In the eyes of employers, it’s essential to monitor employees’ computer and email use to protect the business. But in the eyes of employees, such monitoring is just plain spying. so who’s right—at least in the eyes of the law? This article will provide some answers. more specifically, it will explain how far you can go to monitor employees’ computer usage without violating their privacy rights. and it will show you how to create a Computer Use Policy that establishes your organization’s right to conduct electronic monitoring in a way that minimizes its liability risks.

Most employees need a computer, internet access and email (which we’ll refer to collectively as “computers”) to do their job. But some employees abuse their computers for non-productive and harmful ends like:

• Web surfing, social networking and other personal activities;
• Downloading, viewing and sending pornographic, racist and other offensive material;
• Communicating messages that demean colleagues, the company and customers;
• Misappropriating confidential or proprietary information; and
• Carrying out business activities that are illegal or a conflict of interest.

So, it’s incumbent upon employers to set restrictions on employees’ computer usage and monitor whether those limits are being obeyed. Employee and unions are apt to object to monitoring as illegal. and thanks to the new personal privacy laws, they may have a legitimate argument.

What the Law Requires

To understand where the lines are drawn, you need to know where employee privacy rights come from.

Federal: The federal PIPEDA law limits the right of employers to collect, use and disclose personal information about their employees. Although PIPEDA applies in many parts of Canada, the privacy protections for employees apply only to employers who are federally regulated.

AB, BC and QC: These 3 provinces have their own personal privacy laws that apply to employees.

Other Provinces & Territories: In the other jurisdictions where PIPEDA applies, it grants privacy rights to a business’s customers and other third parties but not to its employees. But just because employees in MB, NB, NL, NT, NS, NU, ON, PE, SK and YT don’t have privacy rights under PIPEDA doesn’t necessarily mean they don’t have privacy rights at all. Privacy protections for employees in these jurisdictions might come from:

• The Charter;
• The terms of a collective agreement; and/or
• Common law, i.e., non-statutory law made by judges in deciding court cases.

The Bottom Line: all Canadian employees enjoy some degree of privacy protection vis-à-vis their employers.

But privacy rights aren’t absolute and must be balanced against the employer’s equally legitimate business interests. thus, employers are allowed to monitor employees’ use of company computer systems for security, to prevent illegal activities and maintain productivity even if that means going into their emails and hard drives. according to a recent Alberta case, “in the information technology world today,” great harm can be done to companies “with the click of a mouse.” accordingly, “an employer is entitled not only to prohibit use of its equipment and systems for [improper] purposes but also to monitor an employee’s use of the equipment to ensure compliance” [Poliquin v. Devon Canada Corp.].

But monitoring may cross the line if the information isn’t vital or appropriate to access and there are less intrusive ways for employers to obtain it. In other words, while monitoring computer usage is generally okay, it still must be done in a “reasonable” way.

Example: an employee filed a privacy complaint with the Alberta Privacy Commissioner after discovering that his employer had installed keystroke logging software on his computer without his knowledge. the Commissioner ruled that the employer could and should have used less intrusive means to monitor the employee’s work and informed the employee that it was monitoring him [Order F2005-003].

As the HR director, you need to understand what is and isn’t permissible. Basic Rule: you can access computer data as long as employees don’t have a “reasonable expectation of privacy” in the material. “Reasonable expectation” is based on 2 things:

What the employee actually expected. The employee must have what’s called a subjective expectation of privacy, i.e., he must sincerely believe that the information in his computer will be kept from his employer. thus, employees who know that their computer data can’t be kept private have no claim. the employee’s use of passwords, hidden files, encryption and other security conventions is evidence of a subjective expectation of privacy.

Whether the employee’s privacy expectation was reasonable. A sincere expectation of privacy isn’t enough. Employees must also show that it was reasonable for them to have such an expectation. Reasonableness is an objective standard that’s based on what a person of average prudence would expect. That makes it harder for employees to argue that a privacy expectation was reasonable when the computer equipment is owned by the company; an employee has a stronger case when the data the employer accesses is stored on a personal computer that the employee owns and uses for work purposes.

How to Comply

Trying to argue in front of a judge or arbitrator what was on an employee’s mind and what should have been on his mind is a dicey proposition. the good news is that you can put an end to any privacy expectations by your employee before they ever arise. the key: Adopt a policy stating that data kept on company computers and systems is not private and is, in fact, subject to monitoring. As long as it’s clearly written and consistently implemented, a computer use policy will make it extremely difficult for employees to claim they have a reasonable expectation of privacy in their computer files.

Example: During routine monitoring of the server and network, the IT director of an Ontario high school found a file containing nude photographs of a student on the hard drive of a laptop assigned to a teacher. the school gave the file to the police who charged the teacher with child pornography. the teacher argued that he had a reasonable expectation of privacy in the material. the court found that the teacher had a subjective expectation of privacy—the pictures were in a “grey file” under “My Documents” and the laptop was password-protected.

But it ruled that the expectation wasn’t reasonable. Although password-protected, the laptop was owned by the school. more importantly, the school’s computer use policy, which the teacher had not only signed but helped enforce made it clear that data stored on computer files weren’t private and subject to monitoring. In addition, the school board reinforced the policy by posting regular reminders on its website and issuing notices 4 times a year. so the court ruled that the teacher had no reasonable expectation of privacy in the material on his hard drive [R. v. Cole].

Although you should never adopt a model form without tailoring it to your own workplace, the Model Policy on page x illustrates the provisions to include in your own policy, including a clear statement that:

• All computers and information technology systems provided to employees are owned solely by the company and aren’t the employee’s property [Policy, para. 1].
• Computers and equipment must be used solely for work-related purposes. It’s also important to list prohibited uses, like surfing the web, downloading pornographic, racist, defamatory or other offensive material and downloading or transmitting confidential company information [Policy, para. 2].
• Employees have no right to expect that their files, emails and other data will be kept private [Policy, para. 3].
• The company will monitor computer usage and emails for purposes of security, network maintenance and to verify compliance with the Policy. our Policy goes the extra step of spelling out that the company can hang onto and review emails, including showing them to third parties [Policy, para. 4].
• The obligation to obey the Policy is an implied part of the employee’s contract. several courts have recognized that affording the Policy the status of contract is an indication to employees of its seriousness and thus easier to enforce. For example, in the Cole case, the court ruled that by acknowledging the computer use policy to be a term of employment, the teacher “waived” any privacy objections in the data he might have had [Policy, para. 5].
• Employees agree not only to obey but enforce the Policy if they become aware of potential violations. As a practical matter, requiring employees to report violations can make the policy more effective and easier to enforce. on a more subtle plane, it might also make a court less likely to side with the employee in a dispute. Note that in upholding the right to monitor spelled out in a computer use policy despite privacy concerns, both the Poliquin and Cole courts went to great pains to point out that the employees held supervisory positions and thus participated in enforcing the policy. Consequently, their violations were less easy to accept [Policy, para. 6].

As with any other employment policy, computer use policies are worse than useless if employees know they won’t be enforced. and if you later do decide to put your foot down, it may be too late. Employees are bound to argue that having condoned transgressions in the past, you can’t change your ways and suddenly start insisting on strict compliance now.

Example: In 2002 and 2003, a New Brunswick supervisor is warned about using his work computer to access Internet porn in violation of the company’s computer use policy. one more offence and you’re gone, he’s told. In 2005, the company suspects he’s up to his old bad habits but decides to let it go because it doesn’t have hard evidence. But when he’s busted again in 2006, the company finally makes good on its threats. the supervisor claimed that the company condoned his porn habits because it didn’t fire him in 2005. Luckily for the company, the court concludes that not bringing down the hammer due to lack of evidence in 2005 wasn’t condonation. But it agrees that condoning the behavior would have cancelled out the computer use policy and made the dismissal wrongful [Backman v. Maritime Paper Products ltd.].

Conclusion

You have a much better chance of defeating employee privacy claims if your organization owns the computers your employees use. however, lawyers tell the Insider that as the privacy law evolves, ownership of the computers and data has become less important than the question of the means the employer uses to track and record employees’ computer activity. so you need to be careful especially when using keystroke logging and other surveillance programs that enable you to override passwords and other privacy protections to access an employee’s email, files and other data. General rule of thumb: if you’re going down the path of tracking or recording your employees’ activities, choose the method that will satisfy your objective while creating the least possible intrusion on your employees’ privacy.

Poliquin v. Devon Canada Corp., [2009] a.J. No. 626, June 17, 2009

R. v. Cole, [2009] O.J. No. 1755, April 28, 2009

Order F2005-003, Alberta Information and Privacy Commissioner, June 24, 2005

Backman v. Maritime Paper Products ltd., [2009] N.B.J. No. 303, Sept. 24, 2009

Subscribe Now to Just Cause — Canada’s leading FREE eNewsletter for HR Professionals

This article comes to you from Just cause, the FREE eNewsletter that keeps Canadian HR Professionals up-to-date on what’s happening in HR every week Just Cause brings you practical, proven “how-to” HR help, ideas, and tips you can use to make your job as an HR professional easier – along with the latest Federal and Provincial HR news and new developments. plus, as a Just Cause subscriber, you get free special reports, special offers on audio conferences, webinars, and many other products and services for the HR professional.

Remember, Just cause is absolutely FREE to Canadian HR Professionals.  Enter your subscription to Just cause TODAY

• 0 Comments