Find out about legally collecting employee data in Canada, both from the perspective of employees and employers, as provided by Canadian data privacy laws
Updated 26 Mar 2024
Storing and collecting employee data is a usual practice of employers – from the hiring process to monitoring employee performance.
But as privacy and data protection concerns in the workplace increase, various questions arise both from the perspective of employers and employees.
Latest News
Questions such as: Are employees’ data and privacy rights being adequately protected? And are employers aware of employee rights and their own obligations?
To answer these questions, we must look at the recent Canadian privacy laws which address concerns about employees’ data privacy in relation to this practice.
This article is for employers and employees alike, who would like to know their respective rights and responsibilities under Canada’s data privacy laws. Lawyers may also use this article as a client education piece for their prospective clients.
What should employers know about collecting employee data?
Generally, employee monitoring is allowed in Canada. Some of the few ways in which employers might legally monitor employees and job candidates include:
- keyboard stroke and internet monitoring
- examining social media postings
- video surveillance in the workplace
- data monitoring through employer-provided devices
However, these ways of monitoring employees and job candidates must be conducted following the Canadian privacy laws.
Knowing the risks in storing and collecting employee data
When collecting employees’ data, it’s important that employers know the risks involved once it’s stored in the company’s database.
“We have the ability to collect, use and store more information than we ever did before,” says Suzanne Kennedy, partner at Harris & Company LLP in Vancouver.
“Technology allows us to store vast amounts of information,” Kennedy adds, who practices access and privacy law.
She says that it also creates risk. “In case of a privacy breach, if you’ve hung on to all your email for the past 20 years, you’re so much more exposed.”
Although technology allows us to do much more than we could in the past, we must be conscious of its inherent risks, Kennedy says.
Risks when collecting employee data from social media
One of the risks of collecting employee data is when it’s done through social media accounts of future and existing employees. “Privacy commissioners across the country have commented about the practice of employers looking to social media [accounts] when they’re hiring,” says Kennedy.
When collecting employee data from social media, there are four concerns from a privacy perspective:
- Does the candidate know their account is being monitored by the hiring employer?
- Has the hiring employer given the candidate notice that they’re collecting the candidate’s information?
- Is the hiring employer really collecting information that they need to decide whether to hire the candidate or not?
- Is what the hiring employer sees from the candidate’s social media accounts even reliable?
Employers may also start to monitor social media accounts of employees for commentary, where employee misconduct is suspected. However, employers could be challenged on the privacy compliance of that practice, says Kennedy.
“But employers who are routinely just monitoring what employees do online all the time would certainly [run afoul] of privacy laws.”
Risks when collecting employee data through third parties
Stuart Rudner, principal of Rudner Law in Markham, Ontario, sees a privacy risk in hiring using third parties.
A private third-party company may tell you “who the best candidate is for a job,” Rudner says, “but what are they doing to make sure that [candidate] data is protected?”
That is why employers who collect data of future and existing employees must ensure that third parties who act on their behalf also follow the laws on data privacy.
To know more about data privacy, watch this video:
Find other similar articles and resources under our Privacy and Data page.
Rights and interests of employers and employees
The issue on storing, using, and collecting employee data in Canada involves the rights and interests of both employers and employees.
There are two sets of legitimate rights and interests at play, says Ashley Brown, a partner in Filion Wakely Thorup Angeletti LLP in Toronto. This makes workplace privacy a complicated issue.
First, employees have a right to know how their information is being used and collected. This is also related to the employee’s right to privacy in the workplace and when using equipment provided by the employer.
However, employers also have the right to gain necessary information to effectively manage their business operations. Collecting employee data is legally allowed when used for:
- monitoring performance
- ensuring workplace safety
- paying salaries
Example: surveillance and monitoring
Video surveillance, which is often used in workplaces across Canada, can be mutually beneficial for employees and employers to safeguard work premises and employee safety, Brown says.
Another example would be GPS monitoring on work vehicles, which can provide helpful information in finding employees in emergencies.
Employees have recourse under provincial legislation or common law when their privacy rights are violated in the workplace. An example is when surveillance is hidden in areas of the workplace where employees would have a reasonable expectation of privacy, such as washrooms or changerooms.
Storing and protecting collected data
After collecting employee data, storing and protecting them is the next step that employers must take. However, the risk is when employers may simply overlook this part, especially when the data seems small and unimportant.
To address this problem, Rudner says that employers “shouldn’t gather more information that they can justify,” for reasons of both employee privacy and data protection. “You don’t need to have dates of birth or drivers’ licence numbers stored on a hard drive,” Rudner adds, even though it may be tempting to store as much information as possible.
Employers must then be strategic in what data they collect and why. They should also set up policies and procedures to protect the data they’re storing.
What are the Canadian laws on collecting employee data?
Canadian laws on collecting employee data, data privacy, and privacy in the workplace can be found both at the federal and provincial or territorial levels.
These Canadian privacy and data laws grant different rights and obligations to employers and employees.
Common law principles would also apply to common law provinces, while the Civil Code is another consideration in Québec.
Federally regulated employers
The main law that governs federally regulated employers would be the Personal Information Protection and Electronic Documents Act, or PIPEDA. The PIPEDA is a federal legislation enacted in 2000 to protect personal data privacy. It applies to employees’ personal information but only in federally regulated organizations such as:
- airports and airlines
- banks
- telecommunication companies
- transportation companies
As such, even if the employee is assigned in a province or territory, but their workplace is a federally regulated one, the PIPEDA applies to them.
Another law that applies to federal government institutions is the federal Privacy Act. It governs the federal government's collection, retention, use, and disclosure of personal information.
PIPEDA’s 10 fair information principles
The PIPEDA has established its 10 fair information principles, which also became the guiding principles for the provincial privacy and data laws.
These 10 principles are:
- accountability
- identifying purposes
- consent
- limiting collection
- limiting use, disclosure and retention
- accuracy
- safeguards
- openness
- individual access
- challenging compliance
Watch this video to know more about these 10 PIPEDA principles:
Check out our Special Report on the Top Labour and Employment Law Firms in Canada for a list of top-ranking lawyers in this practice area.
Provincially regulated employers
Different provinces have enacted their own privacy laws similarly called Personal Information Protection Act (PIPA). In contrast to PIPEDA and the Privacy Act, the PIPAs of the different provinces apply to provincially regulated private sector employers.
Some of these provinces include British Columbia, Alberta, and Québec. Most of these laws are also hinged on the principles of PIPEDA.
PIPA’s privacy provisions also apply to protect the privacy rights of the businesses’ employees and their customers.
British Columbia’s PIPA
British Columbia has enacted its own PIPA which came into effect in January 2004. BC's PIPA is also modelled on PIPEDA’s 10 fair information principles, says Kennedy.
“For workplaces, we limit to collecting what’s reasonably necessary under the circumstances. Employers must justify why they need that information,” she says, adding that “these are common principles throughout Canada.”
Alberta’s PIPA
Timothy Mitchell, a labour and employment lawyer at McLennan Ross LLP in Calgary, sheds some light on Alberta’s PIPA, along with other privacy legislation.
Mitchell says that it “achieves the right balance, erring on the right side of personal information protection and allowing for use of information without consent in express circumstances.”
Even in express circumstances, “those exceptions are prefaced in terms of whether the deviation considered reasonableness,” he says. “The reasonableness test underpins all the legislation; it balances the rights of employer and employees.”
In Alberta, Mitchell adds that there is a good body of case law flowing out of the Office of the Privacy and Information Commissioner (OPIC) on the application of Alberta’s PIPA.
This includes biometrics, video surveillance in the workplace, and even surreptitious monitoring of emails. Again, the test that OPIC adheres to is this reasonableness test.
What if new technology is created to monitor employees’ whereabouts in a building? From a privacy perspective, is the legislation robust enough to address this? Mitchell says he believes it is. “It’s quite a flexible test.”
Ontario’s common law on privacy
Ontario has no privacy legislation for provincially regulated private sector employers. However, common law has provided them protection which employers must be aware of.
The Ontario Court of Appeal decision on Jones v. Tsige has created a new tort called “intrusion upon seclusion”. This “would provide protection to any citizen in Ontario, including in the workplace context,” says Brown.
Because the tort of intrusion upon seclusion now exists, an employee can sue for breach of privacy if their private information is disclosed by employers illegally.
Rudner says that we may hear about massive data breaches, but not the less significant ones. This includes those of small employers who have “incredible amounts of personal information on their employees.”
“We fall back on common law,” says Rudner, yet that doesn’t eliminate the need for provincial legislation.
Recourse for employees in provinces without a PIPA
Even without provincial legislation in place, employees are not without recourse, both in the context of civil suits and labour arbitration, says Brown.
“Adjudicators have held employers accountable where they’ve acted unreasonably or unethically. So, it’s not a free-for-all, even without that provincial legislation in place.”
This also means that when a person’s privacy has been invaded – either personally or in the workplace – filing a civil case for damages is still possible because of common law.
What are the legal considerations when collecting employee data?
As earlier discussed, there must be a balance between the employee’s right to privacy and the employer’s need for necessary information.
This is also reflected in the guidelines of the Office of the Privacy Commissioner of Canada (OPC). Here are some considerations when collecting employee data:
- inform employees concerned: employers should inform employees on what personal information they’re collecting, why they’re collecting employee data, and what they’re doing with it
- obtain employees’ consent: collection, use, or disclosure of personal information should normally be done only with an employee’s knowledge and consent, preferably express consent
- only for necessary purpose: employers should only collect employee data that’s necessary for its stated purpose, collect it using fair and lawful means, and store them for these purposes, unless legally required or with employee’s consent
- subject to employees’ access: when collecting employee data, it must be accurate, complete, and up to date; employees should be able to access these data and challenge their accuracy and completeness
With these legal considerations in mind, it’s important to always be in touch with a lawyer who practices labour and employment, including data privacy.
Rudner says that many employers have not yet come to grips with what they can and can’t do.
“I think there’s just so much confusion out there. Most employers have no ill intent; they’re trying to protect their businesses and assets, [and] it’s so easy to install video cameras or monitor key strokes on a computer.”
Balancing rights and obligations when collecting employee data
Legally storing and collecting employee data is not just an employer’s prerogative on running the business, but also a concern for employees’ privacy rights. This issue must be viewed from a legal perspective to balance the rights and obligations of both employers and employees.
To navigate Canada’s laws on privacy and data collection, employers must first look at the federal or provincial laws that apply to them. Doing this is crucial, not only for collecting employee data, but also when storing, using, and disclosing these data to the public.
For more articles related to collecting employee data and other privacy concerns in the workplace, bookmark our Labour and Employment page under the Practice Areas tab.