Surveillance is increasing throughout Canadian society. For example, organizations in the private sector and law enforcement agencies are increasingly using video cameras as a deterrent to crime and as an investigative tool. Individuals use webcams, cellphone cameras, spy tools and other recording devices to record others or even themselves in daily activities, for purposes such as monitoring the nanny, confirming spousal infidelity, cyber-bullying or making themselves into internet stars.

In this section we focus on video surveillance in the private sector. Public sector surveillance is discussed below.

Video Surveillance in the Private Sector

Video surveillance of the public by business and government has become very widespread over the past decade. Privacy laws that apply to the private sector (including PIPA (BC) and PIPEDA) require organizations to ensure that they balance the organization’s interests with the privacy rights of individuals.  These laws apply to personal information regardless of whether it is recorded or not, so that when a private sector organization engages in surveillance – regardless of whether it records the surveillance or not – it must comply with PIPA or PIPEDA.

The Privacy Commissioner of Canada, together with the Information and Privacy Commissioners of BC and Alberta  issued some useful guidelines for the use of overt video surveillance in March 2008.

These guidelines are not legally binding, but are the Commissioners’ recommendations for what organizations should do to make sure they follow the law. It is therefore strongly recommended that organizations subject to PIPA and PIPEDA follow these guidelines.

What Does a Private Sector Organization Have to do When it Uses Video Surveillance?

These guidelines specify that when organizations in the private sector use video surveillance, they must at minimum, comply with the requirements of PIPA (BC) (or PIPA (Alberta) or PIPEDA.
This means they should:

  1. post a notice about the use of the cameras which is visible at or before the time the individual enters the premises, so that the individual may chose not to enter if they do not wish to consent to being videotaped.  The organization can assume that you have consented to being videotape if you go past the notice and into the premises (this is called ‘implied consent’);
  2. limit the collection, use and disclosure of information collected by the video camera. This means that it should be positioned to capture images only of the area which is the object of the surveillance and not images of other areas, such as the sidewalk outside a retail shop, where images of passers-by could be captured;
  3. not use cameras where people have a heightened expectation of privacy, such as in washrooms or showers, and not focus them into private residences;
  4. ensure that the set-up of cameras does not allow employees to change or adjust the direction or focus to capture these types of images;
  5. ensure that the recording is used or disclosed for authorized purposes only;
  6. ensure that the operators are trained to understand their obligations under privacy law;
  7. protect the security of the information;
  8. ensure, when granting access, that the personal information of others which might be contained in the same recording is protected;
  9. keep the recording only so long as necessary to fulfil the purposes for which the information was collected and destroy it when it is no longer needed. The method of destruction should ensure that the information is obliterated so it remains secure; and
  10. retain the recording for a minimum of one year if it was used to make a decision about an individual, to enable the individual to request access.

Individuals whose images are captured on the recording have a right to request access to that recording under privacy laws.

Audio recording is generally not allowed. If the recording captures sound, the organization must consider the Criminal Code provisions dealing with intercepting private communications.

Organizations should have a video surveillance policy addressing the key issues discussed above. Organizations should also periodically assess their use of surveillance to ensure it meets the standard set out in the decisions of the Privacy Commissioner. That standard requires an organization to ask itself three questions: whether the surveillance is effective in addressing the problem it was introduced to deal with; whether the surveillance is minimally invasive or would a less privacy-intrusive way of addressing the problem be effective; and whether the problem still exists.

What You Can do If an Organization Does Not Follow These Guidelines

If you are concerned about an organization`s video surveillance activities, you can make a complaint directly to the organization. It is required by law to have a policy to receive and respond to complaints about its privacy practices.
If you are not satisfied with the response you receive from the organization, you can complain to the appropriate Privacy Commissioner.