In the eyes of employers, it’s essential to monitor employees’ computer and email use to protect the business. But in the eyes of employees, such monitoring is just plain spying. So who’s right—at least in the eyes of the law?
Computer Usage, Privacy & the HR Director’s Challenge
Some employees abuse their computers for non-productive and harmful ends like:
So, it’s incumbent upon employers to set restrictions on employees’ computer usage and monitor whether those limits are being obeyed. Employee and unions are apt to object to monitoring as illegal. And thanks to the new personal privacy laws, they may have a legitimate argument.
Employees enjoy some degree of privacy protection vis-à-vis their employers. But privacy rights must be balanced against the employer’s equally legitimate business interests. Thus, employers are allowed to monitor employees’ use of company computer systems for security, to prevent illegal activities and maintain productivity even if that means going into their emails and hard drives. According to a recent Alberta case, “in the information technology world today,” great harm can be done to companies “with the click of a mouse.” Accordingly, “an employer is entitled not only to prohibit use of its equipment and systems for [improper] purposes but also to monitor an employee’s use of the equipment to ensure compliance” [Poliquin v. Devon Canada Corp. ,  A.J. No. 626, June 17, 2009].
But monitoring may cross the line if the information isn’t vital or appropriate to access and there are less intrusive ways for employers to obtain it. In other words, while monitoring computer usage is generally okay, it still must be done in a “reasonable” way.
Example: An employee filed a privacy complaint with the Alberta Privacy Commissioner after discovering that his employer had installed keystroke logging software on his computer without his knowledge. The Commissioner ruled that the employer could and should have used less intrusive means to monitor the employee’s work and informed the employee that it was monitoring him [Order F2005-003, Alberta Information and Privacy Commissioner, June 24, 2005].
Basic Rule: You can access computer data as long as employees don’t have a “reasonable expectation of privacy” in the material. “Reasonable expectation” is based on 2 things:
What the employee actually expected. The employee must have what’s called a subjective expectation of privacy, i.e., he must sincerely believe that the information in his computer will be kept from his employer. Thus, employees who know that their computer data can’t be kept private have no claim. The employee’s use of passwords, hidden files, encryption and other security conventions is evidence of a subjective expectation of privacy.
Whether the employee’s privacy expectation was reasonable. A sincere expectation of privacy isn’t enough. Employees must also show that it was reasonable for them to have such an expectation. Reasonableness is an objective standard that’s based on what a person of average prudence would expect. That makes it harder for employees to argue that a privacy expectation was reasonable when the computer equipment is owned by the company; an employee has a stronger case when the data the employer accesses is stored on a personal computer that the employee owns and uses for work purposes.
HOW TO COMPLY
Trying to argue in front of a judge or arbitrator what was on an employee’s mind and what should have been on his mind is a dicey proposition. The good news is that you can put an end to any privacy expectations by your employee before they ever arise. The key: Adopt a policy stating that data kept on company computers and systems is not private and is, in fact, subject to monitoring. As long as it’s clearly written and consistently implemented, a computer use policy will make it extremely difficult for employees to claim they have a reasonable expectation of privacy in their computer files.
Example: During routine monitoring of the server and network, the IT director of an Ontario high school found a file containing nude photographs of a student on the hard drive of a laptop assigned to a teacher. The school gave the file to the police who charged the teacher with child pornography. The teacher argued that he had a reasonable expectation of privacy in the material. The court found that the teacher had a subjective expectation of privacy—the pictures were in a “grey file” under “My Documents” and the laptop was password-protected.
But it ruled that the expectation wasn’t reasonable. Although password-protected, the laptop was owned by the school. More importantly, the school’s computer use policy, which the teacher had not only signed but helped enforce made it clear that data stored on computer files weren’t private and subject to monitoring. In addition, the school board reinforced the policy by posting regular reminders on its website and issuing notices 4 times a year. So the court ruled that the teacher had no reasonable expectation of privacy in the material on his hard drive [R. v. Cole,  O.J. No. 1755, April 28, 2009].
How to Create Computer Use Policy
Although you should never adopt a model form without tailoring it to your own workplace, the Model Policy below illustrates the provisions to include in your own policy, including a clear statement that:
> All computers and information technology systems provided to employees are owned solely by the company and aren’t the employee’s property [Policy, para. 1].
> Computers and equipment must be used solely for work-related purposes. It’s also important to list prohibited uses, like surfing the web, downloading pornographic, racist, defamatory or other offensive material and downloading or transmitting confidential company information [Policy, para. 2].
> Employees have no right to expect that their files, emails and other data will be kept private [Policy, para. 3].
> The company will monitor computer usage and emails for purposes of security, network maintenance and to verify compliance with the Policy. Our Policy goes the extra step of spelling out that the company can hang onto and review emails, including showing them to third parties [Policy, para. 4].
> The obligation to obey the Policy is an implied part of the employee’s contract. Several courts have recognized that affording the Policy the status of contract is an indication to employees of its seriousness and thus easier to enforce. For example, in the Cole case, the court ruled that by acknowledging the computer use policy to be a term of employment, the teacher “waived” any privacy objections in the data he might have had [Policy, para. 5].
> Employees agree not only to obey but enforce the Policy if they become aware of potential violations. As a practical matter, requiring employees to report violations can make the policy more effective and easier to enforce. On a more subtle plane, it might also make a court less likely to side with the employee in a dispute. Note that in upholding the right to monitor spelled out in a computer use policy despite privacy concerns, both the Poliquin and Cole courts went to great pains to point out that the employees held supervisory positions and thus participated in enforcing the policy. Consequently, their violations were less easy to accept [Policy, para. 6]. How to Implement Computer Use Policy
As with any other employment policy, computer use policies are worse than useless if employees know they won’t be enforced. And if you later do decide to put your foot down, it may be too late. Employees are bound to argue that having condoned transgressions in the past, you can’t change your ways and suddenly start insisting on strict compliance now.
Example: In 2002 and 2003, a New Brunswick supervisor is warned about using his work computer to access Internet porn in violation of the company’s computer use policy. One more offence and you’re gone, he’s told. In 2005, the company suspects he’s up to his old bad habits but decides to let it go because it doesn’t have hard evidence. But when he’s busted again in 2006, the company finally makes good on its threats. The supervisor claimed that the company condoned his porn habits because it didn’t fire him in 2005. Luckily for the company, the court concludes that not bringing down the hammer due to lack of evidence in 2005 wasn’t condonation. But it agrees that condoning the behavior would have cancelled out the computer use policy and made the dismissal wrongful [Backman v. Maritime Paper Products Ltd.,  N.B.J. No. 303, Sept. 24, 2009].
You have a much better chance of defeating employee privacy claims if your organization owns the computers your employees use. But as privacy law evolves, ownership of the computers and data has become less important than the question of the means the employer uses to track and record employees’ computer activity. So you need to be careful especially when using keystroke logging and other surveillance programs that enable you to override passwords and other privacy protections to access an employee’s email, files and other data. General rule of thumb: If you’re going down the path of tracking or recording your employees’ activities, choose the method that will satisfy your objective while creating the least possible intrusion on your employees’ privacy.