Privacy Protection in the Digital Workplace



Similar documents
Social Media In the Workplace

Doing Business. A Practical Guide. casselsbrock.com. Canada. Dispute Resolution. Foreign Investment. Aboriginal. Securities and Corporate Finance

Cloud Computing: Privacy and Other Risks

Insurance Journal. Defending Until the End When Does the Duty to. Volume 1, Issue 3 Editor Keoni Norgren. May 1, 2013

POLICE RECORD CHECKS IN EMPLOYMENT AND VOLUNTEERING

Law Firm Compliance: Key Privacy Considerations for Lawyers and Law Firms in Ontario

Digital Evidence meets the Charter: Peer-to-Peer (P2P) File-Sharing Networks

CLOUD COMPUTING & THE PATRIOT ACT: A RED HERRING?

Taking care of what s important to you

Privacy Law in Canada

Policy Statement. Employee privacy, data protection and human resources. Prepared by the Commission on E-Business, IT and Telecoms. I.

How to write a policy to prevent. Harassment. by Louise Pohl

This agreement applies to all users of Historica Canada websites and other social media tools ( social media tools or social media channels ).

PHIPA Potpourri. Judith Goldstein, Legal Counsel Information and Privacy Commissioner/Ontario. IPC Mediators April 21, 2015

What is involved if you are asked to provide a Police Background Check?

Federation of Law Societies of Canada. Ottawa, November 26, 2013

Human Resources People and Organisational Development. Disciplinary Procedure for Senior Staff

How To Use The Blog Safely And Responsibly

SURVEILLANCE AND PRIVACY

Privacy Update Recent Updates in Privacy Law

COUNCIL OF THE EUROPEAN UNION. Brussels, 22 November /06 DATAPROTECT 45 EDPS 3

Workplace Anti-Harassment Policy (Alberta)

Privacy Law in Canada

Dundalk Institute of Technology. Acceptable Usage Policy. Version 1.0.1

3. Consent for the Collection, Use or Disclosure of Personal Information

Employment and Labour Law in Canada

Employment Contracts: tips, traps and techniques (613) (613)

I. Issues Surrounding /Computer Monitoring and Searches of an Employee's Property

Queensland WHISTLEBLOWERS PROTECTION ACT 1994

Virginia Commonwealth University Police Department

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

Information Services. Regulations for the Use of Information Technology (IT) Facilities at the University of Kent

Personal Information Protection Act Information Sheet 11

ORDER MO-2114 Appeal MA York Regional Police Services Board

AN INTRO TO. Privacy Laws. An introductory guide to Canadian Privacy Laws and how to be in compliance. Laura Brown

HIGH SCHOOL FOR RECORDING ARTS

Computer Facilities and External Networks Acceptable Use by Students

The Credit Reporting Act

SASKATCHEWAN OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER INVESTIGATION REPORT F Saskatchewan Workers Compensation Board

Crimes (Computer Hacking)

REVIEWED BY Q&S COMMITTEE ON THE 4 TH JUNE Social Media Policy

CHAPTER 124B COMPUTER MISUSE

Supreme Court of Canada Creates New Test for Police to Search Cell Phones Without a Warrant

SAMPLE RETURN POLICY

A Manager s Guide to Reasonable Accommodation

DISCIPLINE RUTLAND. limited by guarantee. Registered in England and Wales.

Canadian Employment Law Overview for U.S. Employers

Law Office Searches: A Primer 1. Ian R. Smith Fenton, Smith Barristers Toronto, Ontario

Internet & Technology Usage in the Networked Workplace: Legal Implications

Cloud Computing Contracts. October 11, 2012

Personal Information Protection Act ( PIPA ) Privacy-Proofing Your Retail Business Tips for Protecting Customers Personal Information 1

Glasgow Kelvin College. Disciplinary Policy and Procedure

National Association of Pharmacy Regulatory Authority s Privacy Policy for Pharmacists' Gateway Canada

Derbyshire Constabulary GUIDANCE ON THE SAFE USE OF THE INTERNET AND SOCIAL MEDIA BY POLICE OFFICERS AND POLICE STAFF POLICY REFERENCE 09/268

PRAIRIE SPIRIT SCHOOL DIVISION NO. 206, BOX 809, 121 KLASSEN STREET EAST, WARMAN, SK S0K 4S0 -- PHONE: (306)

Strategies for occupational therapists to address elder abuse/mistreatment

Court Record Access Policy

Data controllers and data processors: what the difference is and what the governance implications are

PIPA and the Hiring Process

Terms & Conditions. In this section you can find: - Website usage terms and conditions 1, 2, 3. - Website disclaimer

POLICY. Responsible Use of Social Media

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect.

INTERNET, AND COMPUTER USE POLICY.

Overview of. Health Professions Act Nurses (Registered) and Nurse Practitioners Regulation CRNBC Bylaws

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;

Protecting your privacy

INFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013

POLICY: INTERNET AND ELECTRONIC COMMUNICATION # 406. APPROVAL/REVISION EFFECTIVE REVIEW DATE: March 2, 2009 DATE: March 10, 1009 DATE: March 2014

BASIC CONCEPTS IN EMPLOYMENT LAW

USE OF INFORMATION TECHNOLOGY FACILITIES

British Columbia Personal Information Protection Act. Frequently Asked Questions:

Terms of Service. Your Information and Privacy

Disciplinary and Dismissals Policy

Index All entries in the index reference page numbers.

FIDELITY APPLICANT PRIVACY AND PROTECTION NOTICE

APPROPRIATE USE OF INFORMATION POLICY 3511 TECHNOLOGY RESOURCES ADOPTED: 06/17/08 PAGE 1 of 5

ALBERTA OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER ORDER F December 18, 2015 CALGARY POLICE SERVICE. Case File Number F6681

GPS Tracking of Employees: Balancing Employees Right to Privacy with Employers Right to Know

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT

Conditions of Use. Communications and IT Facilities

Policy on the Security of Informational Assets

Transcription:

Privacy Protection in the Digital Workplace We as a society don t tolerate discrimination in the workplace, or harassment. Why would we tolerate invasion of privacy? 1 By Pat Flaherty and Sarah Whitmore Privacy has been described by the Supreme Court of Canada as an essential component of what it means to be free. 2 Protection of an individual s right to privacy is predicated on the assumption that all information about a person is in a fundamental way his own, for him to communicate or retain. 3 The importance of privacy has been acknowledged as a fundamental human right; but just as no other recognized human rights or Charter rights are absolute, the right to privacy must also yield to competing rights in certain circumstances. In the workplace, the employer s rights to monitor quality control and employee productivity as well as to ensure a safe and harassment-free workplace often warrant an incursion on employees rights to privacy. Governing the appropriate balance to be struck between employers rights and employees privacy interests is a patchwork of privacy legislation, individual employment contracts, Charter rights, and the newly recognized tort of intrusion upon seclusion. 4 As technology has advanced and facilitated the spread of information and the ease with which organizations can communicate and store personal information, the need for employers to monitor their employees has become more acute. Employees use of computers, the Internet, email, and social media at work (for work-related and non-work-related purposes) presents new concerns for employers, including the effect of such use on productivity, workplace harassment, and their liability for their employees online activities. Employers may be found liable for their employees online defamatory remarks, copyright and trademark infringement, harassment, and other illegal conduct in the course of employment. Workplace harassment may be more readily facilitated through the use of company email or through the sharing of hateful or offensive material from the Internet. As a result of these concerns, many employers take the position that monitoring their employees computer usage and online activities is necessary to detect activity that may negatively affect the business. Furthermore, employers may have a duty to monitor employees in order to meet the legal occupational health and safety obligations to provide a harassmentfree and non-discriminatory workplace. 5 This paper was originally presented at The Law Society of Upper Canada's Special Lectures 2012: Employment Law and the New Workplace in the Social Media Age program on April 25 and 26, 2012. 1 A. Zborosky, Personal Information Privacy and Electronic Document Act From the Perspective of Employees and Unions (Address to the Canadian Bar Association Mid-Winter Meeting, February 2004) at 7. 2 R. v. O Connor, [1995] 4 S.C.R. 411 at para. 113. 3 R. v. Tessling, 2004 SCC 67 at para. 23. 4 On January 18, 2012, the Ontario Court of Appeal recognized a private right of action for intentional intrusion upon one s seclusion, though the court avoided calling the new nominate tort one of invasion of privacy in Jones v. Tsige, 2012 ONCA 32 [Jones]. 5 R. Gary Dickson, QC, and Sandra Barreth, Privacy Laws and Virtue Testing in the Workplace (Presentation for the Canadian Bar Association, Saskatchewan Branch), 3 February 2006 at 8.

- 2 - On the other hand, the digital workplace also presents new and increased risks to employees privacy. A reality of the digital workplace is that employees use employer-owned technology to send and share personal information over the Internet, email, and social-media sites. For example, employees communicate with other employees and unrelated third parties over their employer s email server; they store their financial records on their employer-owned computers; they access and use social-media sites from their employer s Internet network; and they use employer-owned smart phones and other PDAs as if the devices were their own. These practices and other new technologies have also given employers the ability to more readily track or monitor their employees personal information and performance. Technologies exist to allow employers to scan emails, track Internet usage, monitor keystrokes, search hard drives, and monitor an employee s movements on and off the job. As a result, the quantity and accessibility of employees personal information in the workplace have exponentially increased, giving rise to greater concern for their privacy rights. This paper examines the balance that is currently being struck in the private sector digital workplace between Canadian employers rights to monitor their employees to ensure performance and workplace safety, on the one hand, and employees rights to privacy, on the other. More specifically, we focus on the employer s right to monitor employees use of email, social media, and company-owned computers and vehicles. We also consider the issue of employers conducting background checks on prospective employees via social media. Before examining these various issues, we outline the legislative framework surrounding Canadian employees privacy rights in the workplace. A. Privacy Rights in the Canadian Workplace A private sector employee s right to privacy is contained in a patchwork of rights codified in various pieces of legislation and arising from the common law. The nature and scope of protection given to an employee s personal information vary according to the province and sometimes the sector in which the employee is working. In Ontario and several other provinces, 6 there is a gap in legislative protection for private sector employees privacy rights. These provinces have not enacted private sector privacy legislation of general application, and, as discussed below, the federal privacy legislation does not extend to provincially regulated private sector employers collection, use, and disclosure of employees personal information. 1) Federal Legislative Protection Canada s main private sector privacy legislation is the federal Personal Information Protection and Electronic Documents Act. 7 PIPEDA applies to all collection, use, and/or disclosure of personal information in the course of commercial activity by an organization and imposes several main privacy-related obligations on organizations subject to its provisions. 8 Personal information is defined broadly in PIPEDA and currently includes information about an employee other than name, title, and business address and telephone number. 9 PIPEDA has limited application in most workplaces. With respect to personal information about employees, consistent with the constitutional division of powers in Canada, PIPEDA applies only to federally regulated employers (those engaged in a federal work, undertaking or business and employers in the three territories). Consequently, PIPEDA does not apply to provincially regulated employers. 6 The only provinces that have enacted provincial privacy legislation of general application are British Columbia, Alberta, and Quebec. 7 S.C. 2000, c. 5 [PIPEDA]. 8 PIPEDA, s. 4(1)(a). 9 PIPEDA, s. 2(1) definition of personal information. Note that the amendments to PIPEDA currently pending before Parliament as Bill C-12 amend this definition to remove the exclusion of the stipulated employee information from the definition of personal information. However, Bill C-12 also adds a definition of business contact information (which includes name, position or title, work address, phone and fax number, email address, and similar information) that is exempted from the obligations in part I of PIPEDA to the extent that the business contact information is used to communicate with the employee in relation to their employment. Further, section 4(1)(b) of PIPEDA is amended to make clear that personal information collected from an applicant for employment is subject to the same obligations as employee information.

- 3-2) Provincial Legislative Protection With the exception of employment related to federal works, undertakings, and businesses governed by PIPEDA, the provinces have jurisdiction over matters pertaining to employment. Quebec, Alberta, and British Columbia have each enacted privacy legislation 10 that regulates the collection, use, and disclosure of employees personal information by organizations that are not otherwise federally regulated. As an aside, each of these laws has been deemed substantially similar to PIPEDA by the federal privacy regulator, the Privacy Commissioner of Canada, though the manner in which they deal with employees personal information is not uniformly consistent with PIPEDA. These provincial laws apply to employees personal information in private sector organizations within each of those provinces, but they do not regulate the personal information of employees working for federally regulated employers; that personal information is regulated by PIPEDA. Outside Quebec, Alberta, and British Columbia, therefore, a legislative gap exists with respect to the rules governing the protection of employees personal information in the non-federally regulated private sector workplace. 3) Differences between PIPEDA and the Provincial Legislation Under PIPEDA, employers may collect, use, and disclose employees personal information only for purposes that a reasonable person would consider appropriate under the circumstances and, in most cases, only when the employee s consent has been obtained. 11 The legislation in British Columbia and Alberta is similar and provides that employers can collect, use, and disclose employee personal information only for purposes that are reasonable and only once the employee has been notified before or during the collection. 12 Neither the BC PIPA nor the Alberta PIPA requires employers to seek the consent of employees before using or disclosing their employees personal information. 13 In Quebec, the onus on employers is more stringent. The Quebec Act requires that prior to collecting employee information, an employer must inform the employee of the purpose for which the information will be collected, the manner in which it will be used, and who will have access to it. 14 4) The Criminal Code and Surveillance The Criminal Code of Canada 15 contains an offence that applies to employers workplace surveillance and monitoring. Section 184 of the Code makes it an offence to wilfully intercept a private communication. 16 Intercept includes listening, recording, or acquiring a communication. The meaning of private communication involves a fact-specific inquiry centred on the expectation of privacy associated with the nature of the communication. Therefore, if the employer has the employee s express or implied consent, it is unlikely that a court would find that the employee had an expectation of privacy in the communication. A recent phenomenon relating to surveillance is the use of GPS data as a method of monitoring employees who make use of employer-owned vehicles. The collection of GPS data likely constitutes the collection of personal information concerning the employee insofar as it shows an employee s movements and whereabouts. GPS tracking of federally regulated employees is therefore subject to PIPEDA. The Office of the Privacy Commissioner of Canada (Office) has considered employers collection of personal information through GPS and set out a tripartite test to determine if the collection is reasonable under PIPEDA: 10 An Act Respecting the Protection of Personal Information in the Private Sector, R.S.Q. c. P-39.1 [Quebec Act]; Personal Information Protection Act, S.A. 2003, c. P-6.5 [Alberta PIPA]; and Personal Information Protection Act, S.B.C. 2003, c. 63 [BC PIPA]. 11 PIPEDA, s. 5(3) and Principle 4.3. 12 BC PIPA; Alberta PIPA. 13 This stands in contrast to the general provisions in both the BC PIPA and the Alberta PIPA, which simply require consent before the collection, use, or disclosure of personal information. 14 Quebec Act, s. 8. 15 R.S.C. 1985, c. C-46 [the Code]. 16 Ibid., s. 184.

- 4-1. Is the measure demonstrably necessary to meet a specific need and is it likely to be effective in meeting that need? 2. Is the loss of privacy proportional to the benefit gained? 3. Is there a less privacy-invasive way of achieving the same end? 17 In addition, the Office has described reasonable purposes for the use of GPS tracking to include the following: 1. managing safety and development (e.g., allowing for follow-up when vehicles were stationary for an inordinate period of time and allowing for the management of dangerous driving habits); 2. promoting asset protection and management (e.g., allowing for the recovery of stolen vehicles and reducing the wear on vehicles through better route management); and 3. enhancing customer service (e.g., through improved scheduling services and driver/dispatch communications). 18 It is not considered reasonable to use GPS tracking as a method of determining employee performance unless the employer has a clear policy outlining an appropriate process of warnings, and progressive monitoring is established and made clear to employees. Employees in the private sector who are not protected by PIPEDA, provincial privacy regimes, or rights under a collective bargaining agreement must resort to the common law for protection, including perhaps to the newly minted tort of intrusion upon seclusion (described in further detail below) if they wish to complain about their employer s use of GPS tracking. The use of GPS devices to track employees in non-employer vehicles is an entirely different manner and engages other common law rights protected under laws of trespass and nuisance. 5) Human Rights Legislation Provincial human rights legislation, such as that in Ontario, may provide some degree of protection for employees personal information resulting from the requirement that employers approach all aspects of employment (hiring, training, discipline, and firing) in a manner that does not discriminate on a prohibited ground (race, ancestry, place of origin, colour, ethnic origin, citizenship, creed, sex, sexual orientation, age, record of offences, marital status, family status, or disability). 19 This requirement has led many employers to avoid collecting personal information from employees that relates to these aspects. An employer that obtains this information could be vulnerable to an allegation that subsequent employment decisions relating to the employee were based on that information. B. The Common Law Approach to Employers Rights and Employees Privacy In Ontario and all the other provinces that do not have private sector privacy legislation private sector employees privacy interests are governed largely by a combination of common law protections of privacy and contractual provisions. Applicable contractual provisions may be found in the employment agreement or may be stand-alone policies of employers that bind employees. Employers in all provinces and sectors have always been permitted (and are often encouraged) to put in place clear workplace privacy and computer-use policies, including policies that stipulate how personal information will be collected, used, and disclosed and delineate permissible use of employer-supplied technology (such as PDAs, computers, and other devices) that can collect and preserve employee personal information and the personal information of nonemployees with whom the employee deals. Where these policies are permissible and enforced, courts have held that an employee s privacy rights are not infringed by an employer who monitors the employee in 17 PIPEDA Case Summary #2006-351. 18 PIPEDA Case Summary #2006-351. 19 Ontario Human Rights Code, R.S.O. 1990, c. H.19 at s. 5(1).

- 5 - accordance with the terms of the policy. 20 In addition, employees have no reasonable expectation of privacy regarding information stored on work-issued devices if the employer implements a policy that indicates otherwise. 21 Private sector employers in the provinces that lack provincial privacy legislation have a wider latitude to monitor their employees compared with their counterparts in federally regulated sectors or in British Columbia, Alberta, and Quebec. However, a recent decision of the Ontario Court of Appeal may have filled, at least partly, the legislative gap and extended greater protection to employees privacy interests in those provinces. On January 18, 2012, the Ontario Court of Appeal confirmed the existence of a right of action for intentional breach of privacy rights the tort of intrusion upon seclusion. 22 Following US privacy jurisprudence, the court ruled that to make out the tort of intrusion upon seclusion, the plaintiff must plead and prove that (1) the defendant intentionally or recklessly intruded on the plaintiff s private affairs or concerns; (2) there was an absence of lawful justification; and (3) the intrusion, viewed objectively, was highly offensive, causing distress, humiliation, or anguish. Proof of loss is not an element of the cause of action. 23 The court took steps to restrict the application of the cause of action to deliberate and significant invasions of personal privacy. 24 However, given the potential power imbalance that exists in the employer-employee relationship and the nature of the personal information about employees that is often readily available to employers, misuses of personal information in the workplace might be argued to fall within the sphere of conduct that the court had envisioned as giving rise to liability. As a result, depending on the circumstances including whether the employer has policies established permitting the collection, use, or disclosure of employees personal information the tort of intrusion upon seclusion may apply to breaches of privacy in the digital workplace. If the employer has a clear policy that permits it to monitor employees computer usage and online activities, an employee who has been subjected to such monitoring will be unable to use the intrusion upon seclusion cause of action. 25 Therefore, the court s reasoning reinforces the need for employers to maintain clear and consistently enforced computer-use and Internet policies. C. Protection of Personal Information in the Workplace under the Charter The Supreme Court of Canada has recognized a right to privacy subsumed in sections 7 and 8 of the Charter. 26 Employees who are engaged by state actors may have Charter protection for their privacy interests in the workplace. This protection was considered by the Ontario Court of Appeal in Cole, 27 discussed in greater detail below. However, it is important to note that private sector employers are not directly subject to the Charter. Finally, the common law of employment still must develop in a manner that is consistent with Charter values, including the recognized right to privacy thereunder. D. Examples of the Balance between Employers Rights and Employees Privacy Interests A review of three recent decisions (one each in respect of employers governed by PIPEDA, by provincial privacy legislation, and by the Charter) indicates that emails or social-media messages concerning an employee can fall within the definition of personal information 28 and that employees have an expectation of privacy regarding information stored on company-owned computer equipment if the 20 R. v. Cole, 2011 ONCA 218 [Cole]. 21 Ibid. at para. 48. 22 Jones, above note 4. 23 Ibid. at para. 71. 24 Ibid. at para. 72. 25 In these cases, the employee would be unable to make out the second element of the cause of action, which requires that the intrusion occurred without lawful justification, see para. 71 in Jones, above note 4. 26 R. v. Dyment, [1988] 2 S.C.R. 417 at 427; Hunter v. Southam Inc., [1984] 2 S.C.R. 145 at 158-159. 27 Above note 20. 28 Bell Canada v. Johnson (2008), 70 C.P.R. (4th) 1 (Fed. Ct.) [Bell Canada].

- 6 - employer does not have a privacy policy in place that indicates otherwise. 29 As a result, unreasonable monitoring of an employee s digital activities may amount to a breach of privacy laws or the Charter (where applicable) in appropriate circumstances. The cases suggest that monitoring may be reasonable if the employer suspects that the employee is or has been engaged in fraud, breach of the employment contract (including time theft) or some other unlawful activity. Where less intrusive means are unavailable to investigate these issues, it is more likely that the employer s monitoring would be considered reasonable. Finally, where the employer has a clear and consistently enforced policy in place, monitoring may be viewed as more acceptable. 1) Bell Canada v. Johnson: Employees Work Emails Are Personal Information In Bell Canada, 30 the Federal Court of Canada determined that PIPEDA does not require employers to provide employees with access to all emails stored on the employer s network that relate to the employee and that contain personal information concerning the employee. Johnson, an employee of Bell Canada, made an access request under PIPEDA seeking emails concerning me in this company from all sources. The court observed that there was no issue that emails sent in the course of business are accessible through PIPEDA; the question was whether personal emails sent by employees at work were accessible. Since the court determined that the exemption for personal information used solely for personal purposes found in section 4(2)(b) applied only to individuals, it focused its analysis on section 4(1). That section provides that PIPEDA applies only to personal information collected, used, or disclosed in the course of commercial activities or about an employee that the organization collects in connection with a federal work, undertaking or business. The court held that only information collected because the organization has a commercial need for it is captured by PIPEDA: Information collected in connection with the operation of the business requires that there be a business purpose for the information. There is none with respect to personal emails. The implication of the court s decision is that employee emails are private, personal information, meaning that PIPEDA does not permit an employer s collection, use, or disclosure of these types of emails without the employee s consent, because there is no commercial need for the employer to do so. Even when an employee has consented, the collection, use, or disclosure must be reasonable in order to comply with PIPEDA. 2) Alberta Privacy Commissioner Order: Use of Keystroke Monitoring Technology May Be Reasonable in Certain Circumstances In a public-sector case in Alberta, 31 the Alberta Information and Privacy Commissioner determined that a regional library s installation of keystroke monitoring technology on one of its employees computers was unreasonable in the circumstances and contravened the Alberta Freedom of Information and Protection of Privacy Act. 32 The commissioner observed that the library s undisclosed use of the software amounted to surveillance of the employee. The use of the software may have been reasonable if the employee was suspected of committing fraud using the library-owned information technology equipment; however, on the facts of the case, there were less intrusive means available to the library for managing the employee and therefore the monitoring breached the Act. Although this decision emanates from the public sector, it demonstrates that, in certain circumstances, employers subject to privacy legislation may be permitted to monitor their employees computer usage without providing the employees with advance notice. 33 29 Cole, above note 20. 30 Above note 28. 31 Alberta Information and Privacy Commissioner Order F2005-003 available at www.oipc.ab.ca/ims/client/upload/f2005-003.pdf. 32 R.S.A. 2000, c. F-25. 33 The Alberta Act requires that public bodies that collect personal information inform the individual of the purpose for which the information is collected, the legal authority for the collection, and the contact information of an employee of the public body who can answer questions about the collection (s. 34(2)).

- 7-3) R. v. Cole: Employees May Expect Privacy of Information Stored on Employer-Owned Computers In Cole, a high school teacher was charged with possession of child pornography and unauthorized use of a computer contrary to the Criminal Code. While conducting regular server maintenance, a computer technician accessed the teacher s school-board-issued laptop and found sexually explicit images of an underage student. The technician copied the photos onto a disk and reported his findings to the principal, who then asked the teacher to hand over the laptop. A second search of the computer was conducted by a school board official who copied the temporary Internet files onto another disk. Both disks and the laptop were turned over to the police, who then performed a warrantless search and charged the teacher under the Criminal Code. The Court of Appeal determined that the teacher s Charter rights were breached by the police but not by his employer. In reaching its decision, the court found that the teacher had a reasonable expectation of privacy regarding personal material he stored on his work-issued laptop. The court relied on the trial judge s findings of fact that the teacher and his colleagues used their computers to regularly store sensitive personal information and that although the school board owned the computer, it gave de facto control of the computers to the teachers. Moreover, the school board did not have a clear policy in place permitting it to monitor, search, or otherwise police the teacher s laptop use. Although it was lawful for the police to look at the disk containing images of the student, it was unlawful for the police to copy the laptop s entire hard drive or to search the disk containing the temporary Internet files. The lack of exigency, the teacher s privacy interests over his browsing history, and the broad nature of the search contributed to the unreasonableness and unlawfulness of the police search under section 8 of the Charter. With respect to the school board, the court concluded that neither the technician s search nor the school board official s search breached the teacher s Charter rights, since the first search occurred during routine maintenance and the second search constituted reasonable follow-up to the initial findings. a) Implications of the Cole Decision The implications of Cole for private sector employers are not necessarily far-reaching. First, the decision arose out of a criminal proceeding, so although the case creates a helpful precedent for employees whose workplace privacy is breached through a warrantless police search, it does not create any new sources of liability for employers. Second, the case was decided in the Charter context and the court s analysis assumed that the Charter applied to the school board. The court s analysis thus applies only to employers subject to the Charter. Despite the limited direct application this case may have for private sector employers, the court s reasoning still provides important lessons for them. Most important, the decision in Cole clarifies that an employee s privacy interests are not simply negated because the employer owns the technology used by the employee. Employers can no longer rely on the mere ownership of property to insulate themselves from claims that employees have a reasonable expectation of privacy regarding their personal information stored on employer-issued technology. 34 The court s reasoning in Cole also highlights the importance for employers of having a clear, consistently enforced computer-usage and/or computer-monitoring policy in place to minimize employees privacy expectations. E. Conducting Background Checks via Social Media The digital workplace has also transformed the hiring process. Employers are no longer restricted to the references given by prospective employees and can instead conduct their own online research. A 2009 US poll found that 45 percent of employers conducted background checks via some form of social media throughout their hiring process. 35 These background checks can include a variety of actions but may be as simple as viewing a candidate s Facebook profile or reading the person s blog posts; or the checks may be 34 Lisa Talbot, Litigation: Privacy in the Private Sector Workplace (2011) Commercial Litigation Review 9:2 at 16. 35 Elizabeth Denham, Work and Play in the Age of Social Networking, 12 May 2010.

- 8 - as thorough as hiring an organization to search for every bit of information on social media about the prospective employee. 36 When employers or organizations hired on behalf of employers search social media for individuals, the collection, use, or disclosure of that information is subject to PIPEDA and the provincial private sector privacy legislation. 37 Individuals in provinces that lack private sector privacy legislation have recourse for improper social-media background checks under PIPEDA, because the provisions relied upon in this circumstance are not specific to the employee-employer relationship. As a result of an ever-increasing use of social media and the development of online personalities, employers must now be wary of the possibility that their employees may have online personas that would negatively impact the business. What better time to weed out these employees than at the interview stage? However, despite the potential perceived benefits to conducting background checks through social media, the risks associated with these checks mean that employers who misuse this hiring technique may run the risk of breaching privacy legislation. Researching social media on a person may produce a huge amount of irrelevant or inaccurate information. Canadian privacy legislation requires organizations to take steps to ensure that the information they are collecting is accurate. 38 Breach of the accuracy requirement amounts to breach of the legislation. 39 Furthermore, the Federal Court of Canada has awarded damages, albeit a modest amount, to an individual for inaccurate information disclosed by an organization. 40 A recent decision of the BC Information and Privacy Commissioner provides useful insight into when these background searches may be permissible. 41 The commissioner launched an investigation into the BC New Democratic Party after the media reported that the party had requested all leadership candidates Facebook passwords (and other social-media passwords) in order to conduct a background search to vet the candidates social-media usage for inappropriate material. The party s explanation for the background searches was the desire to avoid repeating the situation that had occurred in the 2009 provincial election, when a candidate was forced to withdraw after inappropriate Facebook photos were discovered on his profile. The investigation concluded that although the NDP had obtained the candidates consent and had identified the purpose for its request, as required under the BC PIPA, the collection was nonetheless unreasonable and therefore a breach of that Act. The commissioner explained that reasonableness must be assessed in light of various factors, including the purpose of the collection and surrounding circumstances, the quantity and type of information collected, and the uses to which the information would be put. The surrounding circumstances in this case included the fact that collecting information on a particular person s Facebook account will result in obtaining third-party information that concerns people who have not consented to the collection and that is often likely to be inaccurate or out of date. This decision suggests that if a social-media background check is somehow confined to exclude any thirdparty information and steps are taken to check the accuracy or timeliness of the information, these checks may be permissible under privacy legislation. It also seems unlikely that individuals who determine that they have been the target of social-media background searches would have a right of action against the organization for intrusion upon seclusion. Depending on the quantity and scope of information collected, it is at least arguable that an organization is lawfully entitled to review the contents of a prospective employee s social-media usage in order to assess the employee s suitability for employment. Furthermore, given the proliferation of employers that are using social media for background checks as part of their hiring processes and the reality that information on social-media sites concerning individuals is often 36 Guidelines for Social Media Background Checks, October 2011, at 1. 37 Ibid. at 2. 38 For example, Schedule 1 to PIPEDA, Principles 4.6 and 4.6.1. 39 Nammo v. Transunion of Canada Inc., 2010 FC 1284 at paras. 33, 43. 40 Ibid. 41 P11-01-MS Summary of the Office of the Information and Privacy Commissioner s Investigation of the BC NDP s use of social media and passwords to evaluate candidates.

- 9 - posted by the individual, it seems unlikely that a reasonable person would conclude that there was a highly offensive intrusion into the individual s private affairs capable of causing distress, humiliation, or anguish. F. Conclusion and Lessons Learned This review of cases suggests that Canadian employers in the private sector would be wise to implement and consistently enforce clear policies that permit them to monitor their employees computer and Internet usage. The policy can be a stand-alone document or can be included as terms in the employment agreement or as part of an employee code of conduct. What is important is that the policy clearly state the reasons that might give rise to the employer s monitoring. For example, these reasons could include protecting (1) the integrity of data; (2) the monitoring systems; (3) the confidentiality of information and data belonging to the company, its employees, clients, suppliers, and so on; (4) the company s compliance with applicable laws (including intellectual property laws); and (5) employees and the workplace environment from harassment and discrimination. 42 These policies enable employers to ensure quality control, productivity standards, and a safe and harassment-free workplace, while also providing employees with clear guidelines and expectations. 42 Talbot, above note 34 at 17.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information