SCC Confirms Risks of Employee Privacy are Real and Manageable

by Bennett Jones LLP
Contact

In a widely anticipated decision on the issue of workplace privacy, the Supreme Court of Canada released reasons in R v Cole on October 19, 2012. The Supreme Court confirmed that, in circumstances where personal use is permitted or reasonably expected, employees can have a reasonable expectation of privacy in personal data stored on devices owned by their employer.1

While the existence and scope of an employee’s privacy expectation will depend on the “totality of the circumstances”, including workplace policies, it is now abundantly clear that an employer’s ownership of electronic systems and equipment will not be determinative. Nor will policies against personal use always govern when the actual customs and practices of the workplace depart from those policies.

Contrary to any suggestion otherwise, the decision does not mean that employees have an automatic right of privacy or that employers are forbidden from monitoring the electronic activities of their employees. Rather, the decision confirms that employers who articulate and implement clear policies and procedures addressing the use of the employer’s systems are able to control and monitor how their electronic equipment and systems are being used. The scope of any employee privacy expectation, if it exists at all, will be determined in the context of the employer’s stated policies and practices as implemented in the workplace.

There are a variety of reasons why employers are permitted and encouraged to monitor the activities of their employees involving their electronic systems. These include assessing productivity, confirming the appropriate use of intellectual property, or conducting investigations related to the employer’s statutory obligations, such as the duty to ensure a harassment-free workplace under applicable human rights or health and safety legislation. In this case, the school board employer was expressly authorized to review the employee’s information on its systems under its statutory obligation to ensure a safe school environment.

In the absence of a clear policy that permits monitoring, the Cole decision could open the door for an employee to argue that their reasonable expectation of privacy should prevail over the employer’s obligation to review e-mails or other data stored on a workplace computer. This means employers should carefully consider and implement technology use policies that are clear, express, and unambiguous–and take meaningful and consistent steps to those policies.

R v Cole

Richard Cole, a former teacher, was arrested and charged with possession of child pornography that was discovered on his work-issued laptop. Among the images were nude photos of a student at the school that the student had forwarded to a classmate. The teacher accessed the photos from the classmate’s laptop in the course of his job and then downloaded those photos to a separate laptop issued by the school board to the teacher.

While the policy governing Cole’s use of the work-issued laptop allowed for “incidental personal use”, the policy stipulated that teachers’ e-mail correspondence remained private, but subject to access by school administrators if specified conditions were met. The policy did not address privacy in other types of files, but it did state that “all data and messages generated on or handled by board equipment are considered to be the property of [the school board]”.

In the course of routine maintenance, the employer discovered the photos and searched the laptop. The employer copied the photos of the student and Cole’s Internet history (which showed visits to a number of child pornographic sites) onto a disc. The disc and laptop were then provided to the police. Believing they had the consent of the employer, as owner of the laptop, the police searched the content of the computer and the disc without first obtaining either a warrant or the employee’s express consent.

At trial, Cole’s lawyer successfully argued that the evidence should not be admitted due to the failure of the police to obtain a warrant to justify the search of the laptop. The decision of the trial judge was twice overturned on appeal.

In its May 2011 decision, the Ontario Court of Appeal acknowledged the right of the employer to undertake the search of the teacher’s computer. However, with respect to the search by the police, the court ruled that some of the evidence was obtained in breach of the Cole’s privacy rights and his rights against unreasonable search and seizure under the Canadian Charter of Rights and Freedoms2. In determining whether to exclude the evidence, the Court of Appeal sought to balance the harm of admitting the evidence obtained in breach of the Charter with the potential to bring the administration of justice into disrepute. The Court of Appeal ultimately elected to exclude temporary Internet files, the laptop, and the mirror image of its hard drive taken by police.

In a 6-1 decision, the Supreme Court of Canada overturned the Court of Appeal and its exclusion of the evidence gathered in the police search. While the majority agreed that Cole’s Charter rights had been breached by the police, they disagreed with the balancing analysis conducted by the Court of Appeal and with its assessment of the severity of the Charter breach. In the result, the Court admitted all of the evidence that was excluded by the lower courts and returned the matter for a new trial.

Employers Can Limit and Diminish Employee Privacy Expectations

In Cole, the court determined that an employee’s expectation of privacy at work in the context of a criminal matter will be determined by an assessment of the “totality of the circumstances.” That assessment has four components: (1) the subject matter of the search; (2) whether the employee has a direct interest in the subject matter; (3) whether the employee had a subjective expectation of privacy in the subject matter; (4) whether the expectation was objectively reasonable.

While the above inquiry is focused on assessing a Charter breach and not one that will apply to most employers, it is nevertheless clear from its components that employers have the power to limit or diminish employee privacy by governing their reasonable expectations. However, the court was clear that it will not be sufficient to simply institute a blanket policy against personal use if the employees are otherwise permitted to treat the employer’s equipment as if it were their own. Such practices risk allowing the employee to expect a zone of privacy into which the employer will not tread.

At this workplace, and somewhat unusually, Cole (and all other employees) had express permission to use his work-issued laptop computer for incidental personal purposes. Cole browsed the Internet and stored personal information on his hard drive. The court found such information exposed the employee’s likes, interests, thoughts, activities, ideas, and searches for information. This data, commonly generated through very ordinary personal use, was consistently found to be intimate and personal information worthy of protection by all levels of court. However, while the court found that the employees can have a reasonable expectation of privacy in that type of personal information, it also confirmed that this expectation can be modified by the “operational realities” of the workplace such as the policies, practices, and customs of the workplace.

The following is a list of steps employers can take to modify operational realities in their workplace to ward off creeping expectations of employee privacy:

  • Assert Powers of Ownership & Review: Employers should make it clear in offer letters, policies, and manuals that the employer owns, and may review, all communications on the employer’s systems.
  • Require Annual Certification: Employees should annually certify their understanding of the relevant policies on technology use and their acceptance that no expectation of privacy exists in the workplace and that all data generated may be reviewed. To the extent any personal use is permitted, employers should make clear that all equipment is provided for business purposes and subject to review.
  • Prohibit Personal Use: Employers should expressly instruct employees not to store anything they do not want reviewed on their workplace computer. Employers who aggressively prohibit and guard against personal use will have the least to fear from potential employee privacy claims.
  • Govern Use of Social Media: The data associated with Facebook and other social media is inherently personal and intensely biographical (i.e. the type of information courts will zealously protect). Employers should consider whether blocking such social media from their workplace systems is feasible.
  • Limit Exclusive Use: If issuing laptops, tablets, or other devices, employers can reduce expectations of privacy by requiring employees to return or periodically exchange workplace devices so that it is made clear that personal information cannot be stored on the company’s systems.
  • Monitor Personal Use: While an outright ban on personal use may not be feasible in all circumstances, if personal use is going to be permitted, employers should set clear parameters about what type of personal use is permissible and make it clear that such use may be monitored.

Determine the Approach to Personal Use, Then Educate and Enforce

The risks presented by creeping employee privacy are real, but not always apparent. In addition to undermining an employer’s statutory obligations under applicable human rights and safety legislation, employees (current or departing) may abuse electronic devices to remove confidential information, to make misrepresentations in e-mail communication, or otherwise tamper with the company’s electronic systems. In those types of circumstances, employers cannot allow individuals an opportunity to draw the curtain of employee privacy to obstruct a review of company e-mail or electronic equipment. Rather, employers need to create a culture where the defence of employee privacy has no place.

The best method to guard against creeping privacy expectations is consistent education and enforcement of the employer’s policies on technology use. Employers need to ensure their employees understand and are regularly reminded that their use of electronic equipment may be monitored and, in appropriate cases, disciplined.

As it concerns personal use, employers will need to decide for themselves what is the correct approach for their organizational and competitive environments. Employers can either deny all personal use of company equipment (and discipline employees as appropriate) or they can continue to permit personal use, so long as employees are educated that no zone of privacy exists on the employer’s electronic equipment and that personal use may be monitored by the employer.

The Cole decision follows on the heels of two recent Ontario Court of Appeal decisions addressing the privacy rights of employees in the workplace.3 Employers should continue to monitor the evolving developments in this area.

For assistance in reviewing or developing policies and procedures to ensure your company is able to effectively review and monitor employee activity on your electronic systems, please contact members of our employment services practice.

 

Notes
  1. Bennett Jones LLP previously released a client update on this case when the matter was before the Ontario Court of Appeal. See “Ontario Court Decision Affirms Need for Express Technology Use Policy,” May 2, 2011.
  2. Significantly, employers should note that the decision of the courts to exclude the evidence turned on the application of the Charter, which does not generally apply to private sector employers.
  3. Jones v Tsige, 2012 ONCA 32; R v Ward, 2012 ONCA 660.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bennett Jones LLP | Attorney Advertising

Written by:

Bennett Jones LLP
Contact
more
less

Bennett Jones LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.