Employee privacy top of mind in new government guidelines

Earlier this month, the Office of the Privacy Commissioner of Canada published new guidelines on workplace privacy in organizations – taking aim at federally regulated workplaces.

The new guidelines, which look to protect worker privacy, revolve around the Privacy Act (for federal government institutions) and the Personal Information and Protection of Electronic Documents Act (PIPEDA) (for businesses governed by federal legislation).

But what exactly spurred on these new rules? What are they here to accomplish?

“The Office of the Privacy Commissioner of Canada has always had its eye on workplace privacy issues,” says Mike MacLellan, partner at CCPartners.

“Even though guidance does not say so specifically, I’m sure that the emphasis on remote work arrangements and the inherent protections of competing privacy interests that entails played a large part in the latest update to the Office of the Privacy Commissioner’s guidance.”

Don’t collect more information than necessary

According to the first paragraph of the new guidelines, the rules are there to protect and maintain employee privacy – even when using employer-owned tech such as company laptops and cell phones.

“At the same time,” the guidelines read, “employers need certain pieces of information about employees for activities like payroll, staffing and to ensure employee performance management and workplace safety.”

For federally-regulated workplaces, employers must consult the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA) to determine what information employers can and cannot collect.

“However, the Office of the Privacy Commissioner is also careful to point out that there may be other relevant legal obligations and authorities, such as collective agreements, federal and provincial privacy legislation, and other legal areas including tort - civil liability- human rights, and employment and labour law more generally,” says MacLellan. “And, in fact, if employers are collecting more information than reasonable, there could be breaches of workplace health and safety legislation as well.”

What information can and cannot be collected by an employer will vary from organization to organization, and federal legislation provides broad definitions for compliance, MacLellan tells HRD.

Overarching principles for employee privacy

But all this new guidance shouldn’t really come as much of a surprise to employers. Last year saw the implementation of the Working for Workers Act, designed in part to protect employee privacy online. The electronic monitoring portion of the bill remained frustratingly vague, however these guidelines do seem to add some bulk to the rules.

And, while what is and isn’t monitored or collected will change from company to company, certain principles are reliable - such as the following with respect to PIPEDA:

• Employers cannot engage in collection, use, or disclosure that is otherwise unlawful;
• Employers cannot gather information for purposes of profiling or categorization that leads to unfair, unethical, or discriminatory treatment contrary to human rights law;
• Employers cannot engage in collection, use, or disclosure for purposes that are known are likely to cause significant harm to the individual;
• Employers cannot publish personal information with the intended purpose of charging individuals for its removal;
• Employers cannot require employees (or job candidates) to provide their passwords to social media accounts for purposes of employee screening and monitoring;
• Employers cannot engage in surveillance through audio or video functionality of the worker’s own device.

These guidelines aren’t ‘rules’ in the strictest sense – rather they’re guidelines to help inform future internal practices. For HR, it’s about using these points to improve processes – it’s not about punishments and lawsuits. 

As MacLellan tells HRD, the guidance document doesn’t impose requirements on employers. 

“It should rather be seen as a document that informs employers on how to remain privacy compliant in a new work environment,” he says. “The guidance itself does not make anything illegal - that would take an act of legislature. However, the guidance provides interpretation and some practical considerations on how to remain compliant.”

How to roll out new privacy guidelines

 So, how should employers and HR departments go about rolling out these new guidelines? Well, to begin with, organizations need to look at existing procedures and policies – measuring them on their own merits and pitfalls.

“The Office of the Privacy Commissioner lists eight practical tips as a “good starting point” for employers to build into their privacy policies and procedures,” says MacLellan:

1. Examine all relevant legal obligations and authorities
2. Map out what employee information is being collected, used, and disclosed
3. Conduct Privacy Impact Assessments
4. Test your proposed employee management information practices, and whether purposes are “appropriate in the circumstances”
5. Limit collection
6. Be transparent and open
7. Respect key privacy principles
8. Be aware of inappropriate practices/no-go zones