
Workplace Privacy Rights & Employer Monitoring Limits

Difficulty: Medium · Applies To: All Provinces & Territories · Last Updated: 2026-03-01

Overview

The digital workplace has made employer surveillance easier and more pervasive than at any point in history — keystroke logging, GPS tracking, email scanning, screen recording, and browser history monitoring are all technically possible and widely deployed. The legal framework governing what is permissible lags far behind the technology.

In Canada, the framework is fragmented: federally regulated employees (banks, airlines, telecommunications companies, interprovincial transportation) are protected by PIPEDA. Provincially regulated employees in most of Canada operate under a patchwork of common law privacy rights, collective agreement provisions, and provincial human rights codes. Ontario added a transparency requirement in 2022 — but it stopped short of creating enforceable limits on what employers can monitor.

Understanding the distinction between what employers must disclose and what employees can challenge or prohibit is the key to navigating this area effectively.


Who Is Covered by Which Law?

Federally Regulated Employees — PIPEDA Applies

The Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) applies to the collection, use, and disclosure of personal information by:

  • Banks and federally regulated financial institutions
  • Airlines and federally regulated transportation companies
  • Telecommunications companies (Bell, Rogers, Telus, etc.)
  • Broadcasting companies
  • Federal Crown corporations
  • Any other business or undertaking operating under federal jurisdiction

Approximately 10% of Canadian workers are in federally regulated sectors. If you work for a bank, a major airline, or a national telecom, PIPEDA governs your employer’s handling of your personal information — including information collected through monitoring.

Provincially Regulated Employees — Ontario and Beyond

The majority of Canadian workers are employed by provincially regulated businesses. Privacy law for these workers depends on the province:

  • Ontario: No private-sector employee privacy statute equivalent to PIPEDA; relies on common law (intrusion upon seclusion), the Ontario Human Rights Code, and the new Electronic Monitoring Policy requirement under the Employment Standards Act (ESA)
  • British Columbia: Personal Information Protection Act (PIPA, S.B.C. 2003, c. 63) — applies to provincial private-sector organisations, including employee information
  • Alberta: Personal Information Protection Act (PIPA, S.A. 2003, c. P-6.5) — same as BC, a provincial privacy act covering employee data
  • Quebec: Act respecting the protection of personal information in the private sector (now modernised by Law 25/Bill 64, fully in force as of September 2023) — one of the strongest employee privacy regimes in Canada
  • Other provinces: No equivalent private-sector privacy legislation; employees rely on common law and collective agreements

Ontario’s Electronic Monitoring Policy Requirement (Bill 88, 2022)

Ontario’s Working for Workers Act, 2022 (S.O. 2022, c. 7) amended the Employment Standards Act, 2000 to add Part XI.1: Written Policy on Electronic Monitoring of Employees. This came into force October 11, 2022.

Who Must Comply

Employers with 25 or more employees in Ontario on January 1 of any year must have a written electronic monitoring policy in place. This is calculated by headcount — part-time, seasonal, and remote workers all count.

What the Policy Must Contain

The written policy must describe:

  1. Whether the employer electronically monitors employees, and if so:
  2. How employees are monitored (the specific methods and technologies used)
  3. In what circumstances monitoring occurs (at all times, only during working hours, only on company devices, etc.)
  4. The purposes for which information obtained through monitoring may be used by the employer

The policy must be provided to all existing employees within 30 days of the policy being written (or within 30 days of an amendment) and to new employees within 30 days of their start date.

Assignment Employees (Temp Agency Workers)

Temporary help agencies must also provide the policy to assignment employees — and clients of temp agencies must provide the agency with any policy details that apply to the workplace where the assignment employee works.

What the Law Does NOT Do

This is the most critical and widely misunderstood aspect of Bill 88:

The legislation explicitly states that nothing in Part XI.1 affects or limits an employer’s ability to use information obtained through electronic monitoring of employees.

Ontario’s law creates a disclosure obligation, not a prohibition. It does not restrict the types of monitoring an employer may conduct. An employer can lawfully state in the policy that “we monitor all keystrokes, browser history, screen activity, and GPS location on all company and personal devices during working hours” — and that is compliant.

The enforcement mechanism is also narrow. The only ESA complaint available to employees arises where the employer:

  • Fails to have a written policy at all
  • Fails to provide the policy to employees within the required timeframe

An employee cannot file an ESA complaint because they believe the monitoring is excessive or unfair — that is not within the ESA’s jurisdiction under the current legislation.


PIPEDA Rights for Federally Regulated Employees

For employees in federally regulated sectors, PIPEDA provides substantially stronger protections:

PIPEDA’s ten principles require that employers:

  1. Identify purposes for collecting personal information before or at the time of collection
  2. Obtain consent (express or implied) for collection, use, and disclosure
  3. Limit collection to what is necessary for the identified purposes
  4. Use information only for the original purpose unless consent is obtained for a new purpose
  5. Ensure accuracy of personal information
  6. Provide access to individuals who request their own information
  7. Allow correction of inaccurate information

The Employment Relationship Exception

PIPEDA allows employers to collect, use, and disclose employee personal information without consent if the collection is “necessary to establish, manage, or terminate an employment relationship” and the employee has been notified that their information may be collected.

This exception is meaningful but not unlimited. The OPC has held that surveillance must be:

  • Demonstrably necessary for the employment purpose claimed
  • Likely to be effective in meeting that purpose
  • Not overly intrusive given the privacy interest at stake
  • The least privacy-invasive option available

Personal Devices

PIPEDA draws a meaningful line at personal devices. Employers cannot unilaterally access personal devices simply because they are used for work. If an employer wants to monitor activity on a personal device (e.g., through mobile device management (MDM) software), they must:

  • Obtain informed consent from the employee
  • Disclose what will be accessed and collected
  • Limit monitoring to the work-related portion of the device

What Employers Can and Cannot Do: Practical Guide

Generally Permissible (With Notice)

  • Monitoring of company-issued devices (laptops, phones, tablets) — email, browser history, files accessed
  • Time-tracking software on company devices during working hours
  • GPS tracking of company vehicles during working hours for route or delivery management
  • Recording of work-related phone calls with advance notice (e.g., “this call may be recorded for quality and training purposes”)
  • Access logs for company premises, systems, or VPNs
  • Email monitoring on work email accounts (employees have very limited expectation of privacy in work email)

Significantly More Limited or Legally Risky

  • Personal device monitoring without explicit, informed consent — particularly accessing personal email, text messages, or personal apps through MDM software
  • Continuous screen recording on home computers during remote work — especially where an employee’s family or personal activities may be captured
  • Constant GPS tracking of personal vehicles even when used for work purposes during non-work hours
  • Monitoring personal social media accounts — an employee’s personal Facebook or Instagram profile is generally protected absent a specific legitimate business purpose
  • Keylogger software that captures passwords to personal accounts
  • Audio or video surveillance in washrooms, change rooms, or other private spaces — prohibited under criminal law (Criminal Code, s. 162 — voyeurism provisions)

Likely Unlawful

  • Covert surveillance of employees without any notice or disclosure — in many contexts, this breaches PIPEDA (for federally regulated workers) and may give rise to common law privacy tort claims in Ontario (intrusion upon seclusion — Jones v. Tsige, 2012 ONCA 32)
  • Video recording employees in private spaces
  • Accessing personal accounts (banking, personal email, medical portals) through employer access to a personal device
  • Using monitoring information for purposes unrelated to the employment relationship (e.g., sharing with third parties, using health-related information for discriminatory purposes)

How to Find Out If Your Employer Has a Monitoring Policy

Under Ontario’s ESA, the policy must be provided to you. If you have not received one:

  1. Ask your HR department or direct manager in writing (email is fine) whether the company has an electronic monitoring policy under Part XI.1 of the ESA, and request a copy.
  2. Check your employee onboarding documents — many employers include it in the employee handbook or new hire package.
  3. Check your employment contract — monitoring clauses are often buried in the schedule of terms.

If the employer refuses to provide the policy or claims one does not exist (when the employer has 25+ employees), that is an ESA violation.


How to File a Complaint

If You Are in Ontario — ESA Complaint

If your employer has 25+ employees and has failed to provide an electronic monitoring policy, file a complaint with the Ministry of Labour, Immigration, Training and Skills Development at ontario.ca/page/submit-employment-standards-claim.

Note: This complaint mechanism is limited to the disclosure failure. It does not adjudicate whether the monitoring itself is lawful.

If You Are a Federally Regulated Employee — PIPEDA Complaint

File a complaint with the Privacy Commissioner of Canada (OPC):

  • Online at priv.gc.ca/en/report-a-concern
  • By mail to: Office of the Privacy Commissioner of Canada, 30 Victoria Street, Gatineau, QC K1A 1H3
  • Phone: 1-800-282-1376

The OPC will investigate whether the employer’s collection, use, or disclosure of your personal information violated PIPEDA. If the complaint is upheld and the employer refuses to comply with OPC recommendations, the employee (or OPC) can apply to Federal Court for a remedy including damages.

In BC and Alberta — Provincial PIPA Complaints

File with the provincial Information and Privacy Commissioner:

  • BC: Office of the Information and Privacy Commissioner of BC — oipc.bc.ca
  • Alberta: Office of the Information and Privacy Commissioner of Alberta — oipc.ab.ca

Ontario Common Law — Intrusion Upon Seclusion

For covert, highly offensive monitoring in Ontario, employees can pursue a civil action for the tort of intrusion upon seclusion established in Jones v. Tsige, 2012 ONCA 32. To succeed, you must show:

  1. The employer’s conduct was intentional or reckless
  2. The employer invaded your private affairs or concerns without lawful justification
  3. A reasonable person would regard the invasion as highly offensive

Damages are available even without proof of economic loss — courts have awarded $10,000–$20,000 for serious intrusions, and higher in egregious cases.


Quebec: The Strongest Employee Privacy Protections in Canada

Quebec’s modernised privacy legislation (Law 25, fully in force September 2023) applies to private-sector employers in Quebec and includes:

  • Privacy impact assessments (PIAs) required before deploying new monitoring technology
  • Express consent requirements for the use of biometric data (e.g., facial recognition, fingerprint time clocks)
  • A right to be informed of all personal information collected and the purposes
  • Data minimisation requirements — employers may only collect information strictly necessary for the stated purpose
  • Significant penalties for non-compliance (up to 4% of worldwide turnover or $25 million, whichever is greater, for organisations)

Quebec employees can file complaints with the Commission d’accès à l’information (CAI) at cai.gouv.qc.ca.


What Most People Don’t Know

  • Ontario’s electronic monitoring law does not give you a right to privacy. It gives you a right to know you are being monitored. The monitoring itself can be lawful and extensive. The value is that once you know what’s happening, you can make informed decisions about what you do on company devices.
  • “Company device” does not mean unlimited monitoring. Even on a company laptop, an employer who accesses personal email opened through a browser, or a personal banking portal, may exceed what PIPEDA permits — even for federally regulated employers.
  • Arbitration under collective agreements often provides stronger rights. Unionised employees in Canada have successfully challenged excessive monitoring through grievance arbitration — arbitrators have developed a robust body of “reasonableness” standards for surveillance, which far exceed the protections available to non-union employees.
  • Bring-Your-Own-Device (BYOD) policies cut both ways. If your employer has a BYOD policy allowing you to use your personal phone for work, they may have attempted to install MDM software with broad access. Read the policy carefully — and know you can refuse to install monitoring software on a personal device, though your employer may then deny you the ability to use your personal device for work.
  • Resignation and termination are not the only remedies. Employees who discover covert monitoring often feel powerless. But OPC investigations, ESA complaints, and civil claims are real options with meaningful outcomes.

Who Benefits Most

  • Remote workers whose employers have deployed extensive monitoring software on home computers — understanding what is disclosed in the policy vs. what may be overreach
  • Federally regulated employees (bank tellers, airline employees, telecom workers) who have PIPEDA rights beyond mere disclosure
  • Quebec workers who have the strongest statutory privacy protections of any employee group in Canada
  • Any Ontario employee who has not received an electronic monitoring policy from an employer with 25+ people — a straightforward and verifiable ESA violation
  • Employees with personal devices used for work who have not had the data access implications of MDM software explained to them

Key Legislation and Case Law

  • Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5 — federal privacy legislation governing federally regulated employer data practices
  • Working for Workers Act, 2022, S.O. 2022, c. 7 — Ontario legislation adding the electronic monitoring disclosure requirement to the ESA
  • Employment Standards Act, 2000, S.O. 2000, c. 41, Part XI.1 — the specific ESA provision requiring written electronic monitoring policies
  • Personal Information Protection Act (PIPA), S.B.C. 2003, c. 63 (British Columbia)
  • Personal Information Protection Act (PIPA), S.A. 2003, c. P-6.5 (Alberta)
  • Act respecting the protection of personal information in the private sector, R.S.Q., c. P-39.1, as amended by Bill 25 (S.Q. 2021, c. 25) (Quebec)
  • Jones v. Tsige, 2012 ONCA 32 — established the tort of intrusion upon seclusion in Ontario
  • Criminal Code, R.S.C. 1985, c. C-46, s. 162 — voyeurism prohibition

Frequently Asked Questions

My Ontario employer has over 25 employees but never gave me an electronic monitoring policy — is that a violation I can report?

Yes. Employers with 25 or more employees in Ontario on January 1 of any year must have a written electronic monitoring policy and provide it to all employees within 30 days of it being written (and to new hires within 30 days of their start date). If you haven’t received one, ask HR in writing. If they refuse or claim one doesn’t exist, you can file an Employment Standards claim with the Ontario Ministry of Labour.

Can my employer legally monitor my personal phone or laptop if I use it for work?

Personal devices carry significantly stronger privacy protections than company-issued devices. Employers — including federally regulated ones under PIPEDA — cannot unilaterally access personal devices without informed consent. If your employer installed mobile device management (MDM) software on your personal phone, they must have disclosed what data would be accessed. You have the right to refuse MDM installation on a personal device, though the employer may then bar it from the workplace network.

Does Ontario’s electronic monitoring law actually restrict what my employer can monitor?

No — and this is the most commonly misunderstood aspect of Bill 88. Ontario’s law creates a disclosure obligation only: employers must tell you how and why they monitor, but the legislation explicitly does not limit or restrict the monitoring itself. An employer can lawfully disclose that they monitor all keystrokes, screen activity, and GPS location, and be fully compliant with the law.

I work remotely and my employer installed screen-recording software. Can they record my home environment?

Continuous screen recording on home computers during remote work is a legally grey area, particularly where family members or personal activities may be captured incidentally. For federally regulated employees, PIPEDA’s proportionality principle requires that monitoring be no more intrusive than necessary. For Ontario workers, the ESA complaint mechanism only covers whether a policy was disclosed — not whether the monitoring is excessive. A civil claim for intrusion upon seclusion may be available if the surveillance is egregious and covert.

How do I find out exactly what my employer is monitoring on my company laptop right now?

Start by requesting a copy of the electronic monitoring policy under Ontario’s ESA (if applicable). Review your employment contract for monitoring clauses. For federally regulated employees, you can submit a PIPEDA access request to your employer’s HR department requesting all personal information collected about you, including monitoring data. On your device itself, a system administrator can see installed software — though IT departments are generally not obligated to disclose monitoring tools beyond what’s in the policy.
