Tired of relying on employee self-reports and chance observations by supervisors, in 2010 Schindler Elevator Corporation (“Schindler”) installed GPS and engine monitoring technologies in its company vehicles. Schindler’s employees do not report to an office as part of their daily routine – they travel from their home, in company vehicles, to various work sites and return directly home from the work site at night.
This prompted a complaint by the employees to the Office of the Information and Privacy Commissioner for British Columbia. The employees were seeking an order prohibiting Schindler from using the GPS and engine monitoring devices, allegating that their use contravened the Personal Information Protection Act (“PIPA”). The main issue in the dispute related to whether the information collected by the monitoring devices was “personal information” under section 1 of PIPA.
Under PIPA, personal information is defined as “information about an identifiable individual and includes employee personal information but does not include (a) contact information, or (b) work product information.”
In Decision P12-01, the Privacy Commissioner outlined case-law on this issue from other jurisdictions. Two lines of reasoning have formed around the definition of personal information – one which provides for an expansive definition but allows for exceptions, and is based upon the analysis of the Supreme Court of Canada in Dagg v. Canada (Minister of Finance)¸  2 S.C.R. 403. The other line of cases stem from the Federal Court of Appeal decision in Canada (Information Commissioner) v. Canada (Canadian Transportation Accident Investigation and Safety Board) [ ], 2006 FCA 157, and define personal information by reference to personal privacy, intimacy and dignity, finding that personal information must not only identify an individual, it must also be “about” a particular individual. This second line of reasoning narrows considerably the definition.
The Privacy Commissioner ultimately sided with the more expansive definition of personal information, concluding that personal information is information that is “reasonably capable of identifying a particular individual, either alone or when combined with other available sources of information, and is collected, used or disclosed for a purpose related to the individual” (para. 85).
The data collected by Schindler could not fall into the category of work product information as this information must be prepared or collected by the individual instead of being machine-generated. The data collected by the GPS and engine monitoring devices was personal information as it served two purposes: one was to provide Schindler with data regarding its assets (e.g. for maintaining the vehicles), but the other was to be used in the management of the employees (and so related to an individual employee).
The Commissioner went on to consider whether the data was also employee personal information. This was necessary as there are special rules for its collection and use under PIPA. Employee personal information is defined as personal information about an individual that is collected solely for purposes reasonably required to establish, manage or terminate an employment relationship. Therefore, there are two elements to meeting this definition: the collection must be reasonably required to manage the employment relationship and it must be solely for those purposes (meaning that as between the organization and employee, the organization’s sole purpose for collecting the information is to manage this relationship). The Commissioner found that Schindler’s purposes were legitimate, reasonable business purposes and the data was solely collected to manage this employment relationship.
Then the Commissioner had to determine if it complied with the provisions in PIPA authorizing its use. Sections 13, 16 & 19 state that the only way to collect, use or disclose employee personal information without individual consent is if such collection is “reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual.” These sections require further examination of whether the collection itself, and not its purpose, is reasonable.
This assessment is based on the context of the collection; the sensitivity of the information; the quantity of the information being collected; the likelihood of effectiveness of the information; and whether there are alternatives. On the basis of these factors, the Commissioner found that Schindler’s collection of GPS and engine monitoring data is reasonable. Schindler was authorized to collect and use the GPS and engine monitoring data for employee management.