Category: Workplace Privacy

Facebook’s Graph Search: New Privacy Concerns?

According to a CBC News article (here), early reviews of Facebook’s new Graph Search feature are raising privacy concerns.  The search feature appears to be eerily effective in mining Facebook users’ information in responding to search queries.

For employers who may be considering using social media to verify information about current or prospective employees, the depth of information revealed by Graph Search highlights the risk that obtaining information through social media could amount to an invasion of privacy, or conflict with human rights laws (see the Ontario Human Rights Commission’s policy on using Facebook information).  Employers should tread carefully before using social media to obtain information about current or prospective employees, since the resulting information (even if obtained inadvertently) could create unanticipated liabilities.

BC commissioner uses fleet management complaint to answer BIG questions about PIPA

On December 19th, the British Columbia Office of the Information and Privacy Commissioner dismissed a complaint about the collection and use of vehicle location and operation data for the purpose of managing employee performance. In doing so, the OIPC opined broadly on the meaning of “personal information” and “work product information” and on the standard of reasonableness for collecting and using employee personal information under BC PIPA.

The case deals with an elevator company and its field mechanics. The mechanics objected to the company’s collection of data about service vehicle location and data about service vehicle operation – e.g., distance travelled, speed and incidents of harsh braking. The company argued this information is not regulated by BC PIPA at all because it is not “personal information” or, alternatively, is “work product information.”

The OIPC rejected the company’s primary argument and held that vehicle location and operation data is personal information. In doing so it rejected a narrow definition of personal information that requires personal information to be “about an identifiable individual” in that it reveals something private or intimate about the individual – a concept accepted in some case law and loosely related to the “biographical core” concept featured in Charter search and seizure jurisprudence. Instead, the OIPC said that information about an identifiable individual is personal information if it “is collected, used or disclosed for a purpose related to the individual.”

The OIPC also rejected the company’s alternative argument and held that vehicle location and operation data is not work product information. It reasoned that vehicle location and operation data is not “prepared or collected” by an individual in the course of work and that, generally, data that is automatically recorded “without directed conscious input by an individual” is not work product information.

While these principles favour privacy protection, the OIPC also demonstrated respect for employer interests in finding the company’s collection and use of employee personal information was reasonable for its purposes. The OIPC expressly rejected a four part reasonableness test (generally disliked by employers) in favour of a more flexible “reasonableness in all the circumstances” test:

The assessment of reasonableness will occur in the context of the established purposes for the employer’s collection, use or disclosure and thus should have some regard to that context. But the assessment may also address a number of other possible considerations.

As part of its reasonableness discussion, the OIPC also noted that an organization need not adopt the least privacy-intrusive alternative regardless of cost or consequences (though should be able to demonstrate that it has given “reasonable consideration” to less intrusive alternatives).

Schindler Elevator Corporation (Re), 2012 BCIPC 25 (CanLII).

Alberta arbitrator says employer’s broad direction to report personal legal troubles reasonable

On July 13th of last year, Arbitrator Sims held that an employer could promulgate and rely upon a policy that requires employees to report legal troubles with the potential to affect the their ability to work or, more generally, the company’s interests.

The policy language at issue read as follows:

Involvement in a legal matter

If you are involved in a legal matter or a police case which has the potential to affect your ability to perform your job or harm the interests of TELUS, you must immediately inform your manager.

Arbitrator Sims held that this language, read in the context of the employer’s entire ethics policy, was a reasonable means of enabling the employer to assess whether potential risks to its interests needed to be addressed. He was impressed that the employer offered employees a confidential ethics line to seek guidance on their reporting duty, but the decision does not appear to rest on this fact.

Telus Communications Inc v Telecommunication Workers Union, 2012 CanLII 51085 (AB GAA).

The other side of the balance: employer interests, work systems and R v Cole

Here’s a link to a essay that describes the impact of the Supreme Court of Canada’s in R v Cole – the work system privacy case. I appeared with my colleague Joseph Cohen-Lyons on behalf of the Canadian Association of Counsel to Employers, and the paper represents the intellectual end point of a great experience. Whether you agree with the position or not, I hope it sparks some ideas!

Alberta OIPC deals with use and disclosure of work e-mails in recent order

On September 11, 2012 the Alberta Office of the Information and Privacy Commissioner upheld a complaint that dealt with an employer’s retrieval and use of e-mails from its work e-mail system. The decision suggests that information in e-mails from a work e-mail system that are accessed and used as reasonably required for an employment-related purpose are regulated as “employee personal information” under Alberta PIPA regardless of their content.

Background

The employer is a union who temporarily employed the complainant as a business agent. Towards the end of his employment, the complainant applied for selection into a permanent position by way of a job competition. On his last day of employment, while the competition was underway, some members of the internal evaluation committee for the competition reviewed the complainant’s e-mails; at times the OIPC decision frames this review as being for the (routine) purpose of performance assessment and at other times it frames the review as investigatory (and in response to some specified concerns).

Upon review of the e-mails, the committee members discovered an e-mail received by the complainant that invited him and a member of the selection committee to a meeting about “defeating” the employer’s president and another candidate for the position. This e-mail and 13 others of a similar kind were of concern to the employer because they suggested its job competition process would not produce a fair result. Later, the employer’s president read parts of the 14 e-mails aloud at a meeting of the general membership to support an executive committee recommendation to disband the internal evaluation committee.

Issue

The complainant argued that the employer’s use and disclosure of his e-mails contravened Alberta PIPA. Apparently he did not take issue with the employer’s search itself given the e-mails in question were all sent and received on the employer’s system.

Decision

Most importantly, the OIPC held that the employer’s initial use of the 14 e-mails was a use of “employee personal information.” It said:

While the E-mails were not always in relation to the Complainant’s own employment duties, they were in relation to the affairs of the Organization, which is sufficient for them to “relate” to the parties’ employment relationship.

Therefore, when the Organization initially reviewed the E-mails for the purpose of evaluating the Complainant’s performance as Relief Business Agent, the Organization was, in that particular context, reviewing the Complainant’s personal employee information. In further reference to the definition of “personal employee information”, the E-mails were “reasonably required” by the Organization in that they were part of the record of the Complainant’s performance, which he was reasonably required to create by virtue of his 89-day trial period in the position. Nothing turns on the fact that some of the E-mails were not in relation to the Complainant’s specific duties, as the fact that he sent or received them was still relevant to his overall performance.

This reasoning suggests that an employer’s purpose in dealing with e-mails on its system (even “personal use” e-mails) will govern how the information in the e-mails is characterized under the Act. The review of system e-mails for an employment-related purpose will generally mean the information in the e-mails qualifies as “personal information,” but provided the review is reasonably required, the same information will also qualify as “employee personal information.” This is of critical significance to Alberta employers because consent is not required to collect, use and disclose employee personal information under Alberta PIPA unless an exception to this general rule applies.

One such exception, which the OPIC held was engaged in this case, is an exception for a failure to provide “reasonable notification that the information is going to be used and of the purpose for which the information is going to be used.” In essence, the OIPC held the employer lost the ability to rely on the more liberal rules that apply to the use and disclosure of employee personal information under Alberta PIPA because it had no acceptable use or other policy to make the employee aware that his e-mails might be reviewed for an employment-related purpose or otherwise. Most Alberta employers will have an applicable policy, but to avoid the fate that befell this employer they should ensure their policies articulate the specific business purposes for which e-mails may be accessed. (For more on this point, see here.)

Please note that there is more to this complicated decision than the aspects that I’ve covered here, including content on the scope of the so-called “investigations exemption.” Ultimately, the employer was not able to establish that it was properly authorized to use the e-mails for either its employment-related purpose or its (secondary) administrative purpose.

Order P2012-06 (Alberta OIPC, 12 September 2012).

Hat tip to Barbara McIssac, who is now blogging with a team of BLG lawyers at The Law of Privacy in Canada Blog. Welcome to the blawgosphere!

Union does not get access to employer info for monitoring adherence to CA

On May 14th, Arbitrator Lanyon held that a union has no right to access employer records for the purpose of monitoring adherence to a collective agreement unless the right is contained in the collective agreement itself. He distinguished British Columbia and Ontario case law that establishes a right of access to bargaining unit member contact information that flows from a union’s representational rights, stating:

I conclude that the Millcroft and P. Suns lines of authority apply specifically to the provision of contact information; for example, the names and addresses of employees. However, these decisions cannot be read to compel an employer to provide information whose sole purpose is to assist the union in monitoring the terms and conditions of the collective agreement. Therefore, the B.C. Labour Relations Code does not compel employers to disclose documents whose whole purpose is to assist the union to monitor provisions of the collective agreement outside the grievance/arbitration procedure. If there is such an obligation on an Employer it must be found within the terms of the collective agreement.

In this case, Arbitrator Lanyon held a teachers’ federation had no right to information about occasional teacher assignments under its agreement with a school board. It’s not clear why this analysis was necessary, but Arbitrator Lanyon also held that individual privacy interests weighed against disclosure.

Mount Arrowsmith Teachers’ Association and School District 69 (Lanyon, 14 May 2012).

Acceptable use policies – answers to ten common employer questions

I’ve been doing substantial work on employer acceptable use policies lately and would like to publish a draft Q&A for feedback.

If you have feedback please comment or send me an e-mail.

Dan

1. What should employers do today to ensure their acceptable use policies effectively manage the implications of personal use?

In light of recent developments, employers should ensure that their acceptable use policies (1) articulate all the purposes for which management may access and use information stored on its system and (2) make clear that engaging in personal use is a choice employees make that involves the sacrifice of personal privacy.

2. What are the most common purposes for employer access?

Consider the following list: (a) to engage in technical maintenance, repair and management; (b) to meet a legal requirement to produce records, including by engaging in e-discovery; (c) to ensure continuity of work processes (e.g., employee departs, employee gets sick, work stoppage occurs); (d) to improve business processes and manage productivity; and (e) to prevent misconduct and ensure compliance with the law.

3. How should employers describe the scope of application of an acceptable use policy?

Acceptable use policies usually apply to “users” (employees and others) and a “system” or “network.” To effectively manage employee privacy expectations, policies should make clear that devices (laptops, handhelds…) that are company owned and issued for work purposes are part of the system or network even though they may periodically be used as stand alone devices.

4. Should employers have controls that limit access to information created by employees even though they don’t want to acknowledge that employees can expect privacy in their personal use?

Access controls are an important part of corporate information security. Rules that control who can access information created by employees (e.g., in an e-mail account or stored in a space reserved for an employee on a hard drive) are, first and foremost, for the company’s benefit. Access controls should be clearly framed as being created for the company’s benefit and not for the purpose of protecting employee privacy.

5. How should passwords be addressed in an acceptable use policy?

Password sharing should be prohibited by policy. Employees should have a positive duty to keep passwords reasonably secure. An acceptable use policy should also make clear that the primary purpose of a password is to ensure that people who use the company system can be reliably identified. Conversely, an acceptable use policy should make clear that the purpose of a password is not to preclude employer access.

6. Does access to forensic information raise special issues?

Yes. Acceptable use policies often advise employees that their use of a work system may generate information about system use that cannot readily be seen – e.g., information stored in log files and “deleted” information. It is a good practice to use an acceptable use policy to warn employees that this kind of information exists and may be accessed and used by an employer in the course of an investigation (or otherwise).

7. How should an employer address the use of personal devices on its network?

Ensuring work information stays on company owned devices has always been the safest policy, though cost and user pressures are causing a large number of organizations to open up to a “bring your own device” policy. Employers who accept “BYOD” should use technical and legal means to ensure adequate network security and adequate control of corporate information stored on employee-owned devices. For example, employers may require employees to agree to remotely manage their own devices as a condition of use and with an understanding that they will sacrifice a good degree of personal privacy.

8. Should an acceptable use policy govern the use of social media?

Only indirectly. An acceptable use policy governs the use of a corporate network. A social media policy governs the publication of information on the internet from any computer at any time. In managing social media risks, employers should stress that publications made from home are not necessarily “private” or beyond reproach, so putting internet publication rules in an acceptable use policy sends a counter-productive message.

9. Should employers utilize annual acknowledgements?

Annual acknowledgements are not a strict requirement for enforcing the terms of an acceptable use policy but are helpful. The basic requirement is to give notice of all applicable terms in a manner that allows knowledge to be readily inferred in the event of a dispute. “Login script” with appropriate warning language is also common and helpful. Nowadays, a good login script will say something like, “If you need a confidential means of sending and receiving personal communications and storing personal files you should use a personal device unconnected to our system.”

10. Are there special concerns for public sector employers?

Most public sector employers in Canada are bound by the Canadian Charter of Rights and Freedoms and by freedom of information legislation. Many have workforces that are predominantly unionized. The guidance to public sector employers on their acceptable use policies is no different than to employers in general, but the need to manage expectations that employees may derive from personal use is particularly strong for public sector employers given the legal context in which they operate.

Ontario Biometric Timekeeping System Jurisprudence now Strongly Favours Employers

On August 29th, another Ontario labour arbitrator dismissed a biometric timekeeping system grievance. Arbitrator Susan Tacon dismissed the grievance on some rather strong evidence adduced by the employer, but did make the following general comment about the very conservative IKO Industries case (which the Ontario Superior Court of Justice – Divisional Court upheld as reasonable):

With respect, I also do not find the reasoning in IKO Industries, supra, compelling. The standard for establishing an “invasion” of privacy is set so low and the business rationale must be so critical to the company that no other system is possible. The test really espoused in IKO Industries, supra, is that any infringement of privacy, however minor, will outweigh a legitimate business rationale which is not essential to the continued operation of the company. In my view, that approach undermines the concept of proportionality, unduly weakens the management rights clause in practical terms and is not consistent with the weight of the arbitral jurisprudence. In any event, for reasons which will be given infra, the decision is distinguishable on the facts.

The weight of arbitral authority in Ontario now strongly favours the adoption of biometric timekeeping systems provided the chosen system has a number relatively common security features to protect against misuse and secondary use of biometric data and provided the chosen system does not invite a violation of any uniquely restrictive collective agreement terms. Employers who run through the security-related considerations with a checklist-like tool and seek input from counsel on the effect of their collective agreements will gain a very strong appreciation of the risks associated with adoption. In many cases, employers will be safe to proceed.

Gerdau Ameristeel v. United Steelworkers, Local 8918 (Biometric Scan Grievance), [2011] O.L.A.A. No. 405 (Tacon) (QL).

Ontario Arbitrator Okays Collection of Driver’s License Numbers for Driving Safety Program

On May 11th Arbitrator David McKee held that an employer could collect driver’s license numbers to check the driving records of employees who drive personal vehicles in the course of their duties.

Arbitrator McKee had previously allowed the employer to conduct driving record checks on employees who drive company owned vehicles. In this decision, he holds that it is reasonable to conduct the same check on employees who drive personal vehicles in the course of their duties (and who are reimbursed by the employer for doing so) regardless of the extent to which they actually drive. Arbitrator McKee bases his conclusion on a contextual balancing of interests that stresses the following factors:

  • the information at issue (the DL number and information in the driving record) is “not extraordinarily sensitive”
  • the employer had taken steps to protect employee privacy in administering the program (i.e., by using an external service provider to conduct the check and only receiving driving record information for a class of “high risk” drivers)
  • the employer established a legitimate, albeit general, interest in promoting safe driving and a safety-conscious public image
  • the employer did not discipline employees with bad driving records but, rather, used the information to mitigate risk through training and management

Arbitrator McKee’s approach is pragmatic. Citing Justice Whitaker’s recent Jones v. Tsige decision, he says, “There is no legal doctrine that gives a particular weight or priority to everything that can be characterized as a privacy right.”

Union Gas Ltd. v. C.E.P., 2011 CarswellOnt 7295.

Administrators Have No Place in the Bedrooms of Plan Members

When a pension plan member divorces his or her spouse, often the accrued pension benefits are the single largest family asset.  H0w a pension benefit is divided varies by jurisdiction, with some jurisdictions entitling the former spouse to all of the benefits accrued during the period of marriage.  What’s more is that some jurisdictions allow former spouses to “unlock” the divided interest prior to the member’s retirement, rather than requiring the monies to continue to be used only for pension benefits.

But what happens when a couple decides they want to access the accrued pension benefits and are willing to go through with a divorce to get access?  What if the couple just happens to reconcile shortly after the benefits have been transferred?  Can an administrator investigate and question the validity of the divorce?  Apparently not.

In 2009, Continental Airlines filed a lawsuit against nine of its pilots claiming that the pilots filed fake divorces in order to receive early distribution of their pension benefits.  Many of the pilots continued to cohabitate with their ex-spouses, and in many instances they did not inform any of their family or friends that they had gotten a divorce.  Continental sought restitution to the pension plan of the benefits that were distributed to the spouses on the basis that the divorces were “shams”.  The trial court dismissed Continental’s claim, holding that Continental did not have the right to investigate employees’ divorces in order to decide whether those divorces were authentic.

The 5th U.S. Circuit Court of Appeals recently dismissed Continental’s appeal of the lower court decision.  The Court of Appeal agreed with the lower court that the relevant legislation (ERISA) does not authorize an administrator to consider or investigate the subjective intentions or good faith underlying a divorce.  On the contrary, the legislation requires benefits be divided in satisfaction of a qualifying marriage breakdown order that has met the necessary prescribed criteria, of which the divorce being done in good faith is not a factor.  Therefore, the administrator could not interfere by investigating the bona fides of the divorces.  Only where a court finds that a divorce is, in fact, a sham could an administrator refuse to pay out the divided pension.

Counsel for the pilots are championing the decision as a victory for employee privacy rights, given the restrictions on administrator’s abilities to investigate plan members’ family relationships.