In my last blog post, I discussed the emerging importance of coworking spaces in the post-industrial workforce. In this part two of the series, at the risk of bursting this utopian post-industrial bubble, I set out some of the more pressing employment law issues with coworking spaces: confidential information, data security, privacy and ownership of content.Continue Reading...
There is no doubt that we are in the midst of a massive shift in how we consume information and how we communicate with each other. And there is also no doubt that those under 20 who grew up not knowing any different will have a very different kind of comfort around the online universe.
Defining Online Privacy
Privacy is in the eyes of the beholder – for the very young, there is a tendency to continue to engage in frequent, open online interactions while asserting privacy rights around those online comments. For many people over a certain age (50? 60? 30?), this is totally ridiculous. You post it and it’s public. Yet a typical Boomer would be appalled if someone listened into his or her conversation at a restaurant or at a public fountain.
When so much of our personal life’s interactions are online, why not start to carve out the same sort of privacy we demand offline? The permanency of the written record only makes it more essential to think critically about what to do with all that information, not to just throw our hands up and give up.
The “public” status update may be online, but does that entitle the universe to act on that information to harm me, particularly when I’ve signaled my intention to maintain privacy over certain information through my privacy settings? Whether or not it’s easy or possible to access and act on information, should we not set some re-defined, socially acceptable (and legal) parameters around online information?
Online Privacy in the Workplace
This is the core of the privacy dilemma that employers face. In most US States, there is simply no expectation of privacy in the workplace, so employers have more flexibility around how to act upon their employee’s online information.
In Canada and Europe, however, employees have varying degrees of a right to privacy on their workplace computer and in their online life generally. Employers do not have any inherent right to read an employee’s Facebook page and discipline them for unpleasant or unpopular comments, subject to various legal tests such as the degree of economic harm on the employer’s business.
It is legal in Canada, therefore, to be a total jackass online, and it is difficult to terminate an employee because of their online life, unless your employee is otherwise breaking the law or an enforceable workplace policy, bad-mouthing the employer’s business or exercising poor behavior that specifically intersects with the job’s reputational management concerns (e.g. a firefighter being sexist or a daycare worker writing hateful comments about children).
Freedom of expression is, after all, a constitutional right in Canada.
Online Privacy in the Modern Economy
I anticipate that the generation growing up with the online world as simply an extension of their physical world - and not a public soapbox with different rules than in a restaurant or by the public fountain - will continue to carve out privacy rights in a way that makes sense to them and the online aspects of their daily, hourly lives.
Many proclaim that privacy is dead and we may as well either get over it or go off the grid. The latter is not an option if you want to participate in the economy. But giving up all privacy must surely bristle against human nature.
The Desire for Privacy Won’t Die
My unscientific sense is that most of us inherently crave some amount of privacy. Whether it’s to shield our imperfections from friends and family, to explore business or artistic ideas quietly, or to develop a potential romance without everyone staring and critiquing, the desire for privacy will not die anytime soon.
We just have to figure out how to nurture and assert privacy parameters in the modern economy and online world. And employers will have to continue to pay attention to this massive shift happening beyond the workplace to figure out how to handle expectations of privacy in the modern workforce.
I'd love to hear from you if your workplace has figured out the balance, or if you want to brainstorm about privacy policies that might help ease the way to the modern, online, e-information packed economy.
When addressing the dispute at a union's picketline, which interest trumps: your individual right to privacy or a union's right to freedom of expression?
This morning, the Supreme Court of Canada ("SCC") released a seminal case that aggressively concludes that the union's constitutional right will prevail over an individual's privacy rights arising out of the Alberta Personal Information Protection Act ("PIPA"): Information and Privacy Commissioner of Alberta, et al v United Food and Commercial Workers, Local 401.
The SCC struck down PIPA in its entirety, giving the Alberta legislature a year to amend the statute to comply with this ground-breaking decision.
The Facts on the Picketline:
- During the UFCW's 305-day lawful strike in front of an Alberta casino, both the employer and union recorded and took photos of individuals crossing the picketline;
- The union posted signs in the area of the pickline that images of persons crossing the picketline might be placed on a website called www.casinoscabs.ca;
- No recordings of the complainants were placed on the website referred to in the signs posted around the picketline.
The Privacy Complaint
Several individuals who crossed the picketline complained to the Alberta Information and Privacy Commissioner that their privacy had been violated. One of the individuals who filed a complaint was the casino's Vice-President, who complained that his image had been used in union materials, leaflets and a poster displayed at the picketline.
The individuals argued that the union contravened PIPA by collecting, using and disclosing their personal information (i.e. the recordings and photographs) without consent.
Section 2(b) of the Charter
The union responded to the complaints by asserting its constitutional right to freedom of expression under section 2(b) of the Canadian Charter of Rights and Freedoms ("Charter"). The union argued that the purpose of collecting the information had core labour relations purposes, including informing union members and the public about the strike; dissuading people from crossing the picketline; and creating training material for union members.
Under Alberta law, the Privacy Commissioner does not have the authority to decide constitutional questions of law, and so the Adjudicator was prevented from deciding on whether the union's Charter Right to freedom of expression trumped the individual's privacy rights.
The Adjudicator did, however, very nicely lay the foundation for all three upper courts to find in favour of the union. The Adjudicator concluded that the purposes for making the recordings and photos promoted the underlying purpose of the strike, namely to achieve labour relations' resolutions in favour of the union.
The Adjudicator further concluded that the collection, use and disclosure of the information was for an "expressive purpose", which feeds the upper courts helpful factual findings and conclusions, and draws upon the line of cases that support the union's Charter rights.
The Adjudicator's decision was judicially reviewed, argued at the Court of Appeal, and ultimately hear by the SCC. All three upper courts, now having access to the Charter arguments, agreed that the union's Charter rights prevailed over PIPA.
Here's a summary of the SCC's conclusions:
- PIPA's exemptions (such as a journalistic purpose or a possible investigation or legal proceeding) that could have permitted the collection, use and disclosure of information without consent did not apply to the union's activities in this case. The SCC found that since no exemption applied to the union's activities, PIPA's application was too broad, restricted the union's right to freedom of expression and thus violated the union's Charter rights.
- Once the Charter violation was found, the SCC then analyzed whether the restriction on the union's right to freedom of expression is justified in a free and democratic society (i.e. the section 1 Charter analysis). The SCC concluded that while PIPA's provisions are rationally connected to its objectives to protect privacy interests, "its broad limitations on freedom of expression are not demonstrably justified because its limitations on expression are disproportionate to the benefits the legislation seeks to promote." (paragraph 18 of the decision)
- PIPA's limitations on the collection, use and disclosure of personal information without consent did not give sufficient regard to the nature of personal information (these were images of people in public), purpose (to further the Union's Charter right to freedom of association under section 2(d)), orcontext (lawful picketline).
- Drawing on a long line of cases, the SCC reiterated that freedom of expression in the context of a lawful labour dispute is an "essential" component of labour relations.
- The SCC concluded:
 PIPA imposes restrictions on a union’s ability to communicate and persuade the public of its cause, impairing its ability to use one of its most effective bargaining strategies in the course of a lawful strike. In our view, this infringement of the right to freedom of expression is disproportionate to the government’s objective of providing individuals with control over personal information that they expose by crossing a picketline.
Status of PIPA
Upon the request of the Alberta Information and Privacy Commissioner and the Attorney General, the SCC did not cherry pick which provisions of PIPA violate the Charter. Rather, the SCC struck down PIPA in its entirety, declaring PIPA to be invalid as of 12 months from today. This gives the Alberta legislature time to revise and correct the legislation.
What about outside of Alberta?
While this case is huge news for privacy law in Alberta, it is also a seminal case for the rest of Canada. This case clearly and unambiguously concludes that any Canadian union's Charter right to freedom of expression on a pickline will trump individual privacy rights. Although privacy rights are deemed quasi-constitutional throughout the caselaw, there is no "quasi" to the constitutional rights of the Charter.
Employers and individuals crossing picketlines are not protected by privacy laws, and must govern themself accordingly. Whether you call individuals crossing a picketline a "scab" or "replacement worker", the union's Charter rights will permit images of people at the picketline to be taken and posted, provided the purpose is connected to labour relations.
Last week, I conducted a workshop on implementing a successful “Bring Your Own Device” (BYOD) program at the Canadian Institute’s Privacy Law & Compliance Conference. I met a wonderful group of privacy experts who had plenty to contribute to the discussion.
We talked about the benefits, risks and costs of permitting employees to use their personal device to perform work-related tasks, which typically includes accessing the company’s network. Over half the group was in the public sector and regularly handled very sensitive, confidential personal information.
The private sector attendees in the group had an equally strong concern about protecting highly sensitive and confidential business information. At the end of the day, most organizations, regardless of how open they may or may not be, require a certain level of security around their data, intellectual property and personal information.
So how to implement a successful BYOD program?
A couple of readers have asked to what extent US based social media cases will apply in Canada. We don't yet have a large body of social media cases in Canada (other than run of the mill termination cases involving social media), so there tends to be a lot of discussion up here about US based social media cases. Given that the US population is 10x larger than Canada’s population, it makes sense that there is simply a much larger volume of American caselaw to work with.
For novel issues in general, Canadian courts will often take into consideration cases from other countries in the Commonwealth and the US.
So for the world of social media, where many of the issues remain novel and unlitigated, US cases may be influential on our own adjudicators looking for guidance and analysis. While US cases are not a binding legal precedent, they may provide an important backdrop to a Canadian decision.
A good example is the Eagle v Morgan et al. case (for a commentary on the piece, see my recent blog post here). In that case, one of the three successful claims was for a breach of the former employee’s privacy tort of intrusion upon seclusion by appropriation of identity. However, while Dr. Eagle won certain of her legal claims, she was unable to prove any actual damages and therefore was awarded $0.
Dr. Eagle may have had a better result in Canada. Last year, the US tort of intrusion upon seclusion was introduced into our jurisprudence through the Jones v Tsige (2012 ONCA 32) case (discussion in a past blog post here). The court adopted the US tort, but with a critical difference: there is no requirement to prove harm to a recognized economic interest in Canada to be awarded damages.
Paragraph 70 and 71 of the Jones v Tsige case set out the elements of the tort as follows:
 I would essentially adopt as the elements of the action for intrusion upon seclusion the Restatement (Second) of Torts (2010) formulation which, for the sake of convenience, I repeat here:
One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.
 The key features of this cause of action are, first, that the defendant’s conduct must be intentional, within which I would include reckless; second that the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns; and third, that a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish. However, proof of harm to a recognized economic interest is not an element of the cause of action. I return below to the question of damages, but state here that I believe it important to emphasize that given the intangible nature of the interest protected, damages for intrusion upon seclusion will ordinarily be measured by a modest conventional sum. [emphasis added]
Thus, while Dr. Eagle failed to obtain any damage award in Pennsylvania, in Ontario at the least, she may have won her claim and received an award notwithstanding her failure to establish harm to a recognized economic interest.
Damages for the Ontario tort are capped at $20,000, so it remains to be seen whether that relatively low cap will discourage people from spending big legal fees for a fairly low win. The tort will no doubt be coupled with more fruitful claims in most situations.
There are two key concepts to take away from the relationship between the Eagle and Jones cases:
1. Canada is not a US State, and indeed a different country with different laws. Yes, really. Check on Wikipedia if you don't believe me: http://en.wikipedia.org/wiki/Canada (English) or http://fr.wikipedia.org/wiki/Canada (French).
2. US cases do influence our laws, although not as a binding legal precedent, and always filtered through our Canadian legal lens that tends to result in more employee-friendly results.
Who owns your LinkedIn content? As described in my last blog post, the battle over who owns social media content, and particularly LinkedIn connections and any other social media “customer” list, has yet to come. LinkedIn content will likely be where employers and companies may have a financial motivation to fight for the content, depending on how the social media content was used in the course of business.
The Eagle v Morgan et al decision came out in March, and is one of the few cases to date that provides some insight as to where the courts may go on social media content. This is a Pennsylvania case, but some of the underlying legal concepts may be applicable in Canada, albeit not as a direct precedent.
For a full review of the facts, see Sara Hutchins Jodka's summary on the Employer Law Report blog. For some good analysis about the case, Daniel Schwartz has discussed the case a couple of times in his blog, Connecticut Employment Law Blog.
As with most law, the case turned on its particular facts:
- Dr. Linda Eagle co-founded her banking education company and she was a key sales generator and face of the company;
- She provided her staff with her LinkedIn password, and directed them to maintain her LinkedIn account, including updating content, responding to messages, and expanding connections;
- The company heavily used senior executive LinkedIn accounts to expand the company’s network and to generate business;
- Dr. Eagle and her co-founders sold the company in October 2010, but stayed on as employees until they were terminated by the new owners the following June 2011; and
- Immediately upon termination, the company changed Dr. Eagle’s LinkedIn password, replaced her photo with that of her replacement, and changed most but not all content.
Needless to say, Dr. Eagle was ticked. She gained access to her account within a number of weeks, but only by going through LinkedIn directly.
Dr. Eagle sued her past employer for a long list of claims, winning on the following:
- unauthorized use of name
- intrusion upon seclusion by appropriation of identity
- tort of misappropriation of publicity.
For most of us mortals, we’re simply not important enough to have any sort of celebrity name that can be misappropriated for any monetary value. In this case, however, Dr. Eagle remains a leader in her field and organizations hire her for her unique skills.
The bittersweet twist in this case is that while Dr. Eagle successfully proved her first three claims, the court held that she had not established any monetary damages, and was therefore awarded $0. Although she did prove her point that the company misbehaved very badly, it is a rather hallow victory.
So who owns social media content? The Eagle case suggests that the owner of the LinkedIn profile does, even when that owner expressly directs the company’s staff to maintain and develop some of the content.
The company had unsuccessfully counter-sued Dr. Eagle, arguing that her LinkedIn connections belonged to the company. Similar to the types of arguments put forth in Phonedog, those connections are already in the public domain, making the proprietary claim a bit of a stretch.
This is why social media connections are not simply a Rolodex to which the employer can claim ownership. Social media connections/followers/friends are not particularly private, confidential or even unique. It’s a collection of relationships, which may or may not be directly related to the employer, even if the employer’s staff has developed many of those connections.
We’ve now seen a move in the law towards recognizing who may own the content, and in the absence of crystal clear employer policies, it will likely be the employee.
What remains to be seen is how to commodify content and relationships. Who cares who owns the content and relationships if they are legally worth $0. Most of us, however, have a gut feeling the value is a good deal more than $0. Social media isn’t just social – it’s business too.
Last week, a friend sent me a link to the Toronto Star article, “Bay Street law firm uses fingerprint technology to monitor employees’ comings and going”. The subtitle is, “The days of sneaking out of the office for three-hour lunch breaks will soon be over at one Bay Street law firm.”
According to the article, a Toronto firm will begin requiring all staff, except lawyers who spend much of their time with clients, to clock in and out of the office with a figure swipe. The founding partner explained that “some people were abusing the system” and that this was a way of keeping track. The system is expected to go live in November 2013.
Oh where to begin.
First, the glory days of Mad Men are over. Long liquid lunches, or any regular lunch other than a quick wolf-down in the food court, are in the past for any lawyer I know. As billable hour targets continue to creep up, as both men and women want to play a more hands on role at home, and as partnership tracks get longer and more challenging, most lawyers want to just get to it, get it done and get home. And if lawyers don’t meet target, the time entry system will shed light on the numbers and everyone can sort it out before year’s end.
Ultimately, I would think the time entry and billable hour system already serves the same purpose as any fingerprinting technology could for lawyers.
For non-time keepers, where is HR in all of this? If an assistant is regularly taking a 3 hour lunch, doesn’t anyone notice and proceed to have a discussion with him or her? If that doesn’t do the trick, then move on to some progressive discipline. At the risk of over simplifying this, I remain curious why the HR function is being outsourced to technology.
Perhaps a person is 3 hours late each day because of her medical treatments, or is taking a longer lunch to attend his AA meetings. HR’s critical role is to figure out the human element of the situation, work through any human rights issues, and apply the workplace rules and procedures. No machine can do that.
Whether or not the employer is entitled to install a finger printing system is besides the point. While technology can be an exciting tool for remote working, convenience, quick communications and seamless integration between the office and client services, it can also apparently degenerate into a vehicle for Big Brother employee surveillance in the place of an effective HR mandate.
Employees often take work-related data with them when they resign or are terminated from employment. In many cases, it is an inadvertent act that has happened over time by using their own device or email account to work after hours.
Emily Chung, technology writer from CBC News interviewed me and wrote the following piece, exploring the issue:
Most employees see nothing wrong with taking their employer's confidential data out of the office — and about half even take it with them to their next employer, a study has found.
Meanwhile, even when they are not changing jobs, a majority of employees are putting sensitive corporate information at risk by transferring confidential corporate data to their personal devices, personal email accounts and cloud services such as file transfer service Dropbox, said the report titled, "What's yours is mine: how employees are putting your intellectual property at risk"...
Click here for rest of article.
Employees have a reasonable expectation of privacy in the personal information on their workplace computers, even if that expectation can be significantly diminished with effective workplace policies and practices. However, whether such reasonable expectations extend to workplace computer evidence admitted in a criminal proceeding was addressed in last Friday’s highly anticipated Supreme Court of Canada decision of R v Cole.
In that case, a school board computer technician ran a routine system maintenance check on the computer network and he discovered photographs of a naked student on a teacher’s laptop. The technician advised the school principal. On the principal’s instructions, the technician copied the photos to a disc, obtained the computer and copied the temporary internet files onto a second disc. The laptop and both discs were then handed over to the police.
Workplace Computer Evidence Wrongly Excluded at Criminal Trial
The police reviewed the evidence, and charged Mr. Cole with possession of child pornography and unauthorized use of a computer. At trial, all of the evidence was thrown out, because the police had obtained the laptop and discs without a search warrant. At the heart of this case is whether an employee has any expectation of privacy of information on a workplace computer, which may attract Charter rights to prevent such evidence from being gathered and used against the employee in a legal proceeding.
The Supreme Court of Canada held that while Mr. Cole’s Charter right to be free from unreasonable state search and seizure had been breached, the admission of that evidence was appropriate in the circumstance and would not bring the administration of justice into disrepute.
Accordingly, the Court ordered a new trial, ordering that the evidence unlawfully obtained by the police should not be excluded in this case.
Reasonable Expectations of Privacy
Although this is a criminal law case, there are a number of employment law aspects to the matter.
First, while Canadians may reasonably expect privacy in the information found on our home computers, this decision reiterates the principle that information on work-issued computers does attract some reasonable expectation of privacy. Computers typically contain information that is “meaningful, intimate, and touching on the user’s biographical core”, attracting a protection of privacy.
Second, while workplace policies and practices may diminish an employee’s expectation of privacy, such “operational realities” around workplace policies and practices do not remove the expectation entirely. Context will matter.
Third, in this case, the employer was entitled to rely on the evidence it obtained through a standard, workplace maintenance check to discipline the employee as appropriate through its internal procedures. The school board was not, however, entitled to waive the employee’s Charter rights by handing over such evidence to the police, even if the employer had originally lawfully obtained such evidence for own human resource purposes. Only the employee could consent to disclosing the private information to the state.
Take-Away for Employers
Workplace policies are a critical tool for employers to enforce workplace standards, but they cannot be left to gather dust on an electronic shelf. In this case, the Court relied on several facts to lessen the employee’s expectation of privacy in the workplace:
- the workplace policy was up to date, asserting ownership of both the hardware and the data;
- the employer annually reminded the employees that the students’ computer use policy also applied to the employees; and
- the student policy specifically provided that email could be monitored and that users should not assume that any files stored on the network servers or hard drives of individual employer-issued computers will be private.
All of these factors diminished Mr. Cole’s expectation of privacy, but did not eliminate it. He was entitled to be free from unreasonable state search and seizure of such personal information.
Employers should not only continue to ensure their computer use, privacy, social media and electronic data policies are up to date, but it is essential that employees are informed and educated about the meaning and impact of such workplace policies so that employers can more effectively rely on such policies and practices.
Over the last couple of months, there has been an interesting debate in Canada and the US about whether an employer can ask for a social media password. For some of the highlights of the conversation in Ontario, see:
- Toronto Star article on March 20, 2012;
- Dan Michaluk at All About Information;
- Andrew Langille's blog Youth and Work; and
- David Doorey’s Workplace Law Blog, including a post that contains theOntario Human Rights Commission’s Facebook post on the issue
South of the Border
The issue originally hit the headlines when the American Civil Liberties Union complained on behalf of a Maryland correctional officer. The ACLU uploaded avideo on YouTube and asserted that the employee's privacy rights had been violated when his employer turned to the employee during a re-certification interview and demanded his Facebook password. Maryland has since passed the first US law prohibiting employers from demanding social media login information.
California, Illinois, Texas, Washington and New York have also introduced social media privacy bills, and earlier this week, the Password Protection Act of 2012 was introduced at the federal level to prohibit employers from demanding social media login information as a condition for employment.
So Should Canadian Employers Ask for Social Media Passwords?
At this point, only Nova Scotia has introduced a bill banning employers from asking for social media passwords. The first reading was in April, so it is only in at the beginning of the process.
Last week, the Ontario Office of the Information and Privacy Commissionerintroduced a guideline recommending against employers asking for social media passwords. Other provincial privacy commissioners have published similar guidelines about social media background checks.
At this point, however, there is no specific law on the issue in Canada.
I personally come down on the side of those who see this as a very, very bad idea for employers to consider, and yet if an employer merely gathers the data and does nothing with it in Ontario, it probably isn’t a technical legal violation. (See my blogs posts here and here on the privacy law gap for Ontario employee information.)
For provinces such as British Columbia, Alberta and Quebec with provincial privacy legislation, employee personal information has greater protections and asking for such information will likely cross the legal line.
Even in Ontario without specific protections for employee personal information, the problem is, of course, that for most employers, it will be very tempting to quietly pass on the candidate whose online profile indicates she is 4 months pregnant, highly politically charged, controversial, clearly a bit of a drunk (while pregnant!!), has sued her last 10 employers and believes working Friday afternoons should be banned in Canada. If the employer were conducting a regular interview, most of this information – some protected under the Human Rights Code, some not – would remain unknown until she starts running amuck in the workplace. I get why an employer would want to avoid the situation, but there are just too many landmines to worry about when demanding a social media password during an interview.
Terms of Service
The focus of the debate has been correctly centred on the discrimination and privacy concerns. Another issue receiving some, but not enough, attention is the extent to which the social media platforms themselves permit this use. Users enter into a contract with the social media in order to use their service. The services may be free, but no less legally binding.
By demanding that a candidate hand over his or her social media password information, an employer is asking that candidate to breach the terms of service with the social media provider. Facebook itself issued a statement in March condemning the practice and advising users they should not reveal their login information.
The Facebook Statement of Rights and Responsibilities includes the following statements:
- 3(5) - You [User] will not solicit login information or access an account belonging to someone else.
- 3(10) - You [User] will not use Facebook to do anything unlawful, misleading, malicious, or discriminatory.
- 4(8) - You [User] will not share your password, (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.
Not only is the candidate prohibited from sharing his or her password, but should the HR Manager conducting the interview happen to have a Facebook account, he or she would be violating the Terms of Service of his or her own account by soliciting the login information of someone else. Arguably he or she is doing so on behalf of the employer, so vicarious liability arguments could come into play. Should there be clear company policy prohibiting the practice, however, an employer could argue that the rogue HR Manager was acting beyond his or her duties.
Either way, it all gets so messy. Why ask for the hassle for information that is frequently inaccurate, dated and irrelevant, particularly when you usually cannot legally use the more juicy information in the first place?
Dan Michaluk’s Best Practices
If you do intend on asking for social media passwords, I suggest you review Dan Michaluk’s useful “employer-friendly” post on his All About Information blog, which includes the following best practices in managing the legal risks associated with conducting social media background checks:
- Check at the end of the hiring process. This is a background check, not an evaluative process. It should come as the next to last step in the hiring process.
- Check only when there is a demonstrable need. What’s the need? What are the alternatives? Why is this the better alternative? Document your needs analysis.
- Search based on objective criteria. It will be very hard to establish the validity of a profiling exercise – i.e., an exercise in which you attempt to draw broad inferences about job performance or trustworthiness based on social media activity. Unless you have a qualified expert prepare a defensible predictive model, don’t profile. Look for objective behaviors that raise legitimate concerns in light of job responsibilities. For example, you may look for statements that a candidate for a sales or marketing position has made critical comments about your company or industry that are incompatible with becoming a representative of the company.
- Have someone other than the decision-maker search. This is a means of ensuring that the decision-maker does not see irrelevant information that may be related to a personal characteristic that is protected by anti-discrimination legislation.
- Direct a written report to the decision-maker. The report (which contains only feedback on the objective search criteria) goes in the hiring file and is part of the formal record upon which the hiring decision is made. This record is designed to assist in the defence of discrimination claims and is a record of due diligence. It makes the actual (forensic) record of the internet search irrelevant to a discrimination claim, which should minimize e-discovery risks.
- Validate negative information. Positively identifying the author of internet publications can be difficult. Validate authorship and seek an explanation.
This Too Shall Pass
Given the number of legal and practical risks, employers should be careful what they wish for. Should you feel it essential to wade into this dodgy, dangerous water, be prepared for the potential consequences.
From what I can tell anecdotally, few employers actually ask for social passwords so let’s hope this pseudo-storm will pass over as we figure out how to integrate social media into the workplace in a manner that works for both employers and employees.
Are you an employer that finds it necessary to ask for your employee's social media passwords? I'd love to hear your perspective, given the prevelance of the anti-password and login information voice.
Last Thursday, the Ontario Office of the Information and Privacy Commissioner released its new guide for online reference checks. In the face of the recent debates about whether an employer can request personal social media passwords during job interviews, the release of this document is quite timely.
The guideline is entitled, Reference Check: Is Your Boss Watching? The New World of Social Media: Privacy and Your Facebook Profile. The guideline reviews the various issues around online background checks, and provides a number of suggestions on how a candidate or employee can protect him or herself.
I attended the event last Thursday at which the Privacy Commissioner, Dr. Anne Cavoukian, unveiled the new guideline and discussed the various risks and problems associated with employers asking for social media passwords. It will be a surprise to no one that she firmly opposes requiring a candidate or employee to provide their personal social media passwords, although her reasoning was based more on privacy principles than legal prohibitions, given the ongoing gap in privacy law for provincially regulated employees in Ontario.
In her speech, Dr. Cavoukian summarized five unintended consequences of requesting and obtaining a candidate or employees' personal social media passwords:
- Accessing a candidate's personal social media profile may lead to uncontrolled secondary use of personal data, such as data regarding a candidate's friends and family.
- Once the employer is in the possession of the data, the employer becomes responsible for that data and assumes liability for the privacy issues regarding the data.
- An employer may lose out on qualified candidates who are deterred from applying for a position because of the employer's practice.
- Possible loss of reputation of the employer.
- Costs of legal liability should a claim arise regarding the use of the information gathered during the social media background check.
Most of the consequences are focused on potential risk or reputational damage. The reality is, given the privacy law gap in Ontario for non-medical employee personal information, any direct legal consequences are more likely to flow from the breach of a workplace policy, collective agreement, or contract (assuming one exists that speaks to the issue of privacy), than any specific law at this point.
I discuss the Ontario privacy law gap in an earlier post here. Until the landmark Ontario Court of Appeal decision, Jones v Tsige, was released in January, there was no employee recourse, so it will be interesting to see how the new Guidelines will be used by adjudicators as a thought-piece and articulation by the Ontario Privacy Commissioner of what the law should be for Ontario employers.
As of today, individuals can now sue for the tort of privacy in Ontario. (Thanks to Professor Doorey for the heads up in a tweet and blog post this afteroon).
The new tort is based on the following statement:
One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his or her private affairs or concerns, is subject to liability to the other for invasion of his or her privacy, if the invasion would be highly offensive to a reasonable person.
Jones v Tsige
Today the Court of Appeal of Ontario released its highly anticipated decision in Jones v Tsige, which finds that an individual can now file an action with the court based on the tort of “intrusion upon seclusion”.
In this case, one bank employee named Tsige looked into the bank account of another employee named Jones (who became involved with Tsige's ex-husband) at least 174 times over 4 years. Jones sued, lost at trial and appealed. The Ontario Court of Appeal awarded her $10,000 for the tort of intrusion upon seclusion.
Important Development in the Law
Previously, courts held that there was no right to an independent claim based on privacy, and that any privacy claims must be part of another claim, such as breach of an employment contract that contained a privacy provision. Plaintiffs therefore required another underlying action in order to also address any privacy claims.
Furthermore, given that no privacy legislation applies to non-health related personal information in most private sector workplaces in Ontario, there has been a gap in the legislation that prevented employees from filing a complaint with the Privacy Commissioner.
See my post on Privacy in the Workplace 101 from last summer for more details on the gap.
Take-Away for Employers
Employees can now take their claims of invasion of privacy directly to court. While the Jones v Tsigecase involves two employees, there is nothing that prevents an employee from taking his or her employer to court over a privacy issues.
In light of this very important development in the law, employers will want to consider whether their workplace policies, procedures and processes sufficiently address protection of privacy, now that employees have direct recourse in the courts.
Privacy in the workplace is an area that invites a broad range of views and perspectives. Whether the information relates to data on an electronic device such as an employer-provided computer or blackberry, or personal employee information such as bank account information for pay cheque deposits, we all expect some degree of privacy in the workplace.
What remains in dispute in many workplaces is where to draw the line between public space and personal privacy. The law on workplace privacy continues to evolve in a non-linear fashion, in part because of the patch-work of Canadian legislation that governs privacy. This post will outline the basic framework of law that governs privacy issues in Ontario workplaces.
Privacy Legislation in Ontario
Ontario does not have its own privacy legislation (other than for health care information) and therefore defaults to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies to the commercial information of an Ontario company, but not to personal employee information, unless the employee works for a federally governed organization (banks, railroads, etc).
Here is the specific language in PIPEDA:
4. (1) This Part applies to every organization in respect of personal information that
(a) the organization collects, uses or discloses in the course of commercial activities; or
(b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
If the information in question relates to health and medical information, then the Personal Health Information Protection Act (PHIPA) applies.
Privacy Case Law
To keep it interesting, the courts also continue to develop the common law on privacy. In addition to filing a claim with the applicable privacy commission office for a breach of a privacy statute, an individual or organization could instead take their matter to the courts. There is still debate, however, about whether one can file a claim in the courts based on an independent claim of a privacy breach, as opposed to adding on a privacy claim to an underlying claim such as breach of contract.
[**JANUARY 2012 ADDENDUM - see my post on Jones v Tsige regarding new developments in privacy case law in Ontario. We now have a tort of privacy in Ontario and the following commentary on caselaw is out of date.]
The court in the recent case of Jones v Tsige  ONSC 1475 (Ont. Sup. Ct) held that there is no independent right to sue for invasion of privacy. A bank employee in that case had accessed and viewed another employee's banking information 174 times. The case walks through the recent authorities on the possibility of a tort of privacy as its own actionable wrong and concludes that there is no such authority in Ontario. The court made reference to Euteneier v Lee  CanLII 33024 (Ont. C.A.), a case which noted in passing that there was no free standing right to privacy under the Charter or common law.
There is another line of cases, however, that suggests it may be time to recognize the tort of privacy. See for example, Somwar v McDonald's Restaurants of Canada Limited (2006) CanLII 202 (Ont. Sup. Ct.).
Jones v Tsige is the more recent case, so at this moment, it is likely that a party could not sue on the basis of a privacy claim alone.
Given the current state of the legislation and caselaw, for non-health related employee information in Ontario workplaces, there is a legislative and judicial gap. Often the gap is taken care of through language in a collective agreement, an employment contract, an employee handbook, workplace policies on email or computer use, or general expectations communicated to employees in the workplace.
Where the gap remains outstanding, however, companies would be wise to integrate the principles of privacy law outlined in PIPEDA throughout the organization. Privacy legislation and privacy caselaw continues to grow and it's only a matter of time before there will be some sort of express legislation or body of caselaw that requires employers to maintain a minimum level of protection of employee personal information.
In any event, Ontario companies are required to comply with PIPEDA in their commercial dealings, so it may prove difficult to defend if employee personal information is less protected than other corporate data.