Recent Developments in Workplace Technologies and Privacy

Transcription

1 PRIVACY 2013 UPDATE PAPER 3.1 Recent Developments in Workplace Technologies and Privacy These materials were prepared by Frances C. Doyle, with the assistance of Magdalena Wojda, both of Harris & Company LLP, Vancouver, BC, for the Continuing Legal Education Society of British Columbia, May Frances C. Doyle

2

3 3.1.1 RECENT DEVELOPMENTS IN WORKPLACE TECHNOLOGIES AND PRIVACY I. Introduction... 1 II. Employee Expectation of Privacy on Work Laptops... 2 A. R. v. Cole Background Lower Court Decisions... 3 B. R. v. McNeice... 4 III. Workplace Implications of Cole and McNeice... 5 IV. GPS and Engine Monitoring of Employer Vehicles... 6 A. Is the Information Collected Personal Information? The Narrow Privacy Based Approach to Personal Information The Broad Approach to Personal Information Recent BC Decisions... 8 a. Schindler Elevator Corporation... 8 b. University of British Columbia... 9 B. Is the Collection and Use Reasonable? Labour Arbitration Cases PIPEDA BC PIPA BC FIPPA C. Workplace Implications of Schindler Elevator and UBC V. Conclusion I. Introduction We now live in a world where the workplace cannot function without technology. Organizations regularly provide employees with access to computers for use in the course of their work responsibilities, as well as mobile forms of technology, including Blackberries or other Smartphones, laptop computers and tablets. In addition, employers are attracted to new technologies that may increase workplace efficiency, protect organizational assets, or assist in the management of employee performance and conduct. As a result, privacy issues relating to workplace technologies are taking on increasing significance. Personal use of workplace technologies is endemic. Such use can blur the traditional boundaries between the workplace and home, and raise questions about the ownership of data generated on workplace technology, and an employee s expectation of privacy regarding personal information stored on workplace devices. Employees may be concerned that new technologies introduced in the workplace will intrude upon their personal privacy. Accordingly, the implementation of such technologies by an employer may be challenged by employees or unions, as a breach of privacy rights enshrined in legislation, or under a collective agreement.

4 3.1.2 Recently, two issues have garnered a great deal of attention and debate in this area: an employee s expectation of privacy in personal information stored on employer issued laptops, and an employer s right to monitor the use of work vehicles through GPS and engine monitoring. This paper discusses the recent cases generating this debate and their significance to workplaces in which these technologies are being used. II. Employee Expectation of Privacy on Work Laptops Where personal use of workplace technologies occurs, business data and personal data are stored side by side, notwithstanding the employer s ownership of the technology. Employers can have legitimate business needs to monitor and search such resources. These may include network maintenance and security; evaluation of customer service; investigation or monitoring employee conduct or performance, where necessary; determining how systems are being used, and ensuring compliance with policy and legal obligations. In attempting to meet these objectives, employers have traditionally believed that, as the owners of a workplace computer, they have an unfettered right to search or monitor the information that has been transmitted while using it, or contained or stored on the device. This stance is reflected in Poliquin v. Devon Canada Corp., 2009 ABCA 216, a case in which the Alberta Court of Appeal recognized the potential harm that can result from employee use of employer owned technologies. The Court endorsed an employer s right to monitor an employee s use of its equipment, stating at para. 49: Employers are not required to tolerate the misuse of their computers and Internet access any more than they are required to put up with serious incidents of dishonesty by employees In the information technology world today, can be disseminated to many inside and outside an organization with the click of a mouse. Accordingly, the harm done may well be far more serious and pervasive. This reality substantially increases the risks to employers flowing from the misuse of their equipment and Internet access for improper purposes. For these reasons, an employer is entitled not only to prohibit use of its equipment and systems for pornographic or racist purposes but also to monitor an employee s use of the employer s equipment and resources to ensure compliance. The Court strongly emphasized that employers can modify an employee s expectation of privacy with respect to use of employer technology by creating clear policies that explicitly limit such an expectation, stating at para. 45: The workplace is not an employee s home; and employees have no reasonable expectation of privacy in their workplace computers. It therefore follows that while employers may permit employees limited personal use of workplace computers, the employer is entitled to restrict the terms and conditions on which that use may be permitted. Devon did just that. Employees are permitted to use Devon s equipment for limited personal use, but such use must be in compliance with the Code of Conduct: App. Key Evidence, Vol. 1, A83 [emphasis added] Recently, however, the Supreme Court of Canada has been seen by some as having modified the traditional approach by declaring in R. v. Cole, 2012 SCC 53 ( Cole ) that an employee s personal information stored on employer issued computers may attract a reasonable expectation of privacy. A. R. v. Cole The Cole case arose from criminal charges laid against a high school teacher after a school technician discovered, on the teacher s school issued laptop, nude photographs of a female student. The issue on appeal was the admissibility at the teacher s criminal trial of evidence seized from the laptop.

5 1. Background The school board provided the teacher with a laptop for teaching communication technology and supervising a laptop program for students. Although the laptop was owned by the school board, the teacher had exclusive use and possession of the laptop and protected access to it by use of a password. The school board permitted teachers to use their computers for incidental personal use and to take their laptops home on weekends and vacations. Use of the laptop was governed by a school board policy permitting incidental personal use. The policy stated that all data and messages generated on or handled by board equipment are considered to be the property of [the school board] and stipulated that correspondence remained private, but was subject to access by school administrators in limited circumstances. A second policy on acceptable use prohibited inappropriate content on school computers, including sexually explicit material and warned that users subject to the policy should not expect privacy in their files. As part of his responsibility for supervising student laptop use, the teacher had the authority to remotely access data stored on student computers connected to the school network. He allegedly accessed a student s account, found nude and sexually explicit images of another grade 10 student, and copied those images onto the hard drive of his school-issued laptop. A computer technician employed by the school board also had domain administration rights for systems monitoring and maintenance purposes. In the course of these activities, the technician discovered the student images in a hidden folder on the teacher s work laptop. The technician took a screen shot of the photographs which he showed to the principal. The principal directed the technician to copy the photographs onto a disc and took possession of the teacher s laptop. They conducted further searches of the laptop and copied the teacher s temporary internet files to a second disc. His browsing history revealed that he had viewed other pornographic websites and photographs. The school board gave the two discs and the laptop to the police. The police were informed that although the teacher was allowed to use the laptop for incidental personal use, it and the data on it was school board property and there was a school board policy limiting employees privacy expectations on such data. With the school board s consent, the police searched the laptop, copied the hard drive and analyzed its contents without a warrant. The teacher was charged under the Criminal Code with possession of child pornography and unauthorized use of a computer contrary to the Code. 2. Lower Court Decisions On a pre-trial application in Ontario Provincial Court, the teacher challenged the admissibility of the evidence seized from his laptop on the ground that the searches of his computer by the school technician, the principal and the police violated his s. 8 Charter right to freedom from unreasonable search and seizure. The judge found that the teacher had a reasonable expectation of privacy in the contents of the laptop hard drive because, regardless of the official policy, employees were permitted and in practice, did, use their school issued computers for personal use. Mr. Cole had exclusive use of the laptop and password-protected access to it. The judge concluded that, while the principal was entitled to hand over the material to the police, the warrantless search and seizure of the material by the police officer constituted a breach of the teacher s s. 8 rights. As a result of the breach, he ruled that the evidence ought to be excluded pursuant to s. 24(2) of the Charter. On summary conviction appeal to the Ontario Superior Court of Justice, the judge overturned the trial judge s decision and sent the matter back for a retrial on the basis that the teacher had no reasonable expectation of privacy in his workplace laptop and accordingly, his s. 8 rights were not violated by the searches. Mr. Cole then appealed to the Ontario Court of Appeal, which restored the trial judge s ruling on admissibility, concluding that the teacher had a reasonable expectation of privacy in the personal information stored on the laptop.

6 3.1.4 The Court of Appeal concluded that the technician s search was proper as its purpose was the routine maintenance of the school s computer system. As such it was not really a search at all. The searches by the principal and the school board were also reasonable in light of the principal s overriding statutory obligation to ensure the health and safety of the students, and the school board s legitimate interest in investigating matters that threaten the well-being of students. However, the Court of Appeal found that the failure of the police to secure a warrant prior to searching the laptop s hard drive and the disc of the temporary internet files was a breach of the teacher s Charter right. The hard drive included the teacher s personal details including pictures of his spouse. The temporary internet files and browser history revealed Mr. Cole s personal interests, likes and propensities. A warrant could have easily been obtained and copying the entire contents was overly intrusive without one. As a result, the Court excluded evidence garnered from the police search of these materials. The disc containing the photographs of the student, however, was admissible. The Court of Appeal likened this evidence to photographs in an envelope, which did not require any further search by the police. In addition, the teacher had no continuing personal privacy interest in the images of a student obtained through the school system. The matter was remitted back to the Ontario Court of Justice for trial. The Ministry of the Attorney General sought leave to appeal the Court of Appeal s decision to the Supreme Court of Canada. The Supreme Court of Canada agreed with the Court of Appeal s finding that the warrantless search was a breach of Mr. Cole s rights against unreasonable search and seizure under the Charter. Even though the employer owned the computer and the system on which the acts occurred, the Court found that Mr. Cole had a reasonable expectation of privacy with regard to his personal information on the laptop. While the school board s policies diminished this expectation, they did not eliminate it. However, the Court disagreed with the Ontario Court of Appeal s finding that the laptop, the mirror image of its hard drive and the temporary internet file disc were inadmissible. The Supreme Court held that the evidence should not have been excluded because the police were acting on a good faith belief that a warrant was not necessary (because the laptop was school board property and there was a policy governing its use) and the breach was not egregious. As a result, the Court allowed the appeal, set aside the Court of Appeal s exclusionary order and affirmed the order of a new trial. While it expressly left for another day the finer points of an employer s right to monitor computers issued to employees, the Supreme Court affirmed the school board s right to seize and search the content of the teacher s laptop, and the Court of Appeal s conclusion that the school principal had a statutory duty to maintain a safe school environment and to protect students. By necessary implication, the principal exercised a lawful power to seize and search a school board issued laptop where there were reasonable grounds to believe that the laptop contained compromising photographs of a student. B. R. v. McNeice Recently, in R. v. McNeice, 2013 BCCA 98 ( McNeice ), the BC Court of Appeal considered a case similar to Cole. McNeice was a school principle who became the subject of an RCMP investigation after the police received information from international authorities that child pornography was being downloaded in the house where he was the only male resident. The police obtained a search warrant for his residence and seized two computers from the principal s home. The police then asked the Superintendent of Schools for the principal s work laptop. The laptop was owned by the school board and was assigned to the principal for his exclusive use. However, there was no policy governing or prohibiting personal use; nor was the laptop password protected. The Superintendent sought legal advice, and was advised to give the laptop to the police, which she did.

7 3.1.5 The police searched the laptop hard drive and found child pornography on temporary internet files. The files had been deleted from the laptop, but the police were able to retrieve them using special software. The police considered the evidence obtained from the school laptop to be important even though child pornography had also been located on the principal s home computers. The police were worried they could not rule out the possibility, however unlikely, that someone else at the home had accessed the child pornography. At trial, the judge conducted a voir dire to determine the admissibility of the evidence taken from the school laptop. He found that the principal did not have a reasonable expectation of privacy because the laptop belonged to the school board and Mr. McNeice had not protected it by password, nor had he used it for personal purposes other than web browsing. The judge compared deleting the cache of one s own temporary Internet files on someone else s laptop to dumping one s household garbage not at the curbside but directly into the garbage truck (cited at para. 18 of the Court of Appeal decision). As a result, he found that deleting the Internet files indicated that any expectation of privacy had been abandoned. Accordingly, he ruled the evidence admissible. The Court of Appeal ruled that the trial judge erred in finding that the principal had no expectation of privacy in the material stored on his work laptop. Rather than evidence of abandonment, the Court of Appeal found that the act of deleting the files itself can be seen as a very deliberate step toward preventing others from access to personal files (at para. 54). Relying on the Cole decision, which was released after the voir dire ruling, the Court held that the principal had a reasonable expectation of privacy regarding the deleted Internet files, and that the police search of those files without a warrant was a breach of the principal s s. 8 right to be secure against unreasonable search and seizure. Nevertheless, like the Supreme Court of Canada in Cole, the BC Court of Appeal ruled the evidence was admissible pursuant to s. 24(2) of the Charter. The Court did not consider the breach to be of the most serious kind, but rather, characterized the breach as in the mid to low range of seriousness (at para. 73). On the other hand, given the importance of the evidence, the Court found the impact of this breach on the [principal s] right to be significant (at para. 75). However, society s interest in adjudication of the merits of the case weighed heavily in favour of admitting the evidence. In the words of Chief Justice Finch who wrote the decision, accessing child pornography by a school principal is in my view clearly a matter on which all right minded persons would wish to see a full and fair trial based on all relevant evidence (at para. 78). III. Workplace Implications of Cole and McNeice Cole and McNeice demonstrate an evolution from the traditional approach to privacy on workplace computers, as expressed by the Alberta Court of Appeal in Poliquin, supra, that employees have no reasonable expectation of privacy in their workplace computers. Employers must now be aware that employees and unions may assert a reasonable expectation of privacy regarding personal information stored on workplace computers. The scope of that expectation will depend on, and may be diminished (but not eliminated) by the policies, practices and norms that govern the use of workplace computers, systems and devices. In Cole, the majority stated that while such policies may be instructive, they are not determinative in assessing whether the personal information on workplace computers is private. Making such determinations requires a contextual analysis of all of the relevant circumstances, including factors such as the terms of such policies; the actual practice in the workplace with respect to such information (as opposed to what the policies say); the type of information at issue; the reasons for access; and whether there is a less intrusive means of gathering the information at issue. While policies are not determinative, they are certainly necessary, and these decisions further underscore the benefits of implementing policies which clearly state the rights and limits of personal use of employer technology. Such polices should assert the employer s ownership of the technology;

8 3.1.6 state the rules and responsibilities affecting users, detail prohibited and authorized uses (e.g., a strict prohibition on activities that are, inter alia, unlawful, obscene, pornographic, libellous, defamatory, threatening or abusive). Such policies should also explain the purposes for which employer monitoring may take place, and the consequences of misuse. Finally, such policies should put employees on notice that they should not expect privacy on workplace devices even when they are used outside of the workplace. While the Supreme Court of Canada expressly refused to address the finer points of an employer s right to monitor computers issued to employees, these decisions do strengthen an employer s ability to assert its management right to search workplace computers where necessary for legitimate business reasons. However, the policy framework courts and arbitrators will apply when analyzing the degree of protection an employee s privacy interests on workplace technologies has evolved from none, in Poliquin, to the reasonable expectation of privacy analysis as set out in Cole. The challenge for employers will be to demonstrate how that reasonable expectation of privacy on workplace technology has been diminished by policy and the legal basis for any intrusion upon it. IV. GPS and Engine Monitoring of Employer Vehicles The issue of GPS and engine monitoring of employer vehicles has arisen in cases in a number of venues: before privacy adjudicators under various statutory regimes, labour arbitrators and the courts. Complainants in these cases say that the information collected through such technologies constitutes personal information attracting privacy protection. Whether the data collected is, in fact personal information warranting protection, and whether the employer s collection and use of this information is reasonable are typically the central issues in these types of cases. A. Is the Information Collected Personal Information? There are primarily two divergent approaches to the interpretation of personal information under privacy legislation in Canada, as discussed below. 1. The Narrow Privacy Based Approach to Personal Information The first approach endorses a privacy-based definition of personal information that connotes concepts of intimacy, identity, dignity and integrity of the individual. The Federal Court of Appeal in Canada (Information Commissioner) v. Canada (Canadian Transportation Accident Investigation and Safety Board), 2006 FCA 157, leave to appeal denied, [2006] S.C.C.A. No. 259 ( NAV Canada ) adopted this approach in interpreting the meaning of personal information under the federal Privacy Act. In that case, individuals sought access to recordings and transcripts of air traffic control communications relating to four aviation incidents which were the subject of investigations and reports by the Canadian Transportation Accident Investigation and Safety Board (the Safety Board ). The records contained information about the status of the aircraft, weather conditions, and matters associated with air traffic control communications, including remarks made by pilots and controllers. The Safety Board refused to disclose the records on the basis of the personal information exemption under the Privacy Act. On judicial review, the Federal Court ruled that the requested information constituted personal information under the relevant statutes because the information in the recordings was about an identifiable individual, since it would allow identification of the aircraft, and the location and operating initials of the specific controller involved. The Federal Court of Appeal disagreed, and allowed the appeal, finding that personal information must be understood as equivalent to information falling within the individuals right of privacy (at para. 44). The Court explained that privacy connotes concepts of intimacy, identity, dignity and

9 3.1.7 integrity of the individual (at para. 52). In considering the nature of the information at issue, the Court concluded that the information was in fact, professional and non-personal. Under this definition of privacy, the disputed information was not personal, notwithstanding that the information could lead to identifying an individual and assist in determining how an individual performed his or her duties in a particular situation. Ultimately, the Court found that the information was not about an individual because it did not match the concept of privacy and the values that concept was meant to protect (at para. 54). The Federal Court of Appeal s approach in NAV Canada was adopted in the context of a labour arbitration in Otis Canada Inc. v. International Union of Elevator Constructors, Local 1 (Telematics Device Grievance), [2010] B.C.C.A.A.A. No. 121 (Steeves) ( Otis BC ). In that case, the union filed a policy grievance alleging that the employer s use of Telematics devices in vehicles driven by its mechanics violated the collective agreement, the BC Labour Relations Code, and the mechanics privacy rights under the BC Personal Information Protection Act ( PIPA ). The employer s business was the installation and maintenance of elevators. The mechanics used the employer s vehicles to attend worksites, using cell phones to log in and out of their work days. The employer s policy prohibited personal use of company vehicles. The Telematics devices did not have GPS function, but used satellite technology to collect information about vehicles when they were operated by the mechanics, recording information such as start, stop and idle times, and the name of the vehicle operator. Arbitrator Steeves dismissed the grievance on the basis that the information collected by the devices did not constitute personal information under PIPA. The Arbitrator reviewed case law discussing privacy under the Charter and under Ontario s Freedom of Information and Protection of Privacy Act, and adopted the approach applied under federal privacy legislation in NAV Canada. He stated that the only information that was personal in the form containing the Telematics data was the name of the employee/driver/mechanic and that all of the other information on the form related to vehicle operation. Relying on NAV Canada, the Arbitrator found that the information was of a professional and non-personal nature and did not engage the individual mechanics right to privacy (at paras ). 2. The Broad Approach to Personal Information The second approach to interpreting personal information, defines the term broadly as any information that is capable of identifying an individual. Under this definition, it is not necessary to show that the information relates to one s dignity or integrity, or is captured by notions of intimacy and personal identity. The Federal Assistant Privacy Commissioner applied this approach in PIPEDA Case Summary #351, [2006] C.P.C.S.F. No. 28. In that case, the Assistant Commissioner investigated a complaint that an employer planned to install GPS units on work vehicles in order to track employee daily movements while on the job. The information collected included start and stop times, speed, location, mileage and off-shift parking location. The employer argued that since the GPS did not collect location information associated with a particular individual, it did not collect personal information, but rather information relating to company vehicles. The Assistant Commissioner disagreed, finding that because the information collected could be linked to specific employees driving the vehicles, they are identifiable even if they are not identified at all times to all users of the system (at para. 29). As a result, she concluded that the information was personal information within the meaning of the Personal Information Protection and Electronic Documents Act ( PIPEDA ). The Assistant Commissioner reached a similar conclusion in PIPEDA Case Summary # , [2009] C.P.C.S.F. No. 11, which involved a municipal transportation company which installed mobile data terminals with GPS devices in vehicles used to provide transportation services to mobility-impaired persons. The primary objectives of the system were: 1) improving dispatch efficiency and route scheduling, 2) providing clients with more accurate vehicle arrival information, and 3) emergency

10 3.1.8 location. The complainant argued that the employer was improperly collecting his personal information, namely his daily movements while on the job. Without setting out her reasoning on this point, the Assistant Privacy Commissioner appeared to accept that the information was personal information under PIPEDA based on her previous decisions in similar cases, such as PIPEDA Case Summary # Recent BC Decisions In BC, the Information and Privacy Commissioner recently adopted the broad approach to interpreting personal information involving GPS monitoring of employer vehicles, in both the private and public sector. a. Schindler Elevator Corporation In the first case, Schindler Elevator Corporation, Order F12-01 ( Schindler Elevator ), the Commissioner investigated a complaint made by a group of employees who objected to their employer s collection and use of information gathered through GPS and engine monitoring of its service vehicles. The employees operated the company s vehicles for work but kept the vehicles at home, using them to travel directly from their homes to job sites without reporting to the company s office. The monitoring technology recorded data about vehicle location and the manner in which the vehicle was being driven, including start and shut off times, distance travelled, speed travelled sharpness of acceleration and braking. The technology was not used to constantly monitor employees, but rather, generated reports only where the vehicle s use deviated from accepted norms. The employer s purposes for collecting the information included managing employee performance by managing productivity and hours of work, and ensuring employees were driving safely. The complaint alleged the data generated by the GPS and engine status data was personal information subject to the PIPA, and that the employer s collection and use of such information contravened the Act. The employer argued, among other things, that the proper approach to defining personal information was the narrow, privacy based interpretation applied in NAV Canada and Otis BC. The employer contended that the information collected was about the vehicle and not about the employee driving it. As a result, reviewing the information would not result in an invasion of the employee s privacy. The Commissioner rejected the employer s position, expressly refusing to adopt the narrow privacy based interpretation of personal information endorsed by the Federal Court of Appeal in NAV Canada and Arbitrator Steeves in Otis BC. Instead, she defined personal information under PIPA broadly as information that is reasonably capable of identifying a particular individual, either alone or when combined with other available sources of information, and is collected, used or disclosed for a purpose related to the individual (at para. 85). The Commissioner found that the disputed information met this definition since vehicles were assigned exclusively to one employee at time, and the employer maintained records of the identity of the individual operating a given vehicle at given times. Further, while the information would reveal details about the vehicle, it would also, in light of the employer s purpose for collecting the information, say something about the employee driving it such as how the employee was driving on a particular occasion, as well as how he or she drove generally (at para. 104). The Commissioner also found that the information constituted employee personal information as defined in PIPA (i.e., personal information collected, used and disclosed, solely for purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual). She stated (at para. 121):

11 3.1.9 A business is entitled to ensure, subject to applicable laws and agreements, that its employees meet productivity standards. It is also a reasonable purpose for a business to collect personal information to ensure that its employees are actually working the hours for which they are paid. It is, at least reasonable for a business to be able to ensure that its employees are, in the course of their employment, driving company vehicles lawfully and with reasonable care. I therefore find that the information is collected for purposes reasonably required to manage an employment relationship. Thus, the employer s objectives in using the monitoring technologies were for legitimate, reasonable, business purposes. Since this information was used solely for such purposes, the Commissioner found that it constituted employee information under PIPA. b. University of British Columbia Shortly after issuing her decision in Schindler Elevator, the Commissioner published University of British Columbia, Order F13-04 ( UBC ). This case involved facts similar to the facts in the Schindler Elevator case but was considered under the BC Freedom of Information and Protection of Privacy Act ( FIPPA ), since UBC is a public body within the meaning of that statute. In UBC, the employer installed GPS technology in patrol vehicles used by its Campus Security Department. The technology generated information about the location, movements, speed and ignition status of patrol vehicles driven by employees. UBC submitted arguments similar to the employer s arguments in Schindler Elevator, relying in part on the narrow, privacy based interpretation of personal information. The Commissioner again rejected this position, concluding that interpreting personal information under FIPPA should involve the same analysis she undertook in Schindler Elevator in relation to the definition of that term under PIPA. As a result, the decisions in Schindler Elevator and UBC establish that information need not fall within an individual s zone of privacy in order to constitute his or her personal information under BC s privacy statutes. Rather, information will qualify as such if it identifies an individual, and it is about that individual in light of the purposes for which the information was collected. B. Is the Collection and Use Reasonable? In cases involving complaints about the use of GPS and engine tracking technologies in the workplace, once it is established that the disputed information is personal information deserving of protection, the second issue is the reasonableness of such use. Generally, it is permissible for employers to use GPS and engine monitoring technology in vehicles driven by their employees, so long as such use is reasonable. 1. Labour Arbitration Cases Traditionally, under longstanding arbitral principles, surveillance of employees will be considered reasonable if the employer can prove that: there is a substantial problem that needs to be addressed; there is a strong possibility that surveillance will be effective; and there is no reasonable alternative to the surveillance. This test has typically been applied in arbitration cases concerning the admissibility of evidence collected though the surveillance at issue. 1 Privacy statutes have modified, or at least added to this test. 1 See, for example, Molson Canada v. Brewery, Winery and Distillery Workers Union, Local 300 (Waddington Grievance), [2012] B.C.C.A.A.A. No. 104 (Burke).

12 2. PIPEDA Under the Federal PIPEDA, the approach to assessing the reasonableness of employee surveillance was established by the Federal Court of Appeal in the leading case of Eastmond and Canadian Pacific Railway and Privacy Commissioner of Canada, [2004] F.C.J. No ( Eastmond ). The test involves a consideration of the following four factors: Is the surveillance demonstrably necessary to meet a specific need? Is the surveillance likely to be effective in meeting that need? Is the loss of privacy proportional to the benefits gained? Is there a less privacy intrusive way of achieving the same purpose? In Eastmond, the Federal Court upheld an employer s use of overt video surveillance, overturning the Federal Privacy Commissioner s decision that the employer s use of the surveillance contravened PIPEDA. The Court referred to numerous incidents of vandalism, theft, and sexual harassment of female employees that had occurred at the workplace. This evidence established that the surveillance was demonstrably necessary. As the Court stated: a reasonable person would consider [the] purposes for collecting the images of [the] employees and others on video camera appropriate in the circumstances. The Court emphasized that the employees knew where the cameras were located, and that the loss of privacy was minimal and proportional to the benefit gained. The Court also accepted the employer s evidence that alternatives to video surveillance had been considered, and were not cost effective. The Federal Assistant Privacy Commissioner applied the Eastmond test in finding that the use of GPS monitoring was reasonable in PIPEDA Case Summary 351, supra. In that case, the employer stated that it implemented the GPS monitoring system in order to remain competitive by managing productivity, ensuring safety, and protecting and managing its assets. The Assistant Commissioner found that, using GPS for these purposes was appropriate and that the loss of privacy was proportional to the benefits gained. In addition, she found that there was no less privacy intrusive way of achieving the same objectives. Similarly, in PIPEDA Summary # , supra, the Assistant Privacy Commissioner found that the use of Mobile Data Terminal ( MDT )/GPS technology for improving efficiency, increasing the quality of service and ensuring client safety were reasonable purposes under PIPEDA. She found further that these objectives could not be achieved without the use of MDT/GPS, the loss of privacy was proportional to the benefit gained and there was no less privacy intrusive way of achieving the sought improvements in safety and services. 3. BC PIPA Recently, in assessing the reasonableness of the employer s use of GPS and engine monitoring technology under PIPA in Schindler Elevator, the BC Privacy Commissioner expressly refused to adopt the Eastmond test, in favour of a more expansive and practical approach. She determined that under PIPA, the overriding criterion is reasonableness and in meeting their PIPA responsibilities, organizations must consider what a reasonable person would consider appropriate in the circumstances (at para. 139). She expanded the Eastmond test by identifying the following factors, which may expand or vary depending on the circumstances of each case: whether there is a legitimate business need to use the monitoring technology; whether the personal information collected is sensitive in nature (e.g., information revealing the health history or medical conditions of an employee, or marital status information that reveals sexual orientation);

13 the amount of personal information collected (an employer should not collect or use more personal information than is reasonably required for the stated purpose); whether the monitoring is likely to be effective in fulfilling the employer s objectives; where less privacy intrusive alternatives exist, whether the employer has given them reasonable consideration with regard to factors such as cost to the organization and effectiveness of the alternatives; and whether the monitoring is covert. Applying this more expansive approach, the BC Commissioner in Schindler Elevator found that the employer s use of GPS and engine monitoring was reasonable on the following grounds: (a) the purposes of collecting the information (i.e., to manage employee productivity and hours of work, ensure that the employees were driving lawfully and safely) were legitimate business needs; (b) the GPS data was not particularly sensitive since it arose overwhelmingly in the context of work-day activities, and it was not collected and used routinely or continuously monitored; (c) similarly, the engine status data was not sensitive information since information about when employees appear to have started or stopped work is not readily described as sensitive, and neither is the exception report information, which reveals driving behaviour falling outside employer-set parameters; (d) the engine status data was reasonably likely to be effective in ensuring employees drove safely, lawfully and in accordance with the employer s policies, since the data enabled the employer to take a more proactive approach to catching unsafe drivers; (e) the engine start and stop time data, and GPS data as to location during times when an employee is supposed to be working on a jobsite, are reasonably likely to be effective in verifying hours of work, since the employees were a mobile workforce and did not report to the employer s office or any dispatch facility before or after work; (f) the employer had not only considered, but used, the only apparent alternative, which was self-reporting in writing and by cell phone, which was done after the fact and was often inaccurate and incomplete, despite employees best efforts; (g) the monitoring was not covert; the existence of the monitoring system, what it did and how the employer used it was known to the complainants through the employer s GPS Policy and notification letter, as well as through meetings between the employer and the union before the system went live; and (h) the collection and use did not offend the employees dignity. In the result, the Commissioner concluded the collection and use of the information by the employer in Schindler, was both reasonable and authorized under PIPA. Further, between its GPS Policy and a letter to affected employees, the employer was found to have given employees adequate notice of its collection and use of the information at issue. The employees complaint was therefore dismissed. 4. BC FIPPA In UBC, the BC Commissioner also found that GPS monitoring of employees may be permissible under s. 26(c) of FIPPA, which authorizes a public body to collect personal information if the information relates directly to and is necessary for a program or activity of the public body (at para. 55). Under this section of the FIPPA, reasonableness must be considered when assessing whether the collection of an employee s personal information through GPS technology is necessary.

14 The Commissioner concluded that UBC s monitoring system was authorized under FIPPA on the basis that it related directly to UBC s campus security program; its purposes (employee safety, dispatch efficiency, vehicle maintenance and investigation of employee vehicle use where justified) were acceptable; it was efficient and reliable in meeting UBC s objectives; the information collected was not particularly sensitive; and the employees were not continuously monitored. However, since UBC failed to provide its employees or the union with notice before implementing the monitoring system, the Commissioner ordered UBC to stop collecting employees personal information in this manner until it complied with the notice requirements prescribed by FIPPA (s. 27). C. Workplace Implications of Schindler Elevator and UBC Employers can expect that if their use of GPS or engine monitoring systems is challenged under BC s privacy statutes, the information collected through these technologies will likely be found to be personal information where the data can be linked to an identifiable individual, based on the broad interpretation of this term adopted in the Schindler Elevator and UBC decisions. As a result, employers should ensure that they act reasonably in implementing and using these types of technologies. Where the reasonableness of their actions is assessed in this context, employers can expect an expanded approach, but one in which emphasis will continue to be placed on the requirement for employers to establish a legitimate business purpose for using the technology. Purposes that have been found to meet this part of the test under privacy legislation include: protecting, maintaining and managing assets; improving efficiency or quality of service; ensuring safety of employees and others; ensuring proper, lawful and safe use of employer vehicles; and managing employee productivity and hours of work. It bears noting that in the labour context, adjudicators have found similar purposes to be legitimate in assessing the permissibility of monitoring company vehicles under a collective agreement (e.g., ensuring the efficiency, security, maintenance and proper use of company vehicles): Otis BC and Otis Canada Inc., [2013] O.L.R.D. No. 217 ( Otis Ontario ). In addition, the Ontario Labour Relations Board in Otis Ontario found that the employer was entitled to monitor its vehicles at all times in order to protect its assets and ensure no off duty use of the company vehicles in accordance with its vehicle use policy. In assessing what is reasonable, it is also essential for employers to consider the sensitivity of the personal information in question. In the Schindler Elevator and UBC cases, the personal information collection was not overly intrusive; it related only to details of how the employee operated the employer s vehicle, and focused on activities during work hours. However, if an employer is collecting more sensitive information, for example, information relating to an employee s medical of financial circumstances, marital status or sexual orientation, tighter restrictions will likely be placed on what is reasonable use of such information. It is also the case that the implementation of any covert types of surveillance will be held to a higher standard. Finally, it is imperative for employers wishing to use GPS or engine monitoring technologies to provide adequate notice to employees of its intention in order to meet applicable statutory notice requirements. This can be achieved by developing and implementing policies that clearly set out the purposes for the monitoring system, how it will be used and the limits of such use and by bringing such policies to the attention of workers and their representatives.

15 V. Conclusion Lastly, the recent case law discussed in this paper highlights three issues relating to workplace privacy generally. First, workplace privacy continues be an important area as the boundaries between employees work and personal lives grows more blurred due to technology-enabled work practices and connectivity. It is vital for employers to ensure they are meeting their privacy obligations as they face new challenges relating to workplace technology. Second, as traditional legal tests relating to privacy continue to evolve and expand, employers need to examine the rights they traditionally enjoyed, and the tests they previously relied upon, through a new, privacy oriented lens. In some cases, employers may find that they need to make significant changes to their practices or policies as a result. For example, looking through a privacy oriented lens may call into question traditional workplace processes and procedures which are in place because we ve always done it that way. This type of examination may reveal collection, use and disclosure of personal information where there is no identifiable or justifiable work related need to do so. Finally, the recent cases in this area underscore the importance of maintaining current workplace policies on privacy. These policies should indicate that, as the property of the employer, workplace technology and equipment may be searched and employees should not expect privacy on workplace devices when they are used inside or outside of the workplace. In addition, if an organization plans to implement any kind of technological monitoring, it is crucial to examine the rationale through the privacy lens, and to provide employees with the appropriate notice as required by privacy legislation before any such monitoring takes place.