by Barbara A. McIsaac, Helen Gray, and Daniel Pugen
McCarthy Tetrault
An employee’s expectation of privacy in the workplace is a big issue these days, especially with respect to the use of company computers.
Employers are often faced with questions like these: Is an employee entitled to privacy over e-mail and other data created and stored on a computer used for work or personal purposes? What rights does an employer have to access that information? The answer to these questions can depend on whether the employee has a reasonable expectation of privacy over the information stored on a given computer.
What is a reasonable expectation of privacy?
Two criteria must be established to show a reasonable expectation of privacy. First, an employee must subjectively expect some level of privacy, which is usually demonstrated through steps taken to protect the information in question, such as making a password or moving the data off company servers. Second, the employee’s expectation of privacy must be objectively reasonable.
Determining whether these criteria are present involves asking key questions such as:
- Who owns the physical equipment on which the data is stored?
- Has the data been transferred to the employer’s system or network?
- Does the employer have an Internet or computer policy that provides for employer access to information?
- How is the data arranged on the computer? Is employer data segregated from other material on the employee’s personal computer?
- Has the employee attempted to password-protect his or her computer and/or selected files?
Employer’s ownership of the computer
An employer’s ownership of a computer used by an employee for work purposes is strong evidence that an employee does not have a reasonable expectation of privacy over data stored on that computer or other data generated by personal use.
Several Canadian arbitrators have ruled that employees who use an employer system to send and receive e-mail messages and to post messages on discussion boards have no right to privacy. It has been held that an employee cannot expect to have any right of privacy when using the employer’s e-mail and Internet facilities.
Ownership is such a significant factor that in one case the arbitrator found that where a terminated employee had used the employer-owned laptop both at home and at work to access his Hotmail e-mail account, any reasonable expectation of privacy over his Hotmail e-mail account was trumped by the employer’s right to search its own property.
Employer policies
Another significant factor in determining if a reasonable expectation of privacy exists is whether the employer has a policy governing e-mail and Internet use. In one case, the existence of an employer’s policy against the use of the e-mail system for unacceptable purposes, and a clear “log-on warning” that the system would be monitored in accordance with the policy, was found to undermine an employee’s expectation of privacy.
Employee’s ownership of the computer
If the employee owns the computer personally but uses it for work purposes, does a reasonable expectation of privacy exist with respect to the data stored on that computer? In Canada, the answer to this question is unclear.
In the United States, certain decisions have favored an employer’s right of access where an expectation of privacy is not objectively reasonable. For example, there was no reasonable expectation of privacy over the files stored on an individual’s own laptop that had been connected to a military base network with a shared drive.
Similarly, there was no reasonable expectation of privacy over the information stored on an employee’s computer where an employee voluntarily brought his own computer to work to use for work purposes and took no steps to password-protect the data.
Lessons for employers
Many employers wish to monitor employee use of computers and networks for a variety of legitimate reasons, including preventing the collection and dissemination of improper/illegal material (e.g. pornography) and preventing employee theft of time associated with prolonged personal use of the Internet and e-mail.
Even though there is some uncertainty in the law in Canada, there are some simple steps that can be taken to help prevent employees from claiming a reasonable expectation of privacy:
- Employers should implement clear-cut and comprehensive policies governing their right to access data and systems. If an employer does not want an employee to have a reasonable expectation of privacy over any data found on a computer, then this should be clearly stated.
- Employees should be required to acknowledge that they have read, understood, and agree to abide by the policies.
- “Log-on” or “I Agree” statements and acknowledgements, which must be accepted before the computer or Internet can be used, can be a useful tool in this regard.
- Employers should also make clear that copies of employer-owned data remain the employer’s property regardless of where the data is stored.
- Finally, employers may manage employee privacy expectations over information stored on laptops by providing company laptops to employees for offsite work, so that, if necessary, the employer can justify a search of the computer (because of its ownership interest).
I heard that Canadian employee data could not be stored on a remote server or leave the country in any way . Is this true? If it is on a web based server it could be viewed from any computerin the world.