Workplace Privacy in Alberta: Balancing Business Needs and Employee Rights
Overview
Workplace privacy is no longer a “nice to have.” Between surveillance tools, remote work, and data-driven management systems, employers are collecting more employee information than ever, often without realizing how quickly privacy risk turns into a privacy complaint, a litigation issue, or reputational harm.
In Alberta, the key private-sector framework is the Personal Information Protection Act (PIPA). PIPA is built on a reasonableness standard. What you collect, use, or disclose must be for purposes a reasonable person would consider appropriate in the circumstances. Missteps can lead to complaints to the Office of the Information and Privacy Commissioner, operational disruption, and increased exposure in employment disputes.

A quick jurisdiction note: Federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), generally applies to federally regulated employers such as banks, airlines, and telecommunications companies. Alberta public bodies are governed by different legislation. This post focuses on private sector employers in Alberta.
1. Employer obligations under Alberta PIPA
PIPA applies to most private sector employers in Alberta. It regulates the collection, use, and disclosure of personal information and requires employers to act reasonably.
Before collecting or monitoring, be able to answer these questions:
- What personal information are we collecting?
- What purpose are we trying to achieve?
- Is the purpose objectively reasonable in the circumstances?
- Is there a less intrusive way to achieve it?
- Have we been transparent with employees?
- Who will have access, and how long will we keep it?
Consent is not a cure-all. Even with consent, the collection, use, or disclosure must still be reasonable and proportionate.
2. Collection with consent
Organizations generally must obtain consent and collect personal information directly from the individual. Consent may be express, whether verbal, written, or electronic. Consent may also be implied where a person voluntarily provides information and it is reasonable for that purpose, or where clear notice is given and the person has a real opportunity to decline and does not. Even then, you can only collect, use, or disclose what you communicated, and only to the extent that is reasonable. The notice must not be false or misleading.
3. Collection without consent, limited exceptions
Under PIPA, collection without consent is the exception, not the rule. Even where an exception applies, the collection must still be reasonable in the circumstances and limited to what is necessary for the stated purpose.
A key Alberta-specific concept is personal employee information. This refers to personal information that is reasonably required to establish, manage, or terminate the employment relationship, or to manage a post-employment relationship. If an employer is collecting personal employee information without consent, two points matter. First, it must be reasonable and solely for establishing, managing, or terminating the relationship, or for post-employment management. Second, for current employees, employers must provide reasonable notice before collecting the information and explain the purpose for which it will be used.
Outside of that, collection without consent may be permitted only in narrow circumstances, such as when collection is authorized or required by law, including court orders, subpoenas, or statutory duties under Alberta or Canadian legislation.
- Collection may also be permitted in connection with a bona fide investigation or legal proceeding in narrow, fact-specific situations where the statutory conditions are met, and the collection is tightly scoped to what is necessary.
- Collection may be permitted to administer or enforce a collective agreement to the extent reasonably necessary for that purpose.
- Collection may be permitted where the information is publicly available as defined by regulation. Publicly available does not mean anything found online.
- Collection may be permitted in connection with business transactions for limited due diligence or completion purposes, subject to statutory safeguards, restricted use, and limited retention.
- Collection may be permitted for debt collection or payment purposes where necessary and proportionate, such as addressing overpayments.
Key caution: These exceptions are interpreted narrowly. Employers should be able to explain and document why the collection was necessary, why a less intrusive option would not work, and why the scope and retention period were proportionate. If you cannot justify the collection in two clear sentences, purpose and necessity, it is probably too broad.
4. Breach reporting and real risk of significant harm
Alberta has mandatory breach reporting when personal information is lost or accessed without authorization and the incident poses a real risk of significant harm. In those cases, organizations must report to the Office of the Information and Privacy Commissioner (OIPC) without unreasonable delay, and individuals are typically notified if and as directed by the OIPC.
For example, a branch advisor emails a client spreadsheet to their personal email to work from home. The account gets compromised, and the file is accessed by someone else. Because the data includes high-risk identifiers (e.g., SIN/account details) and there’s unauthorized access, the employer contains the breach, documents its risk assessment, and reports to Alberta’s OIPC without unreasonable delay, then notifies affected individuals if/when the OIPC directs. Employers should have an incident response plan in place before anything happens, including how they assess risk, document decisions, and escalate quickly.
5. Employee monitoring and surveillance
Monitoring is not automatically unlawful, but it is an area where employers often overreach. A practical rule is to monitor for a specific business reason, use the least intrusive method, limit the duration, and provide clear notice to employees.
Video surveillance
If you are considering workplace cameras, be prepared to justify the specific need, the problem you are addressing, and why less intrusive options will not work. Control access, set retention limits, and give employee notice.
Digital monitoring
High-risk examples include mandatory always-on webcam access, keystroke logging, constant screen capture, GPS tracking via personal phones, and audio recording. These tools can capture far more personal information than necessary, including information unrelated to work. If they do, that can quickly become unreasonable under PIPA.
6. Remote work and hybrid privacy risks
Remote work blurs the line between work and personal life. Strong practice includes focusing on outputs and deadlines rather than constant surveillance. Be clear with employees about what is monitored, when, and why. Avoid monitoring systems that capture non-work spaces or private conversations by default. Where possible, require the use of work devices and work accounts to reduce accidental intrusion into personal phones, laptops, or personal email.
7. Handling employee data securely to minimize legal risk
Safeguarding personal information is a core PIPA obligation, and employers should not treat it as an IT task alone. PIPA requires organizations to designate someone responsible for privacy and compliance, even if the role is informal.
Practical checklist
- Limit access to those who truly need it
- Use strong authentication and role-based permissions
- Encrypt portable devices and sensitive files
- Set retention timelines and delete on schedule
- Maintain an incident response plan that includes breach assessment and reporting steps
8. Medical information requests, fitness for work
Medical information is highly sensitive. Employers may request health-related information to confirm whether an employee is fit for a role or to support accommodation, but requests must be limited, job-related, and reasonable. The focus should be on functional abilities, restrictions, and accommodation needs, not diagnosis or detailed medical history. Collect only what you need, explain the purpose, restrict access to those who need to know, and store it securely for only as long as necessary.
9. A short note on AI at work, privacy risks and practical controls
At the time this blog was written, Alberta does not yet have a standalone AI law, but PIPA still applies when AI systems collect or process employee personal information. AI can appear in monitoring tools that analyze video, access logs, or productivity data to generate insights. It can also appear in AI-assisted decision-making for hiring, scheduling, performance management, discipline, and termination planning. Many workplaces now use generative AI in HR or management, which may involve entering employees’ personal information into third-party platforms. AI increases privacy risk because it can collect more information than needed, infer sensitive details from ordinary data, and produce outputs that are hard to explain. Risk increases when monitoring is always on or when data is reused for secondary purposes.
Practical controls include being clear about the purpose and confirming it is reasonable and necessary, collecting the minimum information needed, avoiding overly intrusive tools, giving clear notice to employees, keeping human review for high-impact decisions like discipline, termination, and accommodation, vetting vendors, limiting access, setting retention timelines, and planning for privacy breaches.
10. The Role of the Employment Standards Code
Even privacy-conscious employers have legal obligations to keep certain employment records and to provide written pay statements each pay period.
The Code requires employers to record and retain key information such as hours worked, wage rates, earnings and deductions, and basic employee details, and to keep those records for at least three years. Because these records contain personal information, PIPA still governs how you safeguard them, who can access them, how long you keep them, and whether you can use them beyond payroll and legal compliance.
Final Word
Privacy mistakes can create civil exposure. Disclosing highly personal information without a lawful basis can escalate quickly depending on what was disclosed, to whom, and why. Privacy is no longer an IT-only issue. It affects people, compliance, and litigation risk. The safest approach is consistent and disciplined: be clear about why you are collecting information, collect only what you need, use the least intrusive tools available, communicate openly with employees, and safeguard what you collect with appropriate retention and deletion practices.
If you are implementing monitoring, introducing AI tools, managing a remote workforce, or responding to a privacy complaint or breach, early legal advice can prevent costly mistakes. I help Alberta employers review and update privacy policies, draft PIPA-compliant notices and consent language, assess monitoring programs, train managers, respond to OIPC complaints, and build practical breach response plans that withstand scrutiny.
Author: Juliette Omonigho

