Posted on February 12, 2013 by Lisa Stam

Fingerprint Technology to Replace HR?

Last week, a friend sent me a link to the Toronto Star article, “Bay Street law firm uses fingerprint technology to monitor employees’ comings and going”.  The subtitle is, “The days of sneaking out of the office for three-hour lunch breaks will soon be over at one Bay Street law firm.”

According to the article, a Toronto firm will begin requiring all staff, except lawyers who spend much of their time with clients, to clock in and out of the office with a figure swipe.  The founding partner explained that “some people were abusing the system” and that this was a way of keeping track. The system is expected to go live in November 2013.

Oh where to begin.  

First, the glory days of Mad Men are over.  Long liquid lunches, or any regular lunch other than a quick wolf-down in the food court, are in the past for any lawyer I know.  As billable hour targets continue to creep up, as both men and women want to play a more hands on role at home, and as partnership tracks get longer and more challenging, most lawyers want to just get to it, get it done and get home.  And if lawyers don’t meet target, the time entry system will shed light on the numbers and everyone can sort it out before year’s end.  

Ultimately, I would think the time entry and billable hour system already serves the same purpose as any fingerprinting technology could for lawyers.

For non-time keepers, where is HR in all of this? If an assistant is regularly taking a 3 hour lunch, doesn’t anyone notice and proceed to have a discussion with him or her? If that doesn’t do the trick, then move on to some progressive discipline.  At the risk of over simplifying this, I remain curious why the HR function is being outsourced to technology. 

Perhaps a person is 3 hours late each day because of her medical treatments, or is taking a longer lunch to attend his AA meetings. HR’s critical role is to figure out the human element of the situation, work through any human rights issues, and apply the workplace rules and procedures.  No machine can do that.

Whether or not the employer is entitled to install a finger printing system is besides the point. While technology can be an exciting tool for remote working, convenience, quick communications and seamless integration between the office and client services, it can also apparently degenerate into a vehicle for Big Brother employee surveillance in the place of an effective HR mandate.   

Tags: , , ,
Posted on February 8, 2013 by Lisa Stam

Data Privacy When Employees Leave

Employees often take work-related data with them when they resign or are terminated from employment.  In many cases, it is an inadvertent act that has happened over time by using their own device or email account to work after hours.

Emily Chung, technology writer from CBC News interviewed me and wrote the following piece, exploring the issue:

Employees often take private data when they leave:  Intentions not malicious, but practice still poses risk to companies

Most employees see nothing wrong with taking their employer's confidential data out of the office — and about half even take it with them to their next employer, a study has found.

Meanwhile, even when they are not changing jobs, a majority of employees are putting sensitive corporate information at risk by transferring confidential corporate data to their personal devices, personal email accounts and cloud services such as file transfer service Dropbox, said the report titled, "What's yours is mine: how employees are putting your intellectual property at risk"...

Click here for rest of article.

 

 

Tags: , , , ,
Posted on October 23, 2012 by Lisa Stam

Privacy and Porn on Workplace Computers

Privacy and Porn on Workplace ComputersEmployees have a reasonable expectation of privacy in the personal information on their workplace computers, even if that expectation can be significantly diminished with effective workplace policies and practices.  However, whether such reasonable expectations extend to workplace computer evidence admitted in a criminal proceeding was addressed in last Friday’s highly anticipated Supreme Court of Canada decision of R v Cole

In that case, a school board computer technician ran a routine system maintenance check on the computer network and he discovered photographs of a naked student on a teacher’s laptop.  The technician advised the school principal.  On the principal’s instructions, the technician copied the photos to a disc, obtained the computer and copied the temporary internet files onto a second disc.  The laptop and both discs were then handed over to the police.

Workplace Computer Evidence Wrongly Excluded at Criminal Trial

The police reviewed the evidence, and charged Mr. Cole with possession of child pornography and unauthorized use of a computer.  At trial, all of the evidence was thrown out, because the police had obtained the laptop and discs without a search warrant.  At the heart of this case is whether an employee has any expectation of privacy of information on a workplace computer, which may attract Charter rights to prevent such evidence from being gathered and used against the employee in a legal proceeding.

The Supreme Court of Canada held that while Mr. Cole’s Charter right to be free from unreasonable state search and seizure had been breached, the admission of that evidence was appropriate in the circumstance and would not bring the administration of justice into disrepute.

Accordingly, the Court ordered a new trial, ordering that the evidence unlawfully obtained by the police should not be excluded in this case.

Reasonable Expectations of Privacy

Although this is a criminal law case, there are a number of employment law aspects to the matter. 

First, while Canadians may reasonably expect privacy in the information found on our home computers, this decision reiterates the principle that information on work-issued computers does attract some reasonable expectation of privacy.  Computers typically contain information that is “meaningful, intimate, and touching on the user’s biographical core”, attracting a protection of privacy. 

Second, while workplace policies and practices may diminish an employee’s expectation of privacy, such “operational realities” around workplace policies and practices do not remove the expectation entirely.  Context will matter.

Third, in this case, the employer was entitled to rely on the evidence it obtained through a standard, workplace maintenance check to discipline the employee as appropriate through its internal procedures.  The school board was not, however, entitled to waive the employee’s Charter rights by handing over such evidence to the police, even if the employer had originally lawfully obtained such evidence for own human resource purposes.  Only the employee could consent to disclosing the private information to the state.

Take-Away for Employers

Workplace policies are a critical tool for employers to enforce workplace standards, but they cannot be left to gather dust on an electronic shelf.  In this case, the Court relied on several facts to lessen the employee’s expectation of privacy in the workplace:

  • the workplace policy was up to date, asserting ownership of both the hardware and the data;
  • the employer annually reminded the employees that the students’ computer use policy also applied to the employees; and
  • the student policy specifically provided that email could be monitored and that users should not assume that any files stored on the network servers or hard drives of individual employer-issued computers will be private.

All of these factors diminished Mr. Cole’s expectation of privacy, but did not eliminate it.  He was entitled to be free from unreasonable state search and seizure of such personal information. 

Employers should not only continue to ensure their computer use, privacy, social media and electronic data policies are up to date, but it is essential that employees are informed and educated about the meaning and impact of such workplace policies so that employers can more effectively rely on such policies and practices. 

Tags: , , , , ,
Posted on May 11, 2012 by Lisa Stam

Terms of Service and Employee Social Media Passwords

Over the last couple of months, there has been an interesting debate in Canada and the US about whether an employer can ask for a social media password. For some of the highlights of the conversation in Ontario, see:

South of the Border

The issue originally hit the headlines when the American Civil Liberties Union complained on behalf of a Maryland correctional officer.  The ACLU uploaded avideo on YouTube and asserted that the employee's privacy rights had been violated when his employer turned to the employee during a re-certification interview and demanded his Facebook password. Maryland has since passed the first US law prohibiting employers from demanding social media login information.

California, Illinois, Texas, Washington and New York have also introduced social media privacy bills, and earlier this week, the Password Protection Act of 2012 was introduced at the federal level to prohibit employers from demanding social media login information as a condition for employment.


So Should Canadian Employers Ask for Social Media Passwords?

At this point, only Nova Scotia has introduced a bill banning employers from asking for social media passwords.  The first reading was in April, so it is only in at the beginning of the process.

Last week, the Ontario Office of the Information and Privacy Commissionerintroduced a guideline recommending against employers asking for social media passwords.  Other provincial privacy commissioners have published similar guidelines about social media background checks.

At this point, however, there is no specific law on the issue in Canada.

I personally come down on the side of those who see this as a very, very bad idea for employers to consider, and yet if an employer merely gathers the data and does nothing with it in Ontario, it probably isn’t a technical legal violation.  (See my blogs posts here and here on the privacy law gap for Ontario employee information.) 

For provinces such as British Columbia, Alberta and Quebec with provincial privacy legislation, employee personal information has greater protections and asking for such information will likely cross the legal line. 

Even in Ontario without specific protections for employee personal information, the problem is, of course, that for most employers, it will be very tempting to quietly pass on the candidate whose online profile indicates she is 4 months pregnant, highly politically charged, controversial, clearly a bit of a drunk (while pregnant!!), has sued her last 10 employers and believes working Friday afternoons should be banned in Canada. If the employer were conducting a regular interview, most of this information – some protected under the Human Rights Code, some not – would remain unknown until she starts running amuck in the workplace. I get why an employer would want to avoid the situation, but there are just too many landmines to worry about when demanding a social media password during an interview.

Terms of Service

The focus of the debate has been correctly centred on the discrimination and privacy concerns. Another issue receiving some, but not enough, attention is the extent to which the social media platforms themselves permit this use. Users enter into a contract with the social media in order to use their service. The services may be free, but no less legally binding. 

By demanding that a candidate hand over his or her social media password information, an employer is asking that candidate to breach the terms of service with the social media provider.  Facebook itself issued a statement in March condemning the practice and advising users they should not reveal their login information.

The Facebook Statement of Rights and Responsibilities includes the following statements: 

  • 3(5) - You [User] will not solicit login information or access an account belonging to someone else.
  • 3(10) - You [User] will not use Facebook to do anything unlawful, misleading, malicious, or discriminatory.
  • 4(8) - You [User] will not share your password, (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.

Not only is the candidate prohibited from sharing his or her password, but should the HR Manager conducting the interview happen to have a Facebook account, he or she would be violating the Terms of Service of his or her own account by soliciting the login information of someone else. Arguably he or she is doing so on behalf of the employer, so vicarious liability arguments could come into play. Should there be clear company policy prohibiting the practice, however, an employer could argue that the rogue HR Manager was acting beyond his or her duties. 

Either way, it all gets so messy. Why ask for the hassle for information that is frequently inaccurate, dated and irrelevant, particularly when you usually cannot legally use the more juicy information in the first place?

Dan Michaluk’s Best Practices

If you do intend on asking for social media passwords, I suggest you review Dan Michaluk’s useful “employer-friendly” post on his All About Information blog, which includes the following best practices in managing the legal risks associated with conducting social media background checks:

  1. Check at the end of the hiring process. This is a background check, not an evaluative process. It should come as the next to last step in the hiring process.
  2. Check only when there is a demonstrable need. What’s the need? What are the alternatives? Why is this the better alternative? Document your needs analysis.
  3. Search based on objective criteria. It will be very hard to establish the validity of a profiling exercise – i.e., an exercise in which you attempt to draw broad inferences about job performance or trustworthiness based on social media activity. Unless you have a qualified expert prepare a defensible predictive model, don’t profile. Look for objective behaviors that raise legitimate concerns in light of job responsibilities. For example, you may look for statements that a candidate for a sales or marketing position has made critical comments about your company or industry that are incompatible with becoming a representative of the company.
  4. Have someone other than the decision-maker search. This is a means of ensuring that the decision-maker does not see irrelevant information that may be related to a personal characteristic that is protected by anti-discrimination legislation.
  5. Direct a written report to the decision-maker. The report (which contains only feedback on the objective search criteria) goes in the hiring file and is part of the formal record upon which the hiring decision is made. This record is designed to assist in the defence of discrimination claims and is a record of due diligence. It makes the actual (forensic) record of the internet search irrelevant to a discrimination claim, which should minimize e-discovery risks.
  6. Validate negative information. Positively identifying the author of internet publications can be difficult. Validate authorship and seek an explanation.

This Too Shall Pass

Given the number of legal and practical risks, employers should be careful what they wish for. Should you feel it essential to wade into this dodgy, dangerous water, be prepared for the potential consequences. 

From what I can tell anecdotally, few employers actually ask for social passwords so let’s hope this pseudo-storm will pass over as we figure out how to integrate social media into the workplace in a manner that works for both employers and employees.

Are you an employer that finds it necessary to ask for your employee's social media passwords?  I'd love to hear your perspective, given the prevelance of the anti-password and login information voice.

Tags: , , , ,
Posted on May 7, 2012 by Lisa Stam

New Ontario Social Media Reference Check Guidelines

Last Thursday, the Ontario Office of the Information and Privacy Commissioner released its new guide for online reference checks.  In the face of the recent debates about whether an employer can request personal social media passwords during job interviews, the release of this document is quite timely.

The guideline is entitled, Reference Check:  Is Your Boss Watching?  The New World of Social Media:  Privacy and Your Facebook Profile.  The guideline reviews the various issues around online background checks, and provides a number of suggestions on how a candidate or employee can protect him or herself. 

I attended the event last Thursday at which the Privacy Commissioner, Dr. Anne Cavoukian, unveiled the new guideline and discussed the various risks and problems associated with employers asking for social media passwords.  It will be a surprise to no one that she firmly opposes requiring a candidate or employee to provide their personal social media passwords, although her reasoning was based more on privacy principles than legal prohibitions, given the ongoing gap in privacy law for provincially regulated employees in Ontario. 

In her speech, Dr. Cavoukian summarized five unintended consequences of requesting and obtaining a candidate or employees' personal social media passwords:

  1. Accessing a candidate's personal social media profile may lead to uncontrolled secondary use of personal data, such as data regarding a candidate's friends and family.
  2. Once the employer is in the possession of the data, the employer becomes responsible for that data and assumes liability for the privacy issues regarding the data.
  3. An employer may lose out on qualified candidates who are deterred from applying for a position because of the employer's practice.
  4. Possible loss of reputation of the employer.
  5. Costs of legal liability should a claim arise regarding the use of the information gathered during the social media background check.

Most of the consequences are focused on potential risk or reputational damage.  The reality is, given the privacy law gap in Ontario for non-medical employee personal information, any direct legal consequences are more likely to flow from the breach of a workplace policy, collective agreement, or contract (assuming one exists that speaks to the issue of privacy), than any specific law at this point. 

I discuss the Ontario privacy law gap in an earlier post here.  Until the landmark Ontario Court of Appeal decision, Jones v Tsige, was released in January, there was no employee recourse, so it will be interesting to see how the new Guidelines will be used by adjudicators as a thought-piece and articulation by the Ontario Privacy Commissioner of what the law should be for Ontario employers.

 

Tags: , , ,
Posted on January 18, 2012 by Lisa Stam

New Tort of Privacy in Ontario

As of today, individuals can now sue for the tort of privacy in Ontario.   (Thanks to Professor Doorey for the heads up in a tweet and blog post this afteroon).

The new tort is based on the following statement:

One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his or her private affairs or concerns, is subject to liability to the other for invasion of his or her privacy, if the invasion would be highly offensive to a reasonable person.

Jones v Tsige

Today the Court of Appeal of Ontario released its highly anticipated decision in Jones v Tsige, which finds that an individual can now file an action with the court based on the tort of “intrusion upon seclusion”. 

In this case, one bank employee named Tsige looked into the bank account of another employee named Jones (who became involved with Tsige's ex-husband) at least 174 times over 4 years.  Jones sued, lost at trial and appealed.  The Ontario Court of Appeal awarded her $10,000 for the tort of intrusion upon seclusion.

Important Development in the Law

Previously, courts held that there was no right to an independent claim based on privacy, and that any privacy claims must be part of another claim, such as breach of an employment contract that contained a privacy provision.  Plaintiffs therefore required another underlying action in order to also address any privacy claims.

Furthermore, given that no privacy legislation applies to non-health related personal information in most private sector workplaces in Ontario, there has been a gap in the legislation that prevented employees from filing a complaint with the Privacy Commissioner.

See my post on Privacy in the Workplace 101 from last summer for more details on the gap.

Take-Away for Employers

Employees can now take their claims of invasion of privacy directly to court. While the Jones v Tsigecase involves two employees, there is nothing that prevents an employee from taking his or her employer to court over a privacy issues. 

In light of this very important development in the law, employers will want to consider whether their workplace policies, procedures and processes sufficiently address protection of privacy, now that employees have direct recourse in the courts.

Tags: ,
Posted on July 5, 2011 by Lisa Stam

Privacy in the Workplace 101

Privacy in the workplace is an area that invites a broad range of views and perspectives.  Whether the information relates to data on an electronic device such as an employer-provided computer or blackberry, or personal employee information such as bank account information for pay cheque deposits, we all expect some degree of privacy in the workplace. 

What remains in dispute in many workplaces is where to draw the line between public space and personal privacy.  The law on workplace privacy continues to evolve in a non-linear fashion, in part because of the patch-work of Canadian legislation that governs privacy.   This post will outline the basic framework of law that governs privacy issues in Ontario workplaces.

Privacy Legislation in Ontario

Ontario does not have its own privacy legislation (other than for health care information) and therefore defaults to the federal Personal Information Protection and Electronic Documents Act (PIPEDA).  PIPEDA applies to the commercial information of an Ontario company, but not to personal employee information, unless the employee works for a federally governed organization (banks, railroads, etc). 

Here is the specific language in PIPEDA:

4. (1) This Part applies to every organization in respect of personal information that

(a) the organization collects, uses or discloses in the course of commercial activities; or

(b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.

If the information in question relates to health and medical information, then the  Personal Health Information Protection Act (PHIPA) applies.

Privacy Case Law

To keep it interesting, the courts also continue to develop the common law on privacy.  In addition to filing a claim with the applicable privacy commission office for a breach of a privacy statute, an individual or organization could instead take their matter to the courts. There is still debate, however, about whether one can file a claim in the courts based on an independent claim of a privacy breach, as opposed to adding on a privacy claim to an underlying claim such as breach of contract.

[**JANUARY 2012 ADDENDUM - see my post on Jones v Tsige regarding new developments in privacy case law in Ontario.  We now have a tort of privacy in Ontario and the following commentary on caselaw is out of date.]

The court in the recent case of Jones v Tsige [2011] ONSC 1475 (Ont. Sup. Ct) held that there is no independent right to sue for invasion of privacy.  A bank employee in that case had accessed and viewed another employee's banking information 174 times.  The case walks through the recent authorities on the possibility of a tort of privacy as its own actionable wrong and concludes that there is no such authority in Ontario.  The court made reference to Euteneier v Lee [2005] CanLII 33024 (Ont. C.A.), a case which noted in passing that there was no free standing right to privacy under the Charter or common law.

There is another line of cases, however, that suggests it may be time to recognize the tort of privacy.  See for example, Somwar v McDonald's Restaurants of Canada Limited (2006) CanLII 202 (Ont. Sup. Ct.).

Jones v Tsige is the more recent case, so at this moment, it is likely that a party could not sue on the basis of a privacy claim alone. 

The Gap

Given the current state of the legislation and caselaw, for non-health related employee information in Ontario workplaces, there is a legislative and judicial gap.  Often the gap is taken care of through language in a collective agreement, an employment contract, an employee handbook, workplace policies on email or computer use, or general expectations communicated to employees in the workplace. 

Where the gap remains outstanding, however, companies would be wise to integrate the principles of privacy law outlined in PIPEDA throughout the organization.  Privacy legislation and privacy caselaw continues to grow and it's only a matter of time before there will be some sort of express legislation or body of caselaw that requires employers to maintain a minimum level of protection of employee personal information. 

In any event, Ontario companies are required to comply with PIPEDA in their commercial dealings, so it may prove difficult to defend if employee personal information is less protected than other corporate data. 

 

Tags: , , , ,