What’s the harm in asking? Well, it’s personal.
When it comes to sharing our personal information at work, it goes without saying that some details are better left at home. However, modern employers are often tasked with navigating these sensitive topics, including by equity-focused legislation, while promoting a socially accepting work environment and corporate culture.
As any good privacy counsel will tell you, employers must exercise caution as it relates to employees’ sensitive personal information. As the CBC recently found out, the benefit of using, storing, or even requesting this information, despite the external pressures of fostering a welcoming workplace, may be outweighed by the risks of mishandling it.
CBC’s mishandling of employee personal information
The National Post recently reported that the CBC allegedly mishandled sensitive employee personal information – specifically, their ethnicity, marital status, sexual orientation, and religious beliefs. Employee information was collected in response to an internal and purportedly confidential diversity survey.
Employees discovered their sensitive information had been linked to their personal files in the Crown corporation’s cloud-based human resources platform, Workday. Now, the federal privacy commissioner is investigating the CBC’s possible mishandling of this data, which the CBC explained was collected for “statistical analysis of its workforce” to “identify involuntary systemic obstacles.”
The personal information was only available to an employee privately viewing their online profile. It was not available to any supervisors; access was restricted to certain human resources staff.
An investigation into the incident has been commenced by the Office of the Privacy Commissioner of Canada.
Privacy legislation and employee information
As a Crown corporation, the CBC must comply with the federal Privacy Act when collecting and managing employee personal information. These same privacy obligations for federally regulated works, undertakings, and businesses are found in the Personal Information Protection and Electronic Documents Act (PIPEDA). The personal information of Ontario employees that work in the public sector is protected under either the Freedom of Information and Privacy Protection Act or the Municipal Freedom of Information and Privacy Protection Act. Public sector organizations are also bound by the Charter of Rights and Freedoms, which contains privacy-related protections.
What about employees that work in the Ontario private sector?
These employees have to turn to the common law and employment contracts, collective agreements, and workplace policies for privacy protection. The Supreme Court of Canada has held that employees have a reasonable expectation of privacy in their personal information that is held by employers. This expectation of privacy will depend on the “totality of the circumstances.” When the information goes to the employee’s “biographical core,” i.e., information that reveals intimate details of that person’s lifestyle or personal choices, a stronger argument for a reasonable expectation of privacy can be made.
While Ontario employees in the private sector do not currently have statutory privacy protections, their employers are required to disclose any electronic monitoring they carry out on employees. For more information about electronic monitoring policies, click here.
Best practices for Ontario private sector employers
While the CBC had a commendable purpose for collecting its employees’ sensitive personal information, it fell short in its use of that information and in its communications with employees.
When deciding whether to collect employee personal information, private-sector employers should consider the following:
- What are the goals and purposes with respect to collecting employee personal information?
- Can these goals and purposes be met without collecting employee personal information, or less of it?
- Are safe and effective tools and security measures being leveraged to collect, use and/or disclose employee personal information?
- Has appropriate information been provided to employees about the collection, use and/or disclosure of their personal information?
Alysia M. Christiaen and Jon Wakelin are members of the Lerners Privacy, Data and Information Security Group. They are available to provide employers advice on privacy policies and the collection of employee personal information.