There has been lots of talk about employee privacy and employer work systems since the Ontario Court of Appeal’s March 22nd judgement in R. v. Cole. Here is, for example, some commentary that Michael Power posted yesterday on his privacy blog, Dot Indicia.
I wrote an article entitled Employer Access to Employee E-mails in Canada that was published in the September 2009 issue of the Canadian Privacy Law Review. Here is my own position on what employers need to do, a position reinforced by the Cole decision:
The tension demonstrated in the above noted cases is likely to take some time to be resolved. The uncertainty alone, however, is good reason for employers to re-think their approach to managing employee computer use. It is less clear what to do.
One approach is to give employees clearer notice. If more permissive rules on personal use are the basis for changed expectations, employers may work harder to ensure employees are making informed choices about the sacrifice of privacy associated with personal use. Under this approach, computer use policies need not change much at all; the solution lies more in their implementation and, more specifically, in communication measures such as periodic acknowledgements, log-in notices and the like.
While the “clearer notice” approach is appealing in its simplicity, it is also somewhat risky given the relationship between permissive personal use rules and acceptable workplace privacy norms. For one, managers sensitive to the type of “private” content generated by personal use might resist and send inconsistent messages about policy. This practical risk is well-illustrated by a much-discussed case in which a California court held that a public employer violated several employees’ privacy rights by auditing their text messages. This outcome was based on a finding that a supervisor had implemented an informal process of allowing employees to pay for “overage” charges as a means of avoiding text message audits. But even if managers can be suitably controlled, a court or labour arbitrator may still reject a policy that permits personal use and relies strictly on notice. Personal use and zero privacy don’t sit well together, so a clear “no privacy” notice might not always convince an adjudicator that an expectation of privacy is unreasonable.
The more cautious employer will implement a new form of computer use policy that reserves the right to meet all legitimate purposes identified above, but also includes privacy controls to ensure that use of more sensitive types of information on its system (e.g. the content of e-mails and information revealing of keystrokes) is based on reasonable necessity. I am not suggesting that management fetter its rights in a manner that sacrifices management interests. If an employer, for example, feels that investigations based on “reasonable suspicion” instead of “reasonable grounds” are justified, then it should promulgate policy that contemplates investigations based on a reasonable suspicion. Likewise, if an employer feels that routine and/or random audits are justified, it should promulgate a policy that contemplates routine and/or random audits. In some circumstances — where employment privacy legislation applies for example — proof of business justification might be required, but an employer faced with a policy challenge should be well-positioned to argue that the chosen approach is measured and moderate compared to the traditional type of policy that has met with arbitral and court approval.
Here is a link to the full article. Reprint courtesy of LexisNexis.