Today’s workplace looks quite a bit different than it did twenty, or even ten years ago. Smartphones are not just a luxury but a necessity, and employees are spending more and more time connected to the office, even while they are at home. Employers must grapple with significant amounts of accessible information about employees, and employees often contend with the use of work-issued technology for both professional and personal purposes.
When someone has a work-issued phone, are they allowed to log into their personal email and social media accounts? What does privacy look like in this context and how can employers deal with a changing legal landscape that at times has not yet caught up with the prevalence of various forms of technology in the workplace?
Technology in the workplace
While technology in the workplace such as computer-monitoring software, surveillance systems, cloud computing, and GPS tracking are providing businesses with increased monitoring capabilities, such technology also raises the importance for organizations to have employee privacy policies. For example, if a private sector employer in BC wants to introduce computer monitoring software to their workplace, they have to comply with section 13 of the BC Personal Information Protection Act (PIPA), which requires, among other things, that employers notify their employees of the manner and purposes (such as employee safety or loss prevention) for collecting personal information.
Did you know?
PrivacyRight helps small businesses and organizations in BC understand their obligations under the Personal Information Protection Act (PIPA). Webinars, videos, and podcasts provide educational content in fun and easy to understand formats.
For employers, such policies are beneficial in managing employment relationships not only from an administrative perspective but also because when employees are put on notice they tend to adjust their workplace practices accordingly.
Employee privacy policies can also facilitate employees’ understanding of their privacy obligations to customers, third parties, and other staff members. These policies work to establish expectations around confidentiality, employee access, and security such as technological and physical safeguards. As a result, employees will be better able to protect privacy and maintain security when they are able to recognize, act on and/or avoid privacy issues as they arise.
For example, a policy can state that sensitive work files should not be shared or distributed through cloud-based file hosting services. Along with reducing the risk of a breach, this also assists in demonstrating due diligence to the OIPC in the event of a privacy incident or complaint.
- The purposes for collection, use, and disclosure of personal information, including requirements for consent and notification;
- Access to and correction of personal information;
- Retention and disposal of personal information;
- Responsible safeguarding of information, including appropriate access controls and the use of administrative, physical, and technological security measures; and
- A process for responding to privacy complaints.
Michela V. Fiorido is a lawyer at Harris & Company LLP in Vancouver. She advises private and public sector employers on information access, protection and privacy policies as well as technology use in the workplace.