Privacy in the workplace is an area that invites a broad range of views and perspectives. Whether the information relates to data on an electronic device such as an employer-provided computer or blackberry, or personal employee information such as bank account information for pay cheque deposits, we all expect some degree of privacy in the workplace.
What remains in dispute in many workplaces is where to draw the line between public space and personal privacy. The law on workplace privacy continues to evolve in a non-linear fashion, in part because of the patch-work of Canadian legislation that governs privacy. This post will outline the basic framework of law that governs privacy issues in Ontario workplaces.
Privacy Legislation in Ontario
Ontario does not have its own privacy legislation (other than for health care information) and therefore defaults to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies to the commercial information of an Ontario company, but not to personal employee information, unless the employee works for a federally governed organization (banks, railroads, etc).
Here is the specific language in PIPEDA:
4. (1) This Part applies to every organization in respect of personal information that
(a) the organization collects, uses or discloses in the course of commercial activities; or
(b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
If the information in question relates to health and medical information, then the Personal Health Information Protection Act (PHIPA) applies.
Privacy Case Law
To keep it interesting, the courts also continue to develop the common law on privacy. In addition to filing a claim with the applicable privacy commission office for a breach of a privacy statute, an individual or organization could instead take their matter to the courts. There is still debate, however, about whether one can file a claim in the courts based on an independent claim of a privacy breach, as opposed to adding on a privacy claim to an underlying claim such as breach of contract.
[**JANUARY 2012 ADDENDUM – see my post on Jones v Tsige regarding new developments in privacy case law in Ontario. We now have a tort of privacy in Ontario and the following commentary on caselaw is out of date.]
The court in the recent case of Jones v Tsige  ONSC 1475 (Ont. Sup. Ct) held that there is no independent right to sue for invasion of privacy. A bank employee in that case had accessed and viewed another employee’s banking information 174 times. The case walks through the recent authorities on the possibility of a tort of privacy as its own actionable wrong and concludes that there is no such authority in Ontario. The court made reference to Euteneier v Lee  CanLII 33024 (Ont. C.A.), a case which noted in passing that there was no free standing right to privacy under the Charter or common law.
There is another line of cases, however, that suggests it may be time to recognize the tort of privacy. See for example, Somwar v McDonald’s Restaurants of Canada Limited (2006) CanLII 202 (Ont. Sup. Ct.).
Jones v Tsige is the more recent case, so at this moment, it is likely that a party could not sue on the basis of a privacy claim alone.
Given the current state of the legislation and caselaw, for non-health related employee information in Ontario workplaces, there is a legislative and judicial gap. Often the gap is taken care of through language in a collective agreement, an employment contract, an employee handbook, workplace policies on email or computer use, or general expectations communicated to employees in the workplace.
Where the gap remains outstanding, however, companies would be wise to integrate the principles of privacy law outlined in PIPEDA throughout the organization. Privacy legislation and privacy caselaw continues to grow and it’s only a matter of time before there will be some sort of express legislation or body of caselaw that requires employers to maintain a minimum level of protection of employee personal information.
In any event, Ontario companies are required to comply with PIPEDA in their commercial dealings, so it may prove difficult to defend if employee personal information is less protected than other corporate data.