Ontario employers should use a broad definition of the term “employee electronic monitoring” if they don’t want to run afoul of proposed changes to provincial labour law, says a Toronto privacy lawyer.
That, said Daniel Michaluk, is because there isn’t a definition in the proposed act of “electronic monitoring”.
“It will create issues for employers trying to implement this,” predicted Michaluk, a partner in the Borden Ladner Gervais law firm who practices in privacy and cybersecurity law, unless the proposed legislation is amended in committee before being passed.
Section 41.1.1 of the proposed Bill 88, known as the Working for Workers Act and introduced last week, obliges any employer in the province with more than 25 employees to have a written policy explaining how and in what circumstances the firm electronically monitors employees. The policy also has to state how the data collected is used.
To be safe, Michaluk said employers should assume the term includes data collected from a wide range of technologies: standard endpoint data, data from endpoint detection and response (EDR) agents, data generated from mobile device management (MDM) applications, company-owned vehicle telematics, and, of course, network behaviour analytics and video surveillance footage. It could even include logging website traffic on a web server, he said.
Note that mobile device management applications could cover not only company-owned devices but also employee-owned devices if that is mandated by the employer.
Employers must provide copies of the policy to all employees, as well as to employees assigned by temporary help agencies.
“What’s interesting is before the province created any legislation that governs privacy in the workplace, they created a more targeted piece of legislation,” Michaluk said. The Conservative government of Doug Ford has talked about bringing in a provincial private sector privacy law, but no legislation has as yet been introduced.
Among Canadian jurisdictions, only B.C., Alberta and Quebec have private sector legislation obliging firms to give notice to employees of the collection of personal information.
Ontario employers shouldn’t find the obligation onerous, Michaluk said. “It should be feasible to inventory all these technologies without too much work and display them to employees. If we have mature systems for network security we should have inventoried this already.”
In fact, he said, it would be a matter of good data governance. “We ought to be governing our use of these technologies and more specifically the network [in the workplace] anyway.”
“If we don’t have an immediate view of what data we’re collecting across the network, let’s go do that as a matter of governance. Forget compliance. Even disclosing that [to employees] is good governance because you’re telling your users what’s going on.
“The real benefit is it may cause your users’ behaviour to change. It may cause them to understand you’ve got a network that records all sorts of data of users for legitimate uses and they should take their personal use of the network somewhere else.”
In a blog post, Michaluk and an associate offered detailed advice to employers on the proposed legislation. For example, for security reasons, there’s no need to disclose the software the company uses. To comply with the proposed law – unless it changes – employers could create a simple table like the one below:
They also noted that electronic monitoring in Ontario is permissible unless there is an agreement with employees that forbids it.
To meet the law, firms should update their hardware and software inventory, Michaluk said, as well as their policies on acceptable use of corporate networks.