After six months’ notice that they had to be prepared, all provincially-regulated employers with more than 25 workers today must have a written policy describing how they electronically monitor staff. Among those to be included in the worker count are homeworkers and probationary employees, some trainees, employees on definite term or specific task contracts of any length and those on a leave of absence.
Daniel Michaluk, who focuses on privacy and cybersecurity law at Borden Ladner Gervais, said today he believes most medium and large firms in the province are prepared, judging by the number of requests to review proposed policies he has received. He’s not sure, however, about the readiness of small firms.
It shouldn’t be hard to create a policy with a list of the types of IT monitoring and what each does in generic terms, he added. A company could create a chart of its tools (for example “endpoint detection”) and a brief description of what each does (“monitors the use of workstations and compares it against a baseline to detect abnormal use”).
“The trick is to get a balance between detail and high-level information.”
“I think you can achieve meaningful information without getting into technical specifications,” he added.
But a policy that has only a brief sentence that says ‘We monitor the network and therefore you should have no expectation of privacy’ is “inadequate,” he said.
The policy “is not necessarily the end of the dialogue between an employer and their employees,” he stressed. “It could be the starting point … You invite inquiries and you should be prepared to answer them.”
An employer can have different policies for different employees. For example, provincial guidance says, a retail employer may have one policy that applies to its office staff and a different policy that applies to its in-store sales staff.
The obligation to have a policy is part of the Employment Standard Act. Note that as of January 1, 2023, business consultants and information technology consultants will no longer be covered by that act and will no longer be subject to electronic monitoring policy requirements.
The act doesn’t establish a right for employees not to be electronically monitored by their employer. Nor does it create any new privacy rights for employees. The government of Doug Ford has talked about bringing in privacy legislation but hasn’t so far.
Nor does the legislation define electronic monitoring. However, provincial guidance released in August says it includes all forms of employee and assignment employee monitoring that is done electronically. Some examples include where an employer:
- uses GPS to track the movement of an employee’s delivery vehicle
- uses an electronic sensor to track how quickly employees scan items at a grocery store check-out
- tracks the websites that employees visit during working hours
The policy must state
- a description of how and in what circumstances the employer may electronically monitor employees
- the purposes for which the information obtained through electronic monitoring may be used by the employer
- the date the policy was prepared
- the date any changes were made to the policy.
In a blog earlier this year the Bennett Jones law firm noted the law does not limit the employer’s use of the information gathered through electronic monitoring. An employer can rely on the information to discipline or terminate an employee.
