employer-violated-privacy
Workplace Privacy - What can I do if I think my employer has violated my privacy?
The information provided on this webpage is of a general nature and does not constitute legal advice. Moreover, it addresses only some issues in information privacy, labour and employment law. If you have questions about privacy and your workplace, you should consult a lawyer, your union representative, or the human resources department of the organization you work for. For general information on private sector data protection laws, see CIPPIC’s webpage on Privacy. CIPPIC welcomes feedback and comments on this webpage at cippic@uottawa.ca.
If your workplace is subject to privacy legislation, you can complain to your provincial privacy commissioner or the Federal Privacy Commissioner’s office if you believe that your employer has breached your privacy under that legislation (see description of the complaint process below).
If you are a unionized worker and you believe that your personal information was mishandled or your privacy has been compromised, you should follow your workplace’s internal dispute resolution process and consult your union representative. If you are a unionized worker and your employer is subject to privacy legislation, you may also choose to complain to the relevant privacy commissioner’s office for an alleged breach of applicable privacy law.
Employees who are not covered by privacy legislation or a collective agreement may choose to make a claim for breach of privacy or the duty of confidentiality in the courts. It should be noted, however, that there is no general common law right to workplace privacy yet recognized in Canadian law.
- The complaint and the investigative process at the federal level
- The Commissioner’s report and findings
- The Federal Commissioner’s powers under privacy legislation
- Hearing at Federal Court
- Offences under PIPEDA and prosecuting those who violate the Act
- How do I make a complaint under provincial privacy legislation?
- Fines and other penalties for employers who violate provincial privacy legislation
- Can I go to court to sur for breach of privacy?
Q. How do I make a complaint under PIPEDA or the federal Privacy Act
If you work for a federally regulated employer or the federal public sector and you believe that your employer has not respected your privacy rights under PIPEDA, your first line of action is to contact your employer’s privacy officer. Employers governed by PIPEDA must appoint a privacy officer to deal with employee concerns about privacy and access to personal information and that person’s contact information must be circulated within the organization.
Under both PIPEDA and the Privacy Act, your employer must respond to your initial concern in writing. That response must also include contact information for the Office of the Privacy Commissioner of Canada in the event that if you are dissatisfied with your employer’s response and want to file an official complaint under the applicable statute.
1. The complaint and investigative process at the federal level
Based on your complaint, the Privacy Commissioner may decide whether to proceed with an investigation. The Federal Privacy Commissioner does not have enforcement powers under the Act, which means that she cannot order an employer to do anything. Instead, the Commissioner can evaluate a complaint, investigate the circumstances that gave rise to the complaint, and provide the parties with her findings. If you are unsatisfied with the Privacy Commissioner’s investigation, you may apply to the Federal Court for a new hearing of your complaint.
The complaint process generally follows the steps set out below:
- Individuals must submit their complaint, in writing, to the Commissioner.
- There is no time limit for complaints regarding alleged privacy breaches.
- Complaints relating to denial of access to personal information must be made within six (6) months after the refusal or the date on which the employer had to respond to the access request.
- A case management system screens complaints.
- If there are reasonable grounds, the Federal Commissioner will investigate a complaint.
- Investigations are confidential and interviews are conducted in private.
- The organization will be informed in writing of the substance of the complaint.
- The investigator contacts the designated privacy officer at the organization to explain the investigation process, request records, and arrange for access to the workplace, if necessary.
- The Commissioner will hear from both sides in the investigation.
- Organizations may submit representations to the Commissioner at any time.
- Before finalizing the investigation, the results are disclosed to the parties.
- At this time, parties are free to make additional representations.
- The investigator submits the report and any additional representations to the Commissioner.
For more information, see: A Guide for Businesses and Organizations: Your Privacy Responsibilities, Canada's Personal Information Protection and Electronic Documents Act
a) The Commissioner’s report and findings
The Commissioner submits her report to the parties within one (1) year of receiving the complaint. The complaint can be disposed of by being well-founded, not well-founded, or resolved. The report includes the investigation results, any settlement reached by the parties, and recommendations. At any time, the Commissioner can request notice of any action taken by the organization, or any proposed action to be taken to implement her report recommendations. The Commissioner can also ask for an explanation as to why no action has been taken. In addition, the Commissioner will ask for notice if either party seeks recourse to Federal Court.
The Commissioner PIPEDA and the Privacy Act. These summaries do not identify the parties.
2. The Federal Commissioner’s powers under privacy legislation
The Federal Privacy Commissioner is an ombudsperson and her office is an investigative agency. The Commissioner’s Office is empowered to investigate in the same manner and to the same extent as a Superior Court of record.
The Federal Commissioner has the power to:
- mediate between the parties;
- make recommendations in relation to a particular complaint or general privacy issue;
- compel evidence from the parties - but will return documents within 10 days on request;
- issue subpoenas;
- on reasonable notice, conduct an audit of an organization if a breach is suspected;
- order an audit in the public interest;
- initiate a case before the Federal Court; and
- initiate a review in Federal Court in access to personal information cases.
The Commissioner does not have the statutory authority to:
- make binding orders on the parties;
- issue penalties to remedy a breach of PIPEDA or the Privacy Act;
- initiate a Charter challenge;
- prosecute cases (Blood Tribe (Department of Health) v. Canada (Privacy Commissioner) [2005] 4 F.C.R. 34 at para. 43).
The Attorney General of Canada has the authority to prosecute offences prescribed under PIPEDA. To date, the Attorney General has not prosecuted any cases under PIPEDA.
The Federal Court of Appeal has ruled that the Federal Privacy Commissioner cannot order production of documents to verify that they contain information subject to solicitor-client privilege under PIPEDA. The Court of Appeal found that to verify a claim of solicitor-client privilege, the Commissioner must instead apply to the court to review the documents in question in order to determine whether they are subject to privilege or whether they can be disclosed under the Act (Blood Tribe Department of Health v. Canada (Priv. Comm.) [2005] 4 FCR 34; reversed on this point 2006 FCA 344, Oct. 18, 2006. The Commissioner is seeking leave to appeal this decision.
3. Hearing at Federal Court
If an employee or an employer is not satisfied with the Privacy Commissioner’s findings, they can apply for a hearing at Federal Court under both PIPEDA and the Privacy Act.
Under PIPEDA, the Court can:
- order remedies, including damages for humiliation with no maximum limit; and
- require the organization to change its information management practices to comply with PIPEDA and post a notice describing those changes.
4. Offences under PIPEDA and prosecuting those who violate the Act
Section 27 of PIPEDA prohibits employer reprisals against whistleblowers. An employer cannot take retaliatory action against an employee who:
- in good faith and on a reasonable basis, notifies the Commissioner of a violation or intention to violate PIPEDA; or
- refuses, or has stated an intention to refuse to do anything that contravenes PIPEDA.
Employers are also prohibited from dismissing, suspending, demoting, disciplining, harassing, or otherwise disadvantaging a “whistle-blowing” employee, or denying that employee a benefit of employment.
Under s. 27 of PIPEDA, the employee may request to remain anonymous at the discretion of the Commissioner. To date, there has been no case litigated under s. 27 of PIPEDA.
Section 28 of PIPEDA sets out the following offences and punishment:
- it is a criminal offence for anyone to obstruct the Privacy Commissioner or her delegate while investigating a complaint or conducting an audit;
- destruction of information is considered an offence;
- anyone who knowingly contravenes PIPEDA is guilty of an offense.
Courts may punish offences under PIPEDA on summary conviction with a fine up to $10,000 or on indictment with a fine up to $100,000. As of May 2007, no damages have been awarded to complainants by the Federal Court or Federal Court of Appeal under PIPEDA
Q. How do I make a complaint under provincial privacy legislation?
The complaints process and investigatory powers of the provincial privacy commissioners are very similar to those of the Federal Commissioner. Provincial privacy statutes usually provide up to 30 days or a “reasonable amount of time” to apply to review or appeal an employer’s privacy or access decision by the commissioner. In B.C., the Commissioner can order employers to disregard frivolous access requests or requests that would unreasonably interfere with business operations.
Significantly, however, in some provinces like Ontario, B.C. and Alberta, privacy commissioners can make binding orders to organizations to remedy a breach of provincial privacy statutes, including payment of statutory fines. B.C., Alberta and Quebec Commissioners have additional powers pursuant to provincial Public Inquiries Acts.
Provincial commissioners’ decisions are subject to judicial review in provincial courts, but are given a degree of deference because of the Commissioners’ expertise and decision making responsibilities under the statute.
1. Fines and other penalties for employers who violate provincial privacy legislation
Fine maximums for breaching provincial privacy legislation vary from $10,000 for individuals to $100,000 for organizations, depending on the jurisdiction. Notably, damages for loss or injury can be awarded in B.C. and Alberta.
Quebec employees can invoke the civil code or provincial human rights charter for damages for a breach of privacy. Under the Ontario public sector statutes, individuals who breach privacy legislation or ignore the Information and Privacy Commissioner’s orders can be fined up to $5000.
If you want to find out more information about initiating a privacy complaint, consult your provincial privacy commissioner or the Office of the Privacy Commissioner of Canada's website for more information (see CIPPIC’s Workplace Privacy Resources page).
Q. Can I go to court to sue for breach of privacy?
Canadian courts have not recognized a general common law right to workplace privacy to date. However, that may be changing. In January 2006, an Ontario court found that “it is not settled law in Ontario that there is no tort of invasion of privacy,” freeing an employee to pursue a lawsuit on against McDonald’s Restaurants on the grounds that the company had investigated his credit history without his consent, and thus breached his right to privacy at common law: see Somwar v. McDonald's Restaurants of Canada Ltd., 2006 CanLII 202 (ON S.C.). Although the case ultimately settled out of court, individuals are free to try to make a case for breach of privacy before the courts in Ontario.
Notably, in Jackson v. Canada (Attorney General), [2006] O.J. No. 3737, the Ontario Court of Appeal decided that the appellants pled sufficient facts to entitle them to a trial as to whether their employer’s negligent failure to protect their employee personal information engaged a section 7 Charter challenge and whether the level of stress and anxiety engendered by its release rose to the level of “serious state imposed psychological stress.” In British Columbia, Manitoba, Newfoundland and Saskatchewan, individuals also have a statutory right to sue for invasion of privacy under provincial privacy legislation.
Back to Workplace Privacy main page
This page last updated: October 1st, 2007
This webpage was researched and drafted by Louisa Garib, LL.M., and edited by CIPPIC 2007 summer intern Janet Lo.