A pair of decisions – one applicable to private-sector organizations and one applicable to the public sector – that effectively authorize employers to use global positioning systems (GPS) and other technologies to remotely monitor their employees have been released by the Office of the Information & Privacy Commissioner for British Columbia. The adequacy of each employer's privacy policy and whether or not employees were properly notified of the purposes for the collection, use and disclosure of the personal information played a central role in both decisions.
In Schindler Elevator Corporation, the employer installed GPS and engine monitoring technology in all service vehicles used by its field mechanics to travel to and from their homes and work sites. The vehicles are kept at the mechanics' homes while not in use for work purposes, and the mechanics do not report to a centralized office as part of their usual routine. The employer's purposes for collecting and using the information collected included managing employee performance, productivity, hours of work, and to ensure safe and lawful driving.
The Information and Privacy Commissioner for British Columbia (the Commissioner) ultimately found that the employer's actions were reasonable and authorized under B.C.'s private-sector legislation, the Personal Information Protection Act (PIPA). In coming to this conclusion, the Commissioner took an expansive view of what constitutes "personal information". She also took and expansive and practical view of the circumstances in which employers will be authorized to collect and use employee personal information. The Commissioner emphasized the collection and use has to be reasonable and the assessment of what is reasonable in these types of cases includes: "whether the personal information is of a sensitive nature", "how much employee personal information is being collected and used", "whether the collection, use or disclosure in question is likely to be effective in fulfilling the organization's objectives", "whether there are alternatives", and "whether the personal information has been collected covertly".
The Commissioner identified the following factors that led her to the conclusion that the employer's actions were authorized: (1) the employer had an appropriate privacy policy that had sufficient detail in it; (2) the employer had given its employees notice of the purposes for its collection and use of the information; (3) the employer was not using the technology to continuously monitor employees; and (4) the information being collected was overwhelmingly related to workplace activities.
Two months after the release of Schindler, the Commissioner released her decision in University of British Columbia, where the employer installed similar technology to the technology in Schindler for the purposes of monitoring its on-campus security patrol vehicles. UBC was decided under the B.C. Freedom of Information and Protection of Privacy Act (FIPPA), which applies to public bodies (public schools, Crown corporations, government ministries, etc.) in B.C.
Notwithstanding that she was reviewing a different statutory framework, the Commissioner adopted the same expansive approach to the interpretation of what constitutes "personal information" as she outlined in Schindler. She also found that UBC's monitoring activities were authorized under FIPPA because they directly related to UBC's program of campus security, the employees were not continuously monitored, and the information derived from the monitoring technology was not particularly sensitive. Although UBC's monitoring program was authorized by FIPPA, UBC did not have an adequate privacy policy and failed to provide proper notice of its intended purposes for implementing and using the technology. UBC was ordered to stop collecting, using or disclosing personal information derived from this program until it properly complied with FIPPA's notice provisions.
Both Schindler and UBC show that technologically advanced employee location monitoring can be authorized under PIPA and FIPPA, provided the collection, use and disclosure of the personal information is reasonable and employees are properly informed about the intended purposes for the collection, use and disclosure of the personal information. In order for employers (regardless of which privacy statute applies) to ensure that their collection, use, and disclosure of this type of information does not run afoul of the relevant privacy legislation, it is incumbent upon them to have a properly drafted privacy policy containing appropriate limits on collection, use, and disclosure and to clearly articulate the intended purposes to their employees in compliance with the notice provisions under the applicable statutes.