Quick Guide for IT Personnel: Understanding Employee Privacy on Company-Owned Devices
In today's digital work environment, companies have more tools than ever to boost productivity and efficiency. However, this shift also brings important questions about employee privacy, especially regarding information on company-owned devices.
Many employers and IT personnel believe that if they provide employees with a company-owned device (COD), employees should not have an expectation of privacy on that device. In other words, any activity taken on the COD or any information stored on the COD is fair game for the company to view and own. This is a mistaken assumption. Business and IT personnel who are not familiar with what a “reasonable expectation of privacy” is, and who operate under this assumption, can put the company at risk of a privacy breach.
Understanding the legal aspects and potential risks is essential as businesses develop monitoring practices. This article will help employers and IT staff navigate the complexities of employee privacy in Canada, with practical examples and steps to protect your business while respecting employee rights.
When is a Reasonable Expectation of Privacy Justified?
Determining whether an employee has a reasonable expectation of privacy on company devices is a fact-specific analysis, often guided by legal precedents:
When Employees May Have a Reasonable Expectation of Privacy on COD
To start our analysis of when employees have a reasonable expectation of privacy, we must begin with the seminal Supreme Court of Canada case of R. v. Cole. In this case, a school computer technician remotely accessed the hard drive of Cole, a high-school teacher, and found sexually explicit images of underage students. Among other questions, the Supreme Court had to determine whether Cole had a reasonable expectation of privacy on the COD. The Supreme Court considered that, just as there is a reasonable expectation of privacy in the information contained in a personal computer, the same principle should apply to a COD if personal use of the COD is permitted or reasonably expected. However, the court acknowledged that the expectation of privacy is somewhat diminished in the case of a COD.
The Supreme Court considered Cole’s subjective expectation of privacy under the circumstances. It concluded that Cole’s subjective expectation of privacy could “readily be inferred from his use of the laptop to browse the Internet and to store personal information on the hard drive.” Further, his expectation was objectively reasonable in accordance with section 8 of the Canadian Charter of Rights and Freedoms, where individuals have a right to maintain control of their personal information from dissemination, including information that tends to reveal intimate details of the lifestyle and personal choices of the individual. Given the type of explicit materials saved on the COD, it was more likely that Cole had an expectation of privacy.
Additionally, the school’s policies and practices permitted Cole to use the COD for personal purposes, which tilted the scale further towards a reasonable expectation of privacy. However, because Cole did not have exclusive control over the COD, this weighed against him, although not enough to prevent the Supreme Court from ultimately determining that Cole had a reasonable expectation of privacy.
This case tells us that although ownership of a device is a relevant consideration, it is not a determinative one. Where personal use is permitted on a COD, an employee is entitled to an expectation of privacy on the COD and is afforded Charter protection.
An Expectation of Privacy on COD When Information is Stored on the Cloud
In the landmark case of York Region District School Board v. Elementary Teachers’ Federation of Ontario, the Supreme Court ruled that Ontario public school board teachers are protected from unreasonable search and seizure in the workplace under the Charter. This decision underscores the importance of respecting employee privacy, particularly when information is stored on public clouds.
The case arose when two teachers recorded their private communications regarding workplace concerns on a shared, password-protected log stored in the cloud. The school principal accessed this log without the teachers' consent by taking screenshots of their private communications on the teacher’s school-owned laptop. The laptop was open, and the documents were visible. These communications were then used to issue written reprimands to the teachers. The teachers' union filed a grievance, arguing that the search violated their right to privacy at work. The Supreme Court ultimately sided with the teachers, emphasizing that the Charter applies to public school boards and that the principal's actions constituted an unreasonable search under section 8 of the Charter.
This ruling has significant implications for employers. It highlights that employees have a reasonable expectation of privacy, even when using a COD. Employers must recognize that accessing personal information stored on public cloud services without consent can be deemed unreasonable and a violation of privacy rights.
When There is No Right to an Expectation of Privacy on COD
In a more recent BC Supreme Court case, TeBaerts v. Penta Builders Group Inc., a co-worker used the plaintiff’s computer to access old payroll tax reports. In doing so, the co-worker came across an email exchange with the plaintiff’s mother, who also worked for the company, about a new employment opportunity. This was among the reasons the plaintiff was dismissed with cause. One of the questions before the BC Supreme Court was whether the employee was entitled to a reasonable expectation of privacy, in which case the employer would have committed a breach of privacy and been liable for damages to the employee.
The Court did not believe the employee had a reasonable expectation of privacy for the following reasons: (a) the information was found on a COD; (b) the employer did not have policies in place outlining limited access to computers; (c) the security measures in the workplace were “very relaxed,” and it was common for employees to leave their computers unlocked and passwords not closely guarded. In other words, there was no privacy culture to create an expectation of privacy. (Side note: a lack of a privacy or security culture can of course create significant risks of its own, but that was not the question before the court.)
Although the employee wanted her email communication with her mother to be private, the Court was not convinced, given the circumstances, that this expectation was reasonable.
This case shifts the expectation of privacy in the workplace to a diminished level. The Court emphasized that employees do not have an absolute right to privacy in the workplace, even if they want their email or other files to remain private. It’s important to note that this case does not suggest that the absence of policies will result in employees forfeiting their expectation of privacy. To the contrary, Cole suggests otherwise. The Court took the context in its entirety to determine that the employee did not have a reasonable expectation of privacy.
Actionable Advice To Protect Your Organization and Minimize Privacy Expectations
An organization can protect itself from employee privacy claims by being transparent about its monitoring practices and keeping the purpose of monitoring to what is reasonable under the circumstances. Organizations should take the following steps to protect themselves:
Develop and Implement Clear and Comprehensive Policies
· An Electronic Employee Monitoring Policy (EEM Policy) should outline whether monitoring occurs, how, when, and for what purposes. This policy should cover all forms of electronic monitoring, including email and internet usage, software, GPS tracking, and video surveillance. It should also outline why you are monitoring employees (e.g., security purposes, productivity purposes, disciplinary purposes) and the possible consequences of monitoring for workers.
· An Acceptable Use Policy should clearly outline the permitted use of CODs by employees and the employer's access to and monitoring of these devices. These policies must inform employees of the specific circumstances under which the employer will access information on CODs or the company network. The policy should state that any information transmitted over the company network remains the property of the employer. Personal use should be prohibited; if it is nonetheless permitted, clearly advise employees that they should not expect the same level of privacy as they would on their personal devices and networks. Encourage employees to use personal devices and networks for sensitive personal communications if they wish to maintain a higher degree of privacy.
Although these policies do not guarantee that monitoring or reviewing employee personal information will always be deemed reasonable, they are an important factor to consider. Ensure the policies are clear, unambiguous and easily accessible to all employees, preferably presented at the time of job offer and upon commencement of employment. Obtain acknowledgment of receipt and understanding from employees. Also, regularly review and update these policies to reflect changes in technology and legal requirements.
Limit the Collection of Personal Information
Only collect employee data that is necessary for specific, legitimate business purposes. Avoid collecting excessive or irrelevant information "just in case." Ensure that the monitoring implemented is the least privacy-invasive method to achieve the desired business objective.
Obtain Express Consent When Necessary or Advisable
For monitoring that goes beyond typical work-related activities or involves highly sensitive personal information (e.g., biometric data, audio recording in private areas), consider obtaining explicit consent from employees. Be aware that even with consent, the collection, use, and disclosure must still be for appropriate purposes and comply with legal requirements.
Conduct Privacy Impact Assessments (PIAs)
Before introducing any new technology or monitoring capabilities that involve the collection, use, or disclosure of employee personal information, conduct a PIA to identify and mitigate potential privacy risks.
Implement Robust Security Safeguards
Protect collected employee data with appropriate physical, organizational, and technological safeguards to prevent unauthorized access, disclosure, use, or loss. Also, limit access to employee data on a need-to-know basis.
Train IT Personnel
Educate IT personnel on privacy laws, organizational policies, and the importance of implementing and maintaining privacy-protective measures.
By proactively addressing employee privacy concerns through clear policies, transparent practices, and a commitment to respecting legal obligations, organizations can mitigate the risk of privacy claims and foster a more trusting and productive work environment in the digital age.