'It's a decision that gives comfort to employers,' says lawyer discussing implications of CAI decision on employee monitoring
A recent decision out of Quebec is providing “very helpful” insights for employers when it comes to workplace surveillance, according to legal experts.
The Commission d’accès à l’information (CAI) of Quebec issued an order requiring Crane Supply to significantly limit its use of video surveillance inside company vehicles.
The CAI found that the collection of images went beyond what was necessary and was not sufficiently justified under Quebec’s privacy laws.
This decision brings needed clarity for organizations operating in safety-sensitive environments as questions have circulated for years about what is “reasonable” when it comes to in-cab monitoring, according to Adam LaRoche, a partner at Osler, Hoskin & Harcourt in Calgary.
“One of the really important parts of this finding is the ultimate determination that the practice itself is reasonable or necessary from a Quebec perspective,” he says.
“It’s a decision that gives comfort to employers who work in dangerous goods or transportation or in large, dangerous vehicle driving. It’s really helpful from that perspective.”
However, the CAI’s finding is not an open invitation for all kinds of surveillance, says LaRoche.
“I would caution employers from reading this decision as a blanket authorization to conduct in-cab monitoring,” he notes, emphasizing the need for a contextual assessment.
Image collection in vehicles
Around February 2023, the company installed a bidirectional video surveillance system in all its vehicles, allowing for the collection of images from both the outside and inside of its vehicles.
The system collected images from the moment the vehicle was started and up to 20 minutes after the engine was turned off. The audio recording and audio alert features were not activated.
There were also AI-driven features that detected predetermined events occurring within the vehicle cabins — such as a driver smoking, tailgating or excessive speed — and generated incident reports.
But the CAI decided Crane Supply was overstepping in its surveillance:
“The company did not sufficiently minimize the invasion of privacy represented by the collection of personal information it conducts. Therefore, the company did not demonstrate the necessity of this collection.”
The commission ordered Crane Supply to limit image collection inside vehicle cabins to only brief periods before and after a specific incident, or to cease such collection altogether. The company was also instructed to stop recording after vehicle engines were turned off and to destroy footage not related to a specific event.
Balancing privacy and legitimate business needs
One of the things the decision highlighted was that the surveillance system was not necessarily implemented in the least privacy-invasive way possible, says Wendy Mee, partner at Blakes in Toronto.
“It wasn't that the system itself was totally offside, it's just that there could have been things that were done along the way to... implement it in a way that was more proportional.”
One of the commission’s recommendations was only to record when there was an accident on the road, but this take is “a bit too narrow,” she suggests.
“If I was to argue against that, I would say, ‘Well, the point of this technology is not to just analyze accidents, but also to analyze behaviour that could result in an accident.’”
In Quebec, the general requirement for workplace surveillance is that the objective be legitimate, important and real.
And prior to launching a system such as that used by Crane Supply, employers must carry out a Privacy Impact Assessment (PIA) to determine issues such as the nature of personal information collected, the relevant risks, transporter data transfers, and how the data will be protected.
And the PIA should be revisited, says Mee: “A perfect example of that was with COVID [when] people applied all sorts of privacy-invasive policies and tools that were appropriate in the moment but would not be appropriate now.”
Proportionality between privacy, objectives
The CAI emphasized the need for proportionality between privacy and organizational objectives.
“The test is always: ‘Is there a balance between the invasion of privacy and the legitimate obligations or legitimate needs of the employer?’” says Mee. “And if you're unnecessarily invading an employee's privacy, then obviously this decision highlights that you need to make those changes.”
She notes that determining whether a purpose is legitimate and important is not easy.
“That's a big challenge… I would assume no employer is going to go out and spend money on a technology if they don't believe they have a legitimate or important reason to do that.”
Mee says she often asks clients to consider, “Are you trying to put a birthday candle out with a fire hose? That’s the real question in terms of do you have a legitimate need…? The real tricky part is ‘Are we applying a fix that strikes the right balance?’”
Tech advances for workplace surveillance
Using advanced tech for workplace surveillance and safety is a “hot topic” that continues to evolve, according to LaRoche. And one of the key issues for employers to consider is knowing exactly how the tools work, he says.
Some forms of technology are going to be more invasive and intrusive, such as using a biometric aspect to confirm a driver's identity or a voice transcription capturing audio, says Laroche.
“That's a higher-risk practice than a system that is only measuring acceleration, deceleration, harsh braking and other telemetric data rather than facial or voice data.”
He points out that well-designed platforms will have parameters around capture and recording, with features such as stopping recording after the engine is off or only saving footage when a defined incident occurs.
Human aspect to surveillance tech
And the human element is important.
“It's important — as with all AI-related aspects — for employers to actually review the footage on a limited basis to determine that someone was in fact in breach of a workplace rule and don't take the system at its word when in fact [the worker was] using a lollipop to quit smoking.”
It shouldn't be an automated decision-making process, says LaRoche.
“It's a tool that you should use with full transparency to your employees so that they understand how the tool is going to be used before it's actually implemented.”
For example, the distinction between event-triggered and continuous monitoring is central to the CAI’s decision.
“Continuous surveillance of employees is very rarely appropriate,” says Mee. “It's very privacy invasive to be under constant monitoring, and there would have to be some very significant reason to justify that level of invasion of privacy.”
Compliance by service providers
Federally regulated employers fall under the Personal Information Protection and Electronic Documents Act (PIPEDA). Quebec’s privacy regime is the most stringent in Canada, while Alberta and B.C. also have employee-focused privacy laws.
“Outside of those three provinces, there aren’t privacy laws that restrict the ability of employers to collect personal information about employees in non-federally regulated workplaces,” says LaRoche.
Transparency about surveillance practices, both with service providers and employees, is crucial — as is compliance, he says.
“Service providers are often quick to represent that their solution is compliant with laws in a given jurisdiction. Candidly, there are often U.S. service providers who have not conducted a fulsome assessment of local regulations in Canada and in Quebec in particular.
“They make sweeping statements about how... compliant the solution is and, on further examination, we’ll determine that they haven't really taken a heartfelt look at the strict requirements in Quebec or have never assisted employers in particular in conducting the requisite Privacy Impact Assessments.”
Notice and employee consent
When it comes to employees consenting to this type of workplace surveillance, the legal requirement is often misunderstood, says Mee: “You may need consent in some cases, but in the employment context, it's typically more of a notice obligation.”
Canadian privacy laws typically do not require that employees consent to the collection, but alerting them is advisable, says LaRoche.
“There's a requirement for employers to provide notice of their personal information collection, use and disclosure practices — and for those underlying practices to be reasonable as assessed by Canadian privacy regulators,” he says, adding there's a danger to framing this as a consent issue. “If an employee declines to consent, then you're kind of stuck because the employee then says, ‘Well I'm not going to do that.’”
Who should have access to data?
Crane Supply’s dashboard camera policy stipulated that access to the collected images was limited to the vice president of operations, the regional director of operations, and the director of environment and health and safety.
Mee underscores the importance of considering who has access to the data and how long it should be retained.
“There's often a tendency to look at this issue very narrowly, like ‘Can we do this?’ But the question really should be, ‘OK, well, how long do we have to keep it for? How do we make sure that it's kept securely so that only authorized people have access to it? What sort of policies do we have to make sure that the information is only accessed and used for the purposes for which we... intended it to be?’”
Mee also highlights the risk of using data for purposes not originally disclosed to employees.
“If you're saying, ‘We're going to access it for safety purposes and training,’ but then you use it for disciplinary reasons, that’s function creep, [and] all of a sudden your purpose is something you may not have disclosed to the individual like you're required to do.”
Restricting who can view surveillance data is important, agrees LaRoche.
“There might not be a need for the entire IT department and every manager to have access to a single employee's triggered video recordings when it [should] just be one IT person and that employee's direct manager and their supervisor — that might be sufficient.”
Retention of data key consideration
Another oversight? The instinct to retain data for a long time so that it's available for access because people don't want to lose the opportunity to take a look at something that could be relevant, says LaRoche.
“But, ultimately, when these kinds of issues end up in front of a privacy regulator or they're disputed at arbitration, what will go to the underlying reasonability assessment — from the regulator, from the labour arbitrators — is ‘How long are you keeping this data?’” he says.
“It's much easier to argue that the practice is reasonable where data is retained for a matter of hours unless there is a trigger… rather than seven straight days of footage being retained and available for you.”
Next steps in workplace surveillance
While this decision applied to video surveillance of employees for safety-related purposes, employers are increasingly looking to use this tech for potentially less compelling purposes such as performance management or enhancement, says LaRoche.
“[They] will need to assess whether those purposes will be as compelling in the eyes of a regulator. And I think the answer to that is probably not.”
