Employee Privacy Expectations and Employer Systems – Two Options

There has been lots of talk about employee privacy and employer work systems since the Ontario Court of Appeal’s March 22nd judgement in R. v. Cole. Here is, for example, some commentary that Michael Power posted yesterday on his privacy blog, Dot Indicia.

I wrote an article entitled Employer Access to Employee E-mails in Canada that was published in the September 2009 issue of the Canadian Privacy Law Review. Here is my own position on what employers need to do, a position reinforced by the Cole decision:

The tension demonstrated in the above noted cases is likely to take some time to be resolved. The uncertainty alone, however, is good reason for employers to re-think their approach to managing employee computer use. It is less clear what to do.

One approach is to give employees clearer notice. If more permissive rules on personal use are the basis for changed expectations, employers may work harder to ensure employees are making informed choices about the sacrifice of privacy associated with personal use. Under this approach, computer use policies need not change much at all; the solution lies more in their implementation and, more specifically, in communication measures such as periodic acknowledgements, log-in notices and the like.

While the “clearer notice” approach is appealing in its simplicity, it is also somewhat risky given the relationship between permissive personal use rules and acceptable workplace privacy norms. For one, managers sensitive to the type of “private” content generated by personal use might resist and send inconsistent messages about policy. This practical risk is well-illustrated by a much-discussed case in which a California court held that a public employer violated several employees’ privacy rights by auditing their text messages. This outcome was based on a finding that a supervisor had implemented an informal process of allowing employees to pay for “overage” charges as a means of avoiding text message audits. But even if managers can be suitably controlled, a court or labour arbitrator may still reject a policy that permits personal use and relies strictly on notice. Personal use and zero privacy don’t sit well together, so a clear “no privacy” notice might not always convince an adjudicator that an expectation of privacy is unreasonable.

The more cautious employer will implement a new form of computer use policy that reserves the right to meet all legitimate purposes identified above, but also includes privacy controls to ensure that use of more sensitive types of information on its system (e.g. the content of e-mails and information revealing of keystrokes) is based on reasonable necessity. I am not suggesting that management fetter its rights in a manner that sacrifices management interests. If an employer, for example, feels that investigations based on “reasonable suspicion” instead of “reasonable grounds” are justified, then it should promulgate policy that contemplates investigations based on a reasonable suspicion. Likewise, if an employer feels that routine and/or random audits are justified, it should promulgate a policy that contemplates routine and/or random audits. In some circumstances — where employment privacy legislation applies for example — proof of business justification might be required, but an employer faced with a policy challenge should be well-positioned to argue that the chosen approach is measured and moderate compared to the traditional type of policy that has met with arbitral and court approval.

Here is a link to the full article. Reprint courtesy of LexisNexis.

2 thoughts on “Employee Privacy Expectations and Employer Systems – Two Options

  1. I honestly do not see how this case has become such a big deal for employers.

    An employee has a reasonable expectation of privacy even in their work computer. That’s something the Privacy Commissioner has been saying for years.

    That reasonable expectation is limited becuase of the employer’s ongoing right of access. An employer–even one who is arguably bound by the Charter, which most of us are not–can access the employee’s computer so long as they have justification to do so. Again, is this new?

    The advice is that employers should more tightly manage their employees’ expectations of privacy through controls and policies? To what end? The employer still has everything they need–the ability to access the employee’s computer for any legitimate justification. If they try to gain any more than that through controls and policies, they’re going to run into trouble with the Privacy Commissioner anyway.

    The lesson from this case is that the police should get a warrant, rather than assuming that the employer has permission to turn over the employee’s computer. That’s a novel turn in criminal procedure, but what’s the lesson for employers?

    It seems to me a bit of a Cheshire cat case. The more I look at it, the less I see.

  2. Thanks, as always, Kevin.

    I mostly agree. The case is good for employers and bad for police, which is not the message that’s being channeled by many.

    Notwithstanding the part about implied rights in Cole – just wonderful for employers – I do feel it behooves employers to be more express in dealing with the right of access by policy. It used to be that policies said “no expectation of privacy” and that’s it. There’s no problem, in my view, in making personal use conditional on certain management rights and committing to stay within them. At a minimum, it may save an employer from unnecessary litigation given the very real phenomenon of rising subjective expectations.


Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.