The issue of employees’ misusing company computers is commonplace. In 2000, Xerox was monitoring all of its 92,000 employees’ computer usage and terminated 40 employees in the United States for accessing pornography on work time . Similarly, the luxury automobile company, Rolls Royce, suspended 14 employees for inappropriate use of the work internet computers . Closer to home, the RCMP very recently suspended a long-standing officer for adult material found on his work computer .
Yet, despite the frequency of these events, there remains very little case law in British Columbia on the subject of spyware surveillance. Largely the issue is raised in an arbitration context in union employment, for which there are distinguishing factors such as provisions in the collective agreements that address the subject.
On the legislative front, however, the applicable law on the subject is found in the Personal Information Protection Act (“BCPIPA”). The BCPIPA, it should be noted, has been ruled substantially similar to its federal counterpart, the Protection of Personal Information and Electronic Documents Act (“PIPEDA”). Therefore, the BCPIPA supersedes in British Columbia. It is also noteworthy that the BCPIPA, unlike the PIPEDA, is not restricted to public works; it applies instead to “all organizations” (s. 3).
Also noteworthy in the BCPIPA is an interesting clause, section 13, concerning the collection, use and disclosure, without consent of employee, personal data that essentially states that consent is not required for reasonable collection of information, so long as notification is given. Section 13 reads, in part:
COLLECTION OF EMPLOYEE PERSONAL INFORMATION
13 (1) Subject to subsection (2), an organization may collect employee personal information without the consent of the individual.
(2) An organization may not collect employee personal information without the consent of the individual unless
(b) the collection is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual.
(3) An organization must notify an individual that it will be collecting employee personal information about the individual and the purposes for the collection before the organization collects the employee personal information without the consent of the individual.
The onus is on the employer to establish that the personal information it is collecting about its employees, through installation of monitoring software on the company-owned computers, is “reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual”. Moreover, the employer is required to “notify” the employee, in advance, that it will be collecting employee personal information [S.13 (3)].
An example of where the employer was found to have violated the statute with its spyware surveillance is Re University of British Columbia . In that case, the university had a policy that allowed some incidental personal internet usage so long as it did not interfere with an employee’s work. However, the university suspected a particular employee was spending too much time on personal internet usage and investigated by placing spyware on the employee’s computer. The results led the university to terminate the employee, which led to wrongful dismissal arbitration. The Privacy Commission held that the university had acted unreasonably, particularly in not first warning the employee about the impugned behaviour, and in violation of the notice requirements of the Act. The Commissioner came short of ordering the evidence inadmissible at the arbitration, but strongly suggested that using such evidence was inappropriate and would undermine the privacy legislation in place.