“Life trumps privacy.”
These are not my words. It’s a line from a 2007 practice tool published by the British Columbia and Ontario privacy commissioners entitled “Emergency Disclosure of Personal Information by Universities, Colleges and other Educational Institutions.” The tool focuses on the disclosure of personal information to prevent safety-related harm, an issue that privacy commissioners are sensitive to because privacy regulation often comes under attack as causing or contributing to a violent incident. Commissioner Cavoukian also wrote an editorial in the Washington Post following the 2007 Virginia Tech shootings and spoke to the CBC’s The Fifth Estate in 2009 after the Nadia Kajouji suicide at Carleton University – both times arguing that privacy legislation does not impede threat management.
This is relevant today because privacy and safety is back in the news. The National Post published an article yesterday about Travis Baumgartner’s Facebook posting. About two weeks before the multiple murder in which he is implicated occurred, Baumgartner posted, “I wonder if I’d make the six o’clock news if I just starting popping people off.”
Employers do not have a duty to routinely monitor the internet for signs of concerning employee behavior. To assert such a duty is to take an employer’s duty to provide a safe work environment too far. Monitoring would be costly and difficult to do effectively and, as noted in the article, would raise privacy issues.
Employers do, however, have a duty to “know what they know” about troubled employees and others who frequent the workplace. There are too many stories about concerning behaviors that were observed by other employees in the workplace and that were not assessed except in hindsight of a catastrophe. Employers must have means by which troubling behaviors exhibited by employees and others are reported and properly assessed. This has become the clear best practice, one that developed out of the landmark 2002 report of the U.S. Secret Service and U.S. Department of Education.
And what if an employee simply reports another employee’s Facebook posting as being of concern? It should be assessed. And once there is a legitimate reason to assess, employers must be thorough and gather relevant information from all available sources, including the Internet. Employers can’t afford to draw artificial lines between behavior inside and outside of the workplace in assessing a legitimate concern.
I’d like to say that privacy laws do not stand in the way of collecting personal information in the course of a threat assessment, but that’s not necessarily the case. Ontario’s provincial public sector privacy legislation, in particular, contains a very restrictive “indirect collection” prohibition. Law enforcement can collect personal information from third parties without consent in order to assess a threat, but institutions acting in a “civilian” capacity cannot. There are ways to manage the prohibition through policy but, nonetheless, the legislation should be changed. After all, life trumps privacy.