The importance of developing a workplace privacy policy

Throughout Canada, privacy in the workplace is becoming increasingly important

The importance of developing a workplace privacy policy

Throughout Canada, privacy in the workplace is becoming increasingly important. Employers regularly face the difficult challenge of balancing their need to know with an employee’s right to privacy. Increasing the difficulty for employers in understanding their obligations is that privacy in the workplace is not governed by the same laws throughout Canada.

In Ontario, there is no legislation to regulate and protect an employee’s privacy rights. Despite this, some employers located in Ontario may be subject to the federal legislation known as the Personal Information Protection and Electronics Documents Act or PIPEDA. PIPEDA applies to all workplaces that are federally regulated. When considering privacy obligations an employer’s first step should be determined if it is a provincially or federally regulated workplace and which laws apply. Provincially regulated employers may also have obligations under a Collective Agreement or at common law.

If your workplace is federally regulated an important change is coming to PIPEDA on November 1, 2018. Mandatory breach notification requirements will be implemented under PIPEDA and employers will be required to notify affected individuals as well as the federal Privacy Commissioner when a security incident involving personal information results in a real risk of significant harm. Employers should prepare for this new requirement by ensuring that their privacy policy includes a procedure to identify and if necessary, report incidents. It is important that any procedure include the following elements:

  • Define what an incident is and establish a reporting procedure;
  • Allow for measures to reduce exposure or impact such as temporarily suspending IT services;
  • Establish an investigation process to determine the extent of the breach and the reasons it occurred;
  • Have a media or communication policy to provide information to affected individuals and outline how communications should be made; and,
  • Establish a notification process.

Beyond notification in the event of a breach, employers should also consider a privacy policy to assist in collecting personal information and setting expectations in the workplace. Although not required by legislation, provincially regulated employers can use PIPEDA as a guide when developing a workplace privacy policy. Generally it is recommended to include the following:

  • Establish what, why and how personal information will be collected;
  • The employee’s consent should be obtained to collect the information;
  • Only the information necessary should be collected. For example, if requesting medical information for an accommodation it would be necessary to know an employee’s restrictions and limitations but not necessary to know his or her diagnosis;
  • The information should only be used for the purposes it is collected for and only kept for as long as it is needed;
  • The information should be accurate and up to date; and,
  • Employees should have the ability to access and if necessary correct their personal information.

It is also recommended to consider whether a policy on internet use, e-mail or telephone use is necessary and appropriate in your workplace.

The lawyers at CCPartners can assist your workplace in determining what your legal requirements regarding privacy are and can also guide you through the process of creating and implementing effective privacy policies. Click here for members of the CCP team who can assist.

Click here to access CCPartners’ “Lawyers for Employers” podcasts on important workplace issues and developments in labour and employment law.