Privacy tips for the workplace
The Office of the Privacy Commissioner of Canada (OPC) has published some practical tips for employers regarding privacy in the workplace.
These tips are quoted from the OPC website:
- Know the law – Be aware of your legal obligations under federal or provincial privacy laws, as well as human rights and workplace laws, and any commitments that you might have under collective agreements.
- Map out the information that you collect from employees – Know whether the pieces of information, either alone or in combination, amount to personal information about the employee. Your organization’s privacy risks and obligations are linked to the sensitivity of the personal information that your organization collects, uses and discloses. See the OPC’s Interpretation Bulletin: Personal Information for additional information.
- Conduct a privacy impact assessment – A PIA can be a useful tool to help you identify your legal requirements and the potential impact your programs and activities will have on employee privacy.
- Test your proposed information management practices – Identify all purposes for which you plan to collect, use or disclose personal information. Then consider whether you need the information for a legitimate purpose, and whether there might be a less privacy-invasive way of achieving the same ends. See the OPC Guidance on inappropriate data practices: Interpretation and application of subsection 5(3) for more information.
- Limit collection – Only collect the information that you need for a stated purpose, be transparent about how you will use it, and collect it by fair and lawful means. Remember that employee files should only contain necessary information.
- Be transparent and open – Create clear policies on practices such as monitoring employee attendance and activities in the workplace, and communicate the policies to your employees before implementing them. These policies should lay out why and how the information is being collected and how it will be used, including any potential consequences for employees. The policy should also state how long the information might be retained.
- Respect key privacy principles – You may not need employees’ consent to collect certain personal information, but other obligations to protect privacy continue to apply, such as accountability, accuracy, and individual access. You should have security safeguards in place that correspond to the sensitivity of the information.
- Be aware of inappropriate practices/no-go zones – Given the unequal positions of power between employers and employees, there is a risk that employers could ask for more information than they are allowed to collect, and that individuals may feel unduly pressured to provide it. For example, asking employees (or potential employees) to provide you with access to password-protected areas of their social media accounts would likely go too far. The OPC guidance on inappropriate data practices has more information about what information employers (or prospective employers) can request.
Although the federal legislation does not apply to all BC employers, these suggestions are still helpful for all employers to consider. Additional resources for employers are available on the OPC website: Privacy in the workplace – practical tips for employers – Office of the Privacy Commissioner of Canada.
For more information on this and other similar topics, please contact Scott Marcinkow at smarcinkow@harpergrey.com or anyone else from our team listed on the Authors page.