As technology becomes more inexpensive, accessible and ubiquitous, we are seeing an increase in employers’ use of surveillance tools. While workplace monitoring has its benefits, such as providing safety coverage and greater transparency, it can come with risks, including the unlawful collection of employees’ personal information. Recognizing the enhanced role technology plays in the modern workplace, the Office of the Information and Privacy Commissioner for British Columbia (OIPC) recently published two guidance documents to help employers navigate their use of employee surveillance:
As a starting point, the collection, use and disclosure of employee’s personal information accessed by employers is subject to BC’s Freedom of Information and Protection of Privacy Act (FIPPA) for public bodies, or the Personal Information Protection Act (PIPA) for private organizations. Under FIPPA, public body employers are not required to obtain consent before they collect personal information from employees if it is necessary for and directly related to a program or activity of the public body, but must notify employees whenever they collect personal information regarding employees “indirectly”, for the purposes of managing or terminating an employee relationship. Under PIPA, organizations are required to obtain employees’ consent before collecting personal information, unless the information is collected solely for reasonable purposes in connection with establishing, managing or terminating an employment relationship, in which case employers must notify employees that it is occurring and explain the purposes of collection.
Additionally, private organizations are required to develop and follow privacy practices to meet their PIPA obligations. OIPC recommends that the best way for an organization to show compliance with BC privacy law is to develop a privacy management program, which includes:
- Adequate resources for the development, implementation and monitoring of privacy controls;
- The presence of applicable policies and procedures;
- Up-to-date documentation of risk assessment and mitigation strategies;
- Adequate training delivered regularly;
- Adequate information incident management processes;
- Compliance monitoring; and
- Regular reporting to the executive.
OIPC also recommends that employers consider the following when deploying specific types of employee monitoring:
- Although video and audio surveillance can deter employees from engaging in criminal activity and other inappropriate behaviour, employers must show that collecting this information is necessary for managing or terminating an employee relationship before commencing such surveillance. OIPC recommends that organizations explore less privacy-intrusive methods, such as in-person employee supervision, and to weigh the privacy harm before resorting to video and audio surveillance. With respect to overt video surveillance, employers are advised to limit their collection of video surveillance, allow only authorized personnel to access this surveillance, securely store and destroy video surveillance and provide clear notification of use of cameras to individuals before they enter a place of employment that uses video monitoring.
- For employers that use of software to guard their electronic infrastructure from internal and external threats like malware, social engineering and unauthorized employee access, and manage their IT networks to ensure that employees do not use excessive amounts of work time to check social media or do online shopping, beware of over-collection of employees’ personal information. Before collecting employees’ personal information through software or IT management, employers must notify employees and explain the purpose for which related information is collected.
- GPS tracking and remote sensing can be installed on employees’ smartphones or in company vehicles and allow employers to keep an eye on their employees’ travel routes, hours of work and safety. However, continuous, real-time monitoring of employees, like the type we described in a previous blog post, could be excessive and invasive. Employers should consider employees’ knowledge and consent before using GPS tracking or remote sensing.