chap 10
Cards (31)
- PIPEDAPersonal Information and Protection and Electronic Documents Act
- This statute applies to all information collected by organizations, including employers, for business purposes (both provincial and federal organizations, unless the province has a comparable piece of legislation)
- Consent from an employeeMust be obtained by an employer to share an employee's information with a third party (consents must always be current; a high degree of specificity is required; a fresh consent may need to be obtained for a consent to be valid)
- This statute allows employees to access their personal information being held by an employer to challenge its accuracy
- What is not considered personal information in the workplace
- A worker's name
- A worker's job title, business address, or business telephone number
- What is considered personal information in the workplace
- A worker's residential address
- A worker's income, birth date, credit records, loan records
- A worker's medical records, genetic information, intentions to change jobs
- A worker's performance record
- Organization duties under PIPEDA
- Appoint a person to oversee compliance with PIPEDA's requirements
- Collect only information that is necessary for its stated purposes
- Obtain consent from a person to collect information from him or her
- Limit, use, disclosure, and retention of information
- Keep an individual's information up-to-date and accurate
- Keep personal information in secure locations
- Ensure supervisors are familiar with privacy laws
- Provide individuals with details about information being held about them
- Provide individuals with recourse to make a complaint when they feel that their information has been compromised
- PIPEDA Case Summary #2003-226, XPXAD no. 114: 'Employer's practices regarding medical reports too lax'
- While applying for long term disability insurance benefits, an employee was asked by her employer to provide all medical information necessary for the LTD application to be processed
- The employer's intention was to expedite the employee's application. However, only the insurance company required the medical information to process the application
- The employee refused to provide her medical information for privacy reasons (her medical diagnosis might be revealed because the human resources fax machine she was being asked to send the information to was not secure)
- The employee filed a complaint with the Privacy Commissioner
- Privacy Commissioner's Decision
- Direct transmission of diagnostic information to insurer: the worker should have been given the option to provide medical information directly to the insurer
- Alternative option: the employee should be allowed to transmit her information to medical staff in the health services department of the company
- Rationale: since, under PIPEDA, an employer has a duty to limit the collection and use of a worker's personal information
- Improper request: the worker should not have been asked to send her personal information to a fax machine in an unlocked, insecure room accessible to several human resource employees
- The employer should have advised the worker of her right to maintain complete privacy in her medical diagnostic information
- Eastmond v. Canadian Pacific Railway: 'Employer installed video surveillance cameras in the work yard to reduce vandalism, deter theft, improve security for employees, and to reduce its potential liability for property damage'
- An employee applied to privacy commissioner on the basis that security was not a serious issue and that the cameras could be used to monitor the performance and conduct of the employees
- Privacy commissioner found that because thefts were relatively rare and security was not a major issue, that alternatives to video surveillance cameras should have been used, such as better lighting as these measures were more protective of privacy
- Because the employer did not comply with the PC's recommendations, Eastmond applied to the Federal Court for a compliance order
- Federal Court's Decision
- Low expectation of privacy: the cameras were not hidden from view and were located in an area where employees could be said to have a low expectation of privacy
- Limited access to surveillance footage: the surveillance tapes would only be viewed and footage maintained by the employer if there was a reported incident of vandalism or theft that needed to be investigated
- Requiring employee consent prior to collecting the information or accessing the information would compromise the employer's investigation into breaches of the law; the employer did not need to obtain employee consent in these circumstances under PIPEDA
- Alternatives to surveillance cameras not economically viable: the employer had considered the alternatives which were more protective of worker privacy, such as fencing, better lighting, and security guards, but found that these options were not economically viable
- Parkland Regional Library: 'Is monitoring keystrokes contrary to privacy legislation'
- Without his knowledge, a library employer installed monitoring software on an information technician's computer because it was concerned that his low productivity might be due to his use of the computer for personal purposes
- When the technician discovered this monitoring program, he filed a complaint with the PC
- Privacy Commissioner's Decision
- Personal information test met: the data collected from this spy software by the employer is "personal information" under the applicable privacy laws because it revealed how much work the employee did and how he did it
- Some of the personal activities conducted by the employee over his work computer, including his personal internet banking, was specifically authorized by the employer, and the employer had captured this information too
- Level of intrusion not necessary to address concern about productivity: This level of intrusion was not necessary; the employer could just have asked the employee about his apparently low productivity and easily met the employee to discuss the issue. There was no pressing reason for the secretive monitoring of the employee's performance
- Jones v. Tsige: 'ONCA recognizes new tort of intrusion upon seclusion'
- Jones, a BMO employee, discovered that a fellow female bank employee had accessed her bank account at least 174 times over the previous 4 year period
- The Defendant, Tsige, admitted to doing this, because she had been involved with Jones' ex-husband and was checking to see whether Jones was receiving support payments from him
- The Defendant was suspended for one week without pay for breach of the employer's privacy policy and denied her bonus
- The Plaintiff sued the Defendant in a tort action since PIPEDA provides remedies against organizations and the Plaintiff wanted monetary damages from the Defendant for the violations of privacy
- The Plaintiff lost at trial on the basis that was no independent tort action based on privacy
- The Plaintiff appealed
- Ontario Court of Appeal's Decision
- The court recognized a new privacy tort in this case. To prove this tort, a Plaintiff must show the following: an unauthorized intrusion, that the intrusion was highly offensive to a reasonable person, that the matter intruded upon was private, that the intrusion caused anguish and suffering (although the Court suggested this last requirement will be assumed to be met when the first three criteria are satisfied)
- The plaintiff received the sum of $10,000.00 in damages (ONCA set a cap of $20,000.00 on damages in these type of cases)