What's needed in the employer policy? What are potential risks to the new rules?
Near the end of February, the Ontario government announced, as part of several major workplace changes such as the “right to disconnect” and worker mobility, that it would introduce legislation requiring employers to tell employees if and how they are being monitored electronically, for both in-person and remote work.
Organizations would have to have a written policy in place that outlines how electronic devices such as company computers, cell phones and GPS systems are being tracked. They would also have to disclose why they’re collecting the information.
Canadian HR Reporter spoke with three legal experts — Daniel Michaluk, a partner at BLG in Toronto, Melanie McNaught, a partner at Filion Wakely Thorup Angeletti in Toronto, and Ben Hahn, a barrister and solicitor at Whitten & Lublin in Toronto — to get their take on the proposed changes, and how employers should prepare.
Q: Why is there a need for this kind of legislation?
Michaluk: “I don't think there was a real problem to address. I do a lot of support for employers with all sorts of technology implementations… and I never perceive there to be a whole lot of monitoring of employees for performance purposes going on, which was, I think, what the government mentioned in one of its releases, that this was in response to the idea that employees were working at home and in response, masses of employers monitoring their performance through electronic means. I do not think that's the case.
“If there's a trend at all towards more monitoring, it's driven by data security. There's a great need for a high level of visibility into corporate networks, and in particular into what's called in that data security field, endpoints, the things that users are using. Those are the devices where, oftentimes, a cyber attack will start... So there's lots of new technologies for monitoring what's going on on endpoints, but that's for security purposes, not for productivity purposes.”
McNaught: “We saw that concern with the government's previous legislation about the so-called ‘right to disconnect’… with more employees working from home, the boundaries between personal and work are being blurred. And sometimes employees may be doing personal stuff that they wouldn't necessarily do on their work computer in their office. But it could still be monitored, depending on how the employer monitors communication, or keystrokes or whatever it is that the employee is doing.
“I also, frankly, think it's a bit of a populist move, to try to get some votes for the upcoming elections. I think if the government were really concerned about privacy, they would pass broad privacy legislation which… we don't have in Ontario.”
Hahn: “Greater transparency, I think, helps with all employee-employer relations. I haven't an insight into whether employers are so frequently tracking their employees through electronic means that it was a necessary step, but I don't think it can harm.”
Q: How will this new requirement impact employers?
Hahn: “For most employers, this is probably not a major issue.
“But for employers who are implementing all sorts of elaborate monitoring that they haven't been telling their employees about, I think maybe they've got more of a concern in terms of how to position it, how to handle it, what to put in their policy. Because they may have a human resources, relationship management sort of issue that comes to a head as a result of the legislation.
“Some employers may sit down and say, ‘Look, we really liked tracking everybody when they didn't know about it. But we're going to have an uprising on our hands when we tell everyone that we've been tracking them, so maybe we should stop tracking them. And that way, we don't have to say that we are doing that.’
“In terms of what they do have to disclose, it isn't even all that onerous; it's really just a description of what's been monitored, and the purposes for which the information is gathered. So it can be a very brief policy and it will comply.”
McNaught: “There's no general privacy legislation that applies to provincially regulated private sector employment relationships in Ontario... So many employers in Ontario haven't been required to have such a policy before and may not have. And some of them may not even think that what they're doing is electronically monitoring their employees.
“They may, for instance, monitor their computer system for unusual activity, and that might catch some employee communications or something like that. But is that electronically monitoring employees? I don't know, it's not defined in the bill. But it may well be.
“Employers will really need to think about what they're doing that might be considered electronic monitoring, and then make sure that employees are aware of it, which, as a matter of transparency and good employee relations, they should have been doing before, but they weren't required to.
“It's important to note that in the legislation right now, employees can only file complaints about the failure to have a policy or the failure to provide a copy to them. So [they] can't complain about the contents of the policy or electronic monitoring itself.
“It doesn't actually prohibit employers from electronic monitoring. And it explicitly says that it doesn't prevent employers from using that information that they might get from monitoring. But it just requires employers to be transparent with employees about what they're doing.
“So, going forward, employers in Ontario are going to need to think about whether some of the things they are doing are electronic monitoring. And if it is, then they're going to need to be sure that they tell employees in their policy what they're doing, and what the purpose is for doing it.”
Michaluk: “[Crafting a comprehensive policy like this] will be new for almost every employer. This is not to say that they don't provide some level of transparency with certain types of technology, but this is an impetus to look at everything that may constitute electronic monitoring, and then be transparent about that.
“What I think most employers are doing is that they'll have an acceptable use policy, and most of them will have a privacy section in it that discloses in very generic terms that the network is subject to monitoring, and that ‘Your use of our network shall not be associated with any expectation of privacy.’
“So now there's an impetus to be much more specific in the level of disclosure.”
Q: How is electronic monitoring defined in the legislation?
Michaluk: “They don't define ‘electronic monitoring,’ which is quite an amorphous concept, when you think about it. I think it's going to draw on a lot of different technologies. So the burden that faces employers is actually thinking through what all those technologies are.
“I would say that electronic monitoring should be defined in a way that's a little more narrow, and at least precise, so we know what we're talking about.”
Hahn: “The act doesn't really give us a definition so it's open to interpretation. Things that come to mind for me are keystroke monitoring. Basically, any kind of monitoring of a worker’s activities through the work terminal that they're frequently using... In other words, knowing what an employee is doing or not doing on the device that they've been provided to perform their work.
“At least to the extent that some employers might be out there with secret cameras, secret GPS pucks or keystroke monitoring or other forms of monitoring through an electronic device, this policy would require them to be transparent about that, and reveal that to employees.”
Q: What are the benefits to having such a policy?
Michaluk: “The upside of this is that employers do have reason to tend to governance of their networks. So they will benefit from the exercise of gathering data to create the policy; they may learn of things about their network that haven't been inventoried yet.
“The bigger positive issue, too, is that it should, if done well, change user behaviour... one of the issues that can frustrate the administration of corporate networks is personal use of corporate systems. It's permitted almost universally, personal use, because it's hard to prohibit, but it can complicate things when you have people's personal information coursing through your network; it makes your access to information on your network a little more tricky.
“So [this regulation] may have the effect of driving that personal use off of the corporate network. I think that's a good thing. You're going to have this information that you're going to present to employees that tells them the degree of monitoring, it may change their behaviour, and drive some personal use off of the network, which is absolutely a good thing for employers.”
Q: Are there any downsides to having such a policy?
Michaluk: “A lot of monitoring goes on for cybersecurity and data security purposes, and if you are too detailed about how you are monitoring traffic, you may create additional risk. Because you're telling people — who are potential adversaries, the threat actors — exactly what you're doing inside of your network. That's never a good thing because if they know exactly what you're doing to protect yourself, they may have a means of circumventing that means of protection.”
McNaught: “There's a couple of reasons why they might be concerned. First, they may be investigating a suspected breach of a law so they might not want to say, ‘Hey, by the way, we are monitoring your communications,’ because that would tip off the person that says that they may be investigating.
“And in some cases, there are proprietary interests that an employer may have in how they monitor what employees are doing, to ensure that the information is not misused, like credit card information and stuff like that. But I think that employers can get around it just by stating in general terms how and why they may be monitoring. They don't need to say, ‘We are monitoring these three employees.’ They could say, ‘We monitor for suspected criminal activity,’ for instance.
“If the employer has hidden cameras, they may prefer not to reveal where those cameras are, but they may be required to as a matter of being transparent with their employees.
“They might also be concerned about morale issues or pushback from employees on the surveillance that they're doing. So, I guess the best policy is always not to do something that you wouldn't want your employees to know about. If the employer is concerned about pushback, maybe they need to think about whether they should continue to do this, the monitoring that they have been doing.