SlideShare a Scribd company logo

New Technologies in the Workplace: Balancing Privacy and Employer Needs

L
lgarib

Also posted at: http://www.cippic.ca/uploads/OHRPA-Oct07%28pl%29.pdf

1 of 30
Download to read offline
New Technologies in the Workplace: Privacy Issues Ontario Human Resources Professionals Association Ottawa,ON - October 23, 2007 Philippa Lawson, Director Canadian Internet Policy and Public Interest Clinic University of Ottawa, Faculty of Law www.cippic.ca Louisa Garib, LL.M. Barrister & Solicitor Ottawa, ON
New Technologies • Video surveillance • Email monitoring • Internet use monitoring/restrictions • Computer use monitoring • GPS/location monitoring devices • Drug/alcohol testing • Biometrics • Blogging; Personal webpages
Employer Uses • Monitoring: – Protection against theft/fraud – Detecting/documenting misconduct – Ensuring conformity with laws/standards – Ensuring productivity • Attendance Management • Workplace Safety (drug/alcohol testing) • Background Checks
Privacy Commissioners • An employer’s need for information should be balanced with an employee’s right to privacy – privacy rights flow from contract, statutes/civil code, Charter of Rights, or common law – inherent right to privacy? • Whether or not employee privacy is protected by law or contract, respecting privacy in the workplace makes good business sense
Arbitrators (majority) “…as between employer and employee, the latter's reasonable expectations of privacy are not set aside simply by the entering into of the employment relationship; ...but just as an employee's privacy interests require protection against the overzealous exercise of management rights, so also must an arbitrator acknowledge the employer's legitimate business and property interests. What is required, then, is a contextual and reasonable balancing of interests. There is no absolute rule affording precedence to one legitimate interest over the other….”
Arbitrators (minority) • no inherent right to privacy – must be based in contract or statute • but employees may have privacy “interests” worth protecting • key factor in analysing “breach of privacy” claims = employer’s duty to act fairly and reasonably
Applicable Law • Contract/Collective Agreement • Data Protection law – public sector statutes – private sector statutes • PIPEDA • Alta PIPA, BC PIPA, Quebec Act • Gap: employees of provincially-regulated private sector companies in other provinces • Common law – nascent recognition of tort of “privacy invasion” • Somwar v. McDonald’s (Ont SCJ, 2006)
Public Sector - Privacy Act • can collect, use, disclose employee information without consent if it relates directly to an operating program or activity of a public body + can disclose for variety of other specific listed purposes
Public Sector - Charter • Canadian Charter of Rights and Freedoms • s.8: “Everyone has the right to be free from unreasonable search and seizure” – protects “reasonable expectations of privacy” • s.7: “Everyone has the right to life, liberty, and security of the person” “….grounded in man’s physical and moral autonomy, privacy is essential for the well-being of the individual. For this reason alone, it is worthy of constitutional protection….” (LaForest, J., R. v. Dyment (1988))
Private Sector - PIPEDA • protects “personal information” = info about an identifiable individual, other than name/business contact info of employees • no special rules for workplace • must not collect, use or disclose PI without the individual’s knowledge and consent, or for inappropriate purposes – or in specific exceptional circumstances
Alberta/BC Approach • “personal employee info” = personal info required & used solely for an employment relationship • ERs may collect, use and disclose personal employee information without consent if the individual is an employee or potential employee AS LONG AS: – the collecting, using and disclosing of personal information is reasonable for the purpose and limited to the work relationship; and – notice is given to employees about the purpose for collecting their personal information.
Email Access/Monitoring
Email Access • Employees have no reasonable expectation of privacy in email at work – Camosun College v. CUPE (Arb, 1999) • Email sent to Union members on ER computer network; was forwarded to management – Briar et al v. Treasury Board (PSSRB, 2003) • ER acting on complaint about offensive emails • ER had policy re: acceptable email use • Clear log-in warning that system is monitored for compliance with policy
Computer Surveillance • Notice to employees is critical – written policy should be available to EEs • Surreptitious monitoring of specific employee requires reasonable cause: – Parkland Regional Library (Alta IPC, 2005) • keystroke logging by ER • premature; less invasive means available
Video Surveillance
Overt Video Surveillance • PIPEDA #279: – webcams unjustified for monitoring employee productivity when managers off-site – “Continuous indiscriminate surveillance of employees was based on a lack of trust and treats all individuals with suspicion when the underlying problems rest with a few individuals or with a management plan that may not be entirely sound.”
Overt Video Surveillance • PIPEDA #273: – webcams OK for purpose of protecting EEs of broadcasting company • no information collected • no reas. expectation of privacy in webcam locations – BUT must inform EEs & make policy document available to them
Overt Video Surveillance • Eastmond v. CPR (2004) Fed Ct: – purposes = reduce vandalism, deter theft, reduce CP’s liability for property damage, provide staff security – Test: • Necessary to meet a specific business need? • Likely to be effective in meeting that need? • Is loss of privacy proportional to benefit gained? • Is there a less privacy-invasive means?
Covert Video Surveillance • higher threshold for acceptability: – must be a substantial problem justifying surreptitious surveillance + strong possibility that surveillance will be effective + no reasonable alternative to surreptitious surveillance
Off-duty covert surveillance • PIPEDA #269: – video surveillance to determine if EE truthful about physical limitations – need substantial evidence of broken trust + reasonable grounds to suspect violation of employment contract – no less invasive means available – OK in this case
GPS/Location Tracking • PIPEDA #351: – should have clear policy on use of GPS so as to prevent “function creep” & to inform EEs – must notify employees up front – purposes must be appropriate • dispatch, asset management, safety OK • employee management OK in exceptional situations – no less invasive means of achieving purposes
Private blogs/publications • Chatham-Kent and CAW (Arb, 2007): – careless public posting of personal info about clients +/or disrespectful comments about management can justify termination • Corporate policies for employee blogging – limits to what employees are permitted to disclose – expectations regarding employee blogging • Available to employers/potential employers – “publicly available” exception to consent requirement
Biometrics
Biometrics • IKO Industries Ltd. and U.S.W.A., (Arb, 2005) – hand scan = unreasonable privacy invasion – EE physical and informational privacy affected – balancing test: ER needs vs. EE rights • reasonable in circumstances • reasonable manner implemented • less intrusive, alternative means available
Biometrics • Canada Safeway Ltd. v. UFCWU (Arb, 2005) – hand scan permissible – privacy intrusion minimal – balancing test: ER need > EE privacy loss – But concerned about: • lack of ER policies • destruction on termination • training and use of technology
Biometrics • Wansink v. Telus Communications Inc. [2007] Fed CA (PIPEDA #281) – voice print used for authentication purposes – voice print = personal information – reasonable collection in circumstances – OK to discipline EEs who refuse – but ER not exempted from consent provisions • deficiency in PIPEDA?
Biometrics - summary • Biometrics = Personal Information • Reasonableness test applied – Does a problem exist? Can biometrics address it? – Is manner of implementation reasonable? – Alternative means explored? • Notice (and consent) important • Need policies for use, safeguarding, access, destruction • Final thought: Religious accommodation? (407)
General Rules for Employers • Don’t collect pi for inappropriate purposes • Only collect what you need for stated purposes • Always use least-invasive means • Tell EEs what info you collect & why/how used • Have a clear and complete policy on point • Don’t engage in surreptitious surveillance without reasonable grounds/good justification (no other way of resolving problem)
www.cippic.ca

Recommended

Employment and Labour Law Seminar - June 13, 2013
Employment and Labour Law Seminar - June 13, 2013Employment and Labour Law Seminar - June 13, 2013
Employment and Labour Law Seminar - June 13, 2013This account is closed
 
Unit 14 LO2
Unit 14 LO2Unit 14 LO2
Unit 14 LO2jessraymond1
 
Hiring and firing in the digital age
Hiring and firing in the digital ageHiring and firing in the digital age
Hiring and firing in the digital ageRobert B. Fitzpatrick, PLLC
 
Workplace Privacy Presentation
Workplace Privacy PresentationWorkplace Privacy Presentation
Workplace Privacy PresentationSarah Forbes
 
Don't be a robot: You can't automate your ethical considerations
Don't be a robot: You can't automate your ethical considerationsDon't be a robot: You can't automate your ethical considerations
Don't be a robot: You can't automate your ethical considerationsNehal Madhani
 
Cyber Readiness in the Securities and Brokerage Industries Featuring Armstron...
Cyber Readiness in the Securities and Brokerage Industries Featuring Armstron...Cyber Readiness in the Securities and Brokerage Industries Featuring Armstron...
Cyber Readiness in the Securities and Brokerage Industries Featuring Armstron...Armstrong Teasdale
 
74 x9019 bea legal slides short form ged12.12.16
74 x9019 bea legal slides short form ged12.12.1674 x9019 bea legal slides short form ged12.12.16
74 x9019 bea legal slides short form ged12.12.16Glenn E. Davis
 
Employee Privacy Rights: New Developments in the Law
Employee Privacy Rights: New Developments in the LawEmployee Privacy Rights: New Developments in the Law
Employee Privacy Rights: New Developments in the LawEnercare Inc.
 

Recommended

Employment and Labour Law Seminar - June 13, 2013
Employment and Labour Law Seminar - June 13, 2013Employment and Labour Law Seminar - June 13, 2013
Employment and Labour Law Seminar - June 13, 2013This account is closed
 
Unit 14 LO2
Unit 14 LO2Unit 14 LO2
Unit 14 LO2jessraymond1
 
Hiring and firing in the digital age
Hiring and firing in the digital ageHiring and firing in the digital age
Hiring and firing in the digital ageRobert B. Fitzpatrick, PLLC
 
Workplace Privacy Presentation
Workplace Privacy PresentationWorkplace Privacy Presentation
Workplace Privacy PresentationSarah Forbes
 
Don't be a robot: You can't automate your ethical considerations
Don't be a robot: You can't automate your ethical considerationsDon't be a robot: You can't automate your ethical considerations
Don't be a robot: You can't automate your ethical considerationsNehal Madhani
 
Cyber Readiness in the Securities and Brokerage Industries Featuring Armstron...
Cyber Readiness in the Securities and Brokerage Industries Featuring Armstron...Cyber Readiness in the Securities and Brokerage Industries Featuring Armstron...
Cyber Readiness in the Securities and Brokerage Industries Featuring Armstron...Armstrong Teasdale
 
74 x9019 bea legal slides short form ged12.12.16
74 x9019 bea legal slides short form ged12.12.1674 x9019 bea legal slides short form ged12.12.16
74 x9019 bea legal slides short form ged12.12.16Glenn E. Davis
 
Employee Privacy Rights: New Developments in the Law
Employee Privacy Rights: New Developments in the LawEmployee Privacy Rights: New Developments in the Law
Employee Privacy Rights: New Developments in the LawEnercare Inc.
 
Private Investigations in Family Court
Private Investigations in Family CourtPrivate Investigations in Family Court
Private Investigations in Family CourtELCook
 
Presentation on Information Privacy
Presentation on Information PrivacyPresentation on Information Privacy
Presentation on Information PrivacyPerry Slack
 
Workplace Behavior and Privacy Issues - Employer Responses
Workplace Behavior and Privacy Issues - Employer ResponsesWorkplace Behavior and Privacy Issues - Employer Responses
Workplace Behavior and Privacy Issues - Employer ResponsesThomas Benjamin Huggett
 
Key Issues In Workplace Privacy
Key Issues In Workplace PrivacyKey Issues In Workplace Privacy
Key Issues In Workplace PrivacyDan Michaluk
 
Privacy and personal information
Privacy and personal informationPrivacy and personal information
Privacy and personal informationUc Man
 
2015 NEW 1 FTSI INFO Packet with SEWPV
2015 NEW 1 FTSI INFO Packet with SEWPV2015 NEW 1 FTSI INFO Packet with SEWPV
2015 NEW 1 FTSI INFO Packet with SEWPVTim Drexler
 
Employee issues and privacy
Employee issues and privacyEmployee issues and privacy
Employee issues and privacyDan Michaluk
 
Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1Asad Zaman
 
How to Start and Grow an IP Law Practice
How to Start and Grow an IP Law PracticeHow to Start and Grow an IP Law Practice
How to Start and Grow an IP Law PracticeRocket Matter, LLC
 
Ethical privacy and security issues
Ethical privacy and security issuesEthical privacy and security issues
Ethical privacy and security issuesMarcelo Augusto A. Cosgayon
 
Information Privacy
Information PrivacyInformation Privacy
Information Privacyimehreenx
 
Working Remotely Vpn Paradigm
Working Remotely Vpn ParadigmWorking Remotely Vpn Paradigm
Working Remotely Vpn Paradigmpparam02
 
File000164
File000164File000164
File000164Desmond Devendran
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrUnit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrTushar Rajput
 
MDCC: Privacy and trade practices - 29 October 2014
MDCC: Privacy and trade practices - 29 October 2014MDCC: Privacy and trade practices - 29 October 2014
MDCC: Privacy and trade practices - 29 October 2014Infodec Communications
 
Privacy tort and your workplace
Privacy tort and your workplacePrivacy tort and your workplace
Privacy tort and your workplaceDan Michaluk
 
DLP: Monitoring Legal Obligations, Managing The Challenges
DLP: Monitoring Legal Obligations, Managing The ChallengesDLP: Monitoring Legal Obligations, Managing The Challenges
DLP: Monitoring Legal Obligations, Managing The ChallengesNapier University
 
What is Information Security and why you should care ...
What is Information Security and why you should care ...What is Information Security and why you should care ...
What is Information Security and why you should care ...James Mulhern
 
Insider Threat Experiences
Insider Threat ExperiencesInsider Threat Experiences
Insider Threat ExperiencesNapier University
 
Gdpr demystified - making sense of the regulation
Gdpr demystified - making sense of the regulationGdpr demystified - making sense of the regulation
Gdpr demystified - making sense of the regulationJames Mulhern
 
Investigating without running afoul of privacy laws
Investigating without running afoul of privacy lawsInvestigating without running afoul of privacy laws
Investigating without running afoul of privacy lawsDan Michaluk
 
Understanding employee privacy
Understanding employee privacyUnderstanding employee privacy
Understanding employee privacyG&A Partners
 

More Related Content

What's hot

Private Investigations in Family Court
Private Investigations in Family CourtPrivate Investigations in Family Court
Private Investigations in Family CourtELCook
 
Presentation on Information Privacy
Presentation on Information PrivacyPresentation on Information Privacy
Presentation on Information PrivacyPerry Slack
 
Workplace Behavior and Privacy Issues - Employer Responses
Workplace Behavior and Privacy Issues - Employer ResponsesWorkplace Behavior and Privacy Issues - Employer Responses
Workplace Behavior and Privacy Issues - Employer ResponsesThomas Benjamin Huggett
 
Key Issues In Workplace Privacy
Key Issues In Workplace PrivacyKey Issues In Workplace Privacy
Key Issues In Workplace PrivacyDan Michaluk
 
Privacy and personal information
Privacy and personal informationPrivacy and personal information
Privacy and personal informationUc Man
 
2015 NEW 1 FTSI INFO Packet with SEWPV
2015 NEW 1 FTSI INFO Packet with SEWPV2015 NEW 1 FTSI INFO Packet with SEWPV
2015 NEW 1 FTSI INFO Packet with SEWPVTim Drexler
 
Employee issues and privacy
Employee issues and privacyEmployee issues and privacy
Employee issues and privacyDan Michaluk
 
Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1Asad Zaman
 
How to Start and Grow an IP Law Practice
How to Start and Grow an IP Law PracticeHow to Start and Grow an IP Law Practice
How to Start and Grow an IP Law PracticeRocket Matter, LLC
 
Information Privacy
Information PrivacyInformation Privacy
Information Privacyimehreenx
 
Working Remotely Vpn Paradigm
Working Remotely Vpn ParadigmWorking Remotely Vpn Paradigm
Working Remotely Vpn Paradigmpparam02
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrUnit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrTushar Rajput
 
MDCC: Privacy and trade practices - 29 October 2014
MDCC: Privacy and trade practices - 29 October 2014MDCC: Privacy and trade practices - 29 October 2014
MDCC: Privacy and trade practices - 29 October 2014Infodec Communications
 
Privacy tort and your workplace
Privacy tort and your workplacePrivacy tort and your workplace
Privacy tort and your workplaceDan Michaluk
 
DLP: Monitoring Legal Obligations, Managing The Challenges
DLP: Monitoring Legal Obligations, Managing The ChallengesDLP: Monitoring Legal Obligations, Managing The Challenges
DLP: Monitoring Legal Obligations, Managing The ChallengesNapier University
 
What is Information Security and why you should care ...
What is Information Security and why you should care ...What is Information Security and why you should care ...
What is Information Security and why you should care ...James Mulhern
 
Gdpr demystified - making sense of the regulation
Gdpr demystified - making sense of the regulationGdpr demystified - making sense of the regulation
Gdpr demystified - making sense of the regulationJames Mulhern
 

What's hot (20)

Private Investigations in Family Court
Private Investigations in Family CourtPrivate Investigations in Family Court
Private Investigations in Family Court
 
Presentation on Information Privacy
Presentation on Information PrivacyPresentation on Information Privacy
Presentation on Information Privacy
 
Workplace Behavior and Privacy Issues - Employer Responses
Workplace Behavior and Privacy Issues - Employer ResponsesWorkplace Behavior and Privacy Issues - Employer Responses
Workplace Behavior and Privacy Issues - Employer Responses
 
Key Issues In Workplace Privacy
Key Issues In Workplace PrivacyKey Issues In Workplace Privacy
Key Issues In Workplace Privacy
 
Privacy and personal information
Privacy and personal informationPrivacy and personal information
Privacy and personal information
 
2015 NEW 1 FTSI INFO Packet with SEWPV
2015 NEW 1 FTSI INFO Packet with SEWPV2015 NEW 1 FTSI INFO Packet with SEWPV
2015 NEW 1 FTSI INFO Packet with SEWPV
 
Employee issues and privacy
Employee issues and privacyEmployee issues and privacy
Employee issues and privacy
 
Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1
 
How to Start and Grow an IP Law Practice
How to Start and Grow an IP Law PracticeHow to Start and Grow an IP Law Practice
How to Start and Grow an IP Law Practice
 
Ethical privacy and security issues
Ethical privacy and security issuesEthical privacy and security issues
Ethical privacy and security issues
 
Information Privacy
Information PrivacyInformation Privacy
Information Privacy
 
Working Remotely Vpn Paradigm
Working Remotely Vpn ParadigmWorking Remotely Vpn Paradigm
Working Remotely Vpn Paradigm
 
File000164
File000164File000164
File000164
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrUnit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hr
 
MDCC: Privacy and trade practices - 29 October 2014
MDCC: Privacy and trade practices - 29 October 2014MDCC: Privacy and trade practices - 29 October 2014
MDCC: Privacy and trade practices - 29 October 2014
 
Privacy tort and your workplace
Privacy tort and your workplacePrivacy tort and your workplace
Privacy tort and your workplace
 
DLP: Monitoring Legal Obligations, Managing The Challenges
DLP: Monitoring Legal Obligations, Managing The ChallengesDLP: Monitoring Legal Obligations, Managing The Challenges
DLP: Monitoring Legal Obligations, Managing The Challenges
 
What is Information Security and why you should care ...
What is Information Security and why you should care ...What is Information Security and why you should care ...
What is Information Security and why you should care ...
 
Insider Threat Experiences
Insider Threat ExperiencesInsider Threat Experiences
Insider Threat Experiences
 
Gdpr demystified - making sense of the regulation
Gdpr demystified - making sense of the regulationGdpr demystified - making sense of the regulation
Gdpr demystified - making sense of the regulation
 

Similar to New Technologies in the Workplace: Balancing Privacy and Employer Needs

Investigating without running afoul of privacy laws
Investigating without running afoul of privacy lawsInvestigating without running afoul of privacy laws
Investigating without running afoul of privacy lawsDan Michaluk
 
Understanding employee privacy
Understanding employee privacyUnderstanding employee privacy
Understanding employee privacyG&A Partners
 
Privacy in the Workplace: Employee Monitoring and Surveillance
Privacy in the Workplace: Employee Monitoring and SurveillancePrivacy in the Workplace: Employee Monitoring and Surveillance
Privacy in the Workplace: Employee Monitoring and SurveillanceOverholt Law
 
What Every Attorney Needs to Know
What Every Attorney Needs to KnowWhat Every Attorney Needs to Know
What Every Attorney Needs to KnowBoyarMiller
 
HIPAA, Privacy, Security, and Good Business
HIPAA, Privacy, Security, and Good BusinessHIPAA, Privacy, Security, and Good Business
HIPAA, Privacy, Security, and Good BusinessStephen Cobb
 
BoyarMiller – What Every Attorney Needs to Know Regarding Document Retention,...
BoyarMiller – What Every Attorney Needs to Know Regarding Document Retention,...BoyarMiller – What Every Attorney Needs to Know Regarding Document Retention,...
BoyarMiller – What Every Attorney Needs to Know Regarding Document Retention,...BoyarMiller
 
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...Diana Maier
 
GDPR Privacy Introduction
GDPR Privacy IntroductionGDPR Privacy Introduction
GDPR Privacy IntroductionNiclasGranqvist
 
The privacy and security implications of AI, big data and predictive analytics
The privacy and security implications of AI, big data and predictive analyticsThe privacy and security implications of AI, big data and predictive analytics
The privacy and security implications of AI, big data and predictive analyticsDan Michaluk
 
Aleksandra kuczerawy privacy issues in future internet - seserv se workshop...
Aleksandra kuczerawy privacy issues in future internet - seserv se workshop...Aleksandra kuczerawy privacy issues in future internet - seserv se workshop...
Aleksandra kuczerawy privacy issues in future internet - seserv se workshop...ictseserv
 
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security ProsPrivacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security ProsNicholas Van Exan
 
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
Data Confidentiality, Security and Recent Changes to the ABA Model RulesData Confidentiality, Security and Recent Changes to the ABA Model Rules
Data Confidentiality, Security and Recent Changes to the ABA Model Rulessaurnou
 
Introduction to data protection
Introduction to data protectionIntroduction to data protection
Introduction to data protectionRachel Aldighieri
 
CERN 5 Things you should know about Data Protection
CERN 5 Things you should know about Data ProtectionCERN 5 Things you should know about Data Protection
CERN 5 Things you should know about Data ProtectionEUDAT
 
Data Protection & Risk Management
Data Protection & Risk Management Data Protection & Risk Management
Data Protection & Risk Management Endcode_org
 
Francoise Gilbert Proposed EU Data Protection Regulation-20120214
Francoise Gilbert Proposed EU Data Protection Regulation-20120214Francoise Gilbert Proposed EU Data Protection Regulation-20120214
Francoise Gilbert Proposed EU Data Protection Regulation-20120214Francoise Gilbert
 
Privacy icms (handouts)
Privacy icms (handouts)Privacy icms (handouts)
Privacy icms (handouts)brentcarey
 

Similar to New Technologies in the Workplace: Balancing Privacy and Employer Needs (20)

Investigating without running afoul of privacy laws
Investigating without running afoul of privacy lawsInvestigating without running afoul of privacy laws
Investigating without running afoul of privacy laws
 
Understanding employee privacy
Understanding employee privacyUnderstanding employee privacy
Understanding employee privacy
 
Privacy in the Workplace: Employee Monitoring and Surveillance
Privacy in the Workplace: Employee Monitoring and SurveillancePrivacy in the Workplace: Employee Monitoring and Surveillance
Privacy in the Workplace: Employee Monitoring and Surveillance
 
What Every Attorney Needs to Know
What Every Attorney Needs to KnowWhat Every Attorney Needs to Know
What Every Attorney Needs to Know
 
HIPAA, Privacy, Security, and Good Business
HIPAA, Privacy, Security, and Good BusinessHIPAA, Privacy, Security, and Good Business
HIPAA, Privacy, Security, and Good Business
 
BoyarMiller – What Every Attorney Needs to Know Regarding Document Retention,...
BoyarMiller – What Every Attorney Needs to Know Regarding Document Retention,...BoyarMiller – What Every Attorney Needs to Know Regarding Document Retention,...
BoyarMiller – What Every Attorney Needs to Know Regarding Document Retention,...
 
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
 
GDPR Privacy Introduction
GDPR Privacy IntroductionGDPR Privacy Introduction
GDPR Privacy Introduction
 
The privacy and security implications of AI, big data and predictive analytics
The privacy and security implications of AI, big data and predictive analyticsThe privacy and security implications of AI, big data and predictive analytics
The privacy and security implications of AI, big data and predictive analytics
 
Aleksandra kuczerawy privacy issues in future internet - seserv se workshop...
Aleksandra kuczerawy privacy issues in future internet - seserv se workshop...Aleksandra kuczerawy privacy issues in future internet - seserv se workshop...
Aleksandra kuczerawy privacy issues in future internet - seserv se workshop...
 
Seeley "Necessary Protections of Privacy"
Seeley "Necessary Protections of Privacy"Seeley "Necessary Protections of Privacy"
Seeley "Necessary Protections of Privacy"
 
HKGCC_Luncheon_20160413
HKGCC_Luncheon_20160413HKGCC_Luncheon_20160413
HKGCC_Luncheon_20160413
 
Key Points on The Law Relating To CCTV
Key Points on The Law Relating To CCTVKey Points on The Law Relating To CCTV
Key Points on The Law Relating To CCTV
 
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security ProsPrivacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
 
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
Data Confidentiality, Security and Recent Changes to the ABA Model RulesData Confidentiality, Security and Recent Changes to the ABA Model Rules
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
 
Introduction to data protection
Introduction to data protectionIntroduction to data protection
Introduction to data protection
 
CERN 5 Things you should know about Data Protection
CERN 5 Things you should know about Data ProtectionCERN 5 Things you should know about Data Protection
CERN 5 Things you should know about Data Protection
 
Data Protection & Risk Management
Data Protection & Risk Management Data Protection & Risk Management
Data Protection & Risk Management
 
Francoise Gilbert Proposed EU Data Protection Regulation-20120214
Francoise Gilbert Proposed EU Data Protection Regulation-20120214Francoise Gilbert Proposed EU Data Protection Regulation-20120214
Francoise Gilbert Proposed EU Data Protection Regulation-20120214
 
Privacy icms (handouts)
Privacy icms (handouts)Privacy icms (handouts)
Privacy icms (handouts)
 

New Technologies in the Workplace: Balancing Privacy and Employer Needs

  • 1. New Technologies in the Workplace: Privacy Issues Ontario Human Resources Professionals Association Ottawa,ON - October 23, 2007 Philippa Lawson, Director Canadian Internet Policy and Public Interest Clinic University of Ottawa, Faculty of Law www.cippic.ca Louisa Garib, LL.M. Barrister & Solicitor Ottawa, ON
  • 2.
  • 3. New Technologies • Video surveillance • Email monitoring • Internet use monitoring/restrictions • Computer use monitoring • GPS/location monitoring devices • Drug/alcohol testing • Biometrics • Blogging; Personal webpages
  • 4. Employer Uses • Monitoring: – Protection against theft/fraud – Detecting/documenting misconduct – Ensuring conformity with laws/standards – Ensuring productivity • Attendance Management • Workplace Safety (drug/alcohol testing) • Background Checks
  • 5. Privacy Commissioners • An employer’s need for information should be balanced with an employee’s right to privacy – privacy rights flow from contract, statutes/civil code, Charter of Rights, or common law – inherent right to privacy? • Whether or not employee privacy is protected by law or contract, respecting privacy in the workplace makes good business sense
  • 6. Arbitrators (majority) “…as between employer and employee, the latter's reasonable expectations of privacy are not set aside simply by the entering into of the employment relationship; ...but just as an employee's privacy interests require protection against the overzealous exercise of management rights, so also must an arbitrator acknowledge the employer's legitimate business and property interests. What is required, then, is a contextual and reasonable balancing of interests. There is no absolute rule affording precedence to one legitimate interest over the other….”
  • 7. Arbitrators (minority) • no inherent right to privacy – must be based in contract or statute • but employees may have privacy “interests” worth protecting • key factor in analysing “breach of privacy” claims = employer’s duty to act fairly and reasonably
  • 8. Applicable Law • Contract/Collective Agreement • Data Protection law – public sector statutes – private sector statutes • PIPEDA • Alta PIPA, BC PIPA, Quebec Act • Gap: employees of provincially-regulated private sector companies in other provinces • Common law – nascent recognition of tort of “privacy invasion” • Somwar v. McDonald’s (Ont SCJ, 2006)
  • 9. Public Sector - Privacy Act • can collect, use, disclose employee information without consent if it relates directly to an operating program or activity of a public body + can disclose for variety of other specific listed purposes
  • 10. Public Sector - Charter • Canadian Charter of Rights and Freedoms • s.8: “Everyone has the right to be free from unreasonable search and seizure” – protects “reasonable expectations of privacy” • s.7: “Everyone has the right to life, liberty, and security of the person” “….grounded in man’s physical and moral autonomy, privacy is essential for the well-being of the individual. For this reason alone, it is worthy of constitutional protection….” (LaForest, J., R. v. Dyment (1988))
  • 11. Private Sector - PIPEDA • protects “personal information” = info about an identifiable individual, other than name/business contact info of employees • no special rules for workplace • must not collect, use or disclose PI without the individual’s knowledge and consent, or for inappropriate purposes – or in specific exceptional circumstances
  • 12. Alberta/BC Approach • “personal employee info” = personal info required & used solely for an employment relationship • ERs may collect, use and disclose personal employee information without consent if the individual is an employee or potential employee AS LONG AS: – the collecting, using and disclosing of personal information is reasonable for the purpose and limited to the work relationship; and – notice is given to employees about the purpose for collecting their personal information.
  • 14. Email Access • Employees have no reasonable expectation of privacy in email at work – Camosun College v. CUPE (Arb, 1999) • Email sent to Union members on ER computer network; was forwarded to management – Briar et al v. Treasury Board (PSSRB, 2003) • ER acting on complaint about offensive emails • ER had policy re: acceptable email use • Clear log-in warning that system is monitored for compliance with policy
  • 15. Computer Surveillance • Notice to employees is critical – written policy should be available to EEs • Surreptitious monitoring of specific employee requires reasonable cause: – Parkland Regional Library (Alta IPC, 2005) • keystroke logging by ER • premature; less invasive means available
  • 17. Overt Video Surveillance • PIPEDA #279: – webcams unjustified for monitoring employee productivity when managers off-site – “Continuous indiscriminate surveillance of employees was based on a lack of trust and treats all individuals with suspicion when the underlying problems rest with a few individuals or with a management plan that may not be entirely sound.”
  • 18. Overt Video Surveillance • PIPEDA #273: – webcams OK for purpose of protecting EEs of broadcasting company • no information collected • no reas. expectation of privacy in webcam locations – BUT must inform EEs & make policy document available to them
  • 19. Overt Video Surveillance • Eastmond v. CPR (2004) Fed Ct: – purposes = reduce vandalism, deter theft, reduce CP’s liability for property damage, provide staff security – Test: • Necessary to meet a specific business need? • Likely to be effective in meeting that need? • Is loss of privacy proportional to benefit gained? • Is there a less privacy-invasive means?
  • 20. Covert Video Surveillance • higher threshold for acceptability: – must be a substantial problem justifying surreptitious surveillance + strong possibility that surveillance will be effective + no reasonable alternative to surreptitious surveillance
  • 21. Off-duty covert surveillance • PIPEDA #269: – video surveillance to determine if EE truthful about physical limitations – need substantial evidence of broken trust + reasonable grounds to suspect violation of employment contract – no less invasive means available – OK in this case
  • 22. GPS/Location Tracking • PIPEDA #351: – should have clear policy on use of GPS so as to prevent “function creep” & to inform EEs – must notify employees up front – purposes must be appropriate • dispatch, asset management, safety OK • employee management OK in exceptional situations – no less invasive means of achieving purposes
  • 23. Private blogs/publications • Chatham-Kent and CAW (Arb, 2007): – careless public posting of personal info about clients +/or disrespectful comments about management can justify termination • Corporate policies for employee blogging – limits to what employees are permitted to disclose – expectations regarding employee blogging • Available to employers/potential employers – “publicly available” exception to consent requirement
  • 25. Biometrics • IKO Industries Ltd. and U.S.W.A., (Arb, 2005) – hand scan = unreasonable privacy invasion – EE physical and informational privacy affected – balancing test: ER needs vs. EE rights • reasonable in circumstances • reasonable manner implemented • less intrusive, alternative means available
  • 26. Biometrics • Canada Safeway Ltd. v. UFCWU (Arb, 2005) – hand scan permissible – privacy intrusion minimal – balancing test: ER need > EE privacy loss – But concerned about: • lack of ER policies • destruction on termination • training and use of technology
  • 27. Biometrics • Wansink v. Telus Communications Inc. [2007] Fed CA (PIPEDA #281) – voice print used for authentication purposes – voice print = personal information – reasonable collection in circumstances – OK to discipline EEs who refuse – but ER not exempted from consent provisions • deficiency in PIPEDA?
  • 28. Biometrics - summary • Biometrics = Personal Information • Reasonableness test applied – Does a problem exist? Can biometrics address it? – Is manner of implementation reasonable? – Alternative means explored? • Notice (and consent) important • Need policies for use, safeguarding, access, destruction • Final thought: Religious accommodation? (407)
  • 29. General Rules for Employers • Don’t collect pi for inappropriate purposes • Only collect what you need for stated purposes • Always use least-invasive means • Tell EEs what info you collect & why/how used • Have a clear and complete policy on point • Don’t engage in surreptitious surveillance without reasonable grounds/good justification (no other way of resolving problem)