Privacy and employment law: A New era of privacy rights in Ontario workplaces?

18 minute read
16 November 2022


Since the Ontario Court of Appeal decision in Elementary Teachers Federation of Ontario v York Region District School Board, 2022 ONCA 476, many employers continue to grapple with understanding workplace privacy as well as understanding how the Canadian Charter of Rights and Freedoms (the "Charter") applies to different Ontario workplaces.

To recap Elementary Teachers Federation of Ontario, the Ontario Court of Appeal held that two teachers' privacy rights were violated after the school principal read and photographed the teachers' personal log, which had been saved in the Cloud but accessed via a school computer. After reading and recording the log, the principal reported the two teachers to the Board. The Board in turn seized and searched the teachers' laptops as part of its investigation. The Board ultimately reprimanded the two teachers, who in turn grieved the reprimand.

While the Arbitrator and the Divisional Court ruled that the Board's right to manage its operations outweighed the teachers' privacy interests, the Ontario Court of Appeal disagreed. In reaching its decision, the Court confirmed that section 8 of the Charter was not limited to a criminal context, but also applies to public institutions like school boards. Consequently, the Board was subject to Charter scrutiny and the Court held that the Board's actions constituted an unreasonable search under section 8 of the Charter.

The Court went on to note that whether a reasonable expectation of privacy exists depends on the "totality of the circumstances". Having regard to the "totality of the circumstances" the Court held, (1) the subject matter was personal and stored in the Cloud, not on a Board device or server; (2) the employees each had a direct interest in the subject data because their involvement in the log resulted in their reprimand; (3) the employees had a subjective expectation of privacy because they had taken steps to protect the log, including through password protection; and (4) it was objectively reasonable to expect that the log would be deserving of protection since it amounted to an electronic record of a private conversation. Further, using a Board issued computer did not diminish the teachers' expectation of privacy nor did the fact that the teachers left the log open on a school computer. Consequently, the principal had no legitimate reason for reviewing and recording the log and the employer's actions were found to be an inappropriate encroachment on employee privacy.

Although Elementary Teachers Federation of Ontario did not touch upon private sector employers, it may become an important decision regarding workplace privacy rights for private sector employees.

Private sector employers and the expectation of privacy in the workplace

Workplace privacy is complicated. In a digital age characterized by ever evolving technology, workplace surveillance has become increasingly sophisticated. While private sector employees may be said to enjoy a general expectation of privacy, these rights are not absolute. An employee's right to privacy must be balanced against an employer's legitimate business needs. Among other things, an employee's expectation of privacy may be affected by their type of workplace, the type of work they perform, and the existence of workplace policies.

In general, employee monitoring is permissible as long as it conforms to employer policies, Canadian privacy statutes, and Charter protections (where applicable).

Canadian privacy law basics

The Federal Personal Information Protection and Electronic Documents Act ("PIPEDA") governs how employee personal information can be collected, used, and disclosed by any work, undertaking, or business in a federally regulated sector (e.g., banks, airlines, telecommunications companies). PIPEDA applies to a federal work, undertaking or business no matter which province it is located in. However, for constitutional reasons, PIPEDA does not apply to employee personal information that is collected, used, and disclosed by provincially regulated organizations. Further, the Federal Privacy Act applies to personal information of employees of federal government institutions.

Some Canadian provinces regulate employee privacy rights via legislation. Alberta, British Columbia and Québec have enacted comprehensive private sector privacy legislation that applies to employee personal information that is collected, used and disclosed by private sector organizations operating within those Provinces.[1] No such legislation exists in Ontario for provincially regulated private sector employees.

While Ontario lacks legislation deemed "substantially similar" to PIPEDA regulating employee privacy rights in the private sector, it does have public sector privacy laws that apply to employee personal information that is collected, used and disclosed by organizations that are subject to public sector laws. The Freedom of Information and Privacy Protection Act and the Municipal Freedom of Information and Privacy Protection Act provide for protection of employee personal information in the same manner that those statutes govern the personal information of other individuals.   

Public sector organizations must also comply with the Charter, which contains privacy-related protections, including protection against unreasonable search and seizure.

As the majority of Ontario employers are not governed by the above legislation, most employee privacy protections are found in the common law and provisions of employment contracts. In Ontario, employment agreements and employer policies often contain provisions governing employee privacy rights and interests.  If an employer monitors an employee pursuant to the terms of the employer's policy, courts have held that the employee's privacy rights have not been infringed.

The Elementary Teachers Federation of Ontario decision adds to a series of significant common law decisions in the province of Ontario relating to privacy. Among these is the 2012 Ontario Court of Appeal decision in Jones v Tsige, in which the Court recognized a cause of action for invasion of privacy for the first time in the province of Ontario by definitively recognizing the tort of "intrusion upon seclusion". That case dealt with an employee improperly accessing the records of another employee in the workplace.

In 2018, the Ontario Superior Court of Justice recognized the tort of "public disclosure of private facts" in Jane Doe 72511 v. N.M. This decision confirms that privacy rights can be violated if the matter publicized or the act of publication would be highly offensive to a reasonable person and is not of legitimate concern to the public. Neither Jones v Tsige nor Jane Doe specifically addressed an employer's obligation towards its employees, but it is nonetheless possible that these torts could apply in that context if the employer's conduct satisfied the elements of the causes of action.

Elementary Teachers Federation of Ontario signals a continuing willingness of Ontario courts to recognize and affirm privacy rights at common law. Despite these developments, it is important to note that privacy torts in Ontario remain limited in scope.

Employee privacy rights and workplace investigations

The Elementary Teachers Federation of Ontario decision raises important questions as to whether private sector employers maintain a right to access or interfere with private communications sent using employer hardware, as well as important considerations regarding employee privacy in the workplace during workplace investigations.

Maintaining privacy during workplace investigations is difficult to balance and can be complex. Employers undertaking workplace investigations must balance the employer's right to investigate and take disciplinary action against an employee's right to be free from unreasonable incursions into their privacy. The more sensitive the subject matter, the more care an employer should take in safeguarding employee privacy rights.

Federal sector

Federally regulated employers should remain aware of their obligations under PIPEDA and/or the Privacy Act, as applicable, in the context of workplace investigations. PIPEDA has specific provisions governing employee personal information that is collected, used, and disclosed for the purpose of managing as well as administration of the employment relationship. However, the activities that fall within the scope of those provisions is sometimes uncertain. More specifically, employers can collect, use, or disclose employee personal information without employee consent if the collection, use, or disclosure is necessary to establish, manage, or terminate an employment relationship. To fall within the scope of this exception, the employer must have informed the individual that their information may be or has been collected, used, or disclosed for those purposes. It is possible that these provisions could apply in the context of a workplace investigation, if the investigatory process was properly described and outlined in appropriate workplace policies and notices.

The Privacy Act requires that federal government departments and agencies limit the collection, use, and disclosure of personal information. The department or agency can only collect information if it directly relates to an operating program or activity of the institution. Unless an exception applies, information can only be used or disclosed without the employee's consent for the purpose for which it was obtained, or a use or disclosure consistent with that purpose.

In a recent decision regarding disclosure of a workplace violence complainant's identity, the Office of the Privacy Commissioner ("OPC") focused on whether the Department of National Defence had shown a "consistent use" when it disclosed the name of the complainant to a second investigator tasked with investigating the complaint. The OPC stated that the test for "consistent use" is that there is a sufficiently direct connection between the original purpose of collection and the proposed use such that an individual would reasonably expect that the information could be used in the manner proposed. The OPC emphasized that it is important to ensure that (i) explanations of confidentiality restrictions included in policies and communications take into consideration potential disclosures that could be needed, and (ii) that staff follow such restrictions.

Private sector

Employers that are not subject to privacy legislation in the course of their employment relationships should remain mindful of workplace policies and employment agreements within their organizations. The provisions therein should be carefully considered to ensure that employers can undertake workplace investigations while protecting employee privacy.

While not all investigations will look the same, employers would be wise to consider the following non-exhaustive recommendations when conducting their next workplace investigation.

Firstly, all information disclosed during an investigation should only be shared on a "need-to-know" basis. Employers or investigators should only disclose information to individuals who need the data to fully participate in the investigation. Even then, only essential details should be disclosed.

Secondly, all investigation materials must be stored in a secure location. This includes both physical and digital evidence. The materials should only be accessible to approved individuals on a "need-to-know" basis.

Thirdly, parties participating in the investigation should be cautioned in writing regarding their confidentiality obligations. It is important to set out expectations in writing to maintain a record of the investigative process. In some cases, parties may be required to sign a confidentiality agreement. Confidentiality is critical to protecting privacy interests. Further, breaches of confidentiality can put the integrity of an entire investigation at risk.

Lastly, employers should build privacy obligations into their workplace policies, including a clear and informed workplace privacy policy. A clear and informed privacy policy can put employees on notice regarding company monitoring of employee activity in the course of a workplace investigation. It will also clearly define privacy expectations and ensure the policy is applied consistently.

Balancing rights and interests

Controversy often arises regarding workplace privacy due to a balancing of rights and interests. Employers have a legitimate interest to gain the information necessary to properly manage their business operations, and to maintain a safe workplace where employees are free from harassment and discrimination.  Employees have a legitimate interest in knowing how their information is being used and collected as well as having privacy rights rooted in legislation and common law.

Balancing an employer's right to manage the workplace with an employee's reasonable privacy rights continues to evolve. Generally, an employer bears the onus of demonstrating why surveillance technology is necessary and reasonable. An employer must have a compelling reason to monitor employees. This is particularly true when employers use more intrusive technologies, such as CCTV and GPS monitoring. For example, certain safety concerns may exist for employees that spend significant amounts of time using a company vehicle to travel to the private residences of clients. Consequently, an employer may be able to justify the use of a tracking program as a valuable means to keeping employees safe. However, employers must remain cognizant that any technology adopted to monitor employees must have a legitimate purpose related to work productivity or operations. This justification must be balanced against an employee's awareness of how their information is being used.

Case law is clear that employers that collect employee information without a compelling reason will run afoul of Canadian privacy laws. Consequently, employers must carefully analyze their organizational needs to determine how employee surveillance will support a legitimate business interest. If a less invasive option exists to achieve the same goal, employers may face difficulty justifying the more intrusive technology. If intrusive technologies are deemed necessary and reasonable, employers must ensure that personal information is used in a manner consistent with the purpose of collection – if they fail to do so, employers may fall victim to "function creep" and find themselves in contravention of privacy laws.

Assessing how the Charter applies to Ontario workplaces

Section 8 of the Charter protects privacy rights and an individual's right to be free from unreasonable search and seizure. However, the fundamental rights and freedoms included in the Charter only apply to some employment relationships. The Charter only governs government actions, not the actions of private citizens or private companies.

While this distinction appears relatively straightforward, it becomes less clear when defining the scope of "government actions", particularly when faced with some private entities, like the school board in Elementary Teachers Federation of Ontario.

Government actors or entities under government control

The Charter applies to entities that are part of "government" by their very nature, like provincial or federal governments. The Charter also applies to entities that are under "routine or regular" government control. Whether an entity is subject to routine or regular government control will depend on the level, degree, and purpose of the government's control.

Factors weighing in favour of an entity being under routine or regular government control include entities whose administrators can be appointed or removed at the pleasure of the government, as well as entities where the government may at all times direct the entity's operation. 

Examples of entities under routine or regular government control include police services, colleges, schools, and school boards.

Non-governmental bodies

The Charter also applies to entities performing "governmental" activities even if the entity itself is not "governmental". Notably, the Charter only applies to the governmental activities and not to other acts performed by the entity. Consequently, discerning what constitutes a "governmental activity" is both a difficult and necessary step to establish Charter applicability to a non-governmental body.

Firstly, the Charter applies to an entity exercising a power of compulsion delegated to it by statute. Secondly, a non-governmental body carrying out a government objective is also subject to the Charter. For example, while hospitals in general are not part of government, to the extent that hospitals carry out specific governmental programs, its governmental actions are subject to the Charter. To be clear, an entity that carries out actions that implement a specific governmental program could reasonably be tied to the government and subject to the Charter. However, this is often a context driven exercise requiring careful analysis.

Charter consequences

All employers that are subject to the Charter must ensure that their treatment of employees complies with the Charter. This includes the collection of employee personal information by surveillance and implementing workplace privacy policies.

Key takeaways

The ONCA decision in Elementary Teachers Federation of Ontario reinforces the right to privacy for employees, and should remind all employers – even those in the private sector – of their obligations relating to privacy in the workplace. Notably, the decision did not touch upon the private sector and this area tends to remain unchartered territory as far as workplace privacy is concerned. However, with Ontario's Bill 88 swiftly receiving Royal Assent, sweeping in electronic monitoring policy requirements to private sector employees, it appears that Ontario may be entering a new era of privacy rights in the private sector employment sphere.

If you are an employer and unclear on workplace privacy rights, employee surveillance, or Charter obligations, we encourage you to reach out to a Gowling WLG employment or privacy lawyer.

[1] See the Personal Information Protection Act in Alberta and British Columbia, and An Act respecting the protection of personal information in the private sector in Québec (Law 25, also known as "Bill 64", provides for several significant amendments to the Québec private sector act, most of which will come into force in September 2023).

NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.