Call today! 1 866 3 NYMITY
Username: Password:
Nymity News
Nymity logo
Home About Us

Employee Privacy in Alberta

 

 

Frank Work , Information and Privacy Commissioner of Alberta recently spoke at Nymity's Employee Privacy Conference on Employee Privacy in Alberta.  The following is his speech.  If you are interested in learning about Employee Privacy in Canada, Nymity is making available the conference binders.  Learn more.

 

May 17th, 2004


The workplace in the Information Age. Congratulations on the new job! After being thoroughly investigated, background checks, security clearances, including criminal record check, credit bureau report, maybe even medical records, you get a job. You show up for work. Your employer and maybe co-workers may have “googled” you. Your workspace may be under surveillance by closed circuit TV cameras. Your computer, which is constantly presenting you with little email gems, may have software that records keystrokes, what you type, or don’t type. Your telephone may be monitored (for quality assurance purposes of course). Perhaps you carry a positioning device that allows your employer to know your whereabouts at all times. You might have a cell phone that enables your employer to get hold of you wherever, whenever (Hello, Frank, where are you? What do you mean you’re in post op? How long does it take to have a kidney transplant anyway?)

 

Your employer has wealth of information about you. In addition to the background check stuff and all the ongoing monitoring information, they have medical information and family information. You may be required to tell you employer if you charged with or convicted of, an offence. If you are having marital or psychological problems and are using a company benefit plan, that information may reside somewhere in the company database.


And after all this personal information is collected, how is it going to be used? To whom will it be disclosed?


Employers know a lot about their employees. In the Information Age, the individual is at a serious disadvantage.


What follows are my rambling thoughts on the Personal Information Protection Act as it pertains to employees, some social philosophy and some management theory. I am only really qualified to speak authoritatively on one of these topics. I’ll let you decide which one that is.


The Personal Information Protection Act (PIPA) became law in Alberta on January 1, 2004. It will likely supplant the Federal Personal Information Protection and Electronic Documents Act (PIPEDA) in Alberta when it is found to be substantially similar. As such, it will govern the collection, use and disclosure of personal information in the private sector. It will also govern the collection, use and disclosure of “employee personal information”, by Alberta employers, something PIPEDA cannot do, given the constitutional division of powers.


What follow are some general remarks on how PIPA deals with employee information. The usual disclaimer that I am not giving you legal advice pertains. You may also take the scheme of the Act as being similar to the BC PIPA, although there are some minor differences. You will hear from Mary Carlson from BC this afternoon.


As far as employee information is concerned, the Act works like this.

 

“Personal employee information is defined as:

in respect of an individual who is an employee or a potential employee, personal information reasonably required by an organization that is collected, used or disclosed solely for the purposes of establishing, managing or terminating


(i) an employment relationship, or


(ii) a volunteer work relationship

between the organization and the individual but does not include personal information
about the individual that is unrelated to that relationship;

“Personal employee information” is a subset of “personal information” so the general rules respecting personal information apply to employees except where specified. The key section in that respect is section 7:

7(1) Except where this Act provides otherwise, an organization shall not, with respect to personal information about an individual,


(a) collect that information unless the individual consents to the collection of that information,


(b) collect that information from a source other than the individual unless the individual consents to the collection of that information from the other source,

 

(c) use that information unless the individual consents to the use of that information, or

 

(d) disclose that information unless the individual consents to the disclosure of that
information.

PIPA prohibits the collection, use and disclosure of “personal information” in the absence of consent from the person about whom the information is collected-with specific exceptions. Consent can be express or implied. Express consent is required for the collection of personal information unless PIPA provides otherwise.


“Personal employee information” (section 1) is “personal information that is reasonably required by an organization for the purpose of establishing, managing or terminating an employment relationship or volunteer work relationship. Personal employee information excludes information about an individual that is not related to his or her employment.
Personal employee information includes the address and home phone number of the employee, SIN number, employee health number, formal and informal evaluations, resumes, video surveillance, reference letters and checks.

 

So, for example, in the employment context, consent is not required:

 

  • where collection, use and disclosure of personal information relates to the employment relationship or is required for recruitment purposes and is reasonable for the purpose of establishing, managing or terminating the employment relationship; (section 15, 18, 210) or

  • where the collection, use and disclosure is reasonable for an investigation or legal proceeding; (sections 14, 17, 20) or

  • where the collection, use and disclosure is authorized by law (sections 14, 17, 20).

 

The Act then creates the “envelope” in which “personal employee information” is placed.
Italicized words are added.


15(1) Notwithstanding anything in this Act other than subsection (2), an organization may collect (use, disclose) personal employee information about an individual without the consent of the individual if

(a) the individual is an employee of the organization, or

 

(b) the collection of the information is for the purpose of recruiting a potential employee.

(2) An organization shall not collect (use, disclose) personal information about an individual under subsection (1) without the consent of the individual unless

(a) the collection (use, disclosure) is reasonable for the purposes for which the information is being collected (used disclosed),

 

(b) the information consists only of information that is related to the employment or volunteer work relationship of the individual, and

 

(c) in the case of an individual who is an employee of the organization, the organization has, before collecting (using, disclosing) the information, provided the individual with reasonable notification that the information is going to be collected (used, disclosed) and of the purposes for which the information is going to be collected (used, disclosed).

This “employment envelope” in which consent is not required, is a departure from PIPEDA, where consent is required.


Employers are concerned about how they can continue to deal with workplace investigations for theft and fraud or handle emergencies and so on. In this regard, it must be remembered that “personal employee information” is a subset of “personal information” and the rules respecting personal information also apply except where it is
stated otherwise.

 


14 An organization may collect personal information about an individual without the consent of that individual but only if one or more of the following are applicable:

(a) a reasonable person would consider that the collection of the information is clearly in the interests of the individual and consent of the individual cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;


(b) the collection of the information is pursuant to a statute or regulation of Alberta or Canada that authorizes or requires the collection;

 

(c) the collection of the information is from a public body and that public body is authorized or required by an enactment of Alberta or Canada to disclose the information to the organization;


(d) the collection of the information is reasonable for the purposes of an investigation or a legal proceeding;


(e) the information is publicly available;

 

(f) the collection of the information is necessary to determine the individual’s suitability to receive an honour, award or similar benefit, including an honorary degree, scholarship or bursary;


(g) the information is collected by a credit reporting organization to create a credit report where the individual consented to the disclosure to the credit reporting organization by the organization that originally collected the information;

 

(h) the information may be disclosed to the organization without the consent of the individual under section 20;


(i) the collection of the information is necessary in order to collect a debt owed to the organization or for the organization to repay to the individual money owed by the organization;


(j) the organization collecting the information is an archival institution and the collection of the information is reasonable for archival purposes or research;

 

(k) the collection of the information meets the requirements respecting archival purposes or research set out in the regulations and it is not reasonable to obtain the consent of the individual whom the information is about.

On the face of it, does PIPA introduce any radically new concepts into the employment arena? Courts and arbitrators have consistently held that there must be compelling reasons for an employer to be entitled to infringe upon an employee’s fundamental right to privacy. For example, in order to justify searching an employee, an employer must demonstrate:

 

  • an overriding business need to search its employees,

  • that the searches themselves are reasonable, and

  • searching for employees is the least intrusive method available to obtain the desired business objective

 

Similarly, in balancing the employee rights to privacy and the restrictions imposed by an employer on the use of the internet/e-mails, the primary consideration for Courts and arbitrators is whether there is a “reasonable expectation of privacy”. This is determined by the employer’s policy respecting acceptable use of computers, email and the internet in place at the workplace. In the absence of a clear policy, the right of an employer to restrict e-mail and internet access will be governed by the same rules for visual surveillance:

 

  • The employer must have reasonable grounds for believing its interests are adversely affected; and

  • The employer may monitor employees only to the extent necessary to protect its interests.

On the face of it, this is consistent with the ability under PIPA for an employer to collect, use and disclose employee personal information which is reasonably required to establish, maintain or terminate the employment relationship. So, the scope does exist under PIPA for employers to be able to continue to conduct workplace surveillance without their employees’ consent so long as the surveillance can be justified as being reasonably required for the purpose of establishing, managing or terminating the employment relationship.

 

Similarly, under PIPA, monitoring for strictly employment-related purposes, i.e., measuring employee productivity, may be permissible in the absence of explicit consent from employees. Again the test will be reasonableness in the employment context. However, there is potential for employers to inadvertently gather information beyond what is permitted under the “personal employee information” under PIPA. Certain types of monitoring and internet-use tracking may disclose elements of the personal lifestyles and habits of employees that may not fall within the scope of information that is reasonably required for the purposes of establishing, managing or terminating the employment relationship. It is to be remembered that the definition of personal employee information specifically excludes personal information that is unrelated to the employee relationship. Employers have an obligation to obtain consent for collection, use and disclosure of generic personal information.

 

With respect to drug and alcohol testing, the case law to date has established that in the absence of an express statutory or contractual authority, there must, once again, be a compelling employer interest in administering drug and alcohol tests (i.e. objective evidence of alcohol and drug impairment in the workplace), an significant connection between the test results sought and the employee’s work duties (i.e. a safety concern), and a no less intrusive alternative, before workplace drug and alcohol testing polices have been condoned by the Courts and arbitrators. Even where there is a statutory or contractual authority to conduct testing, such testing must be performed in a reasonable and non-discriminatory fashion, and the employer must demonstrate a reasonable likelihood that the testing will be effective in reducing or eliminating impairment in the workplace.

 

In the most general of terms then, the existing body of human rights, labour arbitration and common law jurisprudence has established a standard of reasonableness that is likely to be considered as consistent with the privacy obligations of PIPA. In the course of this conference, you will be hearing from some real experts on these topics in much more detail.

 

The examples I have given relate primarily to the collection of personal employee information. It must not be forgotten that the other verbs in the PIPA sentence are “use” and “disclosure”. Employers will have to ensure that personal employee information, even if legitimately collected for the purposes of the employment relationship, must also be used and disclosed only for the purposes of the employment relationship, in the absence of consent. This may well require a review of an organization’s information management practices with an eye to what the personal employee information is used for and who in the organization needs to have access to it.

 

I think PIPA tries to recognize the realities of the modern workplace. I think it pushes employers towards talking more with employees. It does this because:

 

  • it requires employer decisions as to what is “reasonable” collection, use and disclosure (ss. 15, 18, 21)

  • it requires notification of the purpose of the collection fo the information (s. 15(2)(c).

  • as a first recourse, it pushes disputes under the Act into established grievance procedures (s. 46(3)), and

  • OIPC procedures are such that when we do get a complaint we try to resolve it between the parties.


Information is control. We collect, use and disclose information in order to exert control. Organizations need to control the things they do so they can marshal resources to achieve objectives. Organizations want to manage their customers: you have heard of CRM customer relationship management. Organizations also want to control their “human resources” in order to achieve objectives. Control is not necessarily a bad thing. But information technologies and surveillance technologies afford organizations the means to exert a great deal of control. Uncontrolled control can be a bad thing. The uncontrolled control exerted by the soldiers in Abu Ghraib prison in Iraq appalled us. We anadians cannot be too smug: we had our shame in Somalia.


Wade Rowland, in Ockham’s Razor, wrote this:

In the world in which terminology such as downsizing and human resources and outplacement is created and used without irony, human values are banished. Not monetary values of course, but human values, the kind that are not subject to quantification, the kind you can’t measure. There is simply no place for them: how can you run a business, let alone an economy, if you are having to deal with “values” that are unquantifiable? Where in your Microsoft spreadsheet is the cell for loyalty or integrity, let alone for something as ridiculously subjective as dignity?

Radical stuff. “What’s the point?”, you may be asking yourself.

 

Sections 15, 18 and 21 of PIPA read in part:

An organization shall not collect (use, or disclose) personal information about an individual without the consent of the individual unless the collection (use or disclosure) is reasonable for the purposes for which the information is being collected (used or disclosed).

“Reasonable” figures as a pretty big word in those sections. In fact, the word “reasonable” appears over 60 times in the Act. What is reasonable is what an average person, knowing the facts, would say “Yeah, that makes sense.” Reasonableness may be evidenced by common practice across an industry or sector. Reasonableness could be found in the decisions of labour boards and arbitrators.

 

“Reasonable” is the cell for loyalty, integrity, dignity: human values.

 

Aside from finding reasonableness, what are the challenges in implementing PIPA?

 

  • To recognize and, as far as legally possible, incorporate the wealth of decisions in the area of labour law and arbitration;

  • To seek harmony and consistency between the decisions of the various Commissioners involved.

  • Developing guidelines respecting the relationship between the Federal and Provincial laws in consultation with the Federal Commissioner.

  • How will the Courts view this new area of law which will overlap the huge and well-developed body of labour law? Will they afford Information and Privacy Commissioners the same deference they afford labour relations boards?


Incidently, I hear from time to time that Ontario may bring in private sector privacy legislation at some point. I don’t know. But, if that comes to pass, any Ontario law must recognize the laws in Alberta and BC. It would be a very bad thing for business and for employees in Canada if the rules in Alberta, BC and Ontario are different.

 

How is implementation proceeding in Alberta? There was a tremendous groundswell of support for this legislation in Alberta. Chambers of Commerce, petroleum industry associations, and others strongly supported the Bill. Small business expressed some concerns, but it is not clear if they understood that, either Federally or provincially, they were going to be subject to a privacy law on January 1, 2004. Large industry associations like the Canadian Petroleum Association and the Petroleum Services Association put a great deal of effort into preparing for the law, as did the Chambers of Commerce of Alberta. The Office of the Information and Privacy Commissioner, in conjunction with the Government of Alberta prepared materials and put on a large number of workshops throughout the Province. I think there is a great willingness on the part of the private sector to implement this law. To date, we have had about 600 queries and have opened about 30 complaint files.

 

Goodwill aside, the Act contains strong legal inducements for organizations to comply. Upon complaint, the Commissioner can review the acts or failures to act but organizations under PIPA (section 46). The Act allows the Commissioner to encourage the parties to resolve their issues between themselves or using exiting dispute resolution processes (section 46(3) for example. Some groups are considering offering their members alternate dispute resolution processes to that end. When the parties are unable to find their own solution, the Office of the Information and Privacy Commissioner will try to mediate the dispute (section 49). Under the Freedom of Information and Protection of Privacy Act and the Health Information Act, we have found that 90% of complaints can be resolved during mediation. Where that is not successful, an inquiry will be held (section 50).


Inquiries raise the stakes considerably for organizations. First, subject to judicial review, organizations must obey orders issued by the Commissioner (section 54). Second, there are penalties of up to $100,000 for organizations which willfully collect, use or disclose personal information in contravention of Part 2 (section 59). Third, section 60 states:

If the Commissioner has made an order under this Act against an organization and the order has become final as a result of there being no further right of appeal, an individual affected by the order has a cause of action against the organization for damages for loss or injury that the individual has suffered as a result of the breach by the organization of obligations under this Act or the regulations. Not only would an organization have to face the adverse publicity of having an order go against them, they might also face a lawsuit for damages resulting from the breach of the Act.

If that is not enough, I think there is a third inducement: privacy is good for business. I read a very good column by Harvey Schachter in the Globe and Mail (Friday, April 30, 2004). The column was about employee retention. Mr. Schachter writes:

Developing a motivating culture is also generally thought to boost retention. … In Executive Excellence, Florida-based consultant Jim Harris offers these six steps:
...

  1. Ask your team what motivates them, rather than trying to guess.
  2. Ask your team what demotivates them. “This is particularly important if you wish to retain your top talent, for it takes only a few burrs in the saddle before your employees decide to ride another horse!” he stresses.
  3. Simplify processes. Work with your employees to reduce sign-offs and other time wasters.
  4. Listen – just listen. “Few things motivate employees more than to know that their boss really listens to their needs, ideas, dreams and complaints,” he says.
  5. Eliminate fear. Even if you are a kind and generous boss, its likely employees fear your reaction to their efforts, particularly failures. Permit them the freedom to fail and try again.
  6. Allow your team to arrange the workplace to best meet their needs.

....

In the context of collecting, using and disclosing personal employee information, I think these suggest the following:

 

  • There are a lot of cool, high tech, surveillance gadgets out there. Do not be seduced by the technology. Ask yourself whether you need the technology and the information it enables you to collect. Will it serve a business/employment purpose?

  • Workplaces that look like prisons will not be regarded as good places to work. Employees who are under heavy surveillance will not feel trusted. They will be fearful and resentful. This has to do with those human values, like dignity.

  • Therefore, let employees know what personal information is being collected, what it will be used for, who it will be disclosed to and what the employment purpose for each of these is. If there is a problem with theft or misuse of the internet in the office which requires some form of surveillance, let employees know: talk to
    them first. (I realize that this may not always be practical.)

  • For example, and again according to Harvey Schachter, Suncor requires all employees from the president down to “sign off” on standards of business conduct, confirming their understanding of those principles for ethics, confidentiality and accountability.

  • By involving employees in information issues, the employer may not only get understanding and acceptance, but the employees may even solve the problem which gave rise to the need for the surveillance in the first place. At the least, they may inform the employer as to how much surveillance is too much surveillance. Employees can be a good sounding board for what is “reasonable”.

  • Be proactive. Solve problems. The biggest single thing an employer can do to comply with the Act, is to deal with employee issues up front, effectively and efficiently. I know not every problem can be solved between the parties and that’s why my Office exists, but, we have learned under the FOIP and HI Acts that 90% of problems can be solved if the parties are willing and open.


It may sound like an odd thing for a Privacy Commissioner to say but organizations subject to PIPA may want to be just as concerned with good management practices as with the letter of the law. You may arrive at the same place in terms of compliance.


We produced a book “A Guide to PIPA”. This and other resources are available on our website at www.oipc.ab.ca

You might also check out the BC Commissioner’s website www.oipc.bc.ca


The Government of Alberta has produced some FAQ’s and other materials, some specifically for small business. There is a link to their website on ours.

 

Thank you for your kind attention. I think we have time for questions or comments.

  

 

 

 

 

 

 

 

 
Contact Us | Privacy Policy | Terms of Use and Disclaimer © 2003 - 2008 NYMITY