Privacy at Work: What Your Employer Can and Cannot Do

Your privacy rights as an employee in Canada, including workplace monitoring, email surveillance, background checks, and biometric time-clock systems.

TL;DR

Employers in Canada must have a reasonable purpose, notify you, and limit collection to what is necessary. BC and Alberta PIPA and Quebec's Law 25 apply to private-sector employers in those provinces. Federally regulated employers are covered by PIPEDA or the Privacy Act for public servants. Surveillance, monitoring, biometric systems, and medical information all have specific rules.

Who is covered

In British Columbia, Alberta, and Quebec, provincial private-sector laws (PIPA and Law 25) apply to how employers handle personal employee information.

In other provinces, employee information is often considered outside PIPEDA's commercial activity definition, but employees of federally regulated businesses (banks, airlines, telecoms, interprovincial trucking) are covered by PIPEDA.

Public-sector employees are covered by the federal Privacy Act or the applicable provincial access-and-privacy legislation.

Workplace monitoring

Canadian law generally allows employer monitoring only when:

The employer has a clearly identified, reasonable purpose (security, productivity, regulatory compliance).
Employees are told in advance how monitoring occurs.
Monitoring is proportionate and not more intrusive than necessary.
Information collected is used only for the stated purpose.

Ontario's Bill 88 (Electronic Monitoring Policies)

Since 2022, Ontario employers with 25 or more employees must have a written policy describing any electronic monitoring of employees.

The policy does not limit what the employer can do, but it must be transparent about the monitoring, its purpose, and the circumstances.

Biometric time-clocks and access control

Fingerprint scanners, facial-recognition time-clocks, and other biometric systems require heightened scrutiny because biometric information is sensitive.

Commissioners in BC and Alberta have found that biometric time-clocks are not reasonable if a less intrusive alternative (card, PIN, password) would serve the same purpose.

Medical information and return-to-work

Employers can ask about work-related limitations (what you can and cannot do) but are generally not entitled to diagnosis, symptoms, or treatment details. Medical notes should contain only what is needed to support accommodations or leave.

Sources & References

Personal Information Protection Act (PIPA British Columbia)—BC's private-sector privacy law governing the collection, use, and disclosure of personal information by organizations operating in British Columbia.BC Laws
Personal Information Protection Act (PIPA Alberta)—Alberta's private-sector privacy law governing how organizations handle personal information including employee personal information.King's Printer of Alberta
Quebec Law 25 (Act respecting the protection of personal information in the private sector)—Quebec's modernized privacy regime introducing mandatory breach notification, privacy impact assessments, data portability, right to be forgotten, and automated decision-making transparency.Publications du Québec
Personal Information Protection and Electronic Documents Act (PIPEDA)—Federal private-sector privacy law governing the collection, use, and disclosure of personal information.Justice Laws Website
Office of the Privacy Commissioner of Canada (OPC)—Oversees compliance with PIPEDA and the Privacy Act, investigates complaints, and promotes privacy rights.Government of Canada

All sources link directly to official government websites. This page provides legal information, not legal advice. Consult a qualified professional before acting on any information presented here.