• SCC Confirms Risks of Employee Privacy are Real and Manageable
  • October 31, 2012 | Author: Ranjan K. Agarwal
  • Law Firms: Bennett Jones LLP - Toronto Office ; Bennett Jones LLP - Calgary Office ; Bennett Jones LLP - Toronto Office
  • In a widely anticipated decision on the issue of workplace privacy, the Supreme Court of Canada released reasons in R v Cole on October 19, 2012. The Supreme Court confirmed that, in circumstances where personal use is permitted or reasonably expected, employees can have a reasonable expectation of privacy in personal data stored on devices owned by their employer.1

    While the existence and scope of an employee’s privacy expectation will depend on the “totality of the circumstances”, including workplace policies, it is now abundantly clear that an employer’s ownership of electronic systems and equipment will not be determinative. Nor will policies against personal use always govern when the actual customs and practices of the workplace depart from those policies.

    Contrary to any suggestion otherwise, the decision does not mean that employees have an automatic right of privacy or that employers are forbidden from monitoring the electronic activities of their employees. Rather, the decision confirms that employers who articulate and implement clear policies and procedures addressing the use of the employer’s systems are able to control and monitor how their electronic equipment and systems are being used. The scope of any employee privacy expectation, if it exists at all, will be determined in the context of the employer’s stated policies and practices as implemented in the workplace.

    There are a variety of reasons why employers are permitted and encouraged to monitor the activities of their employees involving their electronic systems. These include assessing productivity, confirming the appropriate use of intellectual property, or conducting investigations related to the employer’s statutory obligations, such as the duty to ensure a harassment-free workplace under applicable human rights or health and safety legislation. In this case, the school board employer was expressly authorized to review the employee’s information on its systems under its statutory obligation to ensure a safe school environment.

    In the absence of a clear policy that permits monitoring, the Cole decision could open the door for an employee to argue that their reasonable expectation of privacy should prevail over the employer’s obligation to review e-mails or other data stored on a workplace computer. This means employers should carefully consider and implement technology use policies that are clear, express, and unambiguous-and take meaningful and consistent steps to those policies.

    R v Cole
    Richard Cole, a former teacher, was arrested and charged with possession of child pornography that was discovered on his work-issued laptop. Among the images were nude photos of a student at the school that the student had forwarded to a classmate. The teacher accessed the photos from the classmate’s laptop in the course of his job and then downloaded those photos to a separate laptop issued by the school board to the teacher.

    While the policy governing Cole’s use of the work-issued laptop allowed for “incidental personal use”, the policy stipulated that teachers’ e-mail correspondence remained private, but subject to access by school administrators if specified conditions were met. The policy did not address privacy in other types of files, but it did state that “all data and messages generated on or handled by board equipment are considered to be the property of [the school board]”.

    In the course of routine maintenance, the employer discovered the photos and searched the laptop. The employer copied the photos of the student and Cole’s Internet history (which showed visits to a number of child pornographic sites) onto a disc. The disc and laptop were then provided to the police. Believing they had the consent of the employer, as owner of the laptop, the police searched the content of the computer and the disc without first obtaining either a warrant or the employee’s express consent.

    At trial, Cole’s lawyer successfully argued that the evidence should not be admitted due to the failure of the police to obtain a warrant to justify the search of the laptop. The decision of the trial judge was twice overturned on appeal.

    In its May 2011 decision, the Ontario Court of Appeal acknowledged the right of the employer to undertake the search of the teacher’s computer. However, with respect to the search by the police, the court ruled that some of the evidence was obtained in breach of the Cole’s privacy rights and his rights against unreasonable search and seizure under the Canadian Charter of Rights and Freedoms2. In determining whether to exclude the evidence, the Court of Appeal sought to balance the harm of admitting the evidence obtained in breach of the Charter with the potential to bring the administration of justice into disrepute. The Court of Appeal ultimately elected to exclude temporary Internet files, the laptop, and the mirror image of its hard drive taken by police.

    In a 6-1 decision, the Supreme Court of Canada overturned the Court of Appeal and its exclusion of the evidence gathered in the police search. While the majority agreed that Cole’s Charter rights had been breached by the police, they disagreed with the balancing analysis conducted by the Court of Appeal and with its assessment of the severity of the Charter breach. In the result, the Court admitted all of the evidence that was excluded by the lower courts and returned the matter for a new trial.

    Employers Can Limit and Diminish Employee Privacy Expectations
    In Cole, the court determined that an employee’s expectation of privacy at work in the context of a criminal matter will be determined by an assessment of the “totality of the circumstances.” That assessment has four components: (1) the subject matter of the search; (2) whether the employee has a direct interest in the subject matter; (3) whether the employee had a subjective expectation of privacy in the subject matter; (4) whether the expectation was objectively reasonable.

    While the above inquiry is focused on assessing a Charter breach and not one that will apply to most employers, it is nevertheless clear from its components that employers have the power to limit or diminish employee privacy by governing their reasonable expectations. However, the court was clear that it will not be sufficient to simply institute a blanket policy against personal use if the employees are otherwise permitted to treat the employer’s equipment as if it were their own. Such practices risk allowing the employee to expect a zone of privacy into which the employer will not tread.

    At this workplace, and somewhat unusually, Cole (and all other employees) had express permission to use his work-issued laptop computer for incidental personal purposes. Cole browsed the Internet and stored personal information on his hard drive. The court found such information exposed the employee’s likes, interests, thoughts, activities, ideas, and searches for information. This data, commonly generated through very ordinary personal use, was consistently found to be intimate and personal information worthy of protection by all levels of court. However, while the court found that the employees can have a reasonable expectation of privacy in that type of personal information, it also confirmed that this expectation can be modified by the “operational realities” of the workplace such as the policies, practices, and customs of the workplace.

    The following is a list of steps employers can take to modify operational realities in their workplace to ward off creeping expectations of employee privacy:

    • Assert Powers of Ownership & Review: Employers should make it clear in offer letters, policies, and manuals that the employer owns, and may review, all communications on the employer’s systems.

    • Require Annual Certification: Employees should annually certify their understanding of the relevant policies on technology use and their acceptance that no expectation of privacy exists in the workplace and that all data generated may be reviewed. To the extent any personal use is permitted, employers should make clear that all equipment is provided for business purposes and subject to review.

    • Prohibit Personal Use: Employers should expressly instruct employees not to store anything they do not want reviewed on their workplace computer. Employers who aggressively prohibit and guard against personal use will have the least to fear from potential employee privacy claims.

    • Govern Use of Social Media: The data associated with Facebook and other social media is inherently personal and intensely biographical (i.e. the type of information courts will zealously protect). Employers should consider whether blocking such social media from their workplace systems is feasible.

    • Limit Exclusive Use: If issuing laptops, tablets, or other devices, employers can reduce expectations of privacy by requiring employees to return or periodically exchange workplace devices so that it is made clear that personal information cannot be stored on the company’s systems.

    • Monitor Personal Use: While an outright ban on personal use may not be feasible in all circumstances, if personal use is going to be permitted, employers should set clear parameters about what type of personal use is permissible and make it clear that such use may be monitored.

    Determine the Approach to Personal Use, Then Educate and Enforce

    The risks presented by creeping employee privacy are real, but not always apparent. In addition to undermining an employer’s statutory obligations under applicable human rights and safety legislation, employees (current or departing) may abuse electronic devices to remove confidential information, to make misrepresentations in e-mail communication, or otherwise tamper with the company’s electronic systems. In those types of circumstances, employers cannot allow individuals an opportunity to draw the curtain of employee privacy to obstruct a review of company e-mail or electronic equipment. Rather, employers need to create a culture where the defence of employee privacy has no place.

    The best method to guard against creeping privacy expectations is consistent education and enforcement of the employer’s policies on technology use. Employers need to ensure their employees understand and are regularly reminded that their use of electronic equipment may be monitored and, in appropriate cases, disciplined.

    As it concerns personal use, employers will need to decide for themselves what is the correct approach for their organizational and competitive environments. Employers can either deny all personal use of company equipment (and discipline employees as appropriate) or they can continue to permit personal use, so long as employees are educated that no zone of privacy exists on the employer’s electronic equipment and that personal use may be monitored by the employer.

    The Cole decision follows on the heels of two recent Ontario Court of Appeal decisions addressing the privacy rights of employees in the workplace.3 Employers should continue to monitor the evolving developments in this area.

    1. Bennett Jones LLP previously released a client update on this case when the matter was before the Ontario Court of Appeal. See “Ontario Court Decision Affirms Need for Express Technology Use Policy,” May 2, 2011.
    2. Significantly, employers should note that the decision of the courts to exclude the evidence turned on the application of the Charter, which does not generally apply to private sector employers.
    3. Jones v Tsige, 2012 ONCA 32; R v Ward, 2012 ONCA 660.