Privacy Law

LEGISLATION WATCH

Legislation Update (PIPEDA)

The federal government has recently introduced amendments to PIPEDA (Personal Information Protection and Electronic Documents Act). Depending upon the business, these changes may be significant. In addition to the existing exceptions that allow for use and disclosure of personal information without the individual's consent, an individual's business contact information will now be excluded from the application of PIPEDA if that information is collected, used or disclosed solely to communicate with the individual in a business context. 

PIPEDA currently does not contain a specific definition of "consent", but the amendments provide additional guidance by stating, "the consent of an individual is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting." In some cases, privacy clauses in existing contracts will need to be amended to incorporate this amendment. 

For federally regulated employers, they are now permitted to collect, use and disclose personal information of an individual without consent in order to establish, manage or terminate an employment relationship with the individual employee. 

Lastly, these proposed PIPEDA changes will continue to complicate federally regulated enterprises, such as telecom service providers, given that the recent changes have not effectively clarified how the disclosure of any and all personal information to law enforcement agencies upon request without a warrant balances an individual's Charter rights. 

EMPLOYMENT-BASED PRIVACY CASES

Privacy for Departing Employees

Alberta, like BC, has an active Privacy Commissioner's office that oversees numerous complaints. Recently, one Alberta employee alleged that the internal company memo announcing her departure breached privacy legislation by disclosing personal information without her consent. The memo indicated that she was leaving to work elsewhere, which was held to be 'personal information' even though the former employee had been quite open with others in her department about her new job. The memo also referenced the differences of opinion between the company and the departing employee on workplace expectations, and wished her luck with her future endeavours. This second reference in the internal memo was also categorized as an unreasonable disclosure of 'personal information' about an identifiable individual - and another privacy breach! 

This is an indication of how broadly 'personal information' may be interpreted, and how unintentionally an employer could breach privacy rules. Caution is always advised, and timely legal advice beforehand may save the cost of future litigation or adjudication arising from a privacy complaint. 

New Workplace Technology & Employee Privacy

Employers often implement new workplace technology that is simply a more technologically advanced version of an older practice. For example, replacing an employee punch-card time clock with a biometric scanner, to monitor workplace attendance and provide for better building security, is becoming quite common as the cost of these products decrease. In some instances, an employer could inadvertently cross the line with privacy laws by simply updating its technology. 

In a review of four recent cases where biometric scanners were challenged as a breach of privacy, two of the four technologies were found to be a breach of an employee's privacy. The various biometric scanner systems scanned an employee's corneas, fingerprints, or hand dimensions. The amount, type and accessibility of the personal information that was stored by the computer scanner of each individual employee's personal characteristics appeared to be the dividing line between whether the scanner systems were acceptable or not.

In a recent Saskatchewan case, an arbitrator commented on a company vehicle that had a position monitoring device installed on it. He appeared to quietly adopt the BC approach that so long as the data collected deals only with the vehicle's location and does not identify the person who was driving it, then this technology is outside the review of privacy laws - since it is not 'personal information' about an identifiable individual. 

Legal advice should be obtained before an RFP process is initiated whenever technological changes are being considered for a workplace that involves the storage or gathering of personal information about an employee. 

Privacy, Social Media and the Recruitment Process

A developing area of law involves privacy breaches when employers conduct social media searches as part of the new-hire recruitment process. With the availability of social media, a recruiter is often tempted to perform a "Google" search to see what pops up on the leading candidates. 

The Alberta Office of the Information and Privacy Commissioner recommends the following (and this advice is equally good advice for Saskatchewan employers): 

Do not wait until after you conduct a social media background check to evaluate compliance with privacy legislation; 

1. Do not assume in advance that a social media background check will only retrieve information about one individual and not about multiple individuals; 
2. Do not perform a social media background check from a personal account in an attempt to avoid privacy laws; 
3. Do not attempt to avoid privacy obligations by contracting a third party to carry out background checks; and 
4. Do not perform a social media background check thinking that an individual will not find out about it. For example, an individual can use web analytics to determine what IP address accessed the individual's personal information. 

This is an area of the law that continues to develop as technology changes (e.g. Facebook and other websites change what information is included and what security screening is available to users), so timely and current advice is recommended. 

Public Surveillance Evidence

An Ontario arbitrator recently found that: 

"I am not persuaded that there exists in Ontario a general right to privacy such that it would preclude the observing of a person's presence or activities in public, the documentation of such presence or activities, or the photographing or video recording of such presence or activities. Neither am I able to find that there exists a general expectation of such a privacy right in public places in Ontario. Nor, in the matter of the instant case am I able to find that the collective agreement between the parties contains language that would preclude the employer from observing, documenting, photographing, or video recording an employee's presence or activities in a public place, or that would preclude the employer from monitoring an employee's work activities during working hours." 

Adopting a similar approach, the Ontario Court of Appeal recently found no general common law right to privacy (but a limited right to prevent "intrusion upon seclusion"), confirming that there is no right to privacy when in a public place. 

Illness and Poor Attendance

An arbitrator's decision was upheld, where he decided that a cursory medical note for an employee's illness was insufficient. The existence of such a medical note did not shift the obligation to the employer to prove that it had complied with the collective agreement. The Union still had to prove that the employee was entitled to sick pay in the circumstances. 

An employee's dismal attendance record was accepted as a valid consideration when an employer refused to promote an employee. The seasonal employee had applied for a full time position, where reliable full time attendance was important to the performance of the full time job.