Privacy and data protection concerns are at an all time high. With tech giants under scrutiny for large-scale privacy breaches, much of the recent media attention has focused on companies’ handling of client or consumer personal information. However, looming equally large are concerns regarding employers’ handling (and mishandling) of employee personal information.
Which Privacy Laws Apply to your Workplace?
In Canada, the privacy law landscape is relatively new, but rapidly evolving. In 2000, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) was enacted in order to regulate private sector collection, use and disclosure of personal information in the course of commercial activity. However, PIPEDA has limited application in the employment context as it only applies to federally regulated employers.
British Columba, Alberta and Quebec have enacted privacy legislation for provincially regulated, private sector employers. However, there is currently no equivalent legislation in Ontario
What have the Courts Said?
In the absence of any privacy legislation that applies to private sector employers in Ontario, the courts have frequently addressed the issue of privacy in the workplace. In a landmark 2012 case, Jones v. Tsige, the Ontario Court of Appeal confirmed the existence of the tort of “intrusion upon seclusion”, or invasion of privacy, in Ontario. “Intrusion upon seclusion” can arise as a result of an intrusion into an individual’s highly sensitive information, including financial or health records, sexual practices and sexual orientation, employment information, and diary or private correspondence. The implication is that employees in Ontario are entitled to a “reasonable expectation of privacy” even if they are using employer-provided technology. Unsurprisingly, there have been a number of cases in recent years in which employees have claimed “intrusion upon seclusion” in respect of personal employee information.
Additionally, in the unionized context, some arbitrators have recognized various workplace privacy rights, including drug and alcohol testing, employee surveillance and monitoring, and searches of employee property, although many of these decisions have referenced a collective agreement which specifically addresses these protections.
As federal and provincial privacy legislation and the common law continue to develop in this area, employers can follow a few best practices in order to minimize the risk of privacy breaches:
- Do not disclose any personal employee information without first securing the employee’s permission, unless the disclosure is for the purposes of complying with a court order or government mandate.
- Limit access to personal employee information to authorized staff.
- Ensure that personal employee information is stored securely.
What’s Coming up Next?
Earlier this year, it seemed that provincial privacy legislation was on the horizon for Ontario, when Bill 14, the Personal Information Protect Act, was introduced at a first reading on March 21, 2018. While Bill 14 quickly passed second reading on March 22, 2018 and was referred to the Standing Committee on Justice Policy, it was not enacted prior to the provincial election in June and died on the Order Paper.
Bill 14 mirrored PIPEDA in many respects, however it included specific provisions which would regulate the handling of employee personal information by provincially regulated employers in Ontario. Bill 14 also granted specific enforcement powers to the Information and Privacy Commissioner of Ontario to initiate compliance investigations and audits in the private sector and conduct inquiries and make orders regarding privacy complaints.
While it is yet to be seen whether the Conservative government will re-introduce Bill 14, it is likely that Ontario will enact provincial privacy legislation in the future, as privacy and data protection concerns gain increasing prominence in the workplace. We will be following the development of any potential legislation closely and will publish any updates.
 2012 ONCA 32.