Workplace Privacy Violations
Your employer cannot collect, use, or disclose your personal information without limits.
Content last verified against official statutes: March 30, 2026
What the Law Says
PIPEDA Principle 4.3 requires that personal information be collected, used, or disclosed only with the knowledge and consent of the individual, and only for purposes that a reasonable person would consider appropriate. Principle 4.9 gives you the right to access your personal information held by the employer and to challenge its accuracy. Under PIPEDA, personal information includes employee monitoring data, medical records, performance data, emails about you, and any other information about an identifiable individual.
What This Means for You
Your employer can monitor your work activities, but not without limits. Monitoring must be proportionate, justified by a legitimate business purpose, and applied consistently (not selectively to one employee). Your medical information cannot be shared with colleagues who have no need to know. Your personal data cannot be collected, used, or disclosed beyond what is necessary for the employment relationship. You have the right to request access to all personal information your employer holds about you, and they must respond within 30 days.
Real Example
An employee at a federally regulated company filed a formal harassment complaint after a colleague publicly disclosed the employee's medical condition in front of other staff members. The disclosure was made in a casual, joking manner with no business purpose. The employee documented the exact time, what was said, and who was present. In the formal complaint, the employee identified the public disclosure of medical information as a specific violation alongside the primary harassment. The employee also submitted a PIPEDA Principle 4.9 access request to obtain all personal information the employer held, triggering a 30-day response obligation.
What You Can Do
1. Submit a written access request under PIPEDA Principle 4.9 to your employer's Privacy Officer. They must respond within 30 days.
2. If your medical or personal information is disclosed to unauthorized people, document who disclosed it, to whom, when, and the context.
3. If monitoring is applied selectively to you and not others, document the selective application with dates and comparators.
4. File a complaint with the Office of the Privacy Commissioner (OPC) if the employer fails to respond to your access request or violates your privacy rights. There is no statutory time limit specified in PIPEDA for OPC complaints, but earlier is better.
5. Note that privacy violations can strengthen other claims (harassment, reprisal) by demonstrating a pattern of conduct.
Warning Signs
- Your medical condition, personal circumstances, or private information discussed by colleagues or management without your consent
- Monitoring of your work activities (email, screen, badge access) that is not applied to other employees in the same role
- Employer collecting personal information beyond what is needed for your job
- Employer refusing or ignoring your request to access your own personnel file or personal data
- Third parties (staffing agencies, external investigators) receiving your personal information without your knowledge
- IT changes (new monitoring software, restricted access) applied selectively to you following a complaint
What to Document
- Any instance of personal information disclosure with date, time, who disclosed, to whom, and what was disclosed
- Monitoring actions with dates, noting whether other employees are subject to the same monitoring
- Your written access request (date sent, to whom, what you requested)
- The employer's response (or non-response) and the number of days elapsed
- Any personal information you discover the employer holds that you were not informed about
Where to File
Internal
- Written access request to Privacy Officer under PIPEDA Principle 4.9
- Written complaint about unauthorized disclosure to HR
External
Office of the Privacy Commissioner (OPC)
Handles access request refusals, unauthorized disclosure, and disproportionate collection.
Key Statutes
When Should You Contact a Lawyer?
This platform is designed to help you build your case independently — collecting evidence, documenting incidents, writing complaints in compliance language, and navigating the internal HR process. Many employees can handle these steps without a lawyer.
The most effective time to engage a lawyer is after you have completed the internal process and your employer has failed to resolve your complaint. At that point, a lawyer can review your complete file — your timeline, evidence, complaint, and the employer's response — and provide strategic advice before you file with an external body such as the CIRB, CHRC, or OPC.
By doing the groundwork yourself, your consultation becomes a focused strategic review rather than a costly fact-gathering session. This approach has been validated by employment lawyers who reviewed files prepared using this methodology and found the documentation thorough with nothing to add.
Cite This Page
MyWorkRights.ca, "Workplace Privacy Violations," accessed 2026-04-01, https://myworkrights.ca/harassment/privacy
Written by the MyWorkRights.ca team, based on direct experience navigating the CIRB, OPC, and CHRC complaint processes and 500+ hours of employment law research.