There are few, if any, employers that can operate without computers. It’s equally true there are very few employers that can operate without allowing employees access to computers and all the associated accoutrements, such as email and the Internet.
Regrettably, along with such access comes abuse. There is always that one employee… or two or three. Computers have given individuals the ability to do very disturbing, damaging and sometimes illegal things at work using work equipment, and those same employees typically claim they are entitled to do so on the basis of their fundamental right to privacy.
Many employees believe personal information, images or files they store on work computers belong to them, and the employer has no right to look at or keep them. The same holds true with respect to email and Internet. Many employees are aghast to learn an employer has been reading their personal emails, written and sent during working hours on work computers, or investigating what websites they have been visiting.
In contrast, many employers believe they have an unfettered right to monitor employee computer use and employees have absolutely no expectation of privacy with respect to the use of company computers. Further still, some employers feel paralyzed by privacy laws and believe they have no right to reign in offending employees without getting into trouble.
So, who is winning this tug of war — at least from a legal standpoint?
In a union context, employees have privacy rights either at law or contained within a collective agreement. On the other hand, arbitrators also recognize unionized employers typically have a right to monitor employee conduct, including computer use, pursuant to the general management rights found in most collective agreements.
At the statutory level, federally regulated employers are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). It is generally accepted this act is not applicable to provincially regulated employers for constitutional reasons. (But Alberta, British Columbia and Quebec have enacted similar provincial privacy legislation that does apply to provincially regulated firms.)
PIPEDA protects personal information from collection, use and disclosure without implicit or explicit consent, unless there are reasonable grounds to believe personal information may be useful in an investigation of the violation of an agreement or any laws. The Federal Privacy Commission has held the information an employer might capture using electronic surveillance tools, such as keystroke monitoring, may be caught under the privacy legislation if it can be attributed to an identifiable person.
Federal and provincial privacy commissions have held monitoring of employee computer use, particularly surreptitious monitoring, should only be undertaken in limited circumstances, and usually as a last resort after other less privacy-invasive attempts have been made to deter the unwanted conduct.
There is a general misconception the tort of invasion of privacy exists at common law but, to the contrary, there is no such tort... yet. In Ontario, no employee to date has successfully sued civilly and received damages for invasion of privacy.
There has been at least one employee, however, who got around the lack of a privacy-based cause of action and, instead, successfully sued on the basis of constructive dismissal when her employer installed a video camera in her office and, thereby, breached its implied duty of good faith. (See Colwell v. Cornerstone Properties Inc., 2008 CarswellOnt 7702 (Ont. S.C.J.))
Video surveillance is deemed to be at the top end of what is considered privacy invasive and, therefore, typically receives greater scrutiny by the courts. Nevertheless, it is not too great a stretch to imagine a similar finding in the case of an employee’s use of a work computer, particularly if the employer has not provided sufficient warnings the employee has no expectation of privacy.
Cole decision about state intervention
The 2011 decision of the Court of Appeal of Ontario in R. v. Cole did cause a bit of a scare for employers in terms of its ability to protect against misuse of work computers by employees. Cole was a high school teacher assigned to monitor student use of the school’s computers and, in so doing, he accessed a student’s email account which contained nude photographs of another student. Cole downloaded the photos to the school’s laptop and saved them in a hidden file. The police were called in and, upon further investigation of the computer, discovered Cole had also visited pornographic websites and stored other pornographic images on the school’s computer. Cole was charged with possession of child pornography.
The admission of the evidence found on the computer was at issue in the criminal trial. Cole argued the manner with which the evidence was obtained — absent a warrant — was a violation of his right to be free from unlawful search and seizure. What was discouraging to most employers was the Court of Appeal’s finding Cole did have a reasonable expectation of privacy with respect to his use of the school’s computer primarily because there were no policies expressly stating the school had the right to search the computers.
What must be remembered, however, is the case dealt with state intervention and, therefore, the Charter of Rights and Freedoms, which is not engaged in a situation where a non-government employer examines an employee’s computer use. In other words, the Cole case does not stand for the proposition that employers are not entitled to monitor or investigate what employees are doing on work computers.
What should be taken from the Cole decision is employers must be reasonable in their approach and provide clear warnings to employees that their computer use may be subject to monitoring and what is stored on the computer is the property of the employer.
Best practices in monitoring employees
Privacy laws are continually evolving and the trend is moving toward increasing privacy rights. Accordingly, all employers, even those that are non-union and provincially regulated, should implement the following best practices to ensure monitoring and investigative activities will be upheld if put to the test:
•Establish, publicize and enforce written policies for employees governing the use of computers (or any company equipment).
•Have policies that expressly and very clearly identify:
•what types of uses are permitted and, conversely, prohibited
•there is no reasonable expectation of privacy with respect to specific uses such as email, Internet searches or downloading
•all computer data storage and use is subject to random monitoring by the employer, including any personal information stored on the computer
•the consequences for failing to abide by the policy.
•Before conducting a surreptitious investigation of an employee’s computer, consider whether simply confronting the employee first is appropriate and may deter future unwanted conduct.
•If an employer has good reason to believe an employee is engaging in criminal conduct, such as viewing child pornography on a work computer, contact the police.
Bettina Burgess is a senior associate who focuses on employment and labour law as well as commercial litigation at Gowlings in Waterloo, Ont. She can be reached at email@example.com or (519) 569-4557.