Talk, not spy technology, should be one of the first weapons employers should use if they suspect employee misuse of enterprise devices or data, two lawyers have told a privacy law conference.
“I would be cautious about using all kinds of fun and highly efficient but intrusive technologies to monitor your workers’ productivity,” Emma Phillips, a partner at the Goldblatt Partners LLP law firm, told chief privacy officers in Toronto on Thursday.
If management has a reasonable belief there’s been misconduct Canadian law potentially allows staff or a device to be monitored, she added, as long as its done in a reasonable way — for example, don’t install keystroke loggers before warning an individual what inappropriate behaviour is, or put up surveillance cameras that cover broad areas where employees work.
If management doesn’t have a good reason, she said, or if the reason is based on speculation or rumors, intrusive monitoring runs the risk of an invasion of privacy lawsuit.
Co-panellist Daniel Michaluk, a partner in the Hicks Morley Hamilton Stewart Storie LLP law firm put, it more bluntly. “Tell people if you really want do something private, put it on your own device.”
As for trying to use computing monitoring to improve productivity, he said should be done the old-fashioned way: “Just manage your people; talk to them.”
Co-incidentally the conference was held on the day the federal privacy commissioner released a report on 10 ways employers can stop staff from snooping through personal data they hold.
Phillips, who acts for unions, and Michaluk, who represents management, were sometimes on opposite sides of the cases they presented before the privacy law conference run by the Canadian Institute. For example, Michaluk believes employers have broad rights to protect the enterprise, while Phillips believes management needs to protect employee privacy rights.
However, more often than not they agreed — in fact, neither like so-called bring your own device (BOYD) policies, which allow staff to buy their own devices that store both personal and corporate data.
Phillips dubbed BOYD “bring you own disaster.” Questions such as when does the employer have the right to search or monitor the device, and how to protect corporate information “leads to a lot of messiness.”
Michaluk said employers almost have to promise users full device privacy, which, he admitted, “makes me really nervous, but that’s the price for BYOD.”
Employers don’t have unlimited rights, even over PCs, laptops and other devices they own and provide to staff, they pointed out.
In 2012 the Supreme Court of Canada recognized a teacher who was caught with pornographic photos of underage students on the school board-provided laptop he used had an expectation of privacy. The images had been discovered during routine IT maintenance. The board gave the laptop to police, who went through the device without a search warrant and then charged the teacher.
At trial the defence argued the images shouldn’t be allowed into evidence because there was no warrant. The police argued no warrant was needed because the laptop belonged to the board. The Supreme Court disagreed, and ruled the teacher’s Charter rights were violated, which usually means evidence is disallowed. However, it allowed the evidence because it would not bring the administration of justice into disrepute.
Phillips noted the court ruled the teacher only had a limited expectation of privacy in this case — but an expectation nevertheless. The fact the board had behavior policy wasn’t enough to over-ride that privacy right that couldn’t be violated without a search warrant.
So, Phillips warned chief privacy officers, just because a corporately-owned computer has popup consent form on login allowing the employer to monitor use of the device doesn’t necessarily mean employees don’t have an expectation of privacy in what they’re doing with it.
Michaluk said having clear corporate behavior policies is important. This should spell out the employer will monitor company devices for legitimate reasons (technical maintenance/repair); to meet a legal requirement to produce information (for a court); to ensure work continuity (in case an employee is sick); to improve business process, productivity or enhance security; and to prevent misconduct and ensure compliance with the law.
In addition, he added, staff should be told a password is for identifying network users, not to protect employee privacy.
He also pointed out that employers have always monitored corporate networks for security — which is different from continuous employee monitoring.
Both noted court or adjudicated cases that have conflicting outcomes. For example a Canadian union was told by a provincial justice department official that a member was affiliated with a motorcycle gang. The union confirmed it and fired the staffer after reading his email –but that violated his privacy rights, said an adjudicator, who tossed out the email evidence.
Michaluk said the employer should have found other ways first to investigate the allegation before going into the employee’s email. “There should be processes, protocols for systematic review of data so you can respect personal privacy,” he said.
Phillips has a pending case her case, involving an employee who lost their own USB key in the office. It was found by a staffer who turned it over to a manger, who roamed through the contents over several days, including looking at personal files. Something as found and the employee was dismissed. There was no reason to investigate the individual, no suspicion of misconduct, said Phillips. “The manager went in and just snooped.”
“I’m not going to defend that one,” said Michaluk.
As for employers’ ability to control what staff post on their own social media sites, Phillips noted employees have right to their opinions, but where comments affect or harm other employees or the organization’s reputation the employer may have right to investigate and discipline.
Michaluk offered six tips for employers looking into social media posts of job candidates: Check at the end of the hiring process, and only when there’s a demonstrable need; search only on objective criteria (don’t just search around the Internet); have someone other than the person who’s doing the hiring do a search; have that person send a written a report to the decision maker on the criteria being sought; and validate the negative information found.