July 23rd, 2004:
Workplace privacy legislation in Ontario - An update
By Greg McGinnis
July 23, 2004
|Stringer Brisbin Humphrey, Management Lawyers
Humphrey is one of the country’s premier human resources law firms
providing representation, proactive management strategies and
training. Areas of practice include: labour relations, employment
law, wrongful dismissal, human rights, workers’ compensation,
occupational health and safety, employment standards, union
organizing and certification, pensions and benefits, construction
industry labour relations and related matters. For questions or
comments, please visit
www.sbhlawyers.com or contact
More than six months have now passed since January 1, 2004, the date on which
the Personal Information Protection and Electronic Documents Act ("PIPEDA")
purported to extend to private-sector organizations within provincial
jurisdiction. This would include most employers in Ontario. Have we learned
anything? The answer is, a little, but not much.
This article is dated July, 2004.
We still have no solid information about when the province of Ontario intends
to introduce its own legislation. However, the new government has made general
noises in favour of a "made-in-Ontario" approach, partly in response to
statements from the Ontario Information and Privacy Commissioner identifying
private sector legislation as a priority.
With Alberta and British Columbia's privacy statutes receiving the "PIPEDA"
stamp of approval in April 2004, there are now two more models (in addition to
Quebec's law) that Ontario could follow if it felt the need to have its own
The good news remains that, for Ontario employers, a great deal of anxiety
about privacy compliance is premature. The bad news is that it is time to start
thinking about the issue, at the very least, if only to anticipate the changes
that are undoubtedly coming.
So, private sector organizations in all Canadian provinces are supposed to
have been complying with PIPEDA since January 1, 2004 - unless, that is, the
province in which the organization operates has enacted legislation deemed
"substantially similar" by the federal government.
For those who are not expert in Canadian constitutional law, most private
sector organizations in Ontario would be considered "provincially regulated".
Exceptions include banks, airlines, railways, telephone companies, radio and
television networks, and interprovincial or international trucking, which are
federally regulated. PIPEDA has been in place for most federally regulated
organizations since January 1, 2001.
To date, the only provinces to have received a federal exemption from PIPEDA
are Quebec, Alberta and British Columbia. Ironically, Quebec has laid the
groundwork for a constitutional challenge to the PIPEDA, which may go directly
to the Supreme Court of Canada.
On January 1, 2004, Alberta and British Columbia had both passed private
sector privacy legislation. Both of these Acts regulated the collection, use and
disclosure of "employee personal information" by employers, as well as personal
information about non-employees.
The former federal Privacy Commissioner savaged the Alberta and British
Columbia bills the previous summer. In his Report to Parliament Concerning
Substantially Similar Provincial Legislation, Mr. Radwanski stated that the
British Columbia bill suffered from "a number of very grave deficiencies that
would...make it impossible for the government of Canada to recognize this
legislation in its current form as substantially similar" to PIPEDA. One of the
criticisms leveled at the BC bill was that it is "clearly inferior" to PIPEDA
"with regard to privacy rights in employment."
This report also cited "several serious deficiencies" in the Alberta bill,
one of which was that it was also "clearly inferior" to the federal act "with
regard to privacy rights in the workplace."
Although the writer predicted a looming battle between these provinces and
the federal government over the PIPEDA issue, the federal government defused the
issue by approving the Alberta and British Columbia statutes as "substantially
similar" to PIPEDA, despite the former Commissioner's remarks. Did an upcoming
federal election have a role to play...?
The Ontario situation
Ontario and the other provinces have not introduced private sector privacy
legislation. For the time being, the PIPEDA is the only private sector privacy
legislation with any application in those provinces.
Ontario's Ministry of Consumer and Business Services had circulated a draft
private sector privacy bill for consultation purposes in March 2002, but the
draft bill never made it to first reading. Rumour has it that the criticisms of
the draft bill (including some prepared by the author) were so numerous and
complex that the Tories decided to shelve the project altogether after putting
the bill through several revisions.
With a new Liberal government in power in Ontario, private sector privacy
legislation is likely to appear at some point, but has not been a priority in
the short term.
On June 15, 2004, Ontario's Information and Privacy Commissioner Ann
Cavoukian issued her office’s 2003 Annual Report, which included a "blueprint
for action" on access and privacy. A "top priority," said the Commissioner,
"should be the introduction of made-in-Ontario privacy legislation that will
cover the private sector."
The same day, in response to questions about the Annual Report in the
Legislature, Gerry Phillips, the Chair of the Management Board of Cabinet, said,
"We will continue to improve the access to information and protection of
privacy. ... I will say, though, that we are acting on a number of the areas.
One of her recommendations is protection of privacy for private companies.
Minister [of Consumer and Business Services] Watson is looking at that and
monitoring the performance in BC and Alberta."
Perhaps we will see yet another attempt in Ontario at private sector privacy
regulation in the fall session of the Legislature.
For now, subject to a significant constitutional caveat, PIPEDA now applies
to every organization in Ontario that collects, uses or discloses personal
information in the course of a commercial activity within the province.
Quebec is now poised to challenge the constitutionality of PIPEDA on the
basis that its extension to the provinces interferes with provincial
jurisdiction. We may not know for some time whether the law will survive the
challenge. The conservative advice, of course, is for Ontario organizations to
comply with PIPEDA unless a Court rules that it is not required to do so.
But what about workplace privacy?
Compliance with PIPEDA has different meanings depending on the subject
matter. Whether or not it is constitutionally sound, PIPEDA certainly claims to
apply to the act of collection, use and disclosure of information about
individual customers or members of the public by provincially regulated
organizations. But what about their employees?
A common misconception, even now, is that the PIPEDA will apply to workplace
privacy regulation in the provincial private sector unless the province adopts
"substantially similar" legislation.
PIPEDA does NOT apply to the collection, use or disclosure of "employee
personal information" in the provincial private sector.
The reason for this is that Part 1, section 4 provides that the Act only
applies "in respect of personal information that...is about an employee of the
organization...in connection with the operation of a federal work, undertaking
or business." [Emphasis added]
From the perspective of private sector workplace privacy regulation,
therefore, it would appear that employers in the federal jurisdiction must
comply with PIPEDA, employers in Alberta, British Columbia and Québec must
comply with the provincial legislation in force, while employers in Ontario and
the other provinces do not have to comply with either the PIPEDA or provincial
Nevertheless, as the past few months have demonstrated, many organizations
that employers deal with on a regular basis (insurance companies, pension
administrators, payroll services) do regard themselves as bound to comply with
the 10 “privacy principles”, so the PIPEDA has tended to have an impact on
employers even if it does not directly apply to them.
Is there any privacy regulation for private sector employers in Ontario?
Of course, all of this does not mean that there is no such thing as private
sector privacy regulation in Ontario or the other provinces that do not have
specific legislation. In Ontario, employee privacy interests are protected in
various ways, sometimes explicitly and sometimes by implication, under the
Occupational Health and Safety Act, the Workplace Safety and Insurance Act and
the Human Rights Code.
For example, one might reasonably suggest that the limitations on employers'
right to engage in employee drug and alcohol testing under the Ontario Human
Rights Code implicate employee privacy interests (in a positive manner for the
employee), even if these limitations do not arise out of an explicit "right to
Further, for unionized employers, there have been significant limitations for
a long time on employers' ability to intrude into their employees' privacy by
conducting, for example, personal searches or video surveillance.
There also seems to be developing a common law "right to privacy" in
employment, which may not be recognized (yet) in the form of an actual tort of
breach of privacy, but may provide the basis for a constructive dismissal claim,
or for aggravated damages in the case of a wrongful dismissal claim.
Indeed, the workplace privacy rights (express or implied) that employees
already possess under legislation, collective agreements or common law
principles form the basis for one of the principal arguments that the employer
community raised against Ontario's draft bill.
It is certainly hard for many employers and their legal advisors to see why
workplace privacy regulation should be regarded as a pressing social policy
issue, or to identify the injustice that employees are actually (as opposed to
theoretically) experiencing that would warrant imposing the additional costs and
complexity of complying with a completely new set of rules.
Is there anything employers should be doing?
However valid such concerns may be, many employers nevertheless feel that
they should now be doing something to bring their policies and procedures into
line with the privacy values expressed in the PIPEDA, whether out of a
misunderstanding about the application of the PIPEDA, or because they feel that
they will have to do so eventually.
Many provincially regulated employers have decided to make workplace privacy
rules an extension of their overall privacy initiative, even if, strictly
speaking, it is not necessary right now.
In the spirit of "doing something", employers and their counsel should
consider taking the following steps:
- Appoint a person responsible for carrying out privacy complaints and
activities within the organization.
- Review employment applications with a view to ensuring that only
appropriate information is requested.
- Consider including a statement of consent to the collection, use and
disclosure of employee personal information in employment agreements.
- Review and amend forms for requesting employee medical information to
include a statement regarding collection, use and disclosure of such
- Review practices for storage of and access to, employee personnel files
and discipline records.
- Review practices for storage of and access to employee medical
information, whether or not related to worker's compensation claims.
- Review practices for the retention of employee information of all kinds.
- Review practices for conducting surveillance of and investigations
about, employees, particularly where there is an allegation of employee
- Review practices for providing employment references, including whether
the organization will provide any information about the employee without a
- Develop an employment policy concerning the use of email, Internet and
computer systems, which includes the employees' consent to employer
- Design a complaints and investigation process for employees who wish to
challenge the organization's compliance with its privacy practices.
Article posted with the consent of the author.
Written By: Greg McGinnis
Visit the News page here..