November 12, 2011by Israel Foulon LLP
In R. v. Cole1, Ontario Court of Appeal recently rendered a decision that addresses an employee’s reasonable expectation of privacy related to the use of technology on employer owned equipment.
In this case, the accused was a high school teacher who was provided with a laptop computer to be used in teaching a technology course and for the purposes of supervising a laptop program for students. In order to supervise the laptop program, the accused was given remote access to the data stored on the computers within the school network. One of the school’s computer technicians responsible for maintaining the integrity of the school network identified an unusual pattern of network use by this particular teacher. The laptop was then investigated by the school board’s IT staff by accessing the hard drive remotely. The contents of the laptop hard drive included nude photographs of a 16 year old girl. The school principal was advised of the photographs in order to identify that the images were of a student who attended at the high school. The teacher returned the laptop to the school when he was asked to do so but refused to provide the password. The computer technician accessed the computer again and copied relevant material from the laptop hard drive onto discs. The laptop and the discs were given to the police.
In deciding that the teacher, as an employee of the school board, had a reasonable expectation of privacy related to the contents of the laptop, the Court based the decision on the following factors:
he had exclusive possession of the laptop;
the laptop was password protected by a password he created;
the school board policy permitted personal use of the computer;
he had permission to take the laptop home on evenings, weekends and summer vacations;
there was no evidence the board actively monitored teachers’ use of laptops; and
the board had no clear and unambiguous policy to monitor, search or police the teacher’s use of the laptop.
The school board policy did prohibit inappropriate content on the school computer, including sexually explicit material but the policy did not address the issue of privacy except in relation to e-mails. The policy warned teachers that e-mail communications may be searched to maintain the integrity of the system or if inappropriate use was suspected but the language was specific to e-mails only. Students at the school were required to sign an Acceptable Use Agreement (“AUA”), which clearly stated that all material on the laptop, including the hard drive would be monitored, however the AUA was not signed by teachers or staff. It was not sufficient that the principal communicated at staff meetings that the same rules which applied to students applied to staff.
The Court found that the accused had a reasonable expectation of privacy in the information stored on the hard drive of the laptop, which was subject to the limited right of access by his employer’s technicians performing work-related functions. Therefore there was no expectation of privacy related to this limited type of access. Since the school board’s technician stayed within the “implied right of access” the Court held that the school board was within its legal right to inspect the laptop.
What this case highlights for employers is the need to have a technology use policy that addresses the issue of employee privacy and sufficiently permits an employer to monitor the appropriate use of technology by employees.
It is an offence under section 184(1) of the Criminal Code to intercept a private communication by electro-magnetic, acoustic, mechanical or other device. It is not an offence if the party intercepting the private communication has the express or implied consent of the person sending the message or of the recipient. It is therefore important for an employer to communicate a workplace technology policy to its employees which explicitly states that electronic communications will be monitored by the employer. This will provide the employer with a defence to an allegation that that the employee had a reasonable expectation of privacy.
“personal information” is defined as information about an identifiable individual (excluding the name, title or business address or phone number). In Ontario, an employer may only collect, use or disclose personal information that a reasonable person would consider appropriate in the circumstances.
Shred-Tech Corp. v. Viveen
A breach of privacy in Ontario was recognized in law as a tort in the 2006 case, Shred-Tech Corp. v. Viveen2, after employees learned that their employer secretly videotaped their activities. The Court stated that in recognizing the privacy rights of employees, the intentional tort of breach of privacy provides a remedy for the breach of that right.
When analyzing a claim for the tort of breach of privacy, in the absence of consent to obtain, collect or disclose personal information, the Court will consider whether there are legal process or public interest reasons for information being collected, acquired or disclosed. If there are, the legal process or public interests will be weighed against an employee’s privacy interests to determine whether a breach of privacy has occurred. The Court will determine whether information is deemed to be private based on an assessment of what a reasonable person would consider private.
Crookes v. Newton
The Supreme Court of Canada will be delivering a decision in an appeal from the British Columbia Court of Appeal, Crookes v. Newton3, which will answer whether a person may be held liable for defamation in the event that they provided a hyperlink on their website to a defamatory article. If a company website contains a hyperlink, the company should be aware of any controversial content contained on the website it links to.
Creating or Updating a Technology Use Policy
A customized a technology use policy (“TUP”) ensures an employer has the right balance of protection without placing unnecessary limitations on its employees.
1. In order to decide whether to limit technology use at work or what boundaries to place on technology use, consider the following:
a. Does access to technology at work benefit the business:
Researching product material and costs
Search of physician name or contact details
Search government websites such as WSIB
Use of social media to market and promote business
Search social networking sites when considering whether to hire a particular employee candidate
b. Will placing a ban or limit on using technology at work send employees the message that they are not trusted to use technology responsibly?
c. Is it appropriate to limit the use of technology only during work hours?
2. To protect an employer’s right to monitor technology use, an employer should do an inventory of all equipment used by its employees to communicate and/or store data electronically so that it can be addressed specifically in the TUP.
3. Know the technology used to ensure that the TUP addresses the entire contents of information, images and videos sent from and stored on all electronic devices. There are various ways for inappropriate content to find its way onto a computer’s hard drive or the company network, including:
memory sticks, USB mass storage keys
portable hard drives
4. Consider whether it is appropriate or necessary to monitor social media sites used by employees. Social networking sites include: Facebook; Twitter; and LinkedIn.
Social Networking Sites
Employees will likely consider the content of these sites to be personal but they should be made aware that there is no reasonable expectation of privacy if the site can be accessed without permission. Social networks allow users to upload profiles, post comments and images, join networks, groups and add contacts. Social networking sites have varying levels of privacy settings which are set by the user.
Employees may not understand that what is posted on their social networking sites may have employment implications. Concerns for employers related to social networking sites include:
An unprofessional image of an employee may harm the reputation of the employee and the employer
Confidential information may be shared
Posting of inappropriate or negative comments about the employer
Human Rights allegations (harassment and discrimination)
Occupational Health and Safety Act violation for harassment in the workplace
Use of company brand or logos in a way that is inappropriate or which depicts the company in a negative way
The content of materials posted on these sites may be used as evidence in litigation4
When creating/updating a workplace technology policy it is recommended that employers include:
The purpose of the policy
computer use by employees in the course of business
who is covered by the policy
expectations regarding compliance with the policy
Acceptable and prohibited use of workplace technology;
Limitations if any on personal use
Types of websites that are prohibited
words that could be construed as offensive to others
to delete and not forward e-mails received with inappropriate content
messages which are discriminatory or a form of harassment are prohibited and subject to investigation
company owned electronic devices (list all equipment) are not to contain inappropriate material, which includes but is not limited to:
sexually explicit depictions or content
promotion of violence
A statement that employees do not have a reasonable expectation of privacy when using workplace technology
The method and frequency of monitoring, specifying the information collected, how it is stored and who has access to the information
If social networking sites will be monitored, be clear about the content that would be considered inappropriate
That the employer owns everything stored or created on its electronic equipment (list equipment), which includes but is not limited to personal data and intellectual property
State penalties that will be imposed for violating the TUP
when steps may be skipped in progressive discipline model
examples of what would be cause for termination
Rolling out an updated TUP or a new TUP:
There is often a disconnect between what an employer believes to be an employee’s reasonable expectation of privacy and an employee’s actual expectation. It is therefore important that when the TUP is distributed, employees receive training on the new policy or are given time to read through the policy thoroughly with an opportunity to ask questions before having them sign to acknowledge that they read and understood the contents of the policy.
Remind employees annually of the contents of the TUP. The reminder can be sent out electronically with an electronic accept option to acknowledge that they read the TUP and accept the conditions of technology use.
If employees are aware that the technology they use is monitored on a regular basis, they are less likely to abuse their privileges.
Enforcing the TUP
It is important that the TUP is enforced consistently. If the policy is knowingly breached and overlooked, it will be more difficult to justify a termination or serious discipline when there is a more concerning breach. Employers may also be subject to allegations of discrimination if it is selective about when the policy is enforced.
Process for Reporting Breach
Employees should be informed about who to contact to report a violation of the TUP without fear of reprisal. There is a greater chance that employers will learn of the existence of harmful content on social networking sites if there is an anonymous reporting mechanism.