|
Has anyone not used their company laptop, desk computer, or “crack-berry” to send a personal email? Many employees also have personal information stored on their company-supplied laptop or other electronic device supplied by their employer. Most employers tolerate what is often described in the policy manual as “reasonable personal use” of such electronic devices supplied to employees.
The question then becomes whether employees who store personal information or send personal emails on the company-supplied laptop or blackberry have any reasonable expectation of privacy over such information or emails.
A recent decision of the Ontario Court of Appeal, R. v. Cole, received much attention in the media. There were breathless claims that this decision changed the rules by which Ontario employers should operate when employees are supplied electronic devices for a mix of business and implied (tolerated) personal use. Yet close analysis demonstrates that, in the HR context, not much has changed. Most employers likely have already addressed employee privacy expectations (more specifically, the lack thereof) in the IT policy. Some policy wording options in that regard are discussed ahead in this article.
The Facts of R. v. Cole
R. v. Cole addressed employee privacy in the context of a teacher of a school-board found to have stored on his employer-supplied laptop “nude, sexually explicit images of a girl…believed to be an underage student at the school”. The teacher, Mr. Cole, was charged with possession of child pornography and unauthorized use of a computer, contrary to the Criminal Code.
The question for the Court of Appeal was if a police search of the laptop and a disk with files from the laptop breached Mr. Cole’s Charter rights, because he had an expectation of privacy in his mixed business and personal use of the employer-supplied laptop. If his Charter rights were breached, this could exclude certain evidence from Mr. Cole’s criminal trial. Ultimately, the Court excluded from evidence the laptop and the disk. The Court stated in part as follows in its reasons for decision:
“…the Appellant had a reasonable expectation of privacy from state intrusion in the personal use of his work computer and in the contents of his personal files on its hard drive. However, his expectation of privacy was modified. He had no expectation of privacy with respect to access to his hard drive by his employer’s technician for the limited purpose of maintaining the technical integrity of the school’s information network and the laptop…the search by the technician, the principal and the school board officials did not breach….the Charter. The technician was acting within the scope of his functions when he came across the student photographs and thus did not violate the Appellant’s modified privacy interest. The principal and the school board officials acted reasonably under the authority of the Education Act to protect students and a safe learning environment” [emphasis added].
The interpretation by the media, of an immutable expectation of privacy on the part of employees when using office-supplied electronic devices, does not accurately reflect this decision. Rather, the Court concluded that, absent a search warrant (which likely could have been obtained based on the photos the principal supplied to the police), the police had no right to search the laptop or disk supplied to them by school-board authorities. The Court, however, specifically concluded that the photos given to the police by the principal, obtained when the technician investigated certain anomalies on the laptop, were admissible evidence in Mr. Cole’s criminal trial. The school-board’s search of the laptop was, accordingly, not faulted by the Court.
Lessons from Cole in the HR Context—what privacy rights?
For HR purposes the issue is whether employers may monitor employees’ use of electronic devices, monitor email use, and search these devices if necessary. As discussed above, most employers have realized that, unlike King Canute in his futile attempt to hold back the tide, it is practically impossible to prohibit personal use of technology devices, including sending and receiving personal emails. Most company policies thus permit “reasonable personal use” and a “reasonable amount of personal email, so long as this does not interfere with work demands”. To be fair, if employees are expected to check their blackberries and use their laptops after regular work hours, part of that quid pro quo is, for this additional productivity, employees making some personal use of all these latest and greatest gadgets supplied to them.
In the Cole decision, the Court of Appeal found that the school-board had “no clear privacy policy relating to…laptops”. The policy limited the IT department’s access to emails to “trouble-shooting purposes”, and also stipulated prior requests for the user’s permission if any access to the laptop was required. |
Clear Policy, Clearly and Consistently Enforced can Avoid Grief
In my opinion the school-board’s policy was wholly inadequate to protect the employer’s interests. The policy failed to make clear what, if any, privacy an employee should expect when using employer-supplied electronic devices. Because of this inadequate policy (indeed, the absence of a policy which specifically addressed the right of the employer to monitor or search electronic devices), the Court concluded that personal use made of laptops given to school-board employees, including some employees keeping banking and other personal information thereon, led to a modified expectation of privacy arising.
Yet employers can make it clear that, while reasonable personal use is permitted, employees should have no expectation of privacy regarding their office-supplied laptop, blackberry, or other similar electronic device. Your policy could specifically indicate that:
- All items on the corporate network are the property of the corporation and thus may be reviewed by management without notice,
- management and the IT department reserve the right to examine the employees’ email, personal file directory, hard drive, disks, files, and all other information stored on the company’s information systems, including on any portable electronic devices loaned to the employee by the corporation, which “loan” is made for primarily corporate purposes and corporate use, with reasonable and limited personal use permitted,
- the employer may periodically and randomly audit and monitor communications, items saved, sent, or otherwise on the corporate server, or office-supplied equipment’s hard drive, with thus no expectation of privacy arising for any such items on the part of the employee,
- “inappropriate” files will be deleted immediately, and employees are subject to disciplinary action up to and including dismissal for inappropriate use of any employer-supplied technology.
Addressing the final point above, “inappropriate” is subjective and in the eye of the beholder. What some may find “inappropriate” may not bother others. Thus, be as specific as possible when defining what means “inappropriate” in your company. One definition of “inappropriate” could be files or items which contain viruses, and any data, audio, or visual files that are illegal, constitute hateful speech, contain pornographic, sexual, or nude photos, harassing or other inappropriate statements or images. The rationale is that such material on a company-supplied electronic device could cause the company legal, reputational, and business-interruption risks.
If your company does not currently have a comprehensive policy, as part of its implementation you might offer employees an amnesty period, to allow many of your employees an opportunity to purge their computers. After the amnesty period, however, ongoing, consistent enforcement of your policy is necessary.
Be Obviously Consistent in Policy Enforcement—But, be Reasonable Too
Consistent enforcement of all HR policies is required. If there is no will to enforce policies, most companies are better off not having any, because a policy not enforced, which employees know they can flout, will likely cause the employer difficulty in any adjudicative proceeding.
For example, in years past some employers had policies prohibiting all personal use of company-supplied technology. Yet such policies were routinely ignored by most employees and routinely not enforced by most employers. If such a policy was still “on the books”, in my opinion no Ontario Judge, nor any Arbitrator or Adjudicator, would likely be persuaded to uphold it, unless the employer could demonstrate consistent enforcement (and even then I am not certain of enforceability). Again, however, if such a tough policy were in place, it could well also have a very negative impact on employee morale, making it not worth the fight. Reasonable policies, which encourage employee buy-in and which can be well justified, will be more easily implemented and upheld.
A clear statement of reasonable IT policy, consistently enforced, should provide employers with the right to ensure that, while employees are making some accepted personal use of office-supplied equipment, the employer is not subjected to business, legal, or reputational risks through inappropriate use.
I am always pleased to review your HR policies and procedures, discuss implementation of them (especially if there are changes for which “notice” may be required), or assist with your HR or other legal issues on a pro-active basis.
As many of you know, Ricketts Harris is a full service law firm, offering a range of services to fit your business and personal legal needs. Visit our web-site at www.rickettsharris.com
|
