‘grandfathering’ of ‘legacy information.’" Therefore, a firm with employee files that are 10 or 15 years old must make sure those, too, comply with the new legislation.
Not surprisingly, small and medium-sized businesses are least aware of, and least equipped to meet, the new privacy requirements. Consider, for example, employee health data.
Large companies have medical departments that segregate such data from the human-resource or payroll files on employees. Managers are entitled to know, for example, when a disabled employee is fit to return to work — but not the diagnosis or prognosis; that has to be kept separate. The smaller the company, the more difficult that becomes.
Although no organizations are likely to be exempt from privacy legislation, regardless of their size, Dumont believes that provincial privacy commissioners will consider size when they investigate complaints. "A small company will be expected to protect personal information, but it will probably not be put to the same rigours [as a large one] by the ‘reasonableness’ or ‘appropriateness’ test that a provincial privacy commissioner applies," she says.
Monitoring employees
To date, the issue of workplace privacy has mostly come to the fore in cases involving the Internet. Office workers have found themselves reprimanded or even fired after employers have monitored the e-mails they’ve sent or the Websites they’ve surfed at the office.
David Young, a partner with Lang Michener in Toronto, says that before privacy legislation, an employer had the legal right to monitor a worker’s e-mail use and Internet viewing — without consent or even giving notice — because the worker was using the employer’s equipment.
"The employer has the right to protect the business from liabilities that could be created through misuse of the equipment," explains Young. "The domain name on an e-mail represents the company to the world, so what is said in those communications could bring liability on the company through, say, libelous statements or entry into contracts that are unauthorized."
Under the emerging privacy laws, however, "personal information" includes the content of an employee’s online communications. Thus, monitoring such communications will require the employee’s consent. This should present no problem, Young says. "Employers may require an employee’s consent as a condition of employment, provided that such policies are ‘reasonable in the circumstances.’"
If an employer doesn’t already have such a policy, Young recommends that the employer adopt one, provide copies to their employees, and notify them that "your continued employment will be taken as consenting to this policy."
However, he acknowledges that the federal Privacy Commissioner has "limited tolerance" for employee surveillance. "He basically says you’ve got to have some real suspicion or concern, or that it must be the nature of the business."
When it comes to video surveillance, "PIPEDA imposes additional obligations on employers," says Laura Williams, a partner at Crawford, Chondon & Andree in Toronto. "Previously, arbitrators determined whether videotape recordings were admissible evidence upon which an employer could rely to discipline an employee, or whether management was exceeding the scope of its authority under the management rights clause of a collective agreement."
Now, under PIPEDA, the issue is not whether an employer can use the fruits of video surveillance, but whether the employer is entitled to conduct surveillance at all, says Williams. The employer now must show it has obtained the consent of the employee for such surveillance — with certain exceptions provided under the Act.
"You could be exempt from the requirement for consent," she suggests, "if you need to use video surveillance to investigate whether there has been a breach of a collective agreement or an employment agreement."
In the case of the railway accused of conducting video surveillance without employee consent, the employer contended that the surveillance was needed to prevent incidents of vandalism at the railyard. But the Privacy Commissioner found that the incidents of vandalism were relatively minor, with the most significant damage occurring to the cameras themselves. He ruled that the railway "had not demonstrated a real, specific problem, only the potential for one."
Even if the Commissioner had confirmed a "real, specific problem," he might still have concluded that less intrusive means were available to address it, says Williams. The Commissioner, she notes, has devised a four-point test:
• Is the measure demonstrably necessary to meet a specific need?
• Is it likely to be effective in meeting that need?
• Is the loss of privacy proportional to the benefit gained?
• Is there a less privacy-invasive way of achieving the same end?
Medical data
Issues of consent and disclosure can be especially problematic with regard to employee health data. A good rule of thumb: the more sensitive the information, the more explicit the consent required.
If an employee gives his bank-account number to the employer for direct-deposit of his wages, says David Loukidelis, "you’re not going to go back to the employee every week to say you need that information and why. It’s implicit. But if the employee is making a disability claim, it should be clearly stated on the form that this will go to the medical department, but not to the manager."
Loukidelis says the company must ask: "‘To whom can we properly disclose this employee’s medical information, and for what purposes?’ It’s often assumed that the person at the top of the pyramid gets to see everything for whatever purpose, but it’s not necessarily so. It doesn’t follow that the CEO needs to know all of that stuff if Human Resources can handle it."
Similarly, a company’s occupational health and safety department may want employees’ medical data in order to determine how widespread an illness becomes within the company. But the data should be provided in aggregate form, so that it doesn’t identify individual employees.
Right to request
What might surprise employers most about forthcoming privacy legislation is employees’ right to request personal information. The federal Act requires an organization to respond to such a request with due diligence and within 30 days.
B.C.’s Loukidelis doesn’t expect a torrent of employee requests for disclosure. Judging by the kinds of complaints made to the federal Privacy Commissioner, he anticipates that employees will account for only a minority of the requests. "A lot of consumers will be asking to see their files too," he says.
Especially sensitive may be employees’ requests to see their results on psychological tests that the company administered during the hiring process. "The default answer is yes, they get to see that. It’s his or her personal information," says Loukidelis. But certain exceptions apply to the right of access under PIPEDA: proprietary information, third-party information and lawyer-client privilege, among others. For example, an employer can legitimately refuse to disclose the legal opinion it obtained prior to dismissing an employee for cause. An employer can also deny access to personal information generated in the course of a formal dispute resolution process.
In Quebec, the privacy statute allows employers to reveal personal information about employees where necessary to the enforcement of a collective agreement. "The objective is to facilitate the execution of the collective agreement without the union necessarily having to go seek the consent of the individual," says Yves Saint-André, a labour lawyer with Trudel Nadeau in Montreal.
But Saint-André notes that the key provision (s. 18.4) says the employer "may" ("peut") provide the information — wording that has been interpreted to mean that disclosure is discretionary rather than mandatory. "Often, employers refuse to communicate information to unions that they previously provided, and they invoke the privacy law for this refusal," he says. "One often has the impression that employers are hiding behind the law."
But he adds that the discretionary provision has not played havoc with labour-management relations, because within the framework of arbitration, the unions are still able to subpoena the information they need for grievance proceedings and other litigation. Their disappointment, Saint-André observes, is that they expected s. 18.4 would give them access to the information they wanted before becoming caught up in a legal battle.
In the early days of the Quebec privacy law, the unions were quick to make requests for employee information, but as the results proved disappointing, they brought fewer and fewer complaints to La Commission d’accès à l’information, the Quebec counterpart to the federal Privacy Commissioner. "There was initial enthusiasm, but now [there’s] a more realistic approach," says Saint-André.
In other provinces, too, the adoption of privacy legislation is likely to result in an initial burst of test cases. Employees will try to determine whether, individually or collectively, they are able to redress the balance of power between themselves and their employers.
In most cases, the driving force will be less a desire to bolster privacy rights per se than a desire to exploit those rights in order to gain greater leverage in the workplace.
Sheldon Gordon is a Toronto-based freelance writer specializing in business and law. He is the author of "Silence by decree" in the May 2003 issue of National.
Photo: Jazhart Studios
The new rules of privacy
In Canada, the private sector will soon be subject to the provisions of new provincial privacy laws, or of a federal law where no provincial legislation exists.
Over the past two years, the Privacy Commissioner of Canada has upheld a variety of complaints under the federal Personal Information Protection and Electronic Documents Act (PIPEDA), including the following:
• A railway worker complained that his employer had installed digital cameras in the railyard without the consent of the staff.
• A courier denounced her employer for having used employees’ PINs on United Way pledge forms, a use to which the employees had not consented.
• Two airport employees stated that the airport authority had refused to disclose its evaluations after they took part unsuccessfully in a job competition.
Until now, only federally regulated organizations (banks, railways, airlines and telecommunications companies) have been subject to the provisions of PIPEDA. As of January 2004, however, the federal Act will also apply to provincially regulated organizations in provinces that have no law "substantially similar" to the federal PIPEDA.
Quebec adopted its Act Respecting the Protection of Personal Information in the Private Sector in 1994 and remains the only province to have legislated. British Columbia and Alberta appear ready to introduce bills soon and are working to harmonize them. Ontario has prepared a bill twice, but has withdrawn it each time.
If the provinces adopt their own laws, they will have to model them on PIPEDA, imposing the following obligations on the private sector:
• an employer may "collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances" (s. 5[3] of the Act);
• employees must give informed consent to the use of such information, except when its use is not required by law (e.g., the PIN for withholding tax at source);
• "informed consent" implies that employees must be told the reason for which the employer "collects, uses and discloses" the information;
• if employee consent is required, employers may not "collect, use or disclose" the information for a purpose other than the one to which the employees consented; and
• employees have a right of access to the personal information in their file.
Provincially regulated companies will therefore have to face, like federally regulated companies, the challenges associated with implementing the Act. Most large companies will have to appoint, if they have not already done so, a privacy director responsible for compliance with the legislative provisions.
Until now, the question of privacy protection in the workplace has mostly revolved around the use of the Internet. Office employees have often been reprimanded, or even dismissed, because of the Websites they visited at work or the e-mails they received or sent. Before the adoption of the new law, the employer had the right to monitor employees’ use of the Web, being legally liable for any misuse committed with the company’s equipment.
Under the new law, however, an employee’s electronic communications are part of the protected personal information. To monitor these communications, it will be necessary to obtain the employees’ consent. "Employers may require an employee’s consent as a condition of employment, provided that such policies are ‘reasonable’ in the circumstances," says David Young, a partner with the firm Lang Michener in Toronto.
The Privacy Commissioner, however, has "limited tolerance" for employee surveillance, Young continues. The employer must have real concerns or suspicions, or grounds related to the very nature of the business.
As for video surveillance, under PIPEDA the question is not so much whether the employer can use information gathered in this way, but whether it has the right to do so in the first place. With certain exceptions, the employees’ consent must be obtained. The question of disclosing medical information is particularly delicate. The typical rule will be the following: the more sensitive the information, the more explicit the consent required.