Heavy-handed Net policies push privacy boundaries

It's difficult to find an employee who has not used company time to surf the Net for the latest sports scores or find that perfect gift for a special someone. But is this something companies should be actively monitoring and disciplining staff about? Does an employer or HR department have the right to monitor what employees are doing on the Net to see if they’re indeed “goofing off?” Given that online use at work is relatively new, there really is no easy answer, according to several technology experts.

“I don’t think we’ve been clear at all of what is in bounds and what is out of bounds,” says Ian Turnbull, president of Laird and Greer Management Consultants. “I would argue that we’ve probably gone too far saying that the company is all knowing and all seeing and has complete access.”

With the amount of workers using the Net, surveillance is creeping to the top of many business agendas. Data released by Neilson/NetRatings two years ago found people were spending twice as much time online at work as surfers did at home.

As a result, organizations resorted to electronic surveillance to monitor the misuse of online access. A study released by the Privacy Foundation, a non-profit organization based in Colorado, found that 14 million employees were under continuous surveillance in 2000. While these statistics are American-based, Canada is following closely behind.

“What we’re seeing is more attempted control by corporations. I think companies are going to the extreme with Internet monitoring,” says Turnbull. “If an employer said to me, ‘You cannot use our technology at any time for personal activities when you’re working for us, I wouldn’t want to work there and I hope I’m not the exception to the rule.”

An analogy can be made to the use of the phone at work. Legislation prevents monitoring a phone conversation, including voice-mail messages, unless there is consent from at least one participant or the conversation or message is clearly not private.

So why would online access be any different?

There are many reasons employers would want to monitor employee’s e-mail and Internet use, says Rita Mason, lawyer and author of the report “Privacy of e-mail and Internet use in the workplace,” published in the Canadian Employment Law Guide. Primarily because an employer may be liable for the contents of a worker’s e-mail or Web sites accessed.

Reasons for monitoring often stem from the desire to discover whether employees are engaging in any wrongdoing. For example, downloading inappropriate or illegal material from the Internet, sending threatening or derogatory e-mail to co-workers about supervisors or other co-workers, or otherwise using
e-mail or the Internet for their own personal use during work hours, Mason states.

The justification for Internet surveillance is much more complex for federally regulated organizations. The Privacy Commissioner of Canada, George Radwanski, is opposed to electronic monitoring. The federal privacy law, in reference to electronic documents, states an organization may collect, use or disclose personal information only for purposes a reasonable person may deem appropriate.

In Radwanski’s 2001 report, Workplace privacy in the age of the Internet, the commissioner writes, “Employees don’t renounce their right to privacy when they enter the workplace. Privacy doesn’t disappear when we leave our private homes and go into public space or someone else’s private space. My definition of privacy is the right to control access to one’s person and to information about oneself. You carry a core of privacy with you, wherever you are. Your privacy can be violated when someone listens in on a telephone conversation. Or when your employer looks into things that are no one’s business but your own.”

Federally regulated organizations have to be careful, says Lorene Novakowski, partner with the law firm Fasken Martineau DuMoulin. The Privacy Commissioner has said employees can make claims against their employer if they feel their privacy rights have been violated.

But a recent case in Toronto where two men were arrested for possessing child pornography on their workplace computers underscores the growing concern employers have with the misuse of online access. Toronto police made it clear an employer may be held liable if it knows an employee has offensive material on a workplace computer, but does nothing about it.

Some organizations have been caught because they didn’t give their workers guidance on how to use online access, says Robert Garigue, vice-president and chief information security officer for BMO Financial Group. Companies find themselves in situations where access was not used appropriately and they have to scramble to create a policy.

“You can’t go to the extreme though, then you’re making good employees pay for the bad actions of one or two,” he says.

BMO blocks access to “some of the dubious sites that are high-risk,” such as Playboy.com and other well-known pornographic sites. The organization also has Internet policies in place that detail what is appropriate and inappropriate use of the Net. An e-mail is sent out to all employees several times a year reminding them to be aware of the policies and HR also talks to staff about proper conduct in the workplace, including rules around the Net. But Garigue says the most common way to find out if Internet access is being abused is to ask management.

“Technology will not replace the relationship between the employee and manager. You find out very quickly who the slackers are,” Garigue says. “Managers who manage correctly will notice this. They should notice if this person is spending a lot of time on the Internet and not getting their job done.”

Michael Geist, a University of Ottawa law professor, says companies considering using electronic surveillance must create a company policy and make sure all employees are aware of it.

“You’d be surprised how many companies don’t do that,” he says. “Once employees are aware that trading MP3 files is inappropriate, much of that activity stops.”

If an employer feels the need to implement an electronic surveillance device, it should go with what is least intrusive. The urge to simply latch on to the most ubiquitous surveillance technology is not the best approach, Geist says. It will raise serious privacy and potential liability concerns based on the invasion of privacy.

“Employers will install these kinds of equipment without thinking about the privacy consequences and they aren’t thinking about how it impacts their organizations.”

Latest stories