An hour-long presentation on "hot topics" for Canadian employers. Deals with business system monitoring, employee responsibility for "off duty" publication and background checks.
3. Monitoring business systems: Why?
- To engage in maintenance, repair and management
- To meet a legal requirement to produce
- To ensure continuity of business practice
- To improve business processes
- To maintain internal control (including preventing misconduct and ensuring legal compliance)
4. Monitoring business systems: How businesses maintain internal control
- Conduct routine audits*
- Investigate suspicions of misconduct*
- Respond to what they find
- Keep a good record of the same
5. Monitoring business systems: The traditional law
- Notification does count
- The employer owns the medium and has lots of good reasons to look
- E-mail communication is too insecure to expect privacy
- No balancing of interests at all
6. Monitoring business systems: Challenge #1 – Decision-maker value shift
- Lethbridge Community College (2007)
- MS Hotmail e-mails retrieved through forensic analysis
- First case to impose a reasonable grounds requirement for investigation
- Value shift may also be gleaned from Cole and Tfaily (two very recent and hot Ontario cases)
7. Monitoring business systems: Challenge #2 – Supervisor value shift
- Quon text message case heard by SCOTUS in April 2010
- Will your supervisors enforce policies they deem to be intrusive?
8. Monitoring business systems: Change #3 – Privacy legislation
- Imposes an “objective reasonableness” requirement
- At play in UBC spyware case
- But, notably, Johnson case suggests PIPEDA does not apply to “personal” e-mails
9. Monitoring business systems: Option #1 – Try harder to control expectation
- Personal use does not come with privacy!
- Routine acknowledgements
- Audit and communicate audit results to employees
10. Monitoring business systems: Option #2 – Go with a purpose-based policy
- List purposes and stick with purposes
- Give the same expectation of privacy warning re personal use
- Set an evidence-based standard for investigation
- Set a protocol or procedure for audits
11. Publication and “off duty” conduct
Bob and Sue had a long day. They go to the Dirty Dog Pub after work and, over the course of four hours, take jabs at their supervisor, Phil.
12. Publication and “off duty” conduct
Jack had a long day. He goes home, cracks open a beer, and boots up his home computer. Using a picture of his supervisor taken from the company intranet and some internet-based software, he alters the picture so the manager looks ridiculous. Jack posts it to his Facebook page. He feels good.
13. Publication and “off duty” conduct
- Duty of fidelity applies when employee expression is likely to significantly affect a legitimate employer interest
- All other activity is “private”
14. Publication and “off duty” conduct: Nexus commonly derived from
- Impact on other employees' rights
- Impact on job responsibilities
- Impact on reputation
15. Publication and “off duty” conduct: Whistleblower exception for speaking publicly
- Serious and imminent threat to health and safety
- Illegality
- Subject to the “report up the ladder” principle (Merk)
- Criminal Code immunity for reports to law enforcement and regulators
- Not for blogging or tweeting
- Not for giving information to mainstream media
17. Background check developments: Internet searches
- Do it at the end, not the beginning
- Question, “Is it necessary? What’s relevant?”
- Set objective criteria for a non-decision maker search agent
- Create a business record of the search
18. Background check developments: Access to the CPIC database
- Enforcement of name and d.o.b. check rule due to privacy/accuracy concerns
- About 120 days from a “we can’t complete the check” answer
- Commercial service providers can’t conduct vulnerable sector checks
- Release of vulnerable sector report to applicant first
19. Background check developments: Where no human rights regulation
- Response = “we can’t complete the check” = lapse of offer
- Option to hire anyway
- Get a declaration and apply due diligence
- Weigh need to hire against risk in light of controls
- Make completion of check condition clear
20. Background check developments: Where human rights regulation
- You must weigh need to hire against risk in light of controls
- Get a declaration and apply due diligence
- Make completion of check condition clear
21. Background check developments: Pressure to use local checks
- CPIC results are very qualified
- Ontario criminal case highlights staleness of CPIC data
22. Background check developments: Risks of local checks
- Much broader information
- Non-standard information
- See Tadros (Ont. C.A.) about disclosure of withdrawn charges
- At the same time, Ontario HRT has said charges are not protected in MyTrak Health Systems
24. Key issues in workplace privacy, Dan Michaluk, May 12, 2010
Editor's notes
Let’s start with the basics. Our privacy law is based strongly on proportionality and balancing… The challenge is for management to deal with a claimed privacy interest. But what interests is management protecting? Employers have an unquestionable legitimate interest in looking at the information flowing through their systems. Here are the most common purposes. [Briefly explain one to four. Turn over slide for five.]
Internal control is important. Let’s look at context – era of accountability… both public and private sector: post Enron, post Westray, post Gomery, post Bill 168 (expanded regulation of interaction between people). Quote from National Post last week… “The role of investigative journalism has expanded over the years to help fill what has been described as a democratic deficit in the transparency and accountability of our public institutions.” Looking at communications is a key means of maintaining internal control – 90% of communication is electronic… picture of all activity within your business. Two kinds of looking: audits (risk based, proactive) and investigations (targeted, reactive). Take corrective action based on what’s found: change in process or technology; change in people – terminations or lesser sanctions. And keep a record of diligence. Simple, right? And then comes personal privacy.
Traditional law has been very permissive. Remember our purposes. Those are usually reinforced by an acceptable use or computer use policy that says in one paragraph “YOU HAVE NO EXPECTATION OF PRIVACY”. Some employers use annual acknowledgements… some use login dialog boxes. Been effective… Most law is in unionized workplaces… arbitrators have said, “I’m not even balancing interests here. An employer can look for lots of reasons it’s not reasonable for an employee to make any privacy claim.” Lakehead University case in 2009 re Google Apps outsourcing – e-mail is no more secure than a postcard.
Watch out for shifting values. Premised on change in permissibility of personal use. Ten years ago employees worked at work and went home and watched TV. Policies said “no personal use”. Now employees work at work and work at home on the same device. Policies now say “reasonable personal use”. When employees are banking on your computers is it reasonable to capture their keystrokes? When employees are sending legitimate personal communications to loved ones about medical conditions… is it legitimate to review their communications? Identify Lethbridge, Cole and Tfaily as showing that decision makers are struggling.
Even if your decision-makers are okay, managers can interfere with policy enforcement. In Quon a supervisor said something like, “If you pay the overages we won’t look.” If supervisors or others in authority think that your monitoring policy is not reasonable they may undermine it.
That was about the reasoning applied by arbitrators and courts. In Canada we have employee privacy legislation in three provinces and for federal works. If it applies, there is a regulatory requirement to balance interests. Collection of personal information must be reasonably necessary to meet a legitimate purpose. Call this an “objective reasonableness requirement”. At play in UBC spyware case of 2007 – all you needed to do to investigate time theft was look at traffic logs… you didn’t need to install spyware to capture screen images. Wrinkle from Johnson under PIPEDA… about access to personal e-mails sent about an employee… said personal e-mails are not regulated by PIPEDA because they are not sufficiently related to the commercial enterprise… like “bycatch”. Perverse (though possibly correct) ruling… saying employers have very limited domain over employee e-mails, but in doing so rules out protection of privacy legislation.
So what do employers do? Put an express condition on personal use. Use routine acknowledgements. Communicate audit results… use a newsletter… prove to employees you are looking. One-sided solution… focuses on employer right… doesn’t control to protect employee privacy.
You create policy to address the privacy interest. Especially appropriate where regulated. List the purposes from my earlier slide. Warn them still… give good notice still. Set an evidence-based standard for investigation. Tell them how you will go about audits. Examples: internal audit staff conduct an investigation at direction of VP; VP directs audits based on a bona fide security risk; should line manager need to find work product, e-mails will be pulled by internal audit where possible. These will kill your no expectation argument but should still enable everything you need to do at a lower risk.
Let’s move on to a different privacy issue – an employee’s right to live a private existence without employment-related consequence. Supported by Joseph Cohen-Lyons paper in materials. Here’s a scenario. Not so odd. Anyone think this interferes with an employer’s interest? Nah. It’s blowing off steam. It’s “private” off duty conduct. Outside the workplace – no physical nexus. No intangible nexus to legitimate interests.
This is (sadly) what happens today. Same question. Is it private? Would it make a difference if Jack has only ten friends? What if none of them are employees? Happens all the time. This is how people blow off steam now. There’s a perception that this is somehow analogous to a barroom chat with a close friend. But let’s look at the difference. It’s clearly a publication. Often to other employees. Even if not there’s no legal or practical restriction on what recipients can do with the communication. Jack’s picture of his supervisor can be copied and mailed around. So there’s a good argument that this is about as public as it gets. Consistent with a traditional privacy law principle – a disclosure to one is a disclosure to all.
This is an issue of loyalty and fidelity, which is implicit in every employment relationship. Don’t need special status… not like a fiduciary. This is my expression of the test that defines the scope of the duty. Very, very contextual cases. No black and white. There will be some easy cases, but many are hard to predict. Example… student speech cases out of U.S. Third Circuit (in materials). Many employment cases will settle.
Now Jack’s supervisor has a beef. But why can an employer discipline that conduct? Well, there’s a nexus back to employment interests isn’t there?
- impact on other employees' rights
- right to work in a safe and harassment free work environment
- reasonably likely to interfere with that right
- employer’s burden but…
- … decision-maker may presume harm (arguable issue)
- evidence of actual harm helps (give example)
- Nexus is commonly derived from these three things
- no case law, but these are in order of moral weight
- we’re balancing again here
- example tough case – employee a professional adviser… goes out and does a beer mile… better have a pretty good case for reputational harm
There is developed case law. Based in public sector but theory applies to private sector employment. Recognizes a whistleblower exception to the duty of fidelity. Identify cases - Fraser of SCC 1985, Haydon of FC 2005, Read of FC 2005. Employers protect themselves by having internal systems to receive reports of wrongdoing. An employee may have a duty to report internally first. Endorsed in Read and by our Supreme Court of Canada in a case called Merk – 2004. Thrown somewhat into question by our broadly worded Criminal Code anti-reprisal provision – section 425.1. But only provides immunity from reporting to law enforcement, not blogging, not passing things to the media, not passing things to a blogger. Of course, whistleblowing unusually means point to the press. Case from Supreme Court of Canada last week that says a court will assess whether it will honour a journalist’s promise of confidentiality on a case-by-case basis. No reason why a whistleblower couldn’t tweet it to the world anonymously… will be investigations…
This is a general model that I’ve been using. Addresses both HR and privacy compliance issues… consistent with reasonable necessity principle. Idea is that you collect minimal information in the application form… devoid of anything to do with a prohibited ground of discrimination. Purpose is to qualify applicant pool for an interview. Ontario, “Have you been convicted of a criminal offence for which you have not been pardoned”. In BC, PEI and Quebec don’t ask. Interview stage. More information… see the candidate so you now have knowledge. Some interviewers control risk by structuring questions (nice in defending a case). Background check… deal with fitness for work in light of restrictions related to protected personal characteristics… functional testing, criminal background checks, and now INTERNET CHECKS.
When reputation (and online reputation) is an indication of how effective a person is going to be at a job I think it’s something that should be done. If not, it is more questionable. If you do it here are the best practices:
- third bullet is most important
- fourth bullet makes what the searcher saw either irrelevant or of minimal probative value
Our phones started ringing off the hook in the new year. Not really a privacy issue but driven by privacy concerns related to accuracy of reporting. 4.2 fingerprints on file and 50% have more than one name attached to it. Name and d.o.b. query is an insufficient guarantor of accuracy. We can’t complete the check… up to 120 days for fingerprint verification. Vulnerable sector checks include other information… include sensitive information about certain sexual offences that have been pardoned. Give to individual first… employer can get… but individual has an opportunity to simply walk away from the offer after reviewing the report.
About managing name and dob check problem. Application of human rights legislation makes a big difference. Not uniform protection across Canada:
- BC, Quebec and PEI have protection
- Federal and Ontario shouldn’t for name and DOB check because not checking for provincial offences convictions and criminal convictions that have been pardoned
Set a clear term whatever you want to do. Still have an option to hire:
- subject to declaration and other due diligence
- if they give a false declaration you’d likely have a good cause case
If HR legislation applies you (essentially) have a duty to do a case-by-case analysis. Weigh the risk… make a decision on a case-by-case basis.
Standard form CPIC response for a name and dob check is very qualified now. Suggests that employers should conduct a local check. CPIC is a roll-up of local forces data. Takes time. R. v. Horne by Ontario’s Justice Fairgrieve last July:
- 11 convictions discovered after guilty plea and before sentencing dating back two years
- Law Times article quotes a crown saying CPIC is about two years out of date
So employers may seek local checks. Not standard. According to Swaigen article police databases include – complainant, victim, suspect, person of interest, charges. So if you’re a regulated employer concerned about consent and necessity. Otherwise you can ask and get. Leaves people in position some may feel is unfair. Tadros… problems after a consensual check… argument that consent wasn’t clear enough. No human rights protection either according to the Ontario HRT. Live policy issue for the most part.