Volume 9 • Number 8 July 2012
PRIVACY PROTECTION IN THE DIGITAL WORKPLACE In This Issue:
Privacy Protection in the Digital Workplace Pat Flaherty and Sarah Whitmore...... 73
Pat Flaherty Sarah Whitmore Partner Associate Torys LLP Torys LLP
We as a society don’t tolerate discrimination in the workplace, or harassment. Why would we tolerate invasion of privacy?1 Privacy has been described by the Supreme Court of Canada as “an essen- tial component of what it means to be ‘free.’”2 Protection of an individual’s right to privacy is “predicated on the assumption that all information about a person is in a fundamental way his own, for him to communicate or re- tain.”3 The importance of privacy has been acknowledged as a fundamental human right; but just as no other recognized human rights or Charter rights are absolute, the right to privacy must also yield to competing rights in cer- tain circumstances. In the workplace, the employer’s rights to monitor quality control and employee productivity as well as to ensure a safe and harassment-free workplace often warrant an incursion on employees’ rights to privacy. Governing the appropriate balance to be struck between employers’ rights and employees’ privacy interests is a patchwork of privacy legislation, in- dividual employment contracts, Charter rights, and the newly recognized tort of intrusion upon seclusion.4
CANADIAN PRIVACY LAW REVIEW • Volume 9 • Number 8
As technology has advanced and facilitated the spread of in- Canadian Privacy formation and the ease with which organizations can com- Law Review municate and store personal information, the need for The Canadian Privacy Law Review is published monthly by LexisNexis Canada Inc., employers to monitor their employees has become more 123 Commerce Valley Drive East, Suite 700, acute. Employees’ use of computers, the Internet, e-mail, and Markham, Ont., L3T 7W8, and is available by subscription only. social media at work (for work-related and non-work-related Web site: www.lexisnexis.ca purposes) presents new concerns for employers, including the Design and compilation © LexisNexis Canada Inc. effect of such use on productivity, workplace harassment, 2012. Unless otherwise stated, copyright in and their liability for their employees’ online activities. individual articles rests with the contributors. Employers may be found liable for their employees’ online ISBN 0-433-44417-7 ISSN 1708-5446 ISBN 0-433-44418-5 (print & PDF) defamatory remarks, copyright and trademark infringement, ISBN 0-433-44650-1 (PDF) harassment, and other illegal conduct in the course of em- ISSN 1708-5454 (PDF) ployment. Workplace harassment may be more readily facili- Subscription rates: $230.00 (print or PDF) tated through the use of company e-mail or through the $350.00 (print & PDF) sharing of hateful or offensive material from the Internet. As Editor-in-Chief: a result of these concerns, many employers take the position Professor Michael A. Geist that monitoring their employees’ computer usage and online Canada Research Chair in Internet and E-Commerce Law activities is necessary to detect activity that may negatively University of Ottawa, Faculty of Law affect the business. Furthermore, employers may have a duty E-mail: [email protected] to monitor employees in order to meet the legal occupational LexisNexis Editor: health and safety obligations to provide a harassment-free Boris Roginsky 5 LexisNexis Canada Inc. and non-discriminatory workplace. Tel.: (905) 479-2665 ext. 308 Fax: (905) 479-2826 On the other hand, the digital workplace also presents new E-mail: [email protected] and increased risks to employees’ privacy. A reality of the Advisory Board: digital workplace is that employees use employer-owned • Ann Cavoukian, Information and Privacy technology to send and share personal information over the Commissioner of Ontario, Toronto Internet, e-mail, and social-media sites. For example, em- • David Flaherty, Privacy Consultant, Victoria • Elizabeth Judge, University of Ottawa ployees communicate with other employees and unrelated • Christopher Kuner, Hunton & Williams, third parties over their employer’s e-mail server; they store Brussels • Suzanne Morin, Research in Motion, Ottawa their financial records on their employer-owned computers; • Bill Munson, Information Technology they access and use social-media sites from their employer’s Association of Canada, Toronto Internet network; and they use employer-owned smart phones • Stephanie Perrin, Service Canada, Integrity Risk Management and Operations, Gatineau and other PDAs as if the devices were their own. These • Patricia Wilson, Osler, Hoskin & Harcourt LLP, practices and other new technologies have also given Ottawa employers the ability to more readily track or monitor their Note: This Review solicits manuscripts for consideration by the Editor-in-Chief, who reserves the right to reject any manuscript or employees’ personal information and performance. Tech- to publish it in revised form. The articles included in the Canadian Privacy Law Review reflect the views of the individual authors and do nologies exist to allow employers to scan e-mails, track not necessarily reflect the views of the advisory board members. This Review is not intended to provide legal or other professional advice Internet usage, monitor keystrokes, search hard drives, and and readers should not act on the information contained in this Review monitor an employee’s movements on and off the job. As a without seeking specific independent advice on the particular matters with which they are concerned.
74 CANADIAN PRIVACY LAW REVIEW • Volume 9 • Number 8 result, the quantity and accessibility of employees’ Electronic Documents Act.7 PIPEDA applies to all personal information in the workplace have expo- collection, use, and/or disclosure of “personal in- nentially increased, giving rise to greater concern formation” in the course of “commercial activity” for their privacy rights. by an “organization” and imposes several main pri- This article examines the balance that is currently vacy-related obligations on organizations subject to 8 being struck in the private sector digital workplace its provisions. Personal information is defined between Canadian employers’ rights to monitor broadly in PIPEDA and currently includes informa- their employees to ensure performance and work- tion about an employee other than name, title, and 9 place safety, on the one hand, and employees’ business address and telephone number. PIPEDA rights to privacy, on the other. More specifically, has limited application in most workplaces. With we focus on the employer’s right to monitor em- respect to personal information about employees, ployees’ use of e-mail, social media, and company- consistent with the constitutional division of pow- owned computers and vehicles. We also consider ers in Canada, PIPEDA applies only to federally the issue of employers conducting background regulated employers (those engaged in a “federal checks on prospective employees via social media. work, undertaking or business” and employers in Before examining these various issues, we outline the three territories). Consequently, PIPEDA does the legislative framework surrounding Canadian not apply to provincially regulated employers. employees’ privacy rights in the workplace. 2) Provincial Legislative Protection A. Privacy Rights With the exception of employment related to fed- in the Canadian Workplace eral works, undertakings, and businesses governed A private sector employee’s right to privacy is con- by PIPEDA, the provinces have jurisdiction tained in a patchwork of rights codified in various over matters pertaining to employment. Quebec, pieces of legislation and arising from the common Alberta, and British Columbia have each enacted 10 law. The nature and scope of protection given to an privacy legislation that regulates the collection, employee’s personal information vary according to use, and disclosure of employees’ personal infor- the province and sometimes the sector in which the mation by organizations that are not otherwise fed- employee is working. In Ontario and several other erally regulated. As an aside, each of these laws has 6 been deemed “substantially similar” to PIPEDA provinces, there is a gap in legislative protection by the federal privacy regulator, the Privacy for private sector employees’ privacy rights. These Commissioner of Canada, though the manner in provinces have not enacted private sector privacy which they deal with employees’ personal informa- legislation of general application, and, as discussed tion is not uniformly consistent with PIPEDA. below, the federal privacy legislation does not ex- These provincial laws apply to employees’ personal tend to provincially regulated private sector em- information in private sector organizations within ployers’ collection, use, and disclosure of each of those provinces, but they do not regulate employees’ personal information. the personal information of employees working for 1) Federal Legislative Protection federally regulated employers; that personal infor- Canada’s main private sector privacy legislation is mation is regulated by PIPEDA. Outside Quebec, the federal Personal Information Protection and Alberta, and British Columbia, therefore, a legisla-
75 CANADIAN PRIVACY LAW REVIEW • Volume 9 • Number 8 tive gap exists with respect to the rules governing that a court would find that the employee had an the protection of employees’ personal information expectation of privacy in the communication. in the non-federally regulated private sector A recent phenomenon relating to surveillance is workplace. the use of GPS data as a method of monitoring 3) Differences between PIPEDA employees who make use of employer-owned ve- and the Provincial Legislation hicles. The collection of GPS data likely consti- Under PIPEDA, employers may collect, use, and tutes the collection of “personal information” disclose employees’ personal information only “for concerning the employee insofar as it shows an purposes that a reasonable person would consider employee’s movements and whereabouts. GPS appropriate under the circumstances” and, in most tracking of federally regulated employees is there- cases, only when the employee’s consent has been fore subject to PIPEDA. The Office of the Privacy obtained.11 The legislation in British Columbia and Commissioner of Canada (the “Office”) has con- Alberta is similar and provides that employers can sidered employers’ collection of personal informa- collect, use, and disclose employee personal infor- tion through GPS and set out a tripartite test to mation only for purposes that are reasonable and determine if the collection is “reasonable” under only once the employee has been notified before or PIPEDA: during the collection.12 Neither the B.C. PIPA nor 1. Is the measure demonstrably necessary to the Alberta PIPA requires employers to seek the meet a specific need and is it likely to be consent of employees before using or disclosing effective in meeting that need? their employees’ personal information.13 In 2. Is the loss of privacy proportional to the Quebec, the onus on employers is more stringent. benefit gained? The Quebec Act requires that prior to collecting employee information, an employer must inform 3. Is there a less privacy-invasive way of 17 the employee of the purpose for which the informa- achieving the same end? tion will be collected, the manner in which it will In addition, the Office has described “reasonable be used, and who will have access to it.14 purposes” for the use of GPS tracking to include 4) The Criminal Code and Surveillance the following: The Criminal Code of Canada15 contains an of- 1. managing safety and development fence that applies to employers’ workplace surveil- (e.g., allowing for follow-up when vehicles lance and monitoring. Section 184 of the Code were stationary for an inordinate period of makes it an offence to wilfully intercept a private time and allowing for the management of communication.16 “Intercept” includes listening, dangerous driving habits); recording, or acquiring a communication. The 2. promoting asset protection and management meaning of “private communication” involves a (e.g., allowing for the recovery of stolen fact-specific inquiry centred on the expectation of vehicles and reducing the wear on vehicles privacy associated with the nature of the communi- through better route management); and cation. Therefore, if the employer has the em- ployee’s express or implied consent, it is unlikely
76 CANADIAN PRIVACY LAW REVIEW • Volume 9 • Number 8
3. enhancing customer service (e.g., through B. The Common Law Approach improved scheduling services and to Employers’ Rights and Employees’ driver/dispatch communications).18 Privacy It is not considered reasonable to use GPS tracking In Ontario—and all the other provinces that do not as a method of determining employee performance have private sector privacy legislation—private unless the employer has a clear policy outlining an sector employees’ privacy interests are governed appropriate process of warnings, and progressive largely by a combination of common law protec- monitoring is established and made clear to em- tions of privacy and contractual provisions. ployees. Employees in the private sector who are Applicable contractual provisions may be found in not protected by PIPEDA, provincial privacy re- the employment agreement or may be stand-alone gimes, or rights under a collective bargaining policies of employers that bind employees. Em- agreement must resort to the common law for pro- ployers in all provinces and sectors have always tection, including perhaps to the newly minted tort been permitted (and are often encouraged) to put in of intrusion upon seclusion (described in further place clear workplace privacy and computer-use detail below) if they wish to complain about their policies, including policies that stipulate how employer’s use of GPS tracking. The use of GPS personal information will be collected, used, and devices to track employees in non-employer vehi- disclosed and delineate permissible use of em- cles is an entirely different manner and engages ployer-supplied technology (such as PDAs, com- other common law rights protected under laws of puters, and other devices) that can collect and trespass and nuisance. preserve employee personal information and the 5) Human Rights Legislation personal information of non-employees with whom the employee deals. Where these policies are per- Provincial human rights legislation, such as that in missible and enforced, courts have held that an em- Ontario, may provide some degree of protection for ployee’s privacy rights are not infringed by an employees’ personal information resulting from the employer who monitors the employee in accor- requirement that employers approach all aspects of dance with the terms of the policy.20 employment (hiring, training, discipline, and firing) In addition, in a manner that does not discriminate on a prohib- employees have no reasonable expectation of pri- ited ground (race, ancestry, place of origin, colour, vacy regarding information stored on work-issued ethnic origin, citizenship, creed, sex, sexual orien- devices if the employer implements a policy that 21 tation, age, record of offences, marital status, fam- indicates otherwise. ily status, or disability).19 This requirement has led Private sector employers in the provinces that lack many employers to avoid collecting personal in- provincial privacy legislation have a wider latitude formation from employees that relates to these as- to monitor their employees compared with their pects. An employer that obtains this information counterparts in federally regulated sectors or in could be vulnerable to an allegation that subsequent British Columbia, Alberta, and Quebec. However, a employment decisions relating to the employee recent decision of the Ontario Court of Appeal may were based on that information. have filled, at least partly, the legislative gap and
77 CANADIAN PRIVACY LAW REVIEW • Volume 9 • Number 8 extended greater protection to employees’ privacy C. Protection of Personal Information interests in those provinces. in the Workplace under the Charter On January 18, 2012, the Ontario Court of Appeal The Supreme Court of Canada has recognized a confirmed the existence of a right of action for in- right to privacy subsumed in ss. 7 and 8 of the tentional breach of privacy rights—the tort of intru- Charter.26 Employees who are engaged by state sion upon seclusion.22 Following U.S. privacy actors may have Charter protection for their pri- jurisprudence, the court ruled that to make out the vacy interests in the workplace. This protection was tort of intrusion upon seclusion, the plaintiff must considered by the Ontario Court of Appeal in plead and prove that (1) the defendant intentionally Cole,27 discussed in greater detail below. However, or recklessly intruded on the plaintiff’s private it is important to note that private sector employers affairs or concerns; (2) there was an absence of are not directly subject to the Charter. Finally, the lawful justification; and (3) the intrusion, viewed common law of employment still must develop in a objectively, was highly offensive, causing distress, manner that is consistent with Charter values, in- humiliation, or anguish. Proof of loss is not an ele- cluding the recognized right to privacy thereunder. 23 ment of the cause of action. The court took steps D. Examples of the Balance between to restrict the application of the cause of action to Employers’ Rights and Employees’ “deliberate and significant invasions of personal Privacy Interests privacy.”24 However, given the potential power im- balance that exists in the employer-employee rela- A review of three recent decisions (one each in re- tionship and the nature of the personal information spect of employers governed by PIPEDA, by pro- about employees that is often readily available to vincial privacy legislation, and by the Charter) employers, misuses of personal information in the indicates that e-mails or social-media messages workplace might be argued to fall within the sphere concerning an employee can fall within the defini- 28 of conduct that the court had envisioned as giving tion of “personal information” and that employees rise to liability. As a result, depending on the cir- have an expectation of privacy regarding informa- cumstances—including whether the employer has tion stored on company-owned computer equip- policies established permitting the collection, use, ment if the employer does not have a privacy policy 29 or disclosure of employees’ personal information— in place that indicates otherwise. As a result, un- the tort of intrusion upon seclusion may apply to reasonable monitoring of an employee’s digital ac- breaches of privacy in the digital workplace. If the tivities may amount to a breach of privacy laws or employer has a clear policy that permits it to moni- the Charter (where applicable) in appropriate cir- tor employees’ computer usage and online activi- cumstances. The cases suggest that monitoring may ties, an employee who has been subjected to such be reasonable if the employer suspects that the em- monitoring will be unable to use the intrusion upon ployee is or has been engaged in fraud, breach of seclusion cause of action.25 Therefore, the court’s the employment contract (including time theft) or reasoning reinforces the need for employers to some other unlawful activity. Where less intrusive maintain clear and consistently enforced computer- means are unavailable to investigate these issues, it use and Internet policies. is more likely that the employer’s monitoring would be considered reasonable. Finally, where the employer has a clear and consistently enforced pol-
78 CANADIAN PRIVACY LAW REVIEW • Volume 9 • Number 8 icy in place, monitoring may be viewed as more use, or disclosure must be reasonable in order to acceptable. comply with PIPEDA.
1) Bell Canada v. Johnson: Employees’ 2) Alberta Privacy Commissioner Order: Use Work E-mails Are “Personal Information” of Keystroke Monitoring Technology May In Bell Canada,30 the Federal Court of Canada de- Be Reasonable in Certain Circumstances termined that PIPEDA does not require employers In a public-sector case in Alberta,31 the Alberta to provide employees with access to all e-mails Information and Privacy Commissioner determined stored on the employer’s network that relate to the that a regional library’s installation of keystroke employee and that contain personal information monitoring technology on one of its employees’ concerning the employee. Johnson, an employee of computers was unreasonable in the circumstances Bell Canada, made an access request under and contravened the Alberta Freedom of Informa- PIPEDA seeking “e-mails concerning me in this tion and Protection of Privacy Act.32 The commis- company … from all sources.” The court observed sioner observed that the library’s undisclosed use of that there was no issue that e-mails sent in the the software amounted to surveillance of the em- course of business are accessible through PIPEDA; ployee. The use of the software may have been rea- the question was whether personal e-mails sent by sonable if the employee was suspected of employees at work were accessible. Since the court committing fraud using the library-owned informa- determined that the exemption for personal infor- tion technology equipment; however, on the facts mation used solely for personal purposes found in of the case, there were less intrusive means avail- s. 4(2)(b) applied only to individuals, it focused its able to the library for managing the employee analysis on s. 4(1). That section provides that and, therefore, the monitoring breached the Act. PIPEDA applies only to personal information col- Although this decision emanates from the public lected, used, or disclosed in the course of “com- sector, it demonstrates that, in certain circum- mercial activities” or about an employee that the stances, employers, subject to privacy legislation, organization collects “in connection with a federal may be permitted to monitor their employees’ work, undertaking or business.” The court held that computer usage without providing the employees only information collected because the organization with advance notice.33 has a commercial need for it is captured by 3) R. v. Cole: Employees May Expect PIPEDA: “Information collected in connection with Privacy of Information Stored the operation of the business requires that there be on Employer-Owned Computers a business purpose for the information. There is none with respect to personal e-mails.” The impli- In Cole, a high school teacher was charged with cation of the court’s decision is that employees’ possession of child pornography and unauthorized e-mails are private, personal information, meaning use of a computer contrary to the Criminal Code. that PIPEDA does not permit an employer’s collec- While conducting regular server maintenance, a tion, use, or disclosure of these types of e-mails computer technician accessed the teacher’s school- without the employee’s consent, because there is no board-issued laptop and found sexually explicit im- commercial need for the employer to do so. Even ages of an underage student. The technician copied when an employee has consented, the collection, the photos onto a disk and reported his findings to
79 CANADIAN PRIVACY LAW REVIEW • Volume 9 • Number 8 the principal, who then asked the teacher to hand a) Implications of the Cole Decision over the laptop. A second search of the computer The implications of Cole for private sector employ- was conducted by a school board official who cop- ers are not necessarily far reaching. First, the deci- ied the temporary Internet files onto another disk. sion arose out of a criminal proceeding, so although Both disks and the laptop were turned over to the the case creates a helpful precedent for employees police, who then performed a warrantless search whose workplace privacy is breached through a and charged the teacher under the Criminal Code. warrantless police search, it does not create any The Court of Appeal determined that the teacher’s new sources of liability for employers. Second, the Charter rights were breached by the police but not case was decided in the Charter context and the by his employer. In reaching its decision, the court court’s analysis assumed that the Charter applied to found that the teacher had a reasonable expectation the school board. The court’s analysis thus applies of privacy regarding personal material he stored on only to employers subject to the Charter. Despite his work-issued laptop. The court relied on the trial the limited direct application this case may have for judge’s findings of fact that the teacher and his col- private sector employers, the court’s reasoning still leagues used their computers to regularly store sen- provides important lessons for them. sitive personal information and that, although the Most important, the decision in Cole clarifies that school board owned the computer, it gave de facto an employee’s privacy interests are not simply ne- control of the computers to the teachers. Moreover, gated because the employer owns the technology the school board did not have a clear policy in used by the employee. Employers can no longer place permitting it to monitor, search, or otherwise rely on the mere ownership of property to insulate police the teacher’s laptop use. Although it was themselves from claims that employees have a rea- lawful for the police to look at the disk containing sonable expectation of privacy regarding their per- images of the student, it was unlawful for the police sonal information stored on employer-issued to copy the laptop’s entire hard drive or to search 34 technology. The court’s reasoning in Cole also the disk containing the temporary Internet files. highlights the importance for employers of having a The lack of exigency, the teacher’s privacy inter- clear, consistently enforced computer-usage and/or ests over his browsing history, and the broad nature computer-monitoring policy in place to minimize of the search contributed to the unreasonableness employees’ privacy expectations. and unlawfulness of the police search under s. 8 of the Charter. E. Conducting Background Checks via Social Media With respect to the school board, the court con- cluded that neither the technician’s search nor the The digital workplace has also transformed the hir- school board official’s search breached the ing process. Employers are no longer restricted to teacher’s Charter rights, since the first search the references given by prospective employees and occurred during routine maintenance and the can instead conduct their own online research. A second search constituted reasonable follow-up to 2009 U.S. poll found that 45 per cent of employers the initial findings. conducted background checks via some form of social media throughout their hiring process.35 These background checks can include a variety of actions but may be as simple as viewing a candi- 80 CANADIAN PRIVACY LAW REVIEW • Volume 9 • Number 8 date’s Facebook profile or reading the person’s ble.41 The commissioner launched an investigation blog posts; or the checks may be as thorough as into the B.C. New Democratic Party after the media hiring an organization to search for every bit of in- reported that the party had requested all leadership formation on social media about the prospective candidates’ Facebook passwords (and other social- employee.36 When employers or organizations media passwords) in order to conduct a background hired on behalf of employers search social media search to vet the candidates’ social-media usage for for individuals, the collection, use, or disclosure of inappropriate material. The party’s explanation for that information is subject to PIPEDA and the pro- the background searches was the desire to avoid vincial private sector privacy legislation.37 Indi- repeating the situation that had occurred in the viduals in provinces that lack private sector privacy 2009 provincial election, when a candidate was legislation have recourse for improper social-media forced to withdraw after inappropriate Facebook background checks under PIPEDA, because the photos were discovered on his profile. The investi- provisions relied upon in this circumstance are not gation concluded that, although the NDP had ob- specific to the employee-employer relationship. tained the candidates’ consent and had identified the purpose for its request, as required under the As a result of an ever-increasing use of social me- B.C. PIPA, the collection was nonetheless unrea- dia and the development of online personalities, sonable and, therefore, a breach of that Act. employers must now be wary of the possibility that their employees may have online personas that The commissioner explained that reasonableness would negatively impact the business. What better must be assessed in light of various factors, includ- time to weed out these employees than at the inter- ing the purpose of the collection and surrounding view stage? However, despite the potential per- circumstances, the quantity and type of information ceived benefits to conducting background checks collected, and the uses to which the information through social media, the risks associated with would be put. The surrounding circumstances in these checks mean that employers who misuse this this case included the fact that collecting informa- hiring technique may run the risk of breaching pri- tion on a particular person’s Facebook account will vacy legislation. result in obtaining third-party information that con- cerns people who have not consented to the collec- Researching social media on a person may produce tion and that is often likely to be inaccurate or out a huge amount of irrelevant or inaccurate informa- of date. tion. Canadian privacy legislation requires organi- zations to take steps to ensure that the information This decision suggests that, if a social-media back- they are collecting is accurate.38 Breach of the ac- ground check is somehow confined to exclude any curacy requirement amounts to breach of the legis- third-party information and steps are taken to check lation.39 Furthermore, the Federal Court of Canada the accuracy or timeliness of the information, these has awarded damages, albeit a modest amount, to checks may be permissible under privacy legisla- an individual for inaccurate information disclosed tion. It also seems unlikely that individuals who by an organization.40 determine that they have been the target of social- media background searches would have a right of A recent decision of the B.C. Information and action against the organization for intrusion upon Privacy Commissioner provides useful insight into seclusion. Depending on the quantity and scope of when these background searches may be permissi- 81 CANADIAN PRIVACY LAW REVIEW • Volume 9 • Number 8 information collected, it is at least arguable that an Workplace in the Social Media Age program on organization is lawfully entitled to review the con- April 25 and 26, 2012. tents of a prospective employee’s social-media us- Reprinted with permission from Torys LLP. age in order to assess the employee’s suitability for © 2012 by Torys LLP] employment. Furthermore, given the proliferation ______of employers that are using social media for back- 1 A. Zborosky, “Personal Information Privacy and Electronic ground checks as part of their hiring processes and Document Act From the Perspective of Employees and the reality that information on social-media sites Unions” (Address to the Canadian Bar Association concerning individuals is often posted by the indi- Mid-Winter Meeting, February 2004) at 7. 2 vidual, it seems unlikely that a reasonable person R. v. O’Connor, [1995] S.C.J. No. 98, [1995] 4 S.C.R. 411 would conclude that there was a highly offensive at para. 113. 3 R. v. Tessling, [2004] S.C.J. No. 63, 2004 SCC 67 intrusion into the individual’s private affairs capa- at para. 23. ble of causing distress, humiliation, or anguish. 4 On January 18, 2012, the Ontario Court of Appeal recog- nized a private right of action for intentional intrusion upon F. Conclusion and Lessons Learned one’s seclusion, though the court avoided calling the new This review of cases suggests that Canadian em- nominate tort one of “invasion of privacy” in Jones v. Tsige, ployers in the private sector would be wise to im- [2012] O.J. No. 148, 2012 ONCA 32 [Jones]. 5 R. Gary Dickson, QC, and Sandra Barreth, “Privacy Laws plement and consistently enforce clear policies that and Virtue Testing in the Workplace” (Presentation for the permit them to monitor their employees’ computer Canadian Bar Association, Saskatchewan Branch), and Internet usage. The policy can be a stand-alone February 3, 2006 at 8. 6 document or can be included as terms in the em- The only provinces that have enacted provincial privacy ployment agreement or as part of an employee code legislation of general application are British Columbia, Alberta, and Quebec. of conduct. What is important is that the policy 7 S.C. 2000, c. 5 [PIPEDA]. clearly states the reasons that might give rise to the 8 PIPEDA, s. 4(1)(a). employer’s monitoring. For example, these reasons 9 PIPEDA, s. 2(1) definition of “personal information.” Note could include protecting (1) the integrity of data; that the amendments to PIPEDA currently pending before Parliament as Bill C-12 amend this definition to remove the (2) the monitoring systems; (3) the confidentiality exclusion of the stipulated employee information from the of information and data belonging to the company, definition of personal information. However, Bill C-12 also its employees, clients, suppliers, and so on; adds a definition of “business contact information” (which (4) the company’s compliance with applicable includes name, position or title, work address, phone and laws (including intellectual property laws); and fax number, e-mail address, and similar information) that is exempted from the obligations in part I of PIPEDA to the (5) employees and the workplace environment from extent that the business contact information is used to 42 harassment and discrimination. These policies communicate with the employee in relation to their em- enable employers to ensure quality control, produc- ployment. Further, s. 4(1)(b) of PIPEDA is amended to tivity standards, and a safe and harassment-free make clear that personal information collected from an ap- workplace, while also providing employees with plicant for employment is subject to the same obligations as employee information. clear guidelines and expectations. 10 An Act Respecting the Protection of Personal Information [Editor’s note: This article was originally presented in the Private Sector, R.S.Q., c. P-39.1 [Quebec Act]; Personal Information Protection Act, SA 2003, c. P-6.5 at The Law Society of Upper Canada's Special [Alberta PIPA]; and Personal Information Protection Act, Lectures 2012: Employment Law and the New SBC 2003, c. 63 [B.C. PIPA].
82 CANADIAN PRIVACY LAW REVIEW • Volume 9 • Number 8
11 PIPEDA, s. 5(3) and Principle 4.3. 31 Alberta Information and Privacy Commissioner Order 12 B.C. PIPA; Alberta PIPA. F2005-003 available at 13 This stands in contrast to the general provisions in both
(4th) 1 (Fed. Ct.) [Bell Canada]. . 29 Cole, supra note 20. 30 Supra note 28.
ELECTRONIC VERSION AVAILABLE A PDF version of your print subscription is available for an additional charge. A PDF file of each issue will be e-mailed directly to you 12 times per year, for internal distribution only.
83