Two recently-issued Reports of Findings from the Office of the Privacy Commissioner of Canada (the “OPC”) aid in the better understanding of the extent to which employers who are subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) can monitor their employees in the workplace.
Both cases involved trucking companies engaging in audio recording of truck drivers. In both cases, the OPC emphasized that trucking companies’ use of always-on audio recording of its drivers will be difficult to justify, even when there are controls in place to limit access to the recordings. The OPC was of the view that such recording should be limited to the driver’s working hours. There are, however, significant issues in the ways the OPC arrived at this conclusion.
1. The Reports
The two Reports are PIPEDA Findings #2021-008 (the “2021 Report”) and PIPEDA Findings #2022-006 (the “2022 Report”, and together with the 2021 Report, the “Reports”) and both were released on September 29th, 2022, though dealing with investigations in July 2022 and March 2021 respectively.
The complainant in each of the Reports was a truck driver advancing an allegation that his employer was inappropriately collecting his personal information (in the 2022 Report, the allegation was that it had been collected without consent; in the 2021 Report, the collection and use was alleged to be unreasonable). In both Reports, the employer had installed a dash mounted camera system with audio and video recording capabilities (the “Systems”). Notably, the investigations focused on the collection of audio information by the Systems (exclusively so in the 2021 Report), and did not comment on video recording, location tracking or event recording, all of which were features in the Systems at issue.
The OPC applied the following well-established test to determine whether a reasonable person would find that the collection, use and disclosure of this personal information was for appropriate purposes in the circumstances:
(a) degree of sensitivity of the information;
(b) whether the employers’ purposes represent legitimate needs / bona fide business interests;
(c) whether the collection, use and disclosure would be effective in meeting the employers’ needs;
(d) whether there are less privacy invasive means of achieving the same ends at comparable cost and with comparable benefits; and
(e) whether the loss of privacy is proportional to the benefits.
2. Summary of conclusions by the OPC
The OPC accepted that in both cases, the employers’ purposes for installing and utilizing the Systems addressed legitimate needs, notably road safety, security, regulatory compliance and employee performance. The OPC further agreed with both employers submissions that the Systems were effective in enhancing road safety and driver compliance with applicable policies and procedures as well as supporting employer investigations into incidents and accidents.
However, in each case, the OPC expressed concerns with regard to the overall intrusiveness of the Systems, drawing particular attention to audio recordings being made while the trucks were idle and the drivers were off-duty:
(a) The 2021 Report
The OPC recognized the utility of audio recording in certain circumstances, but concluded it to be entirely unnecessary for the subject System to record audio at all times while the truck was on. The OPC observed that commercial transport drivers often sleep or take rest breaks in their trucks and will leave the trucks idling in order to maintain heat (it is unclear from the Report whether there was any evidence led on this point, or the OPC speculated that this was a possibility).
The OPC therefore concluded that when drivers are not on duty, even if they are in their truck, the subject System should not be making audio recordings.
The complaint alleged non-compliance under section 5(3), a catch-all category of PIPEDA that requires a consideration of reasonableness, and states:
An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.PIPEDA, s. 5(3)
The OPC has flexibility to set the height of the “reasonableness” threshold – if the OPC determines information is sensitive, then the remainder of the test (i.e., legitimate need, effectiveness, less privacy invasive means, proportionality) becomes that much harder to satisfy.
Interestingly, the OPC does not actually find that the employer collected any sensitive personal information, only that the information “had the potential be sensitive”, and the recordings “might have included” private conversations.
Even if the recorded information was found to be sensitive, the company explained that the recordings were stored locally on an SD card, overwritten every 72 hours, and “were only to be accessed in limited identified circumstances.” However, the OPC’s analysis of proportionality failed to consider that the storage and access controls would have significantly limited any loss of privacy.
Nonetheless, the OPC found that less privacy-invasive means could have been used (limiting recording to on-duty working hours, and limiting recording to the two-way radio communications that were at issue). It further found that, notwithstanding the controls above, that the impact on drivers’ privacy was disproportionate to any benefits the company may have gained from the surveillance.
The company advised that it is no longer using audio recording/monitoring and the OPC found the matter to be well-founded and resolved.
(b) The 2022 Report
The OPC made findings similar to those in the 2021 Report, concluding that the System was more intrusive than necessary because it remained active even when a driver was off duty and not driving. As in the case above, there were controls in place to limit the capture of audio information. Here, the System only saved 12 second clips when triggered by safety events. The OPC also found there to be a disproportionate impact on drivers’ privacy.
Furthermore, the OPC found that more of the employer’s personnel than was necessary had access to the video footage being recorded by the subject System and such access should be strictly limited to personnel who “need to know”.
This Report then takes a odd turn. Presumably, the company is federally-regulated (the OPC never explicitly states this, nor provides the basis for its jurisdiction), and would be able to avail itself of the exception to consent provided for in section 7.3 (relating to personal information collected, used or disclosed in the course of an employment relationships if adequate notice is provided).
The OPC found the company couldn’t rely on this because it had not been sufficiently transparent in its notice because it had failed to specifically mention that the information might be used for disciplinary purposes (although it mentioned a number of other work-related purposes, including it being “necessary to manage its employment relationships”). Having amended the notice to specifically include references to disciplinary purposes, the OPC then concluded that going forward, the company could rely on this exception from consent.
This seems, however, to be a circular argument. Recall that section 5(3) of PIPEDA limits organizations to collecting, using or disclosing personal information for purposes that a reasonable person would consider are appropriate in the circumstances. Under section 5(3), the focus is on reasonableness – consent is irrelevant. So, even if the company had included the language around disciplinary purposes in its notice prior to being investigated, it would not have saved the company from a finding that its use of the System was inappropriate under section 5(3), as was the finding in the 2021 Report.
The Report takes an additional surprising turn. In support of its position that the consent exception could only be relied on if the notice to employees include language about disciplinary uses, the OPC then quotes directly from a legal opinion provided by the company’s legal counsel that noted this issue.
The OPC states that it came into possession of counsel’s advice via “an email provided to the complainant by [the company] and further shared by the complainant with our Office”. It is not clear why this legal advice was not considered privileged, or whether privilege was waived, or whether this was even drawn to the company’s or counsel’s attention so that it could invoke privilege.
There is an important lesson here for companies – when corresponding with complainants, do not simply forward legal advice from counsel. Similarly, always check the email chain to confirm that you are not inadvertently passing along privileged information buried in the email chain.
3. Concluding comments
There are legitimate reasons for an employer to collect, use and disclose sensitive personal information about an employee. Especially in enterprises and industries where the preservation of employee and public safety are paramount, it is clear from the Reports that the OPC will recognize a legitimate need for employers to collect, use and disclose the personal information of employees in order to meet these objectives. However, it will interpret this section narrowly.
Employers should also be that workspaces can, in certain contexts, be considered private spaces, and the collection of personal information when employees are off-duty, or on a break, will be considered highly intrusive and potentially unreasonable. The OPC will scrutinize proportionality and invasiveness factors closely, and companies should re-evaluate existing controls with this in mind.
For the subject employer in the 2021 Report this meant discontinuing the use of audio surveillance. For the subject employer in the 2022 Report this meant making System modifications disabling the audio and video recording functions when a truck is clearly not being operated and agreeing to limit access to recordings exclusively to personnel with a “need to know”.
 Turner v. Telus Communications Inc., 2005 FC 1601 (CanLII), <https://canlii.ca/t/1m3zx>, retrieved on 2022-10-03
 2021 Report, at para. 9 and 2022 Report, at para. 12.
 2021 Report, at para. 11 and 2022 Report, at para. 15.
 2021 Report, at para. 18 and 2022 Report, at para. 16.
 2021 Report, at para. 21.
For more information about Dentons’ data expertise and how we can help, please see our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, data mapping and gap analysis, and training in respect of personal information.