Employers who are regulated by privacy legislation need to reckon with privacy commissioner oversight in conducting searches of their work systems for evidence of misconduct. This is the clear lesson from the recent and much-discussed Calgary Police Service order of the Alberta OIPC that dealt with the service’s unauthorized access to an employee’s personal e-mail account.
The facts are simple. The service embarked on an internal sexual misconduct investigation that included a review of an employee’s work e-mail account. It conducted a search for the word “password” as a matter of protocol because the sending and receiving of passwords through e-mail is indicative of a number of common IT security problems. The service found a message to an outsider containing the employee’s password to her personal e-mail account, a communication the service said “seemed odd.” Given the employee had also sent “snippets” of confidential service records to others internally, the service accessed the personal account on a theory that the employee was leaking confidential information through the personal e-mail account. It happened to find evidence of work-related sexual misconduct and used it to discipline the employee. The employee later complained to the OIPC under Alberta’s public sector privacy legislation.
The OIPC was not impressed with the service’s professed basis for using the password to access the employee’s personal account, particularly given the investigator had no mandate to determine whether the employee had committed a breach of confidence. It upheld the employee’s complaint.
The result is no surprise. Taking a step in an investigation as intrusive as gaining unauthorized access to a personal e-mail account based significantly on the discovery of a communication that “seemed odd” is problematic. The record shows that the service was clearly on a fishing expedition, and despite the OIPC’s finding, its approach still signals respect for management’s right to investigate. The OIPC says, for example, “It might be policy for IT to check for data leakage whenever a Public Body employee is being investigated for inappropriate email or computer use, but this cannot extend, without cause, to an employee’s personal email account.”
The simple lesson from the case for employers who are subject to employment privacy regulation – far from all employers – is to develop and implement controls to structure the process of searching work systems for evidence of misconduct. Who authorizes a search? What’s the scope? What routine searches should be conducted? What should the investigator do if he or she finds evidence of wrongdoing that is out of scope? Who is responsible for securing evidence and how? Organizations should have clear answers to these questions before embarking on an IT search.