Where are you and what are you doing? Employees, surveillance and privacy

By Midhath Mahir (articled student)

Employee privacy is a thorny issue for employers and their employees. How much control can employers wield over their employees’ personal information in the work place? Are there any limits on what employee personal information can be collected, and the manner in which it is collected?

BC has two privacy laws: the Personal Information Protection Act (“PIPA”) and the Freedom of Information and Protection of Privacy Act (“FIPPA”). Both laws address the collection, use and disclosure of personal information. While PIPA applies to private organizations (including unions and political parties), FIPPA applies to public sector organizations.

FIPPA and PIPA define personal information as recorded information about an individual which can identify that person, including their personal contact information. Business contact information is not personal information.

Employers have always collected employee personal information – names, contact information, banking information, and so on – but new technologies have expanded the type of information that employers now have access to. Keystroke tracking software tracks employee internet use on work computers or mobile devices. GPS tracking technology monitors the location of employer vehicles or mobile devices. Employers may also have access to work email or text messages sent and received on work devices.

Employers often justify such surveillance measures as efforts to deter inappropriate workplace behaviour or to safeguard businesses from cyber-attacks. However, such measures may also lead to over-collection or inappropriate use of employees’ personal information.

FIPPA and PIPA mandate that employers must get the consent of their employees before collecting personal information. However, there are exceptions to this rule.

In most cases, PIPA requires private organizations to obtain employee consent before collecting personal information. However, private employers may collect personal information without consent if they collect it solely for the purposes reasonably required to establish, manage or terminate the employment. Notice, with an explanation for why such information is being collected, must be given to employees (e.g. for employee safety).

Under FIPPA, public organizations may collect employee personal information without consent where it is necessary for and directly related to a program or activity of that body. FIPPA does require that employees be notified that personal information is being collected for managing or terminating the employment, if that information is indirectly collected.

The following three decisions issued by the BC Information and Privacy Commissioner of BC (the “Commissioner”) canvass the privacy rights of employees: Use of Employee Monitoring Software by the District of Saanich, 2015 BCIPC No. 15 (“Saanich”), Schindler Elevator Corporation, 2012 BCIPC No. 25 (“Schindler”), and University of British Columbia, 2013 BCIPC No. 4 (“UBC).

In Saanich, the District installed computer software called Spector 360 to monitor employees’ online activities and to prevent cyber-attacks. Mayor Richard Atwell publicly complained that Spector 360 collected personal information from his work computer without his knowledge or consent. The District argued that employees did not have a reasonable expectation of privacy at work.

The Commissioner found that the District used Spector 360 to collect personal information of employees and citizens who dealt with the District on a day-to-day basis. The District did not have authority under FIPPA to collect such information because the information they collected was not necessary for any programs or activity of the District. The District did not notify its employees of the purpose for the collection of their personal information. The OIPC found that the collection of every keystroke, email, and screenshot of computer activities was unnecessary and in breach of FIPPA. The OIPC also noted that the District was unaware of privacy laws in BC.

In Schindler, the Commissioner found that the elevator company was authorized to collect and record the behaviour of their employees via a GPS system whilst on the job. The employer used the GPS system to ensure employee safety and accurate client billing. However, the OIPC also held that continuous monitoring of employee behaviours outside work hours was a breach of their privacy.

In UBC, the Commissioner investigated the use of a GPS system installed in UBC campus patrol vehicles to collect information about location, movement, speed and ignition. The GPS system only transmitted information about the location and status of the vehicle in question. It did not identify the operator in any manner. Nonetheless, the information was personal information as it could be linked to individual employees.

The employer claimed that it was not using this indirectly obtained information for managing employees. However, the Commissioner held that, on the facts and the face of UBC’s policy, the personal information was in fact used in managing the employment relationship. As UBC had not notified employees about this purpose for collecting the GPS information, it had breached FIPPA. UBC was ordered to stop collecting, using, or disclosing GPS information for this purpose until satisfactory notice had been provided to the union and its members.

What these decisions show is that employer monitoring of employees must be tailored to specific, permitted purposes and that appropriate notice must be given. Under both PIPA and FIPPA, private and public organizations must meet strict requirements if they are using any form of surveillance on their employees. Surveillance must be reasonable and necessary for maintaining or terminating the employment relationship.  The law requires that employers use less invasive means of keeping track of employee activities.  Video and other more invasive forms of surveillance should only be used as a last resort.

The BC Office of the Information and Privacy Commissioner has released guidelines on the collection of employee personal information. Both employers and employees should review these periodically to ensure employee privacy is being respected and protected in the workplace.