Opinion

Canada - The OPC and other privacy authorities release new resolutions on the privacy of employees and young people

Published Date
Oct 17, 2023
The Office of the Privacy Commissioner of Canada (the OPC) published two new resolutions which aim to protect the privacy of employees and young people, on 6 October 2023. The resolutions follow concerns of privacy federal, provincial and territorial privacy commissioners and ombuds (FPT Privacy Commissioners) regarding the privacy law landscape in Canada not providing sufficient protections to these two specific groups of population.

Resolution on employee privacy

The first resolution aims to protect employee privacy, which has been under increasing pressure due to the rise of intrusive electronic surveillance of workers, such as by measuring productivity levels, moods and fatigue, as well as using artificial intelligence (AI) systems, for instance, for evaluating job applications and reviewing the facial expressions of interviewees during video calls. The FPT Privacy Commissioners has released a list of suggestions for federal, provincial and territorial governments in Canada to improve the privacy rights of employees by adopting a consistent privacy framework for protecting all categories of employees. The Personal Information Protection and Electronic Documents Act (PIPEDA) applies currently only to federally regulated employees, and only some provinces have privacy laws protecting non-federally regulated employees.  

The FPT Privacy Commissioners also call on employers to respect the privacy of employees and to process employee data based on the principles of reasonableness, necessity and proportionality. A set of recommendations for employers include, among others:

  • acting reasonably and in a proportionate manner when using employee information through electronic surveillance;
  • only using biometric information where it is necessary, proportionate, and lawful to do so, and only where there is no less privacy-intrusive means to achieve the same legitimate purpose;
  • only using electronic monitoring and AI technologies where it is reasonably necessary for the employer-employee relationship;
  • not using AI technologies for making significant decisions about an employee (e.g. their performance or career progress) without human supervision of AI;
  • identifying, assessing and mitigating risks to privacy by carrying out privacy and algorithmic impact assessments;
  • ensuring that there are clear policies and procedures to prevent the use of technologies beyond clearly identified purposes;
  • keeping employees and potential employees informed of the electronic monitoring tools that are being used; and
  • Using FPT Privacy Commissioners consultation services before using new technologies and practices with significant impact on employee privacy.

Resolution on protection of young people

The second resolution aims to protect the privacy of young people in digital world and lists a set of measures that could be implemented by public and private sector organisations and be reflected in the future legislative reforms. Examples of these measures include:

  • addressing young people’s privacy by design, e.g., by conducting privacy impact assessments from the design stage and considering the specific impacts for young people;
  • transparency, which is key for informed decision-making and obtaining valid consent. Information should be adjusted to the age of the young person and parents/legal guardians should be involved;
  • implementing protective privacy settings by default, including turning off profiling and location tracking (unless it is necessary for the product or service to function when being used, such as navigation);
  • avoiding any deceptive practices, such as manipulative or deceptive design or behavioural incentives to make poor privacy choices;
  • the personal information of young people should not be disclosed to third parties unless express consent is obtained, and the disclosure is legally required for a valid reason;
  • providing the means for young people to correct mistakes in their personal information and having a strict data retention policy; and
  • facilitating the right of young people to access and correct their personal information, including by adapting practices and procedures taking into account the needs of young people.

The press release for both resolutions is available here, the employee resolution here and the young people resolution here.

 
Content Disclaimer
This content was originally published by Allen & Overy before the A&O Shearman merger