An hour long presentation on "hot topics" for Canadian employers. Deals with business system monitoring, employee responsibility for "off duty" publication and background checks.
Let’s start with the basicsOur privacy law is based strongly on proportionality and balancing…The challenge is for management to deal with a claimed privacy interestBut what interests is management protecting?Employers have an unquestionable legitimate interest in looking at the information flowing through their systemsHere are the most common purposes[Briefly explain one to four. Turn over slide for five.]
Internal control is importantLet’s look at context – era of accountability… both public and private sector -post Enron -post Westray -post Gomrey -post Bill 168 (expanded regulation of interaction between people)Quote from National Post last week. .. “The role of investigative journalism has expanded over the years to help fill what has been described as a democratic deficit in the transparency and accountability of our public institutions.”Looking at communications is a key means of maintaining internal control – 90% of communication is electronic… picture of all activity within your businessTwo kinds of looking -audits (risk based, proactive) -investigations (targeted, reactive)Take corrective action based on what’s found -change in process or technology -change in people – terminations or lesser sanctionsAnd keep a record of diligenceSimple right? And then comes personal privacy.
Traditional law has been very permissiveRemember our purposesThose are usually reinforced by an acceptable use or computer use policy that says in one paragraph “YOU HAVE NO EXPECTATION OF PRIVACY”Some employers use annual acknowledgements… some use login dialog boxesBeen effective…Most law is in unionized workplaces… arbitrators have said, “I’m not even balancing interests here. An employer can look for lots of reasons it’s not reasonable for an employee to make any privacy claim.”Lakehead University case in 2009 re Google Apps outsourcing – e-mail is no more secure than a postcard
Watch out for shifting valuesPremised on change in permissibility of personal useTen years ago employees worked at work and went home and watched TVPolicies said “no personal use”Now employees work at work and work at home on the same devicePolicies now say “reasonable personal use”When employees are banking on your computers is it reasonable to capture their keystrokes?When employees are sending legitimate personal communications to loved ones about medical conditions… is it legitimate review their communications?Identify Lethbridge, Cole and Tfaily as showing that decision makers are struggling
Even if your decision-makers are okay, managers can interfere with policy enforcementIn Quon a supervisor said something like, “If you pay the overages we won’t look.”If supervisors or others in authority think that your monitoring policy is not reasonable they may undermine it
That was about the reasoning applied by arbitrators and courtsIn Canada we have employee privacy legislation in three provinces and for federal worksIf it applies, there is a regulatory requirement to balance interestsCollection of personal information must be reasonably necessary to meet a legitimate purposeCall this an “objective reasonableness requirement”At play in UBC spyware case of 2007 – all you needed to do to investigate time theft was look at traffic logs… you didn’t need to install spyware to capture screen imagesWrinkle from Johnson under PIPEDA… about access to personal e-mails sent about an employee… said personal e-mails are not regulated by PIPEDA because they are not sufficiently related to the commercial enterprise… like “bycatch”Perverse (though possibly correct) ruling… saying employers have very limited domain over employee e-mails, but in doing so rules out protection of privacy legislation
So what do employers do?Put an express condition on personal useUse routine acknowledgementsCommunicate audit results… use a newsletter… prove to employees you are lookingOne sided solution… focuses on employer right… doesn’t control to protect employee privacy
You create policy to address the privacy interestEspecially appropriate where regulatedList the purposes from my earlier slideWarn them still… give good notice stillSet an evidence-based standard for investigationTell them how you will go about auditsExamples-internal audit staff conduct an investigation at direction of VP-VP directs audits based on a bona fide security risk-should line manager need to find work product, e-mails will be pulled by internal audit where possibleThese will kill your no expectation argument but should still enable everything you need to do at a lower risk
Let’s move on to a different privacy issue – an employee’s right to live a private existence without employment-related consequenceSupported by Joseph Cohen-Lyons paper in materialsHere’s a scenarioNot so oddAnyone think this interferes with an employer’s interest?Nah. It’s blowing off steam. It’s “private” off duty conduct. Outside the workplace – no physical nexus. No intangible nexus to legitimate interests.
This is (sadly) what happens today.Same question. Is it private?Would it make a difference if Jack has only ten friends? What if none of them are employees?Happens all the time. This is how people blow off steam now. There’s a perception that this is somehow analogous to a barroom chat with a close friend.But let’s look at the difference. It’s clearly a publication. Often to other employees. Even if not there’s no legal or practical restriction on what recipients can do with the communication. Jack’s picture of his supervisor can be copied and mailed around.So there’s a good argument that this is about as public as it gets. Consistent with a traditional privacy law principle – a disclosure to one is a disclosure to all.
This is an issue of loyalty and fidelity, which is implicit in every employment relationshipDon’t need special status… not like a fiduciaryThis is my expression of the test that defines the scope of the dutyVery, very contextual casesNo black and whiteThere will be some easy cases, but many are hard to predictExample… student speech cases out of U.S. Third Circuit (in materials)Many employment cases will settle
Now Jack’s supervisor has a beef. But why can an employer discipline that conduct.Well, there’s a nexus back to employment interests isn’t there? -impact on other employee’s rights -right to work in a safe and harassment free work environment -reasonably likely to interfere with that right -employer’s burden but… -… decision-maker may presume harm (arguable issue) -evidence of actual harm helps (give example)-Nexus is commonly derived from these three things-no case law, but these are in order of moral weight-we’re balancing again here-example tough case – employee a professional adviser… goes out and does a beer mile… better have a pretty good case for reputational harm
There is developed case lawBased in public sector but theory applies to private sector employmentRecognizes a whistleblower exception to the duty of fidelityIdentify cases - Fraser of SCC 1985, Haydon of FC 2005, Read of FC 2005Employers protect themselves by having internal systems to receive reports of wrongdoingAn employee may have a duty to report internally firstEndorsed in Read and by our Supreme Court of Canada in a case called Merk – 2004Thrown somewhat into question by our broadly worded Criminal Code anti-reprisal provision – section 425.1But only provides immunity from reporting to law enforcement, not blogging, not passing things to the media, not passing things to a bloggerOf course, whistleblowing unusually means point to the pressCase from Supreme Court of Canada last week that says a court will assess whether it will honour a journalist’s promise of confidentiality on a case-by-case basisNo reason why a whistleblower couldn’t tweet it to the world anonymously… will be investigations…
This is a general model that I’ve been usingAddresses both HR and privacy compliance issues… consistent with reasonable necessity principleIdea is that you collect minimal information in the application form… devoid of anything to do with a prohibited ground of discriminationPurpose is to qualify applicant pool for an interviewOntario, “Have you been convicted of a criminal offence for which you have not been pardoned”In BC, PEI and Quebec don’t askInterview stageMore information… see the candidate so you now have knowledgeSome interviewers control risk by structuring questions (nice in defending a case)Background check… deal with fitness for work in light of restrictions related to protected personal characteristics… functional testing, criminal background checks, and now INTERNET CHECKS
When reputation (and online reputation) is an indication of how effective a person is going to be at a job I think it’s something that should be doneIf not, it is more questionableIf you do it here are the best practices-third bullet is most important-fourth bullet makes what the searcher saw either irrelevant or of minimal probative value
Our phones started ringing off the hook in the new yearNot really a privacy issue but driven by privacy concerns related to accuracy of reporting4.2 fingerprints on file and 50% have more than one name attached to itName and d.o.b. query is an insufficient guarantor of accuracyWe can’t complete the check… up to 120 days for fingerprint verificationVulnerable sector checks include other information… include sensitive information about certain sexual offences that have been pardonedGive to individual first… employer can get… but individual has an opportunity to simply walk away from the offer after reviewing the report
About managing name and dob check problemApplication of human rights legislation makes a big differenceNot uniform protection across Canada-BC, Quebec and PEI have protection-Federal and Ontario shouldn’t for name and DOB check because not checking for provincial offences convictions and criminal convictions that have been pardonedSet a clear term whatever you want to doStill have an option to hire-subject to declaration and other due diligence-if they give a false declaration you’d likely have a good cause case
If HR legislation applies you (essentially) have a duty to do a case-by-case analysisWeigh the risk… make a decision on a case-by-case basis
Standard form CPIC response for a name and dob check is very qualified nowSuggests that employers should conduct a local checkCPIC is a roll-up of local forces dataTakes timeR. v. Horne by Ontario’s Justice Fairgrievelast July-11 convictions discovered after guilty plea and before sentencing dating back two years-Law times article quotes a crown saying CPIC is about two years out of date
So employers may seek local checksNot standardAccording to Swaigen article police databases include – complainant, victim, suspect, person of interest, chargesSo if you’re a regulated employer concerned about consent and necessityOtherwise you can ask and getLeaves people in position some may feel is unfairTadros… problems after a consensual check… argument that consent wasn’t clear enoughNo human rights protection either according to the Ontario HRTLive policy issue for the most part