Says workplace culture where employees' privacy is respected 'is good for business'
The Office of the Privacy Commissioner of Canada has published new guidance on workplace privacy for employers that are subject to federal privacy legislation.
“Creating a workplace culture where employees’ privacy is respected is good for business,” says Philippe Dufresne, privacy commissioner of Canada. “It builds morale and mutual trust when employees feel that their privacy is valued.”
To create that culture, employers need to be aware of how the Privacy Act (for federal government institutions) and the Personal Information Protection and Electronic Documents Act (PIPEDA) (for businesses governed by federal legislation) apply. They must also apply those laws and should ensure that employees know their rights under them.
Respecting employees’ privacy
The guidance calls for employers to respect the privacy of workers and former employees alike.
Under the Privacy Act, federal government employers are allowed to collect personal information, including employee information, only if it relates directly to an operating program or activity of the government institution.
While federal privacy laws provide employers authority for the collection, use and disclosure of workers’ personal information, they also set out specific requirements, such as rules concerning consent, safeguards, retention, and access rights, according to the commissioner.
Dufresne notes the following key considerations for employers:
- Employers must limit collection of employee information to only that which is necessary for the purposes identified by the organization.
- Employers must obtain meaningful consent for the collection, use and disclosure of personal information, unless an exception to consent applies.
- Employers may still be required to be transparent, provide employees with meaningful notice and outline their practices in organizational policies even in cases where consent is not required by law.
- Employers must only use or disclose personal information for the purposes that it was originally collected for, and keep it only as long as necessary for those purposes.
- Employers must limit access to employee information on a need-to-know basis.
- Employees' personal information needs to be kept accurate, complete, and up-to-date.
- Employers should have policies and procedures in place regarding the collection, use and disclosure of employees’ personal information.
- Employers’ privacy policies and procedures must address employee monitoring in a way that is reasonable, proportionate and minimally intrusive.
- Policies and procedures should be made readily available to employees, such as through signage and direct emails.
- There should be physical, organizational and technological safeguards put in place to protect employees’ personal information from inappropriate access or disclosure, and to prevent “employee snooping”.
Tips for employee privacy
Dufresne shares the following tips for employers to build into their privacy policies and procedures:
- Examine all relevant legal obligations and authorities.
- Map out what employee information is being collected, used, and disclosed.
- Conduct Privacy Impact Assessments (PIAs).
- Test your proposed employee management information practices.
- Only collect the personal information that is necessary for a stated purpose, and collect it by fair and lawful means.
- Be transparent and open.
- Respect key privacy principles.
- Be aware of inappropriate practices/no-go zones.