Is GPS data “personal information?”

A recent decision by the Alberta Privacy Commissioner has confirmed that in some cases, an organization’s requirement for independent contractors to install GPS tracking devices on their vehicles will not violate applicable privacy legislation but the data collected may be considered “personal information”.

Order P2019-04 involved a complaint by independent contractors retained by NAL Resources Management LTD. NAL required the contractors to install GPS devices on their vehicles, with a default setting of “on”. The devices were intended to “promote good driving behavior” and allow NAL to locate the contractor in the event of a “Safety Line call out.” The independent contractors filed a complaint alleging the data was “personal information” and therefore NAL required their consent for its use, collection, or disclosure.

This decision investigated the difference between the definition of “employee” in Alberta’s Personal Information Protection Act, and whether the information collected by the GPS constituted “personal employee information” versus “personal information”. If information was considered “personal information”, the contractor’s consent would be required for the use, collection, and disclosure of said information. However, if the information was considered “personal employee information” no consent was required.

“Personal information” was defined as “information about an identifiable individual”. The act generally requires the consent of an individual for the use, collection, or disclosure of “personal information.”  In contrast, “personal employee information” was defined by the act as personal information reasonably required by the organization for the purposes of establishing, managing, or terminating an employment or volunteer-work relationship, or managing a post-employment or post-volunteer-work relationship between the organization and the individual. This type of information did not require the consent of the employees.

In the present case, the commissioner found that the GPS data had a personal dimension given that the data collected would enable NAL to determine the physical location of the contractor, as an individual, which could be expected to have personal consequences for the contractors as individuals. Accordingly, the GPS tracking data was “personal information.”

However, the commissioner determined that in the present circumstances the GPS data was not “personal information” but rather “personal employee information” because the independent contractors were considered “employees” under the act.

The commissioner noted that s. 1(1)(e) of PIPA goes well beyond the common law definition of employee to include directors, office-holders, volunteers, students, contractors or agents of an organization. Consequently, information about a contractor reasonably required by an organization to manage a contractual relationship would be “personal employee information” under PIPA, regardless of the fact that at common law, independent contractors are not considered employees.

The takeaway

This decision is interesting for employers and privacy professionals alike. It is a solid reminder that words such as “employee” can carry different meanings across different legislation and one should always “double check” before diving in. It is also a reminder that employers need to seriously consider whether any productivity/data tracking services are collecting “personal information” under their province’s specific privacy legislation. While this was a decision of Alberta’s privacy commissioner, the definition of “personal information” is mirrored in the federal privacy legislation PIPEDA that applies to provinces that do not have substantially similar privacy legislation.

Share

Related Posts

Imagen 1

The new age of workplace gossip – TMI!

I’ve discussed workplace gossip here before, and what bosses can do to prevent it or at least reduce the potential harm, but there are a couple of hyper-modern developments that I didn’t get into: reality television and the Internet. These two things have created a culture of “sharing”, for lack of a better word, that encourages people at play or work to divulge the most mundane and private details of their lives to others—the kind of information that one previously might only have shared with family or best friends.

Adam Gorley

Read more
Imagen 1

Privacy risk management – by design

I’ve discussed the Privacy by Design principle before, in the Inside Internal Control newsletter. In case you don’t know, PbD is an approach developed by Dr. Ann Cavoukian, the Privacy Commissioner of Ontario, which proactively embeds privacy protection by default in the design of an organization’s practices and products.

Colin Braithwaite

Read more
Imagen 1

Workplace organizational behaviour part II: Perception

Behaviour in the workplace is based on people’s perception of it. In this post, let’s examine how one’s perception influences productivity, absenteeism, turnover and job satisfaction.

Christina Catenacci, BA, LLB, LLM, PhD

Read more