Workplace privacy: “People don’t understand”

No wonder then when Borden Ladner Gervais LLP recently ran a seminar on workplace privacy in Toronto in the wake of a much publicized Supreme Court of Canada ruling that has divided privacy lawyers over its significance, the turnout out was nearly twice as much as expected. “Privacy is on people’s minds,” says Robert Weir, an employment lawyer who led the seminar.  “People don’t understand it, don’t get it.”

The privacy legal environment in Canada is bewildering. Privacy is governed by a patchwork of privacy legislation, individual employment contracts, and Charter rights that have sought to strike the appropriate balance between employers’ rights to monitor employees and employees’ rights to privacy. What’s more, the nature and scope of protection given to an employee’s personal information varies according to the provinces; only Alberta, British Columbia, and Quebec have enacted privacy legislation. And while there is a fairly rich body of Canadian labour arbitration decisions on employee privacy rights on workplace computers, Canadian jurisprudence emanating from the appellate level is sparse, points out Daniel Michaluk, a leading privacy lawyer with Hicks Morley Hamilton Stewart Storie LLP.

That’s why all eyes were on the nation’s highest court. In a ruling hailed by some as significant and bemoaned by others for failing to provide the kind of clarity employers hoped for, the Supreme Court unanimously held in R. v. Cole 2012 SCC 53 that employees have a diminished, but reasonable, expectation of privacy in personal information stored on an employer-issued computer, “at least where personal use is permitted or reasonably expected.” While an employer’s ownership of a laptop, its workplace policies and practices, and the technology in place can diminish an employee’s reasonable expectation of privacy, it does not eliminate it, added the Supreme Court. “Whatever the policies state, one must consider the totality of the circumstances in order to determine whether privacy is a reasonable expectation in the particular situation,” wrote Justice Fish for the majority.

The ruling, however, fell short of meeting expectations. The Court’s expectation of privacy is principled and broad, providing no clear-cut guidelines that may help employers or employees to navigate the murky concept surrounding privacy. Or as Justice Fish put it: “I leave for another day the finer points of an employer’s right to monitor computers issued to employees.” Dean Dolan, vice-president, associate general counsel and privacy officer at Wal-Mart Canada Corp. said that privacy experts are a “little bit frustrated” because the SCC “didn’t dive in definitively to make a decision in the privacy area.”

Nevertheless, like other privacy lawyers, Dolan describes the ruling as an authoritative first step. Michaluk, who represented the Canadian Association of Counsel to Employers who were interveners in the case, concurs. Depicting the decision as an evolution in privacy law, Michaluk says the ruling is significant because the expectation of privacy in the workplace has been recognized. “It isn’t necessarily preclusive though because it is only the starting point, it is only a condition for making a privacy claim,” notes Michaluk. “The court said nothing about what employers can and cannot do despite that privacy claim.”

Indeed, though the Supreme Court found that employees have a diminished, but reasonable, expectation of privacy, it does not restrict management from acting in spite of that right. And that is viewed by privacy experts as a positive development for employers even though many will now have to face the fact that the simple “no expectation of privacy” disclaimer no longer holds true. “The old view that we give you a laptop and we can do whatever the heck we want is clearly not supported by the Supreme Court,” says Winnipeg privacy lawyer Brian Bowman, past chair of the Canadian Bar Association’s National Privacy and Access Law Section. “The ownership of the device is not in itself determinative in respect of accessing data on the devices.”

Where the issue becomes even more complicated is with the advent of a growing new trend that encourages, if not compels, employees to bring their own personal devices such as smart phones, tablets, and laptops to work to perform work-related tasks. Some 48 per cent of U.S. workers are allowed to use personal devices for work, according to the National Cyber Security Alliance and McAfee in an October 2012 report. In Canada that figures rests at 28 per cent, and is expected to top 35 per cent in two years.

While security is obviously one of the top concerns for employers, if only because sensitive data is literally walking out the company door day in, day out, the bring-your-own-device (BYOD) trend also raises a host of workplace privacy dilemmas, none of which have yet been addressed by the courts. That was one of the hot topics at the BLG seminar, and one that Wal-Mart Canada has grappled with. “We kind of finally have accepted the fact that it’s going to happen and so we developed a comprehensive policy which states that if you have work material on your personal device we as an employer have a limited interest in it, a limited right to that work product,” says Dolan.

But whether such a policy will hold up in court is anybody’s guess. One privacy lawyer said he had no idea if employers are allowed to look at the devices since there are issues of personal privacy connected with employer monitoring of a personal device. At the very least employers will have to wrestle with the fact that the expectation of privacy with personal devices is far greater than it is with company-issued devices, says Bowman. “The onus is clearly on employers to proactively educate their staff about what their rights  are and how their privacy may be diminished in the workplace,” says Bowman, a partner with Pitblado LLP in Winnipeg.

In fact it could be argued that an employee’s privacy is diminished even outside of the workplace thanks to the pervasive presence of social media. Generally what employees do on their own time is their own business except when it has dire consequences on the employer. Employers are entitled to protect their assets, investment, reputation and brand as well as have a duty to provide a safe and harassment-free working environment. Social media highlights the tension between an employee’s right to privacy and the employer’s right to manage.

“Certainly if you are trying to manage your employee’s use of social media in the workplace, that is one thing but from a privacy law perspective what is challenging is that much of the social media usage by employees is occurring after work hours,” says Bowman. Numerous employees have been disciplined or fired on grounds that include breach of the duty of loyalty, breach of confidentiality and insubordination after making questionable comments through social media. In one case the British Columbia Labour Relations Board upheld the dismissal of two employees who made “offensive, insulting and disrespectful comments” about their supervisors on their Facebook accounts.

“Employees complain about work – let’s face it but ten years ago employees would have had that conversation in a bar after work and it would have died,” remarks Weir. “Now it stays there forever and it makes much easier for employers to discipline employees because there is a clear record of what they are saying. Employees have to be careful right now about what they think is private and what they think is off-duty.” All the more reason, says Bowman, for employers to develop and implement social media policies that extend beyond the work hours. “Social media policies go a long way to reminding and educating employees of their existing obligations and what’s proper and improper.”

But even when employers put in place clear workplace privacy and computer-use policies, it should take steps to assess the potential for employees to access and abuse information pertaining to other employees, customers and the general public. An Ontario Court of Appeal ruling rendered last year that recognized a new tort relating to privacy rights, or “intrusion upon seclusion” as they describe it, serves as a stark reminder over the importance of taking such steps. In Jones v. Tsige, 2012 ONCA 32, the appeal court ruled that to make out a tort of intrusion upon seclusion, the plaintiff must prove that the defendant intentionally or recklessly intruded upon the plaintiff’s private affairs or concerns to the degree that a reasonable person would find highly offensive. Proof of loss is not necessary to recover damages.

The ruling, according to some privacy lawyers like Dolan, opens the door for potentially costly litigation and increased risk for Ontario employers. Weir agrees. “When employers are thinking about going to look into their employee’s emails even randomly, there is a potential liability now for employers in terms of how they deal with their employee’s privacy so having a clear policy and complying with that policy is important to address that liability,” says Weir.

With a growing number of employees  who have integrated the Internet and social media into every aspect of their work and personal lives, there is no escaping that privacy matters will loom large for in-house counsel. As Bowman points out “on the one hand there has been a growing expectation of privacy, yet on the other what is seen as public and private has changed between generations.” The challenge for in-house counsel, says Dolan, is to keep on top of a sector that is constantly evolving – and “that’s tough.”