This bulletin provides an update on our June 11, 2012 Davis LLP Privacy Bulletin, Privacy of Employee Records on an Employer's System. It addresses a recent Supreme Court of Canada (SCC) decision that commented on employee privacy rights.
In R v. Cole, 2012 SCC 53, the SCC considered the application of the Charter to an employer’s search, seizure, and subsequent delivery to the police of an employer-issued laptop, and the information contained. The case has implications for employers with respect to the privacy interests of employees who may incidentally use a company-owned computer for personal purposes.
The Facts of R. v. Cole
Mr. Cole was a teacher. He was issued a laptop by his employer, primarily so that he could monitor the network activity of students. A school technician detected malware which he traced to Mr. Cole’s laptop. In the course of his investigation, the technician discovered a hidden folder containing photographs of a naked underage student. The technician notified the school principal, who copied the images to a disk. After discussing the matter with school board officials, the principal seized the laptop. The technician then created a second disk, this time containing broader information, including temporary internet files reflecting Mr. Cole’s browsing history. The Principal delivered the laptop to the police, who later made a mirror copy of its hard drive. Mr. Cole challenged the admissibility of that evidence in his criminal trial arguing that he had a reasonable expectation of privacy in his personal records contained on his work computer, that the search and seizure by the police was unreasonable under the Charter, and that the evidence should be excluded.
The employer had two policies in place:
[A] A Policies and Procedures Manual that asserted employer ownership over not only the hardware, but also data stored on it: “Information technology systems and all data and messages generated on or handled by board equipment are considered to be the property of [the board], and are not the property of the users of the information technology”. The Manual allowed for incidental personal use, and stipulated the teacher’s email correspondence remained private, but subject to access by school administrators in limited circumstances.
[B] An Acceptable Use Policy, written for and signed by students. Mr. Cole was aware that the Acceptable Use Policy also applied to teachers and that those subject to the Policy “should not expect privacy in their files”. The laptop was protected by a password, but the contents were accessible to network technicians without the password while Mr. Cole was connected to the school network.
The SCC found that the school’s actions were reasonable in the circumstances for its purposes as an employer, given its obligation to protect students. However, the police had seized the information without a warrant for criminal trial purposes and that search and seizure was unreasonable and contrary to the Charter. The school could not consent to the police action on behalf of its employee Mr. Cole. The majority of the Court found that the evidence should not be excluded in the criminal trial, notwithstanding the unreasonable search and seizure.
The Court held that an individuals “specific interests, likes, and propensities” recorded via internet browsing histories fall at the very core of the “biographical information” protected by privacy legislation and the Charter. This is true even where an employer owns the computer system on which the browsing occurred. The Court found that because the school’s policy allowed for incidental personal use, Mr. Cole had a higher expectation of privacy than he might have otherwise had, but still had a diminished expectation of privacy.
This is an important point for employers: an employer that expressly allows personal use will imply an increased expectation of privacy. A policy limiting or excluding personal use diminishes that expectation, but does not eliminate it.
The reasonableness of an employee’s expectation of privacy can only be determined by examining all factors including the nature of the information on the computer, the policies and practices of the employer, and the operational context.
The Court held that Mr. Cole had a diminished expectation of privacy. That diminished expectation justified the school’s actions and its decision to alert the police once the photographs had been discovered. However, it did not justify the police viewing the content of the laptop and using the information for criminal proceedings without a warrant.
Lessons for Employers
Employers have a range of business reasons for monitoring the use and content of their computer systems. Even though the Court said it would leave the “finer points of an employer’s right to monitor computers issued to employees” to another day, the Court did provide a number of key takeaway points for employers:
• Browsing history revealing the “specific interests, likes, and propensities” of an employee is at the core of privacy rights. Employers should exercise caution in directly accessing such information, doing so only to address legitimate employer interests where no less invasive approach is effective.
• Computer use policies should be clear, with respect to both what and to whom they apply. Best practices would be to remind employees of those policies from time-to-time rather than allow a sense of privacy to develop as a result of ongoing personal use.
• Allowing for personal use of employer equipment may increase the expectation of employee privacy, although whether an employee has a reasonable expectation of privacy is contextual and will depend on all relevant factors. A policy prohibiting all personal use of an employer’s equipment will not necessarily rule out a court finding some expectation of privacy. Such a prohibition may also be unrealistic or undesirable.
• Employers who are dealing with an unusual situation involving retrieval of employee data from the employer’s technology should seek specific legal counsel.