TD’s plan to monitor some staff has exposed a legal gap: in much of Canada, an employer can watch you work and owes you little more than a notice.
Then Toronto-Dominion Bank told some of its staff that software would soon be watching how they worked, the employees did what most people do when handed that news.
They asked what exactly it would track, whether it could be used against them, and whether they had any say. The more uncomfortable answer, in much of Canada, is that the law gives them very little leverage to refuse.
The bank’s move, reported by Reuters in an exclusive earlier this month, applied to employees in its financial-crimes and risk-management functions.
They were told TD would deploy a tool called WorkiQ to track how they spent their time across web browsers, internal messaging, meeting apps, and other work software.
On the call, staff raised the obvious questions about privacy, about what the tool would capture, and about whether the data could feed into performance reviews.
TD described the deployment as “standard practice across the industry,” and said it uses automated tools in various parts of the business to improve insights and allocate resources.
There was a second, more striking element. According to an internal memo seen by Reuters, TD had initially planned to collect employees’ mouse movements, keystrokes, and other actions to use as training data for artificial intelligence, then scaled that back after weeks of pushback from staff.
The detail rhymes with what has been happening at Meta, which deployed a programme to capture keystrokes and mouse clicks on employee machines, also for AI training, and which paused the tool in June after a data-security scare.
The new frontier of workplace monitoring is not just measuring productivity. It is harvesting the way people work as raw material for models.
What makes the Canadian case distinct is the legal vacuum around it. The country’s federal privacy law, PIPEDA, does not apply to provincially regulated employers in provinces that lack their own substantially similar legislation, which includes Ontario, where much of the financial sector sits.
In those provinces, employee protection is assembled from a patchwork of employment-standards rules, common-law privacy torts, contracts, workplace policies, and, where they exist, collective agreements.
There is no single statute a worker can point to and say the surveillance crosses a line.
Ontario went furthest of any province, and even that is modest. Since October 2022, employers with 25 or more staff must have a written policy stating whether and how they electronically monitor employees.
The catch is in the wording. The law requires disclosure, not restraint. It compels an employer to tell workers what it is doing, but it does not give workers a new right to object, to limit the monitoring, or to keep the data out of a performance file. Telling someone they are being watched is not the same as protecting them.
The contrast with Europe is sharp. Under the EU’s data-protection regime, monitoring of the kind TD described runs into the principle of purpose limitation, the rule that data gathered for one reason cannot be quietly repurposed for another.
Repurposing employees’ everyday digital activity into AI training data is precisely the move that European rules are built to challenge. A Canadian worker in Ontario has no comparable instrument to reach for.
None of this makes TD an outlier. Employee monitoring spread quickly through the remote-work years, and banks, with their compliance obligations, have more reason than most to watch what staff do.
The tools have advanced faster than the rules meant to govern them, and in much of Canada the rules were never strong to begin with.
For the employees on that TD call, the answer to how much of their workday belongs to their employer is, for now, mostly up to the employer.
You must be logged in to post a comment Login