Wednesday, June 15, 2011

Canada: Ontario Courts Weigh in on Workplace Privacy Rights

By Trevor Lawson and Brian Wasyliw, McCarthy Tetrault LLP, Toronto, Ontario, Canada



Overview




There currently exists a patchwork of privacy legislation which applies, in varying degrees, to private sector organizations in Canada. In all Canadian jurisdictions, there exists some form of privacy legislation that protects the confidentiality of personal information and limits the manner in which private sector organizations may collect, use and disclose personal information in the course of their commercial activities and, in some Canadian jurisdictions, in relation to their employees. To date, the Province of Ontario has not enacted privacy legislation generally applicable to provincially-regulated private sector organizations in relation to the personal information they collect, use and disclose in the course of their commercial activities or in relation to their employees. In the absence of such legislation, Ontario courts have been increasingly called upon to weigh on the nature and extent of individual privacy rights in Ontario.



Court of Appeal: Employees May Have Expectation of Privacy in the Workplace



In a recently released decision, The Court of Appeal for Ontario concluded that employees may have a reasonable expectation of privacy when using a computer and other equipment provided by their employer for work-related purposes. The Court’s decision in R. v. Cole[1] arose in relation to criminal charges against a teacher (Cole) for possession of child pornography. During a system maintenance review, the school board’s computer technician discovered nude photographs of an underage female, whom the technician believed to be a student of the school. These images were stored on a laptop computer that had been provided to Cole by the school board for work-related purposes. The technician advised school administration of this discovery, and the laptop was seized and searched by the school board.



The school board provided police with the laptop and discs containing Cole’s Internet browsing history and copies of the images in question. The police searched the laptop and the discs without a warrant. The trial judge excluded all of the evidence seized from the laptop and the discs, finding that Cole had a reasonable expectation of privacy in the contents of the laptop and, accordingly, police required a warrant to conduct a search. The trial judge’s decision was overturned on appeal to a judge of the Ontario Superior Court of Justice, who concluded that Cole did not have a reasonable expectation of privacy in the contents of the laptop. The Court of Appeal for Ontario was then called upon to decide this issue.



Why Should Employers Pay Attention to this Decision?



As noted above, the Court of Appeal’s decision arose in relation to a criminal proceeding. Accordingly, the Court was called upon to consider whether the school board and/or the police breached Cole’s right, under section 8 of Canada’s Charter of Rights and Freedoms, to be free from unreasonable search and seizure. For the purposes of its decision, the Court assumed that the school board was subject to the Charter. As such, the Court’s analysis of the school board’s conduct does not have direct application to private-sector employers, who are not subject to the Charter.



However, the Court’s analysis provides some extremely useful insight regarding the Court's approach to the issue of whether employees have a reasonable expectation of privacy in the workplace. Specifically, this decision provides a helpful reminder to all employers of the importance of having clear and unambiguous policies regarding the use of company Internet and e-mail systems, workplace computers (including laptop computers) and other electronic devices provided to employees for work-related purposes. It also clarifies the limitations on an employer’s ability to control the use of its e-mail and Internet systems, computers and other electronic devices.



The Court of Appeal concluded in this case that Cole had a "limited" reasonable expectation of privacy in the personal use of the laptop provided to him by the school board. Although the laptop was owned by the school board, issued for employment purposes and had access to the school network, the school board had granted teachers permission to use their laptops for personal use (including storing personal information on the hard drive) and teachers employed passwords to exclude others from gaining access to laptops. It was significant to the Court that the school board had not implemented a clear and unambiguous policy to advise teachers that their laptops were subject to general or random monitoring and/or search. Accordingly, the evidence seized from the laptop (other than the images of the underage student) and the discs containing Cole’s Internet browsing history were not admissible at trial.



The Court of Appeal found that Cole’s reasonable expectation of privacy was "limited" because he did not have a reasonable expectation of privacy with respect to access to the hard drive of his laptop by the school board’s technician for the limited purpose of maintaining the technical integrity of the school board’s information network and laptop. Given that this was the context in which the technician discovered the images of the underage student and provided them to police, those images were admissible at trial.



Do Employees Have a Reasonable Expectation of Privacy in the Workplace?



The Court of Appeal concluded that employees may have a reasonable expectation of privacy in relation to computers provided to them by their employers, which may be "limited" in certain circumstances. Whether or not such an expectation exists, and if so, the extent of that expectation is to be determined on the totality of the circumstances in each case. The factors that will generally be considered when determining whether an employee has a reasonable expectation of privacy, and the extent of that reasonable expectation, include the following:



· Who has possession or control of the property or place that is searched?
· How is the property or item used?
· How is access, including the right to admit or exclude others from the place or property, regulated?
· What is the individual’s subjective expectation of privacy?
· Is that expectation reasonable, from an objective perspective?



The Court of Appeal noted the following factors in concluding that Cole had a reasonable expectation of privacy in relation to the contents of the laptop:



· Cole had exclusive possession of the laptop and took steps to protect it using a password;
· the school board had provided explicit permission for the laptop to be used for personal use in its written policy;
· teachers had permission to take the laptops home on evenings, weekends and summer vacation;
· there was no evidence that the board actively monitored teachers’ use of their laptops; and
· perhaps most importantly, there was no clear, unambiguous policy permitting the school board to monitor or search teachers’ laptops. The school board’s policy did not advise that information stored on the laptop was subject to search and did not address monitoring, except in relation to e-mail.



What Can Employers Take from this Decision?



Private sector employers will not be subject to a Charter analysis regarding the search of employees’ computers. It is likely however that courts, arbitrators and administrative tribunals will consider the Court of Appeal's reasoning in this case when addressing issues of privacy in the workplace involving private sector employers. While ownership of the property in question has historically been considered to be a significant factor in determining whether a reasonable expectation of privacy exists, it appears that, going forward, ownership may only be a starting point of the analysis.



Accordingly, it is extremely important that employers take additional steps to limit any reasonable expectation of privacy that employees may have in relation to workplace Internet and e-mail systems, computers and other electronic devices provided to them for work-related purposes. To that end, employers should consider:



- implementing a clear and comprehensive policy regarding employees’ rights to access and use the employer’s data and computer systems and equipment; such policy should include a very clear statement advising employees that they should not have any expectation of privacy with respect to data that might be located on a computer or network and clearly advise employees of the reasons for which the employer may access that information;
- ensuring that employees acknowledge that they have read, understand and agree to abide by the policy; this can often be done on the electronic device itself, and should be set to regenerate at a regular interval where an employee is required to again acknowledge their acceptance and agreement to abide by the policy;
- clearly advising employees that copies of employer-owned data remain the employer’s property regardless of where such data is stored; and
- clearly advising employees of any limitations that are desired regarding personal use of employer’s data and computer systems and equipment — for example, regarding unlawful activity or offensive materials.



This policy, like all work-related policies, should be carefully drafted, periodically reviewed and updated as required. Employers should also conduct regular monitoring to ensure compliance with the policy. All employees, including supervisors, should be held to the same standard and violations should be dealt with in a consistent manner.



Court of Appeal to Weigh in on Whether to Recognize Tort of Invasion of Privacy



Workplace privacy rights were also squarely engaged in a recent decision from the Ontario Superior Court of Justice. In the case of Jones v. Tsige[2], Justice Whitaker determined that there is no freestanding tort claim for invasion of privacy existing in Ontario. In other words, an individual cannot sue another person (including another individual or their employer) solely on the basis that their privacy has been invaded by that person.



In this case, Ms Tsige, a bank employee, had accessed the financial records of Ms Jones, also an employee of the same bank (although at a different branch) approximately 174 times over a span of four years. Although Ms Tsige viewed the information, at no point did she make any attempt to print, copy or memorialize the information. There was no business or employment related reason for Ms Tsige to access these records. As it turns out Ms Tsige later indicated that she was reviewing this information in order to determine whether or not her current common law spouse had made, or was making, any support payments to Ms Jones, who is his ex-wife. These events came to light when the bank discovered Ms Tsige’s activities.



Lawsuit Filed for ‘Invasion of Privacy’


Ms Jones sued Ms Tsige for this invasion of her privacy and it fell to Justice Whitaker to determine whether such a suit could be advanced in Ontario. Ultimately, Justice Whitaker determined that it could not. Courts in Ontario have struggled for many long years regarding the existence of an independent cause of action for the invasion of privacy. Justice Whitaker canvassed several prior judicial decisions that had come down on both sides of the issue. Justice Whitaker also noted that:



· Ontario has passed legislation that addresses certain privacy rights, primarily in relation to the collection of personal information by government and public sector organizations[3].
· the federal government has passed legislation which imposes obligations on the bank in relation to the protection of Mr. Jones’ personal information from unlawful use or disclosure
[4]; However, none of legislation cited by Justice Whitaker creates any right for a person to advance a civil action against another person who is alleged to have invaded their privacy rights.
· four other Provinces have enacted legislation to specifically create a statutory tort for the invasion of privacy
[5], and that right also exists in Quebec under its civil law regime;
· Ontario could have enacted legislation similar to these other Provinces, but has to date decided not to do so.



No Common Law Tort of ‘Invasion of Privacy’ Recognized in Ontario (Yet)



Ultimately Justice Whitaker concluded that there was no tort of invasion of privacy existing at common law in Ontario. He noted as follows:



“I would also note that this is not an area of law that requires "judge-made" rights and obligations. Statutory schemes that govern privacy issues are, for the most part, carefully nuanced and designed to balance practical concerns and needs in an industry-specific fashion.
I conclude that there is no tort of invasion of privacy in Ontario. ………”


Ms. Jones is currently pursuing an appeal to the Court of Appeal for Ontario, which will likely provide that Court with its next opportunity to weigh on the issue of privacy rights. We also expect that Ontario Courts will continue to be called upon to define the nature and extent of workplace privacy rights in Ontario in the absence of legislation in Ontario which squarely addresses this issue.

[1] 2011 ONCA 218 (CanLII)
[2] 2011 ONSC 1475 (CanLII)
[3] Personal Health Information Protection Act, 2004 S.O. 2004, c. 3; Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F.31; Municipal Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. M.56
[4] Personal Information Protection and Electronic Documents Act, 2000, c. 5 ("PIPEDA"). In relation to the collection of personal information from employees, PIPEDA applies only to private-sector organizations which fall within the definition of a “federal work, undertaking or business” under Canada’s Constitution Act, 1982 (e.g. banking institutions, airlines, railways and telecommunications companies). PIPEDA does not apply to provincially-regulated private sector organizations in relation to personal information collected from employees.
[5] . Newfoundland and Labrador, British Columbia, Saskatchewan and Manitoba.