Privacy Matters

Courts, privacy commissioners and arbitrators have ruled on a wide range of workplace privacy issues and employers are watching the decisions very carefully

When star broadcaster Jian Ghomeshi was fired by the Canadian Broadcasting Corporation last October, he handed in his CBC-owned smartphone. He had shown CBC bosses a video on the smartphone that CBC said triggered its decision to dismiss him. But if Ghomeshi hadn’t chosen to share those images, would he have had a right of privacy to the content?

It’s been 13 years since PIPEDA (the Personal Information Protection and Electronic Documents Act) began to restrict how the private sector in federally regulated industries collects, uses and discloses personal information about employees.

The courts, privacy commissioners and arbitrators have tried to balance the right of employers to know and manage against the privacy rights of employees in the workplace. They’ve ruled on such issues as video surveillance of employees, monitoring of their online activity, employee access to their personnel files and privacy breaches by rogue employees.

“There have been several rulings in the last couple of years that we’ve been watching very carefully and that are relevant to the way we interact with our employees,” says Dean Dolan, Vice-President, Associate General Counsel and Privacy Officer at Walmart Canada Corp. in Mississauga, Ont.

In Canada, workplace privacy is an evolving area of jurisprudence that is covered by a complex patchwork of federal and provincial statutes as well as the common law.

In addition to PIPEDA at the federal level, privacy statutes in three provinces (Alberta, BC and Québec) regulate the collection, use and disclosure of personal information by provincially regulated private sector employers. A fourth province, Manitoba, is presently contemplating privacy legislation.

There are also statutory torts of invasion of privacy in BC, Manitoba, Newfoundland and Labrador, and Saskatchewan. Most provinces (including Ontario) have specific legislation protecting medical information. Also, every province has a separate statute that covers its public sector.

In provinces such as Ontario that lack privacy laws covering the private-sector workplace, employee privacy rights are less clear. In unionized workplaces, some arbitrators recognize employee privacy rights, while others do not. And in non-unionized workplaces, employee privacy rights are even more uncertain.

Workplace privacy took an entirely new twist in the 2012 ruling in Jones v. Tsige, when the Ontario Court of Appeal recognized a common-law tort of “intrusion upon seclusion.”

In this case, a bank employee accessed sensitive and private banking records of her husband’s ex-wife, who sued her when she learned what had happened. The court ruled that if an individual intentionally or recklessly “intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns” without a lawful reason, the former is liable for damages.

 

Jennifer Black, Counsel, Privacy, Human Rights & Labour at Air Canada in Montréal, says most employers have policies advising employees “that if you have access to personal information by virtue of your work, you should only be using that for work purposes. But when Jones came out, it helped make the consequences of not doing that much more concrete for an employee. It’s a helpful example to include in training employees.”

But the repercussions of “intrusion upon seclusion” may not be limited to rogue employees. In two recently certified class actions – Evans v. The Bank of Nova Scotia and Condon v. Canada – the plaintiffs invoke this privacy tort by claiming that institutions are vicariously liable when an employee’s behaviour compromises the personal information of clients.

These ongoing class actions, according to a Bulletin by Lisa Talbot and Molly Reynolds of Torys LLP, attempt to extend the reach of the tort to institutions that allegedly did not adequately protect personal data from privacy breaches. (So far, though, the plaintiffs have satisfied only the relatively low threshold for certification: a recognized cause of action.)

Both lawsuits  are more likely to be settled out of court than decided on their merits at trial. And the members of the class are a disparate lot — some suffered identity theft while others did not in Evans; hundreds of thousands may be entitled to varying nominal damages in Condon. Such factors make these difficult test cases for an expanded privacy tort, say Talbot and Reynolds.

“That [potentially] impacts an employer like us,” says Walmart’s Dolan. “It confirms that we have to be very diligent about safeguarding information we have about our employees and ensuring that only people who need to access that information as part of their jobs are accessing it. The same goes for certain customer information that we have as well.”

“Employers have more to fear, not from their own actions, but from the actions of rogue employees that would result in liability to the organization,” says David Fraser, a privacy lawyer at McInnes Cooper in Halifax. “Employers need to be mindful of their vicarious liability for the ‘intrusion of seclusion’ by their employees. They need to be worried about questions regarding negligent supervision of employees.”

 

Other privacy disputes arise when employers discover sensitive content on employees’ IT devices or on their social media pages.

The Supreme Court of Canada ruled in R. v. Cole in 2012 that employees have a reasonable expectation of privacy in the personal information held on their workplace computers, but employers still have a right to ensure the devices are not being misused.

As a result of the ruling, information on employees’ workplace devices, such as downloaded files, saved pictures, and web browsing history, cannot be unreasonably searched or seized by the police.

The case involved criminal charges against a teacher, Richard Cole, for possession of child pornography. During a maintenance review of a laptop computer that the school board had given Cole for work purposes, the board’s computer technician found nude photos of a student.

The laptop was seized and searched by the school board, which then turned it over to the police. The police searched the laptop without a warrant. The Supreme Court held this to be a violation of the Charter of Rights protection against unreasonable search and seizure. The court did not address the degree to which, in a civil context, an employer is entitled to monitor the computers it provides its employees.

“The SCC didn’t need to pass judgment upon the school board,” says Fraser. “This case was exclusively about the police search. The core decision doesn’t have a huge impact on legitimate workplace searches. An employer is not held to anywhere near the standard that police are in those searches.”

Nevertheless, some employers have looked to Cole for an indication of the court’s view on where the line could be drawn between personal privacy and employer monitoring of workplace IT devices, says Nancy Brennan, Vice-President, Ethics & Compliance at Encana Corporation in Calgary.

“I wouldn’t say Cole resulted in a change to our written policy, but we’ve always been very cognizant of trying to conduct inquiries or investigations in the least intrusive way possible. We’ve always had language in our privacy policy signaling to employees that, notwithstanding that there’s personal use, there shouldn’t be an absolute expectation of privacy in your use of company devices.”

“Where there is personal use of an employer computer, it underscores the need for clear policies with respect to the employer’s access to that information,” says Patricia Gallivan, an employment-law specialist and partner at Lawson Lundell LLP in Vancouver.

Adding further complexity is the trend to BYOD — employees bringing their own personal devices (e.g., smartphones, tablets and laptops) to work, or using them after hours to do company business. “The expectation would likely be that there’s a lot more privacy on your own device than on one that’s work provided,” says Black.

You have to go through a balancing of the employer’s legitimate interests versus the employee’s privacy rights, says Gallivan. “What then is an employer’s business interest in searching an employee’s personal computer? It has to be the least intrusive search possible.”

For employers seeking to ensure compliance or gather evidence of workplace misconduct, “employees’ use of their personal devices creates its own challenges,” says Brennan. “We [employers] don’t own those devices, and we may not necessarily have access to data that we might have had at one point.”

In order to have the benefit of the company’s email system installed on their personal device, says Black, the employee should have to agree to a policy that sets out the employer’s rights to access the device. For example, the company would want the right, should the device be lost, to wipe its contents remotely, even though personal information of the employee might be wiped, too.

“Walmart has developed a comprehensive policy, which states that if an employee has work material on their personal device, the employer has a limited interest in it, a limited right to that work product,” says Dolan.

Another complication is employees using social media. Even if a worker posts comments outside the workplace, the posts may have repercussions in the workplace. Employees have been disciplined or dismissed for breach of confidentiality, disloyalty or insubordination after making remarks posting about their employers.

In the 2011 arbitration case ThyssenKrupp Elevator, an elevator mechanic was fired after a video was posted online that showed him having his genitals stapled to a wooden plank. The incident took place at lunch (technically outside working hours), but it was at a worksite and employees wore the company’s uniform in the video.

Even though it wasn’t the mechanic who posted the video online and no other employees were disciplined, the Ontario Labour Relations Board upheld the dismissal. The board noted that the conduct was offensive and shocking and that the employer was easily identified in the video. The board also noted that the employer was in a safety-sensitive industry and might suffer loss of reputation.

In the 2012 arbitration Bell Technical Solutions, three employees of a Bell Canada subsidiary filed grievances after two of them were fired for comments they made on Facebook over more than a year. The postings were allegedly insulting and offensive to Bell and the employees’ supervisor.

The union contended that the postings were off-duty conduct intended as private communications. “We have a policy on social media,” says Mireille Bergeron, Assistant General Counsel at Bell Canada in Montréal. “Employees are advised that they have a duty of loyalty to the employer, and that duty doesn’t end when they leave the workplace.”

The arbitrator upheld the dismissal of one employee on the grounds that his Facebook postings were frequent, deliberate, prolonged and derogatory to both the company and the supervisor.

However, the arbitrator ruled that the other dismissed employee should be reinstated following a one-year suspension (the third employee’s five-day suspension was upheld). “It’s concerning that employees can say evil things about managers and still be reinstated,” says Bergeron.

Video surveillance has been another key battleground of workplace privacy. In 2003, railway worker Erwin Eastmond complained to the federal Privacy Commissioner that his employer, CPR, installed video cameras in the rail yard to record employees’ actions without their consent.

Prior to PIPEDA, arbitrators determined whether video recordings were admissible evidence upon which an employer could rely to discipline an employee, or whether management was exceeding the scope of its authority under the management rights clause of a collective agreement.

Now, under PIPEDA, the issue is not whether an employer can use the product of video surveillance, but whether the employer is entitled to do surveillance at all.

In the case of Eastmond, the employer contended that the surveillance was needed to prevent incidents of vandalism at the rail yard. But the Privacy Commissioner found that the incidents of vandalism were relatively minor, and that the railway “had not demonstrated a real, specific problem, only the potential for one.”

Though the Privacy Commissioner agreed with the employee by finding the video surveillance without consent was not reasonable, the Federal Court used the same test to reach the opposite conclusion in its ruling on Eastmond v. Canadian Pacific Railway, 2004 FC 852.

The court found the use of cameras in this case was reasonable, as the collection of information was not surreptitious, not continuous, not limited to employees; not for the purpose of measuring a CPR employee’s work performance; there was legitimate need for cameras in this case; the loss of privacy was minimal since CPR only viewed the video if an incident was reported; and CPR had considered alternatives. As a result, the use of video surveillance was reasonable and CPR could collect information without consent.

“What is reasonable in the eyes of one person can be unreasonable in the eyes of others,” says Fraser. “There was a decision from the Alberta Privacy Commissioner that found it reasonable to put video cameras in a change room. Other decisions by privacy commissioners have said it might be unreasonable to put video cameras in the hallways of an office.”

Employers aren’t the only ones whose video surveillance of the workplace has caused disputes. The United Food and Commercial Workers (UFCW) Union Canada was held to have invaded the privacy of managers and replacement workers whom it filmed crossing a picket line at Edmonton’s Palace Casino during a strike.

The Supreme Court of Canada, however, ruled in 2013 in Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401 that recording images was a vital tool for the union to express its position. Thus, the law banning the collection and use of such images without permission – the Alberta Personal Information Protection Act (PIPA) – is unconstitutional because it unreasonably limits the union’s freedom of expression. (The Alberta government has until mid-2015 to amend the Act.)

“The ruling confirmed the propriety of video monitoring of public places, including the workplace,” says Dolan. “That case speaks to how and when and where it’s appropriate.”

 

Another privacy issue that has proven contentious is the right of employees to see their personnel records, including performance appraisals.

Employees in Alberta, British Columbia and Québec, as well as employees of federally regulated organizations, are entitled to access any of their personal information, to challenge any inaccuracies and to have them amended.

When Bell Canada employee Donald Peter Johnson demanded to see all the workplace emails between specific colleagues that mentioned him, Bell had to comply in order to satisfy PIPEDA.

“We do not advise the employees who are targeted by the request,” says Bergeron. “We just show up at their desks and conduct the search, to make sure it is not compromised. A few emails popped up. We made sure they did not contain any personal information about other employees. If they did, we crossed those sections out.”

Johnson, however, lodged a complaint that some emails had not been retained. The federal Privacy Commissioner ruled that Bell had conducted an appropriate search and that its policy of retaining deleted emails for only 49 days was acceptable.

When Johnson appealed the decision, the Federal Court ruled in 2008 (Johnson v. Bell Canada) that Bell did not need to keep deleted emails if they were unrelated to the conduct of its business.

“If it’s just an exchange of opinions on an individual, then it’s a purely personal matter and should not become part of the employee file,” says Bergeron. “It was good confirmation of exactly what we need to keep in the employee file.”

With the common law regarding employee privacy rights still developing, it is unclear whether employees of provincially regulated, private-sector employers outside Alberta, BC and Québec have a right to access their personnel files. However, in unionized workplaces, the collective agreement often has a clause entitling employees to do so.

“Our policy, on the broadest reading of privacy legislation, is that employees are entitled to see everything that the organization has about them,” says Dolan. “At any time that an employee wishes to see what’s in their personnel file, we make it available. If someone, say, has made a complaint about them, we would redact the portions of a document that can identify the other individual.” Other exceptions would include confidential commercial information or information covered by solicitor-client or litigation privilege.

As long as an employer has a reasonable basis to collect or use information about an employee, that’s still being respected, says Black. “What the case law is doing is challenging employers to make sure they truly do. Simply because you can obtain a lot of information about somebody, does that mean you should? There’s not a huge shift in what we’re allowed to do; it’s just that we’re more accountable for what we do.”