Recovering electronic devices from a dismissed employee

Privacy issues to consider

Colin Gibson

Question: Are there any liability risks regarding privacy if an employer confiscates a work laptop or mobile device from a dismissed employee that is full of the employee’s personal files?

Answer: The liability risks surrounding personal files on employer-owned electronic devices that were used by a dismissed employee are governed by privacy legislation.

The federal Personal Information Protection and Electronic Documents Act (PIPEDA) governs private sector employers, except those in provinces with substantially similar legislation: British Columbia, Alberta, and Quebec. This discussion will focus on the federal PIPEDA; please refer to your provincial legislation if applicable.

Personal files on a dismissed employee’s work-issued electronic devices are the employee’s “personal information,” which is defined as information about an identifiable individual, where there is a possibility that an individual could be identified through that information. Privacy legislation imposes strict obligations on organizations regarding the collection, use, disclosure, and retention of personal information.

When an employer recovers electronic devices which contain personal files, this amounts to the collection of personal information. Organizations have obligations under PIPEDA with regard to the collection, use and disclosure of personal information:

• Organizations are responsible for personal information under their control.

• The purpose of the collection, use, or disclosure of the information must be one that a reasonable person would consider appropriate in the circumstances.

• The knowledge and consent of the individual are usually required before personal information may be collected.

• The collection of personal information must be limited to that which is necessary for the purpose identified.

• Personal information must not be used or disclosed for purposes other than those for which it was collected.

• Personal information must be retained only as long as is necessary.

• Personal information must be as accurate, complete, and as up-to-date as is necessary for the purposes for which it is to be used.

• Personal information must be protected by security safeguards.

• An organization must make readily available to individuals specific information about its policies and practices relating to the management of personal information.

• Upon request, an individual must be informed of the existence, use, and disclosure of her personal information and be given access to that information

In most cases, there is no reasonable or appropriate purpose that would permit an employer to retrieve and view personal files on an electronic device recovered from a dismissed employee. Further, it is likely the individual has not consented to the collection of such personal information and it would therefore be in contravention of PIPEDA.

A dismissed employee has the right to inquire about and gain access to the personal information the organization has in its possession within 30 days. If a person were to discover that her former employer had collected personal information from electronic devices, the employee could make a complaint to the Privacy Commissioner.

Under PIPEDA, organizations must develop policies and procedures that protect the rights established by the act. A best practice is to include language in a privacy policy specifying that employer-owned electronic devices are not to be used for personal purposes, and that employees should have no expectation of privacy with regard to the information stored on such devices.

When an employee is dismissed or resigns, ask if they have personal information on the devices they are returning. If they do, arrangements should be made to delete it and, if requested, provide a copy.

Colin Gibson is a partner with Harris and Company in Vancouver. He can be reached at (604) 891-2212 or cgibson@harrisco.com.

Latest stories