Just when is an organization’s e-mail system a record of its conscience? And if it is, does this justify routine e-mail surveillance?
People haven’t been talking about e-mail surveillance in the workplace for some time now. Even video surveillance is a little passe, with far sexier monitoring technologies like GPS, biometrics, keystroke monitoring and RFID implants taking centre-stage.
The reality is that there’s never been a business case for routine monitoring of employee e-mails. Who’s got the time to read through employee e-mails? With broad “no expectation of privacy” statements in almost every employer’s computer use policy backed by a practical restraint on doing anything more than reasonable grounds searches, the law on e-mail monitoring has seemed in balance for the last half-decade.
Is this about to change? Here is some evidence that the answer is “yes.” First, we heard about the aggressiveness of the United States domestic security program since 9/11. Professor Daniel Solove’s recent article does a fine job of describing its “Total Information Awareness” project, a data-mining initiative. Then back in April, Fortune 500 retailer came under some heat when a fired security worker exposed the extent of the company’s surveillance activity, which apparently includes (or included) software-supported monitoring of its computer systems. My last piece of evidence in anecdotal. A forensic accountant friend of mine suggested to me a few week’s back that data-mining software is in use in at least some organizations as part of their corporate governance initiatives.
Assuming that routine e-mail monitoring is coming into its time, when is it likely to be justified?
To start, Canadian labour arbitrators (the only Canadian decision-makers who have regularly had the opportunity to address the validity of e-mail surveillance) have taken a different approach to computer systems surveillance than other forms of surveillance. Rather, than balance business interests against employee privacy rights, they’ve arguably applied a more employer-friendly approach that has centred on the property rights of a system owner: “It’s your property so you can assert absolute control over users’ expectation of privacy.” This approach may seem offensive to privacy advocates, but it’s consistent with the balancing approach when one considers competing legal duties and whether the employer will be deemed (in an assessment of whether it has discharged such duties) to have constructive knowledge of the transitory and non-business communications made through its system.
Take the duty to provide a harassment-free workplace for example. Starting with the Supreme Court of Canada’s Robichaud case, courts and tribunals have placed a very high standard of due dilligence on employers to root out and stop workplace harassment. The premise is that employees are vulnerable and only the employer (who controls the workplace) has the ability to protect. Although the standard is not one of strict liability, any employer that receives a harassment complaint, searches for responsive e-mails and only then discovers a harmful and longstanding dialogue should be very concerned. Is it any coincidence that some of the hardest-fought e-discovery cases in the United States – including the Zubulake case – are harassment cases?
As offensive as routine e-mail monitoring seems, I wouldn’t rule it out. Your average corporate counsel today will squirm if you ask her what she thinks is being sent over her company’s computer system. At least under Canadian harassment law, the corporate computer system is treated as a record of the corporate conscience. Constructive knowledge is presumed and, in my view, very difficult to rebut. The ideal e-mail system would file all business e-mails into a logical structure and immediately obliterate everything else, but the greatest document management system in the world won’t achieve this ideal. Does this make routine monitoring a justifiable alternative?
I plan on following this post with another on college and university computer systems, constructive knowledge and the duty of care to prevent incidents of catastrophic violence like what happened at Virginia Tech. I feel very cool about the use of routine surveillance in this context. Please come back to hear why.