A recent decision of the Information and Privacy Commissioner (IPC) regarding Schindler Elevator Company has significant implications for organizations that use technology to track and monitor their employees or assign company equipment to an individual.
Schindler installed a GPS and engine status data system in its service vehicles. The vehicles are assigned exclusively to mechanics, who do not report to work at the office. Mechanics travel from their homes to job sites on assigned routes. The GPS and data system records the vehicles’ location and movements, as well as the time and date of each location. It also records engine status, braking, and acceleration.
Schindler collects and uses the information for a number of purposes, including employment management, monitoring hours of work, fleet efficiencies, safety, security, and vehicle maintenance.
A number of employees complained to the IPC that Schindler was collecting and using personal information contrary to the Personal Information Protection Act.
Schindler argued that the information it collected was about the vehicles and was therefore not personal information. Schindler relied on previous cases where air traffic voice recordings and telematics information about vehicle performance were determined not to be personal information.
The IPC disagreed with Schindler and determined that personal information ought to be interpreted more broadly: Personal information includes what is reasonably capable of identifying an individual (alone or combined with other information) and is collected, used or disclosed for a purpose related to the individual. Therefore, information such as GPS data and engine operation is personal information because it is about an individual when collected or used for a purpose related to an employee, such as performance management.
Having found that the GPS and engine operation information was personal information, the IPC proceeded to consider whether collection and use of the information was reasonably necessary in accordance with PIPA, and to examine whether Schindler had appropriate policies and safeguards in place regarding that information. In this case, Schindler was able to establish that it had a reasonable need for the information, that it had given its employees notice of the collection and use of the information, and that it had a GPS policy (which required revision).
Technology enables businesses to monitor work-related activities to a greater extent than ever before. In implementing and using technology, organizations ought to properly balance the needs of business with the privacy rights of individuals. Some steps organizations should take to support appropriate collection and use of personal information include:
- Consider whether the information being collected or used falls into an expanding definition of personal information; is the information being used for a purpose related to the individual?
- Consider the reasonableness of the collection and use of information, including: sensitivity, amount, business need, effectiveness, appropriate alternatives, invasiveness, whether real time or continuous reporting is required, and potential offence to individual dignity.
- Implement policies regarding the appropriate collection, use, access, storage, security and retention of the personal information.
- Give proper notice.