Monday, May 23, 2022

Proposed Ontario employee electronic monitoring disclosure law may help firms: Lawyer

Ontario employers should use a broad definition of the term “employee electronic monitoring” if they don’t want to run afoul of proposed changes to provincial labour law, says a Toronto privacy lawyer.

That, said Daniel Michaluk, is because there isn’t a definition in the proposed act of “electronic monitoring”.

“It will create issues for employers trying to implement this,” predicted Michaluk, a partner in the Borden Ladner Gervais law firm who practices in privacy and cybersecurity law, unless the proposed legislation is amended in committee before being passed.

Section 41.1.1 of the proposed Bill 88 — known as the Working for Workers Act, introduced last week, obliges any employer in the province with more than 25 employees to have a written policy explaining how and in what circumstances the firm electronically monitors employees. The policy also has to state how the data collected is used.

To be safe, Michaluk said employers should assume the term includes data collected from a wide range of technologies: Standard endpoint data, data from endpoint detection and response (EDR) agents, data generated from mobile device management (MDM) applications, company-owned vehicle telematics, and, of course, network behaviour analytics and video surveillance footage. It could even include logging website traffic on a web server, he said.

Note that mobile device management applications could cover not only company-owned devices but also employee-owned devices if that is mandated by the employer.

Employers must provide copies of the policy to all employees, as well as to employees assigned by temporary help agencies.

“What’s interesting is before the province created any legislation that governs privacy in the workplace, they created a more targeted piece of legislation,” Michaluk said. The Conservative government of Doug Ford has talked about bringing in a provincial private sector privacy law, but no legislation has as yet been introduced.

Among Canadian jurisdictions, only B.C., Alberta and Quebec have private sector legislation obliging firms to give notice to employees of the collection of personal information.

Ontario employers shouldn’t find the obligation onerous, Michaluk said. “It should be feasible to inventory of all these technologies without too much work and display them to employees. If we have mature systems for network security we should have inventoried this already.”

In fact, he said, it would be a matter of good data governance. “We ought to be governing our use of these technologies and more specifically the network [in the workplace] anyway.”

“If we don’t have an immediate view of what data we’re collecting across the network, let’s go do that as a matter of governance. Forget compliance. Even disclosing that [to employees] is good governance because you’re telling your users what’s going on.

“The real benefit is it may cause your users’ behaviour to change. It may cause them to understand you’ve got a network that records all sorts of data of users for legitimate uses and they should take their personal use of the network somewhere else.”

In a blog Michaluk and an associate offered detailed advice to employers on the proposed legislation. For example, for security reasons, there’s no need to disclose the software the company uses. To comply with the proposed law – unless it changes – employers could create a simple table like the one below:

Graphic from Canadian law firm describing how a company's electronic monitoring technology can be described
Source: Borden Ladner Gervais

They also noted that electronic monitoring in Ontario is permissible unless there is an agreement with employees that forbids it.

To meet the law, firms should update their hardware and software inventory, Michaluk said, as well as their acceptable use of corporate networks policies.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.