Latest News

July 23rd, 2004:

Workplace privacy legislation in Ontario - An update
By Greg McGinnis
July 23, 2004

Stringer Brisbin Humphrey, Management Lawyers

Stringer Brisbin Humphrey is one of the country’s premier human resources law firms providing representation, proactive management strategies and training. Areas of practice include: labour relations, employment law, wrongful dismissal, human rights, workers’ compensation, occupational health and safety, employment standards, union organizing and certification, pensions and benefits, construction industry labour relations and related matters. For questions or comments, please visit  or contact

More than six months have now passed since January 1, 2004, the date on which the Personal Information Protection and Electronic Documents Act ("PIPEDA") purported to extend to private-sector organizations within provincial jurisdiction. This would include most employers in Ontario. Have we learned anything? The answer is, a little, but not much.

This article is dated July, 2004.

We still have no solid information about when the province of Ontario intends to introduce its own legislation. However, the new government has made general noises in favour of a "made-in-Ontario" approach, partly in response to statements from the Ontario Information and Privacy Commissioner identifying private sector legislation as a priority. 

With Alberta and British Columbia's privacy statutes receiving the "PIPEDA" stamp of approval in April 2004, there are now two more models (in addition to Quebec's law) that Ontario could follow if it felt the need to have its own privacy statute. 

The good news remains that, for Ontario employers, a great deal of anxiety about privacy compliance is premature. The bad news is that it is time to start thinking about the issue, at the very least, if only to anticipate the changes that are undoubtedly coming.


So, private sector organizations in all Canadian provinces are supposed to have been complying with PIPEDA since January 1, 2004 - unless, that is, the province in which the organization operates has enacted legislation deemed "substantially similar" by the federal government. 

For those who are not expert in Canadian constitutional law, most private sector organizations in Ontario would be considered "provincially regulated". Exceptions include banks, airlines, railways, telephone companies, radio and television networks, and interprovincial or international trucking, which are federally regulated. PIPEDA has been in place for most federally regulated organizations since January 1, 2001. 

To date, the only provinces to have received a federal exemption from PIPEDA are Quebec, Alberta and British Columbia. Ironically, Quebec has laid the groundwork for a constitutional challenge to the PIPEDA, which may go directly to the Supreme Court of Canada. 

On January 1, 2004, Alberta and British Columbia had both passed private sector privacy legislation. Both of these Acts regulated the collection, use and disclosure of "employee personal information" by employers, as well as personal information about non-employees. 

The former federal Privacy Commissioner savaged the Alberta and British Columbia bills the previous summer. In his Report to Parliament Concerning Substantially Similar Provincial Legislation, Mr. Radwanski stated that the British Columbia bill suffered from "a number of very grave deficiencies that would...make it impossible for the government of Canada to recognize this legislation in its current form as substantially similar" to PIPEDA. One of the criticisms leveled at the BC bill was that it is "clearly inferior" to PIPEDA "with regard to privacy rights in employment." 

This report also cited "several serious deficiencies" in the Alberta bill, one of which was that it was also "clearly inferior" to the federal act "with regard to privacy rights in the workplace." 

Although the writer predicted a looming battle between these provinces and the federal government over the PIPEDA issue, the federal government defused the issue by approving the Alberta and British Columbia statutes as "substantially similar" to PIPEDA, despite the former Commissioner's remarks. Did an upcoming federal election have a role to play...?

The Ontario situation

Ontario and the other provinces have not introduced private sector privacy legislation. For the time being, the PIPEDA is the only private sector privacy legislation with any application in those provinces.  

Ontario's Ministry of Consumer and Business Services had circulated a draft private sector privacy bill for consultation purposes in March 2002, but the draft bill never made it to first reading. Rumour has it that the criticisms of the draft bill (including some prepared by the author) were so numerous and complex that the Tories decided to shelve the project altogether after putting the bill through several revisions. 

With a new Liberal government in power in Ontario, private sector privacy legislation is likely to appear at some point, but has not been a priority in the short term. 

On June 15, 2004, Ontario's Information and Privacy Commissioner Ann Cavoukian issued her office’s 2003 Annual Report, which included a "blueprint for action" on access and privacy. A "top priority," said the Commissioner, "should be the introduction of made-in-Ontario privacy legislation that will cover the private sector."

The same day, in response to questions about the Annual Report in the Legislature, Gerry Phillips, the Chair of the Management Board of Cabinet, said, "We will continue to improve the access to information and protection of privacy. ... I will say, though, that we are acting on a number of the areas. One of her recommendations is protection of privacy for private companies. Minister [of Consumer and Business Services] Watson is looking at that and monitoring the performance in BC and Alberta."

Perhaps we will see yet another attempt in Ontario at private sector privacy regulation in the fall session of the Legislature. 

For now, subject to a significant constitutional caveat, PIPEDA now applies to every organization in Ontario that collects, uses or discloses personal information in the course of a commercial activity within the province. 

Quebec is now poised to challenge the constitutionality of PIPEDA on the basis that its extension to the provinces interferes with provincial jurisdiction. We may not know for some time whether the law will survive the challenge. The conservative advice, of course, is for Ontario organizations to comply with PIPEDA unless a Court rules that it is not required to do so.

But what about workplace privacy?

Compliance with PIPEDA has different meanings depending on the subject matter. Whether or not it is constitutionally sound, PIPEDA certainly claims to apply to the act of collection, use and disclosure of information about individual customers or members of the public by provincially regulated organizations. But what about their employees? 

A common misconception, even now, is that the PIPEDA will apply to workplace privacy regulation in the provincial private sector unless the province adopts "substantially similar" legislation.

PIPEDA does NOT apply to the collection, use or disclosure of "employee personal information" in the provincial private sector. 

The reason for this is that Part 1, section 4 provides that the Act only applies "in respect of personal information about an employee of the connection with the operation of a federal work, undertaking or business." [Emphasis added] 

From the perspective of private sector workplace privacy regulation, therefore, it would appear that employers in the federal jurisdiction must comply with PIPEDA, employers in Alberta, British Columbia and Québec must comply with the provincial legislation in force, while employers in Ontario and the other provinces do not have to comply with either the PIPEDA or provincial legislation. 

Nevertheless, as the past few months have demonstrated, many organizations that employers deal with on a regular basis (insurance companies, pension administrators, payroll services) do regard themselves as bound to comply with the 10 “privacy principles”, so the PIPEDA has tended to have an impact on employers even if it does not directly apply to them.

Is there any privacy regulation for private sector employers in Ontario?

Of course, all of this does not mean that there is no such thing as private sector privacy regulation in Ontario or the other provinces that do not have specific legislation. In Ontario, employee privacy interests are protected in various ways, sometimes explicitly and sometimes by implication, under the Occupational Health and Safety Act, the Workplace Safety and Insurance Act and the Human Rights Code. 

For example, one might reasonably suggest that the limitations on employers' right to engage in employee drug and alcohol testing under the Ontario Human Rights Code implicate employee privacy interests (in a positive manner for the employee), even if these limitations do not arise out of an explicit "right to privacy." 

Further, for unionized employers, there have been significant limitations for a long time on employers' ability to intrude into their employees' privacy by conducting, for example, personal searches or video surveillance. 

There also seems to be developing a common law "right to privacy" in employment, which may not be recognized (yet) in the form of an actual tort of breach of privacy, but may provide the basis for a constructive dismissal claim, or for aggravated damages in the case of a wrongful dismissal claim.

Indeed, the workplace privacy rights (express or implied) that employees already possess under legislation, collective agreements or common law principles form the basis for one of the principal arguments that the employer community raised against Ontario's draft bill. 

It is certainly hard for many employers and their legal advisors to see why workplace privacy regulation should be regarded as a pressing social policy issue, or to identify the injustice that employees are actually (as opposed to theoretically) experiencing that would warrant imposing the additional costs and complexity of complying with a completely new set of rules.

Is there anything employers should be doing?

However valid such concerns may be, many employers nevertheless feel that they should now be doing something to bring their policies and procedures into line with the privacy values expressed in the PIPEDA, whether out of a misunderstanding about the application of the PIPEDA, or because they feel that they will have to do so eventually. 

Many provincially regulated employers have decided to make workplace privacy rules an extension of their overall privacy initiative, even if, strictly speaking, it is not necessary right now.

In the spirit of "doing something", employers and their counsel should consider taking the following steps:

  1. Appoint a person responsible for carrying out privacy complaints and activities within the organization.
  2. Review employment applications with a view to ensuring that only appropriate information is requested.
  3. Consider including a statement of consent to the collection, use and disclosure of employee personal information in employment agreements.
  4. Review and amend forms for requesting employee medical information to include a statement regarding collection, use and disclosure of such information.
  5. Review practices for storage of and access to, employee personnel files and discipline records.
  6. Review practices for storage of and access to employee medical information, whether or not related to worker's compensation claims.
  7. Review practices for the retention of employee information of all kinds.
  8. Review practices for conducting surveillance of and investigations about, employees, particularly where there is an allegation of employee misconduct.
  9. Review practices for providing employment references, including whether the organization will provide any information about the employee without a written consent.
  10. Develop an employment policy concerning the use of email, Internet and computer systems, which includes the employees' consent to employer surveillance.
  11. Design a complaints and investigation process for employees who wish to challenge the organization's compliance with its privacy practices.

Article posted with the consent of the author.

Written By: Greg McGinnis
Visit the News page here..

Benefit Administration | Human Resources Services | Links | Making The Pieces Fit | News Archive | Privacy Policy | Profile - Who We Are | Testimonials | Training & Development |
© Martha Young & Associates 2018

Web Design & Hosting by: