Every organization should investigate which, if any, privacy acts
it falls under. Beyond that, common sense and smart business
practices should rule.
“It’s important to realize that even if PIPEDA doesn’t strictly
apply to employee records held by your organization, employers
should still be taking steps to respect privacy,” said Lisa Bolton, a
lawyer with Sherrard Kuzz LLP in Toronto.
Common sense should rule, in other words – no one is going to
open up their payroll info just because there’s no legislation speci-fying
that they can’t.
CAN EMPLOYERS COLLECT EMPLOYEE INFO?
Amid all of those privacy regulations, there are some common
basics that apply to any employer. For starters, “information” in-cludes
such things as birth date, income, address, medical history,
religion, political affiliations, education, others’ opinions about
the employee and visual images including photographs and vid-eos
where the employee is identifiable. Typically, web history and
email content would be included in this list as well.
According to the Office of the Privacy Commissioner of
Canada, PIPEDA and the provincial privacy laws in B.C. and
Alberta share an important principal: “An organization may col-lect,
use or disclose information for a purpose that a reasonable
person would consider appropriate in the circumstances.” The
Privacy Commissioner also proposes the following questions to
help assess whether the monitoring is legitimate: Is it necessary?
Will it be effective? Is the loss of privacy proportional to the ben-efit
gained? Is there a less invasive way of achieving the same end?
Employers also need employee consent to gather and disclose
the information (with some exceptions) and they need to make
the “why” of the collection clear, ahead of time. The data should be
kept on hand only as long as necessary and be kept safe during that
time. Most important, corporate privacy policies need to be acces-sible
and understood by all employees.
THE BALANCING ACT
Despite all of this, employees are still legally entitled to at least
some degree of privacy. In 2012, a Supreme Court of Canada de-cision
stated, “Canadians can reasonably expect privacy in the
information contained on company computers, where personal
use is permitted or reasonably expected.”
It comes down to a careful give and take. While employees can
expect some confidentiality when it comes to what they do while
they’re at work, employers still have a right to make sure their lap-tops,
cell phones and office hours aren’t being misused. The middle
ground can be found where organizations clearly map out their
expectations.
“For employers, this underscores the importance of a direct and
understood privacy policy,” said Piccolo. “Companies who wish to
monitor their employees’ use of technology will want to spell this
out explicitly and state it publicly.”
An organization might advise employees that their emails and
web history will be routinely monitored to ensure productivity.
Or staff members might be told that the organization allows web
browsing for personal use only during lunch breaks, for example.
To ensure employees have either a very low expectation – or no
expectation at all – of privacy when it comes to information stored
on a work device, Piccolo points out that some organizations im-plement
an absolute prohibition on non-work related Internet
use, blocking access to certain websites used mainly for personal
reasons and creating network architecture that prevents employ-ees
from saving information in non-public folders. In addition to
managing expectations, this also reduces the need to constantly
monitor employees’ web use.
cover feature
Mopic/Shutterstock
20 ❚ SEPTEMBER 2014 ❚ HR PROFESSIONAL