The Personal Information and Protection of Electronic Documents Act (PIPEDA) is a Canadian law that oversees how private sector organizations collect, use, and disclose personal information in the course of commercial activities.
Commercial Purposes: PIPEDA's principles apply to personal information gathered by organizations for commercial purposes. However, if a province has similar legislation, that provincial law prevails.
Ontario Privacy Legislation: In Ontario, there are specific privacy laws protecting personal health information and the personal data of public employees.
Federally Regulated Organizations: PIPEDA is applicable to all organizations regulated at the federal level.
Provincially Regulated Workplaces: It does not apply to workplaces that are regulated at the provincial level; it is limited to the commercial activities of businesses in Ontario.
Nature of Commercial Activity: Notably, employment does not fall under commercial activities as defined by PIPEDA, since that definition pertains to operations like selling and lending but not to employee-related functions.
Under PIPEDA and relevant provincial laws, personal information encompasses:
A worker’s residential address.
Individual data such as income, birth date, credit records, and loan records.
Medical records, genetic data, and intentions to change jobs.
Performance records of employees.
Specific items like blood type.
However, it does not include:
A worker’s name.
Job title, business address, or business telephone number.
Organizations have specific responsibilities to ensure compliance with PIPEDA:
Designated Officer: Appoint a responsible person to ensure adherence to the act’s provisions.
Data Collection Limitations: Only collect information essential for stipulated purposes (e.g., do not inquire about religious affiliations during a credit check).
Consent Requirement: Obtain explicit consent before collecting personal data from individuals.
Usage Restrictions: Limit the use, disclosure, and retention of the data obtained: do not share it without consent, and use it solely for the intended purpose.
Data Accuracy: Ensure personal information is kept current and accurate.
Secure Storage: Safeguard personal information in secure locations to prevent unauthorized access.
Supervisor Training: Ensure that supervisors are knowledgeable about privacy laws and the protection of personal information.
Transparency of Information Held: Organizations must inform individuals about the information held about them.
Complaint Mechanism: Establish processes for individuals to lodge complaints if they believe their personal information is compromised.
Case Summary #2003-226: In this case, a worker was mandated by her employer to submit extensive medical information for long-term disability applications. The Privacy Commissioner ruled that the employer should have allowed direct submission to the insurer instead of through an unsecured fax to HR, affirming the employee's right to privacy in her medical information.
In this case, video surveillance was set up in a work yard ostensibly for security reasons aimed at reducing theft. The Privacy Commissioner found the security concern insufficient to justify surveillance when less intrusive measures like improved lighting were available. The Federal Court ultimately sided with the employer, emphasizing the necessity for legitimate purposes under PIPEDA.
The incident with a library technician involved unauthorized software monitoring of computer keystrokes by an employer. This practice was deemed a significant invasion of privacy, and the Privacy Commissioner ruled that such a high level of intrusion wasn't warranted. The employer could have addressed productivity concerns through direct communication, highlighting the importance of employee privacy.
This landmark case established a new tort of intrusion upon seclusion in Ontario. Jones, an employee whose privacy was violated by a coworker accessing her bank account multiple times, successfully argued for damages. The Ontario Court of Appeal outlined requirements for this tort, reinforcing the need for legal acknowledgment of privacy infringements in the workplace.