I spent most of the day today at the Canadian Institute’s Meeting Your Privacy Obligations conference. It was a very good show, and I managed to catch great presentations by Frank Work, Robin Gould-Soil (of TD Financial Group) and David Fraser. I did a “hot issues” style presentation on workplace privacy. Two thirds of the content is refined from the slides I posted yesterday, but there’s an additional part on background checks. Notes are in the slides over at Slideshare.
I presented at Insight’s Social Media – Risks & Rewards conference this morning on two narrow issues related to employee use of social media technology and privacy – monitoring workplace systems for misuse (a favorite, as you know) and the right of an employer to control employee “off duty” publication. The audience seemed sophisticated, and I regret that I couldn’t stay. Thanks to the audience for the discussion and the organizers for the invite. Slides are below, with slides and notes over at Slideshare.
On January 27, 2010 I’ll be giving a presentation entitled “Everything You need to Know About Workplace Privacy” at the HRPA’s 20X Annual Conference and Trade Show.
I designed the presentation today around the following topics:
- Employee privacy rights – the patchwork quilt
- How to run an internet background check
- Why and how your acceptable use policy needs to change
- Yes, you can transfer that data to the U.S., but…
- How to manage the risk of communicable diseases in the workplace
I’m looking forward to the opportunity to touch on these hot issues and have also left lots of time for questions. If you’re an HR professional who’s attending the conference please consider joining my session.
On July 4th, Arbitrator Craven partially upheld a policy grievance which challenged the expansion of an employer’s in-plant video surveillance system but nonetheless gave a strong endorsement to the employer’s purpose for using video surveillance.
The grievance was about the expansion of a system video cameras in a meat packing plant. The system featured un-monitored, high resolution cameras, some of which were fixed on work areas. It recorded digital images which were retained as long as disk space permitted and apparently not based on a fixed retention period.
Although there was some ambiguity about the purpose of the system, Aribitrator Craven ultimately found that the purpose of the system was, “to investigate plant security, industrial discipline and food safety incidents that come to the Employer’s attention by other means than monitoring the video in real time or viewing or sampling the recordings.” He held this investigatory purpose was legitimate. He also made clear that the employer was not using the cameras to “systematically collect information about employees or to identify occasions for discipline.”
Arbitrator Craven’s distinction between using cameras to support an investigation and using cameras to monitor is strong. He suggests that an investigatory purpose is more likely to be upheld as a legitimate exercise of management rights and less likely to be objectionable because of its intrusiveness. On the intrusiveness issue, he explains:
Indeed, it is a misnomer to describe what the camera system does as ‘observation’ at all. It merely optically, mechanically and electronically collects, transmits and records digital information which does not constitute ‘observation’ until a human observer views the displayed or recorded images. If the cameras continued to operate but no-one viewed the images, we might still describe what was happening as ‘surveillance,’ but surely not as ‘observation.’ It is the potential for observation, not its inevitable realization, that underlies the weak analogy between camera and supervisor. (Compare the characterization of electronic surveillance as ‘inhuman’ (page 30) and indeed ‘fundamentally anti-human (page 29) in Re Puretex Knitting Co. Ltd. and Canadian Textile and Chemical Union (1979) 23 L.A.C. (2d) 14 (Ellis).)
As the Union presents its case, the main argument to the intrusiveness of the video surveillance sys-tem is its capacity for monitoring employees, whether in real time or by systematic subsequent review of the recordings. I accept the Employer’s evidence that it does not monitor employees.
Arbitrator Craven focuses on the use of the cameras rather than their mere presence. Not surprisingly then, he was uncomfortable about the lack of:
- policy-based restrictions on the use of data (i.e. about the risk of “scope creep”);
- the absence of a formal data retention rule; and
- (most interestingly) the absence of rules governing union access to data.
Based on a separate finding that the employer had breached a technological change provision in its collective agreement by not engaging in discussions with the union when it expanded the system, he ordered the employer to meet with the union to engage in discussions, implying that the parties should deal with his concerns by way of mutual agreement.
Cargil Foods, a Division of Cargill Ltd. v. United Food and Commercial Workers International Union, Local 633 (Privacy Grievance),  O.L.A.A. No. 393 (Craven) (QL).
On September 24th the Office of the Information and Privacy Commissioner for British Columbia held that the University of British Columbia violated the British Columbia Freedom of Information and Protection of Privacy Act by conducting a “reasonable grounds investigation” of an employee’s personal computer use.
The employee, an engineering technician, had a history of productivity problems. Although the University adduced evidence that it was managing the
employee’s performance, the complainant countered with evidence that he used his computer for non-work-related purposes openly and that and that the University tolerated this. The University’s acceptable use policy also allowed for “incidental personal use” within some restrictions.
The University decided to investigate the employee’s computer use after receiving a complaint about the his untimely service. It started by collecting the log file that listed websites visited. This showed a significant number of non-work-related websites, so the University then used software (spyware) to collect data that allowed it to identify the period of time the grievor spent on non-work-related sites. The spyware also captured screen shots in two minute intervals and, as a result, captured the employee’s personal correspondence, his bank account number and other information about his personal finances.
The adjudicator held that the University was not authorized to collect the log file, the more detailed information collected by the spyware and the screenshots. Her decision is significant for three reasons.
First, the adjudicator applied the contextual necessity test recently articulated by Commissioner Loukidelis in Order F07-10 (my report here). In this test, necessity is assessed in the entire context and in light of the privacy-protective purpose of the Act. In discussing this test, the adjudicator held that an employer must not necessarily exhaust all less intrusive means of meeting a legitimate objective to meet the necessity test, but that this is one factor to consider in the analysis.
Second, the adjudicator’s reason for finding that the collection of screen shots was violative rules out the collection of screen shots as an investigatory tool unless the content of the websites is the basis for the investigation – e.g. for pornography investigations. She said:
Information which reveals the complainant’s specific activities on non-work related websites is not, in this case, directly related to UBC’s human resources activities. As UBC notes, this is not a case involving an allegation that an employee accessed inappropriate material on the internet. The specifics of the complainant’s banking transactions, or his personal correspondence, are not relevant to any program or activity of UBC’s. The GESS Report, therefore, has some information that is relevant to managing the complainant’s employment, and some information which is not.
Third, in finding it was not necessary for the University to collect the log data and information about the amount of time the employee spent on non-work-related sites, the adjudicator relied heavily on the University’s permissive approach to personal use. In light of this approach, she held that the next necessary and reasonable step would have been to put the employee on notice of his misconduct rather than conduct surreptitious surveillance.
It is difficult to understand how the surreptitious collection of information about an employee’s internet use can be necessary in the absence of any attempt to question the employee about his activity, especially when the supervisor was aware of that activity and the complainant knew the supervisor was aware of it.
While it would be easy to frame this case as a message to employers about the harms of condoning personal use, there may be more to it than first meets the eye. This is because the foundations of workplace computer use are arguably changing. Not only are the internet applications used in day-to-day living more pervasive, the rise of “Web 2.0” is starting to blur the line between personal use and business use. One may also argue that employees in some sectors (especially professionals) are spending more and more of their waking day working. So can the reasonable employer afford to do anything but condone personal use? And what does this do to the idea, accepted widely in the existing case law, that an employee should have no expectation of privacy on a work computer system? This case may signal a next wave in workplace monitoring litigation in which some of these questions will be raised and answered.