Employee interests versus management authority
Question: Can an employer view an employee’s personal email, text messages and files if they are on company computers and equipment as part of an investigation into misconduct or otherwise?
Answer: In the hierarchy of privacy rights, information does not command quite the degree of protection as does bodily integrity. In fact, some of the first cases to deal with this issue held that an employer’s ownership of the equipment used in the workplace gave it the right to monitor the use of that equipment with little concern for the employees’ interests at all. However, the increasing importance given to privacy rights in general, the enactment of information privacy legislation and the adoption of Charter of Rights and Freedoms values in interpreting private law contracts suggest that there is considerable risk in assuming that such a view will prevail.
At the current time, and speaking broadly, the answer to the question whether the employer may access its employees’ personal electronic communications depends largely on the reasonableness of the employer’s actions in the circumstances.
Assessment of reasonableness in turn takes into account such factors as the nature and legitimacy of the employer’s concerns leading to the monitoring, the necessity of the monitoring process vs. some less intrusive means of obtaining the information at issue and any reasonable expectations that employees may have that their private communications will remain private while they are making use of employer-owned hardware, software and Internet services.
Accordingly, any employer wishing to access private employee communications should take steps to insure that such access can be seen as a legitimate exercise of management authority that properly balances the employer’s needs with its employees’ interests.
A crucial step in this process is to put in place a computer use policy that makes it clear to employees the employer’s computer equipment and technology is provided for business purposes, its use will be subject to monitoring and that any such monitoring will include employer access to any personal communications carried out with or on the equipment. The policy should also clearly define what uses are acceptable and unacceptable and indicate the potential for discipline up to and including termination for unacceptable use. As well, it should require the employees’ written acknowledgement of their awareness of and consent to the policy as a condition of access to the equipment.
The employer should insure that a monitoring process is crafted that meets the employer’s legitimate needs without being overly intrusive. For example, examination of the content of personal emails, text messages and personal files will likely be regarded as unreasonable if the same object can be achieved through resort to a computer log, lists of URLs or message headers.
In deciding when and who to monitor, a consistent, even-handed approach should be adopted, keeping in mind the existence of reasonable grounds to suspect misuse will carry far greater weight in justifying an employer invasion of privacy than the mere possibility that misuse might be uncovered. Intrusive searches into all employees’ personal communications will not be appropriate if less intrusive means exist to identify problem communications for more detailed investigation.
The absence of an acceptable use policy does not preclude an employer from accessing personal electronic communications on its own equipment, particularly where there are grounds to suspect an improper or illegal use of an employer’s computers. An employee downloading pornography or using the employer’s email system to sexually or racially harass co-workers will be hard-pressed to establish a reasonable expectation of privacy in relation to such uses. However, in less obvious cases, the existence of a policy goes a long way to establishing that monitoring was reasonable in the event, such as if a complaint is made under federal or provincial privacy legislation or the admissibility of evidence of misuse is challenged in a grievance arbitration or wrongful dismissal action.
A case of computer monitoring did result in a successful complaint under the Alberta Freedom of Information and Protection of Privacy Act in Parkland Regional Library. The Alberta Privacy Commissioner allowed an employee’s breach of privacy complaint where his employer had, without the employee’s knowledge, installed a keystroke logging program on the employee’s computer to track his productivity. The Privacy Commissioner found the employer’s conduct was overly intrusive and unnecessary, in the circumstances, to resolve the productivity problem the employer had identified. In addition, the employer had acted inconsistently in singling out the employee for investigation when others in the workforce had similar problems. Significantly, the Privacy Commissioner did not rule out the possibility that keystroke logging might be justified in different circumstances where no less intrusive means could be identified to deal with a legitimate management issue.
Admissibility of an employee’s personal emails was at issue in Lethbridge College v. Lethbridge College Faculty Assn. In this case, the employer had terminated the employee for engaging in improper sexual relationships with three of his students. At the hearing of his grievance against the termination, the employer sought to use evidence of emails from its email system and from the employee’s Hotmail account, stored on a computer provided by the college. The union challenged the evidence as inadmissible, relying on the Alberta Freedom of Information and Protection of Privacy Act, the Criminal Code and general arbitral principles relating to unreasonable searches.
The arbitrator rejected the union’s submissions and held that the evidence was admissible. Despite some expectation of privacy by the employee in relation to his Hotmail account, neither his right of privacy nor the employer’s right of access to its own equipment was absolute. Again, a balancing process was employed, with the employer’s right to search the contents of a computer owned by it to be balanced against the employee’s expectation of privacy in using that computer and his private Hotmail account.
The balancing of these interests led the arbitrator to conclude the employer’s actions were reasonable because:
•The employer had probable cause to suspect the employee’s misconduct and his use of the college’s email system in furtherance of that misconduct.
•There was no less invasive means of gathering the information.
•The search did not violate the Criminal Code or privacy legislation. Even if the emails could be defined as personal information for the purposes of the Freedom of Information and Protection of Privacy Act, it was information that could be collected for and used in the arbitration under the legislation.
As the facts of each individual case will determine the ultimate result, and as the case law continues to evolve in this area, it remains to be seen whether employer’s rights to monitor personal communications on its own equipment will become more closely confined. It has been frequently shown that non-business related computer use is a serious problem in many workplaces. The prudent employer will monitor its services and equipment as needed but will do so in a transparent fashion, in pursuit of legitimate business needs, in accordance with a well-drafted computer use policy and without invading personal privacy any more than is reasonably necessary for the purpose sought to be achieved.
For more information see:
•Parkland Regional Library, Office of the Alberta Information and Privacy Commissioner Decision No. F2005-003 (June 24, 2005), Frank Work — Adj.
•Lethbridge College v. Lethbridge College Faculty Assn., 2007 CarswellAlta 1839 (Alta. Arb. Bd.).
