Tracking vehicles for legitimate business purposes not a violation of employee privacy
There is no greater test of a parent’s trust than when they first allow their teenage child to take the car out on their own. Not only are parents left to worry about the safety of their child and the physical integrity of their vehicle, but they must also consider the potential liability of having their child share the streets with others.
Employers experience similar reservations entrusting a company vehicle to an employee, particularly where the employee is new and untested and may spend the majority of her working day with little to no supervision.
To address this issue, many employers have turned to a Global Positioning System (GPS) as a means of ensuring company vehicles are being driven safely and employees are where they should be. Deployment of a GPS in a company vehicle is not illegal, but its use is not without controversy. Some employee advocates argue it represents a breach of employee privacy rights.
GPS and employee privacy — what’s the issue?
A recent British Columbia decision sheds light on this issue in the context of that province’s Personal Information Protection Act (PIPA), which regulates the collection, use and disclosure of personal information in the private sector. In Schindler Elevator Corporation, the B.C. Information and Privacy Commissioner addressed the question of whether an employer’s installation of GPS and engine monitoring technology in company vehicles violated the privacy rights of its mechanic drivers.
The system in question tracked two different types of data: real-time information about the location and movements of a service vehicle, and the vehicle’s engine status and operation. This second category included data about distance travelled, speed, harsh braking, sharp acceleration and idling, as well as the time at which the ignition turned on and off.
The information generated by the GPS system was only viewed by the employer in accordance with its GPS policy. Under the policy, data was not constantly monitored, but rather viewed only when the operation of a vehicle deviated from accepted standards.
The union filed a complaint with the privacy commissioner alleging the employer’s GPS policy violated employee privacy rights. The employer argued the GPS system collected “vehicle information,” not “personal information,” and was therefore not subject to scrutiny under PIPA; and the GPS system provided a number of legitimate benefits, including improved planning of route assignments, enhanced safety and security by proactively identifying unsafe driving practices (rather than waiting for complaints from the public or charges), more efficient scheduling of vehicle maintenance, and the reduction of “time theft” by validating the hours a vehicle is in operation.
The privacy commissioner agreed with the union that the information collected was personal. According to the commissioner, the information did not need to be “about an identifiable individual in some ‘personal’ or ‘private’ way” so long as it could be used to identify the driver of a specific vehicle.
The privacy commissioner then considered whether the information was “employee personal information,” in which case different rules would apply to its collection, use and disclosure. This involved consideration of whether the information was collected, used or disclosed “solely for the purposes reasonably required to establish, manage or terminate an employment relationship.” The privacy commissioner answered in the affirmative, noting the GPS system and policy were for “legitimate, reasonable, business purposes.”
In light of her finding the information was “employee personal information,” the privacy commissioner then had to determine whether PIPA had been complied with. This involved a consideration of the following questions:
Is the information collected and used of a sensitive nature? Is more information collected than is reasonably required for the employer’s purposes? The privacy commissioner concluded the information was not especially sensitive since the information arose, overwhelmingly, in the context of work-day activities.
Is the collection, use or disclosure of the information likely to be effective in fulfilling the company’s objectives? The privacy commissioner noted the employer had reported a 30 per cent drop in accident costs since it implemented the GPS system. This was a good indication it was effective, at least insofar as it related to promoting safe driving habits.
Are there reasonable alternatives that ought to have been considered? The privacy commissioner found self-reporting by drivers appeared to be the only alternative and this was not as effective.
Has the information been collected covertly? The privacy commissioner noted the employees were well aware of the GPS system and policy.
On this basis, the privacy commissioner concluded there had been no breach of the employees’ privacy rights under PIPA.
What the decision means for employers
The decision in Schindler was made under the B.C. privacy regime, one of four jurisdictions in Canada to specifically legislate protections for employee personal information (other than health information) in the private sector — the others being Alberta, Quebec and the Federal level. Nevertheless, it provides invaluable insight as to the best practices available to employers to reduce the risk of having workplace surveillance policies successfully challenged.
When contemplating the implementation of a surveillance policy, employers should consider the following factors:
•Is the information collected and used of a sensitive nature or within the normal context of work-day activities?
•Is more information collected than is reasonably required for the employer’s purposes?
•Is the collection, use or disclosure of the information likely to be effective in fulfilling the company’s objectives?
•Are there reasonable alternatives that ought to be considered?
•Is the employer’s policy and practice clear and understandable to employees?
•Have employees been made aware of the policy and practice? See Schindler Elevator Corp., Re, 2012 CarswellBC 4283 (B.C. Information & Privacy Commr.).
