Emond Publishing Employment Law for Business and Human Resources Professionals 4 e.
CHAPTER 10
Privacy Inside and Outside the Workplace
Copyright © 2019 Emond Montgomery Publications. All rights reserved.
Emond Publishing
LEARNING OUTCOMES
1. Discuss the factors that influence employee privacy
protection
2. Explain the ten principles behind the Personal
Information Protection and Electronic Documents Act
3. State the obligations of employers in handling
employees' personal information where privacy
legislation applies
4. Describe the requirements of Ontario’s Personal Health
Information Protection Act
5. Analyze the application of privacy monitoring
requirements for instances both inside and outside the
workplace
KEY TERMS & CASES
• Intrusion upon seclusion
• Standard of reasonableness
• Jones v. Tsige
Privacy
What is it?
• The right to control access to one’s
personal information
• The electronic transmission of
documents has made privacy a
greater concern and has led to
legislation intended to protect the
privacy of personal information
Introduction
• Historically, the right to privacy has not been recognized as a separate right
under Canadian law, but the electronic transmission of information has made
privacy a greater concern and has led to legislation intended to protect the
privacy of personal information
• Ontario’s Freedom of Information and Protection of Privacy Act allows
individuals to file a request for information held by the Ontario government and
provides privacy protection for the personal information of employees in
Ontario’s public sector
• The federal government has passed legislation that covers personal
information held by organizations in the private sector
• The federal law is called the Personal Information Protection and Electronic
Documents Act (PIPEDA)
BACKGROUND
• Ontario’s Freedom of Information and Protection of Privacy Act allows
individuals to file a request for information held by the Ontario government
and provides privacy protection for the personal information of employees
in Ontario’s public sector.
• However, Ontario does have privacy legislation related to health
information through the Health Information Protection Act (HIPA) (2003).
• HIPA applies to organizations that directly and indirectly collect, use and
disclose personal health information.
BACKGROUND
• The federal government’s Personal Information Protection and
Electronic Documents Act (PIPEDA) covers personal information
held by organizations in the private sector.
• Important for Ontario employers to be aware of the
expectations/principles established in PIPEDA because of social
expectations and due to the common law establishment of intrusion
upon seclusion.
INTRUSION UPON SECLUSION 3 ELEMENTS
• A plaintiff must prove three elements to receive damages for this tort:
• the defendant’s conduct must be intentional (including reckless
conduct);
• the defendant must have invaded, without lawful justification, the
plaintiff’s private affairs or concerns; and
• a reasonable person would regard the invasion as highly offensive,
causing distress, humiliation, or anguish
What Do You Think?
Larry was on paid suspension from work while ER
investigated allegations of harassment against
him
ER heard rumours that Larry had taken another
job while on suspension; it hired a PI to check
this out
When ER offered to bring Larry back to work as a
kitchen helper, Larry refused, saying he was
allergic to water
At completion of his investigation, the PI
indicated he found no evidence of Larry working
elsewhere – in fact all he seemed to do all day
was wash his car and water his lawn
ER confronted Larry with this contradiction and
then terminated him for dishonesty. Larry filed a
What the Adjudicator Decided
Held: Against ER
The initial reason for conducting the surveillance
was not reasonable (EE was not breaking any ER
rules in having a second job) so evidence was
inadmissible.
Video Surveillance of EEs
If PIPEDA does not apply to EEs (Ontario,
private sector) and there is a union:
Collective agreement may restrict video
surveillance
Three main arbitral tests for admissibility of
video evidence:
Was it reasonable to conduct it?
Was it conducted in a reasonable manner?
Were there less intrusive alternatives?
KEY FEATURES OF PIPEDA
• It balances individual privacy rights with an organization’s need to collect, use,
and disclose personal information
• It applies to all organizations that collect, use, or disclose personal
information in the course of commercial activities
• As federal legislation, PIPEDA does not apply to personal employee
information in provincially regulated workplaces
• The term “personal information” is broadly defined as information about “an
identifiable individual”
• PIPEDA generally requires consent before an individual’s information is
collected, used, or disclosed
• Organizations must safeguard personal information in their possession
• For the most part, individuals have a right to gain access to their personal
information
• The Office of the Privacy Commissioner handles complaints related to
PIPEDA
What is “Personal Information” under PIPEDA?
• “Factual or subjective information, recorded or not,
about an identifiable individual.”
• Age, home address, and identification numbers
• Residential telephone numbers and personal email address
• Sex, religion, race, colour, ethnicity, social status, age, marital status,
education, and employment history
• Employee files, performance appraisals, disciplinary actions, and
evaluations
• Photographs, opinions, and income
• Relevant dates, such as birth date
• Credit records, loan records, and purchasing and spending habits
• Blood type, fingerprints, genetic information, and medical records
• Intentions (e.g., to purchase goods or services or to change jobs)
DOES NOT INCLUDE business title, business address or phone
number*
PIPEDA’S STANDARD OF “REASONABLENESS”
Section 5(3) states that:
“an organization may collect, use or disclose
personal information only for purposes that a
reasonable person would consider are
appropriate in the circumstances.”
WHAT IS THIS?
BANKRUPTCY NOTICE
Jean Jones
126 Any St.
Anytown, ON N0P 1L0
PIPEDA PRIVACY ISSUE
• A client complained that her bank had improperly
disclosed her personal information, by stating bankruptcy,
in the address window of her bank statement.
• The complainant had received by regular mail a statement
of account from the bank in question. She was upset to
see, through the address window of the unopened
envelope, a notation to the effect that she was bankrupt
as of a certain date.
PIPEDA PRIVACY ISSUE
• Owing to the closeness of the small community in which
she resided, the complainant was concerned that others
of her acquaintance, notably the postmaster, might have
noticed the reference to the private financial matter of her
recent bankruptcy.
• She filed a complaint based on a violation under PIPEDA
• She won.
PIPEDA AND DATA BREACH NOTIFICATION
• Effective November 1, 2018, supporting regulations require that where there
has been a data security breach that carries a “real risk of significant harm”
to any individual, the organization must keep records of the breach and notify
the Privacy Commissioner of Canada, affected individuals, and any other
potentially affected organizations
• For data breaches that do not meet the “significant harm” threshold, records
must still be kept and reported to the privacy commissioner upon request
• An organization that knowingly fails to report or record a breach will be guilty
of an offence punishable by fines of up to $100,000
• Reports of a breach must be in writing and include a description of the
circumstances of the breach, its cause if known, and the steps taken to
reduce the risk of harm and to notify each individual affected by it
• Records of every breach of security safeguards must be kept for at least 24
months
https://www.ctvnews.ca/video/c2834735-cyberattacks-plagued-2023-in-canada--experts
PIPEDA’S 10 PRINCIPLES
1. Be accountable: Organizations should have a person to oversee
compliance
- Appoint a senior-level privacy officer, develop a privacy policy
2. Identify the purpose of collection: Let individuals know why their
information is being collected
- Must be communicated to individuals before or at time of collection
3. Get consent: Consent should be obtained at the time of collection
- Three forms of consent: 1. Express permission (opt-in), AKA "Do you
agree" click box; 2. Negative option (opt-out) - whenever personal
information is transferred to a third party; 3. Implied
4. Limit collection: Collect only what is necessary for stated purposes,
AKA the "need to know" privacy principle
PRIVACY ISSUE
What service does Equifax provide?
PRIVACY ISSUE
• The breach occurred when hackers gained access to one
of Equifax Inc.'s systems on May 13, 2017 through a
vulnerability in the software platform the company had
known about for more than two months, but had not fixed.
• The attackers operated undetected for about 77 days,
ultimately gaining access to Canadian personal
information.
• Equifax Inc. detected the attack on July 29, 2017 and
contained it the following day.
PIPEDA PRIVACY ISSUE
• The personal information of over 19,000 Canadians was
breached.
• They were notified Oct. 23, but letters sent to them
included inaccurate information, including inviting them to
use a portal that wasn't accessible from Canada.
• Equifax Canada offered free credit monitoring to breach
victims for at least four years
• Not much perhaps, but impact on their business…
PERSONAL INFORMATION DISCLOSURE
Excerpt from Privacy Code
We may disclose a customer's personal information to:
• A company or individual employed by TELUS to perform
functions on its behalf, such as research or data processing;
Any such disclosure of a customer's personal information
outside of TELUS is made on a confidential basis with the
information to be used only for the purpose for which it
was disclosed.
PIPEDA’S 10 PRINCIPLES cont’d
5. Limit use, disclosure, and retention: Use only what is needed for the
stated purpose and dispose of information when it is no longer needed
- Bionaire warranty card a violation of this principle, why?
6. Be accurate: Watch for out-of-date, erroneous, or incomplete information
7. Provide safeguards: Protect against loss, theft, or unauthorized access
• Three types of security: Physical, Organizational, Electronic
8. Be open: Make privacy policies and procedures clear and available i.e.
communicate policies and procedures to customers, suppliers and employees.
9. Give individuals access: Ensure that individuals can gain access to their
information. Describe procedure to do this. Must respond to written requests
within 30 days.
10. Provide recourse: Communicate a complaints procedure including
directing complaints to firm’s privacy officer and/or Federal Privacy
Commissioner.
Warranty cards illustrate
how information can be
collected indiscriminately.
Much of the information
collected here has
nothing to do with the
identified purpose.
PIPEDA CASE
EE on short-term disability was applying for long-term
disability benefits
• To facilitate her application to the insurance
provider, the ER wrote EE asking her to forward
information, via fax, to ER, including medical details
• EE filed a complaint under PIPEDA
Issue: Did ER’s actions violate PIPEDA?
Yes, based on two principles:
1. Collection and use of personal information
necessary AKA need to know
2. Ensure information is properly secured
Decision: 1. Employer needs to inform employees that
they have the right to send the information directly to
health care provider. 2. Do not use unsecured fax
machine.
PIPEDA
• Provide accountability
• Identify reason for collecting information
• Gain consent
• Collect only necessary information
• Use information for intended purpose
LET’S CHAT
• In federally regulated workplaces, how might PIPEDA’s
requirements affect the following:
• a. recruitment
• b. checking references and retaining the information,
• c. taking witness statements for internal investigations,
and
• d. conducting performance evaluations
PIPEDA ENFORCEMENT
• The privacy commissioner has broad powers to investigate complaints
and may apply to the Federal Court for an order of compliance or for
damages
• After conducting an investigation, the Commissioner may issue an
order:
- To provide access to, or correction of, personal health information
- To cease collecting, using or disclosing personal health information
in contravention of the Act
- To dispose of records collected in contravention of the Act
- To change, cease or implement an information practice
• It is a criminal offence to obstruct the privacy commissioner, to
knowingly dispose of personal information that could be requested, or
to retaliate against employees for asserting their PIPEDA rights
• Fines can reach a maximum of $50,000 for an individual and $500,00
for a corporation.
Privacy Rights in Ontario Workplaces
• Labour arbitrators have recognized a right to workplace privacy
in unionized workplaces in Ontario
• Collective agreements may restrict forms of employee monitoring
• In non-unionized workplaces, when employee monitoring takes
a particularly intrusive form, courts may be willing to provide a
common law remedy
• Covert video surveillance may constitute constructive dismissal
• Employees who are allowed to use employer property for
personal purposes may have a reasonable expectation of
privacy
• This expectation may be displaced by a clear policy stating otherwise
Employee Privacy Rights - Surveillance
• Camera Surveillance
Employees can legally be watched if a policy is in place and the
camera is not placed in areas where employees may be partially
clothed, such as washrooms, change rooms, etc.
• Phone Conversations and Text Communications
In general, employers have the right to monitor calls and text
messages sent from their telecommunications devices,
provided they do so for compelling business reasons and
employees have been informed that their communications
will be monitored.
• E-Mail, Internet, and Computer Use
Employers can monitor what employees do online and fire or
discipline them based on that information
What Do You Think?
Concerned about EE’s low productivity and his use of computer
for personal tasks, the ER (a local library in Ontario) installed
keystroke logging software on the EE’s computer
When EE found out about it, he brought a complaint under
Ontario’s Privacy Act (similar to PIPEDA)
Issue: Did ER breach PIPEDA-type legislation?
• Was the data collected “personal information”?
• Yes, because it revealed how much work EE did and how he
did it; it also showed personal data
• Was collection without consent reasonable?
• No – ER could have simply asked EE to explain his low
productivity
Privacy Rights in Private Sector Workplaces in Ontario
• Currently, provincially regulated private sector employers in Ontario are not required to
follow PIPEDA when handling non-health-related personal employee information
• However, Jones v Tsige has had a significant impact on privacy
practices/expectations
PRIVACY POLICIES FOR ONTARIO
EMPLOYERS
• A clear and carefully drafted information technology policy
should:
• Notify employees that they should not have an expectation of privacy
when using employer technology and systems
• Provide an explanation of the purpose of the policy
• Provide an explanation of how the policy will apply
• Provide guidance on what uses are permitted and not permitted
• Provide an explanation of the potential consequences for a breach of
the policy
• As with all workplace policies, the IT policy must be
effectively communicated and consistently enforced
PIPEDA IMPACT
• While PIPEDA does not apply to personal information used in the
course of employment by Ontario private sector employers, there are
compelling reasons for employers to consider extending this protection,
including:
• PIPEDA’s principles are broadly recognized as forming the basis of ethical
personal information practices
• Ontario is likely to pass privacy laws in time; complying now will make the
transition easier at that time
• Employees may expect their personal information to be protected
• The Ontario Human Rights Commission treats privacy as an important
element of the right to equal treatment
• Applying PIPEDA principles could reduce “intrusion upon seclusion” liability