In one Internet second, an estimated 7,672 tweets are posted, 61,247 Google searches are submitted, and 2,604,001 emails are sent. A lot of this happens at the workplace. A lot of this is the workplace. But a lot of this is also the blurred line between workplace and personal space.
Technology has changed nearly everything in our lives. With growing numbers of flexible work arrangements, remote employees, and individuals working after hours, the balance between an employee’s expectation of privacy and an employer’s need to ensure that work is being done efficiently and safely becomes increasingly difficult to manage.
Individuals expect some privacy at work, even if they are using their employer’s equipment, but employers also need to ensure that technology is being used for proper purposes. Less than a decade ago, employers had broad rights to monitor employees’ use of technology and networks, frequently tying ownership of information to ownership of property. But times were different a decade ago; Apple was about to launch the iPhone, Facebook and Twitter went global, Kindle and Android were released, and Google bought YouTube. Technology changed, the law needed to as well.
In 2012, the Supreme Court of Canada decided R. v. Cole, 2012 SCC 53, a criminal case where a high school teacher was accused of having illegal content on his employer-issued laptop. In finding that the circumstances supported the objective reasonableness of the accused’s subjective expectation of privacy, the Court held, “Computers that are reasonably used for personal purposes – whether found in the workplace or the home – contain information that is meaningful, intimate, and touching on the user’s biographical core. Canadians may therefore reasonably expect privacy in the information contained on these computers, at least where personal use is permitted or reasonably expected. Ownership of property is a relevant consideration, but is not determinative.”
An employer who provides technology to its employee does not gain the right to intrude upon the employee’s privacy. This is particular true for information that touches on the employee’s “biographical core.” The approach of labour arbitrations has been to consider whether there are adequate reasons for breach of employees’ privacy rights, alternative and non-intrusive measures for achieving accountability, and whether employees are informed of acceptable use policies that are fair and non-discriminatory. Additionally, where information is publicly available, such as on an employer intranet, there is no expectation of privacy.
So how to reconcile employees’ privacy rights with an employer’s right to manage the workplace? There should be a clear written policy, signed and agreed to by employees, which sets out expectations and acceptable use. An effective policy should be reasonable and include, at minimum, the following parameters:
- a statement that technology provided by the employer, including “bring your own device” technology, is for work purposes;
- guidelines for acceptable personal use, including express limitations for uses that are inappropriate such as abusive and offensive communications;
- a clear prohibition against uses contrary to legislation and legal obligations, for example, human rights codes and use of copyright material; and
- an express warning that employees who breach the policy may be subject to discipline.
In all cases, the employer should narrow the scope of when access to employee information and devices, including employer-issued devices, is necessary. If employers allow workplace computers for personal use, then employees have a reasonable expectation of privacy. A prudent employer will implement policies and procedures for addressing business needs while respecting employees’ privacy expectations. The balance is best considered against the test of reasonableness and there is no question that employers who snoop on employees without justification will be found to have acted unreasonably.