I spoke today at the Schedule 2 Employers’ Group virtual speakers series about privacy and the pandemic. It was a good chance to describe all of the ways we use information to manage the risk of workplace exposure to COVID-19. We looked closely at the major information flows – screening, location tracking, exposure notification – and I even did a little riff on defense in depth. Slides below for your viewing pleasure.
I’ve done a fair deal of enjoyable work on matters relating to a union’s right of access to information – be it under labour law, health and safety law (via union member participation in the health and safety internal responsibility system) or via freedom of information law. Today I had the pleasure of co-presenting to the International Municipal Lawyers Association on the labour law right of access with my colleague from the City of Vaughan, Meghan Ferguson.
Our presentation was about how the labour law right has fared against employee privacy claims. In short, it has fared very well, and arguably better in Ontario than in British Columbia.
I don’t believe the dialogue between labour and management is over yet, however, especially as unions push for greater access at the same time privacy sensitivities are on the rise. The advent of made-in-Ontario privacy legislation could be an impetus for a change, not because it is likely to provide employees with statutory privacy rights as much as because the new legislation could apply directly to unions. So stay tuned, and in the interim please enjoy the slides below.
As the gig economy rises, work for more than one employer is becoming more common, and work across multiple employers has been common in the health care sector for some time. What, then, is an employer to do if its employee has taken sick leave but may be working for their other employer? Can the employer simply ask the other employer if the employee is at work?
There are some discipline cases in which unions have not challenged such questioning and others in which employers have asked for employee consent to make the inquiry. Last July, Arbitrator Brian Sheehan of Ontario entertained and dismissed what I believe to be the first privacy breach allegation on point, though he did so in quite a qualified manner.
The employer’s inquiry was apparently based on a mere suspicion. Mr. Sheehan explained, “For Ms. Valentin, the grievor’s relatively significant level of absenteeism, in addition to Ms. Valentin’s perception that there was a pattern of the grievor being absent from work on days before or after her scheduled days off was suspicious.”
To aggravate the situation, when the employer called the other workplace it received the information it was seeking plus some editorial – that the grievor’s “attitude stinks.”
Mr. Sheehan nonetheless declined to find a privacy breach. He said:
As to the Union’s privacy argument, factually, I do not find that claim particularly compelling. Based on the Employer’s understanding of the facts as of September 2014, it had, in my view, a reasonable basis to investigate the grievor’s work history at Villa Leonardo. The Union’s primary complaint was that the Employer should have initially sought to obtain the information from the grievor. On this point, while as previously noted the grievor was fairly forthcoming with respect to her work history at Villa Leonardo, she was in fact mistaken as to her work history in relation to some of the days in question. At the same time, the Employer arguably should have followed the approach in the Province of Alberta, supra, case and sought the grievor’s consent to obtain the relevant documentation from Villa Leonardo.
At the end the day, however, the extent of the nature of the invasion of the grievor’s privacy relates to the Employer asking a third party the work history pertaining to the grievor. Seeking such information is definitively on the lower end of the spectrum of the privacy interests of an individual that warrant protection, and that interest is far removed from the surreptitious electronic surveillance that was in dispute in the cited Domain Forest Products, supra, and Ebco Metal Finishing Ltd., supra, cases. In this regard, any breach of the grievor’s privacy interest was, in my view, de minimis in nature; such that, I am not inclined to issue any sort of declaration or sanction.
This is best understood as a discouragement to employers, without an actual finding based on an application of the de minimis non curat lex principle: the law will not concern itself with trifles.
No arbitrator is bound to follow another arbitrator, but employers can take some comfort in this award. If they have a reason not to ask for consent (and are prepared to articulate it if challenged) they may decide to unilaterally seek information from another employer about whether an employee was or was not at work during a period of time. The risk of liability is low.
On April 27th, Arbitrator Knopf ordered that $3,000 in damages be paid to a grievor for breach of privacy and harassment because:
- the grievor’s personnel file contained an inexplicable notation that the grievor advised his supervisor that he injured his penis while cooking nude at home; and
- the employer contacted the grievor’s doctor to confirm the doctor’s signature without justification and without consent.
Ms. Knopf said that these claims were “serious enough to warrant damages, buy they were not profoundly damaging to [the grievor’s] reputation or harmful to his privacy, nor did they have a negative impact on his benefit claims, status in the workplace or reputation in general.”
Arbitrator Stout’s April 28th decision has received ample coverage, but I’d like this site to be a relatively complete repository of privacy damages awards. Mr. Stout ordered an employer to pay $25,000 in general damages after a supervisor disclosed an employee’s visual disability to three other employees after learning of the disability in a prior arbitration proceeding. The supervisor apologized orally and in writing, which presumably mitigated the breach. He did not testify, however, and Mr. Stout inferred that the disclosure was undertaken as retaliation for the outcome of the prior arbitration, a significant aggravating factor. The grievor also suffered distress that required him to undergo medical treatment and the employer “did very little” to remedy the breach in its response (e.g., discipline on the supervisor).
On November 12th, British Columbia labour arbitrator Stan Lanyon dismissed a policy grievance that challenged the implementation of a video surveillance system in an equipment production and maintenance plant.
Surveillance cases are driven by their facts, but Arbitrator Lanyon did dismiss a union argument that overt and covert surveillance are equally invasive: “covert surveillance is more a more egregious violation of privacy because it is capable of causing more distress, anguish and embarrassment.”
As significantly, he held that surveillance systems can be justified without evidence of “a past history of serious breaches of safety, or security issues.”
Finally, Arbitrator Lanyon recognized a difference between using cameras for disciplinary (or supervisory) purposes and using video surveillance footage in the investigation of incidents. This distinction is not clearly drawn in some case law (and employer policies), but is important.
Those interested in privacy damages decisions should note this March 21, 2014 arbitration decision that just came to my attention. In it, an arbitrator awarded $1,750 to each employee affected by an employer’s admittedly wrongful sniffer search of a remote work camp. He also awarded $2,250 to an employee affected by a false positive and who testified to the strain that the event cause him. Here is the core of the reasoning:
The effect of the Employer’s violation of privacy rights on employee health, welfare, social, business or financial positions in the present case may be viewed as negligible, particularly given that, by the end of the day in question, every employee knew they were not in any trouble as a result of the search. There were, however, no doubt some lasting effects given that the trust relationship between the Employer and employees was violated, and the Employer did not make acknowledgment of any wrongdoing for a period of over two years subsequent to the violation. Unlike the situation considered by Arbitrator Sims, there was no timely admission of error or apology aimed at rectifying the mistrustful environment caused by the Employer’s improper search.
In the present case the Employer did nothing up until Counsel’s opening statement at these arbitration proceedings that would have served to calm “the employees’ anxieties over the Employer’s attitude towards their right to privacy”, and employees were for a very lengthy period of time left with the impression that Manager Billingsley conveyed at the demonstration to the effect that the Employer was not only unapologetic, but that it had every right to enter and search residences without notification or the presence of its occupants. Further Manager Annibal’s evidence at these proceedings did not include an unequivocal admission that employee privacy was violated, and he left it open as to whether such was the case when he stated he was “sorry if he violated anyone’s privacy.” Despite the opening statement made at these proceedings by Counsel for the Employer over two years after the unlawful incident occurred, little of sincere substance was conveyed to quell the distress and annoyance suffered by the employees as a result of the improper search.
Another factor in the present case that bears on the matter of appropriate remedy is the previous settlement in 2005 between parties on the precise topic of Employer searches without reasonable cause. As a result of this settlement it would be reasonable to conclude the Employer was attuned to the matter of employee privacy rights and unreasonable searches. The Union and its members had a right to rely on the substance of this settlement agreement as protection against further searches without reasonable cause.
I accept the circumstances of the present case warrant an award of damages in the amount of $1,750 to each employee covered by the grievance except Mr. Moretti, who is entitled to $2,250. For clarity, employees are entitled to the damages whether or not they were scheduled to be at Kemano during the week the search occurred. The circumstances do not warrant the cease and desist order sought by the Union.
Note the emphasis on the lack of an early, genuine apology.
Rio Tinto Alcan and Unifor, Local 2301 (Kemano), Re, 2014 CarswellBC 4251.
Today, the Office of the Information and Privacy Commissioner for British Columbia held that the District of Saanich breached the British Columbia Freedom of Information and Protection of Privacy Act by installing endpoint monitoring software on employee workstations.
The District’s plan was not well conceived – apparently arising out of a plan to shore up IT security because the District’s new mayor was “experienced in the area of IT.”
The District installed a product called Spector 360 – a product billed as a “comprehensive user activity monitoring solution.” This is software that enables the collection of detailed data from “endpoints” on a network. It is not intrusion detection software or software that helps analyze events across a network (which the OPIC noted is in use at other British Columbia municipalities).
The District enabled the software on 13 workstations of “high profile users” to capture a full range of endpoint data, including screenshots captured at 30 second intervals and data about all keystrokes made. The purported purpose of this implementation was to support incident response, a purpose the OIPC suggested could only support an inadequate, reactive IT security strategy.
The OIPC held that the District collected personal information without the authorization it required under FIPPA and failed to notify employees as required by FIPPA. I’ll save on the details because the OIPC’s application of FIPPA is fairly routine. I will note that the OIPC’s position is balanced and seems to adequately respect institutions’ need to access system information for IT security purposes. It acknowledges, for example, that some limited data collection from endpoints is justifiable to support incident response. Not surprisingly, the OIPC does not endorse taking screen shots or collecting keystroke data.
On January 5th, Arbitrator Norman of Saskatchewan held that an employer breached its collective agreement by periodically deploying drug detection dogs to screen people entering its mine.
Arbitrator Norman held that the process intruded on a reasonable expectation of privacy based on evidence that the dogs would likely identify off-duty drug use. Though Arbitrator Norman characterized the search invited by a dog sniff as minimally intrusive (and less intrusive than the sampling of bodily substances), he nonetheless held that the employer’s safety-related process was unreasonable. He drew heavily from the Supreme Court of Canada’s Irving Pulp and Paper decision, stating:
The prior threshold stage in the justificatory argument limiting rights under the Charter sets the bar very high; calling for proof of a pressing and substantial objective demonstrably justifiable in a free and democratic society, for the challenged measure. Under ‘Charter values’ analysis, I take the threshold bar to have been set by Irving as “… evidence of enhanced safety risks, such as evidence of a general problem with substance abuse in the workplace.”
While many might agree with the outcome, this reasoning is questionable. The resolution of privacy issues call for a highly contextual balancing of interests. Irving speaks to a particular balance that relates to universal random drug and alcohol testing, a process Arbitrator Norman reasons is relatively intrusive; Irving establishes no “bar” to meet in implementing other safety measures in the workplace whether or not they are related to drug and alcohol use. Moreover, the reference above to the Oakes test is flawed; under a Charter analysis (if such analysis is necessary), the question of whether a search is an “unreasonable search” is distinct from the question of justification under section 1 and Oakes.
On December 4th, Arbitrator Andrew Sims ordered the Edmonton Police Service to pay a grievor $5,000 in damages for breach of privacy.
The case arises out of the Service’s handling of an intense interpersonal conflict between the grievor, a police detective, and his staff sergeant. The conflict led to a formal review in which the reviewing investigator recommended the grievor’s transfer to a new unit due to interpersonal problems, the responsibility for which was borne by the grievor and others. Before the Service addressed the recommendation, however, the grievor and his staff sergeant had an altercation.
The altercation invited an immediate decision to pursue the recommended transfer. Although the formal review had raised no concerns about the grievor’s mental health, when a superintendent met with the grievor to advise him of the transfer she became concerned about his mental health on account of his reaction.
The superintendent raised the need for a psychological assessment, which the grievor undertook grudgingly but voluntarily. While this assessment was pending the superintendent met with the department and implied that the grievor was mentally unwell, in essence conveying the same opinion that was the basis for the pending assessment. In the end, a psychologist determined the grievor was “psychologically intact and functional.”
Based on the following analysis, Arbitrator Sims ordered the Service to pay $5,000 in damages:
Had the Employer described to a work group a physician’s diagnosis of a co-worker, that it had obtained in its role as employer, disclosure would clearly be a breach of the employee’s right to privacy of their personal medical information. To anticipate a diagnosis, based only on personal observations, however genuine the concerns,and to discuss that in public, is just as serious a breach of privacy. Arrangements were underway to get the grievor assessed. Implying anything as to his state of health pending that assessment was inappropriate and unnecessary. The decision was made to transfer the grievor based on the problems he was having with his Staff Sergeant and the Unit Review. This was decided before the health concerns arose from the interview. Given that, there was really no need to go into whether the grievor had health issues at all. The emphasis on the grievors “H.R. issues” had the effect of adding undue emphasis to the suggestion that the broader issues in the unit, which were serious in themselves, were due to the grievor’s health issues. That too was unjustified given the more balanced assessment in the unit review itself. The grievor’s reputation amongst his peers, his need and ability to interact with them in future, and his sense of employment security were all impacted by the excessive commentary during this meeting. While I accept that the comments were made out of genuine (although to a significant degree unfounded) concern, they amounted to a breach of privacy and caused harm to the grievor’s privacy interests. Police officers are particularly dependent upon their reputation amongst their peers. Any suggestion of mental problems or unreliability can seriously hurt their working relationships and their careers. I find these breaches of privacy sufficiently serious to justify financial compensation which, based on a review of the authorities discussed above, I award at $5,000.