Data privacy on work devices
By John Hyde
Can employees continue to expect reasonable privacy?
By John Hyde
EDITOR’S NOTE: ‘Grey Zone: Not all employment law is black and white’ is a weekly series, in partnership with John Hyde of Hyde HR Law in Toronto. This series takes a deeper look at issues in which senior workplace leaders and HR professionals need to consider legal implications.
Recently and suddenly, it has become normal to work, shop, communicate, run errands and entertain ourselves — all without leaving the house.
For better or worse, this means that our devices have now become the main conduit through which we live our lives. Much, if not most, of this occurs on phones and computers belonging to employers.
This raises questions about who has the right to access this information.
Employers can — fairly easily — monitor nearly all of the information that flows through their employees’ work devices.
Many people mistakenly assume that the law places clear limits on employers’ ability to do so. This is not the case: for the most part, digital eavesdropping by employers remains legally suspect, but untested.
More and more, employees are complaining their privacy rights have been violated by their employers’ digital surveillance: snooping on personal e-mail accounts, monitoring web activity — even tracking location data.
The thing is, despite rising tensions, the laws haven’t moved substantially as it relates to the issue.
We may be on the cusp of change.
General right to privacy
In Ontario, no written law exists governing employees’ general rights to privacy vis-à-vis their employers.
Rather, every individual has a common-law right to privacy where it is “reasonable” to expect it.
As of 2014, the Ontario Court of Appeal confirmed that individuals can sue for damages where an invasion of their privacy would be considered “highly offensive,” causing “distress, humiliation or anguish.”
Reasonable expectation of privacy on work devices
Historically, an employer’s ability to monitor employee work devices was, more or less, absolute.
In 2009, the Alberta Court of Appeal bluntly stated that “the workplace is not an employee’s home; and employees have no reasonable expectation of privacy in their workplace computers.”
More recently, courts have acknowledged at least some expectation of privacy on work computers, where employees are permitted personal use.
In 2012, the Supreme Court of Canada acknowledged that computers — including work computers — are used for personal purposes, and may contain the details of our financial, medical and personal situations, and “highly revealing and meaningful information” about an individual’s personal life.
An employee’s expectation to privacy on a work device, it held, is “reasonable” but “diminished.”
Extent of employee privacy
Following the Supreme Court’s tepid endorsement of employees’ digital privacy, other court decisions to date have adopted a very restrained approach to employees’ digital privacy rights.
In a recent B.C. case, an employee had been dismissed based (in part) on private e-mails that she had exchanged with her mother. A co-worker discovered the e-mails when using the employee’s work computer to access old payroll tax reports.
The court held that the e-mails did not justify the employee’s dismissal. However, it did not find the employer liable for breaching the employee’s privacy. According to the court, even though the employee “likely” wanted the email exchange to remain private, her expectations in that regard were not “reasonable.”
Among other things, the computer belonged to the employer; the employer had not told the employee that her activities on that computer would be private; and the employee had been “very relaxed” with her security, having left the computer unlocked and her passwords unguarded.
In a subsequent case, a fired employee’s claimed damages for her employer’s “intrusion upon seclusion” was dismissed. The employer had downloaded files from an employee’s personal iCloud account while searching her computer, and then circulated some of those files internally.
The court held that the employer was not liable for damages for breach of the employee’s privacy, in part because the download had happened “unintentionally.”
Consequences and takeaways
The consequences for employers who are in breach of employees’ privacy rights remain unclear, as courts are still working out the specifics of the law in this area.
Arguably, an employer who seriously violates an employee’s reasonable expectation of privacy can be sued for wrongful dismissal and tort damages. Short of egregious conduct however, the specific consequences for violating employees’ rights to digital privacy are unclear — there may not be any at all.
Employees, in turn, should know that privacy is not a good defence for improper behaviour.
In R. v Cole, the Supreme Court permitted the criminal prosecution of an employee based on evidence surreptitiously gathered from his work computer — even though the employee’s constitutional rights had been violated by the search.
It is unclear what protection — if any — the “reasonable” but “diminished” expectation of privacy on work computers provides, where there is a question of employee wrongdoing.
As of yet, the courts have provided only a very rough outline of employee privacy rights on work devices.
Until there is clarity — either through the courts or the legislature — the only way to avoid being sidelined by the “grey” is to have up-to-date workplace policies relating to work devices.
John Hyde advises management on all aspects of employment and labour law, including representation before administrative tribunals, collective agreement negotiation, arbitrations, wrongful dismissal defence and human rights.