Employment lawyer with strong focus on information and management and privacy law issues. Two issues in which privacy law touches on use of social media by employees. Monitoring law… tied very loosely to social media use… but time theft issue is important and topic is timely… cautionary message to employers… law is in flux. Discipline law… when can employer sanction employees for publishing things online? Cautionary message to employees… more than you think. Not going to talk about other aspects of managing employee use of social media. Built in time for questions so ask away.
Let’s start with the basics. Our privacy law is based strongly on proportionality and balancing… The challenge is for management to deal with a claimed privacy interest. But what interests is management protecting? Employers have an unquestionable legitimate interest in looking at the information flowing through their systems. Here are the most common purposes. [Briefly explain one to four. Turn over slide for five.]
Internal control is important. Let’s look at context – era of accountability… both public and private sector: post Enron, post Westray, post Gomery, post Bill 168 (expanded regulation of interaction between people). Quote from National Post last week… “The role of investigative journalism has expanded over the years to help fill what has been described as a democratic deficit in the transparency and accountability of our public institutions.” Looking at communications is a key means of maintaining internal control – 90% of communication is electronic… picture of all activity within your business. Two kinds of looking: audits (risk based, proactive) and investigations (targeted, reactive). Take corrective action based on what’s found: change in process or technology; change in people – terminations or lesser sanctions. And keep a record of diligence. Simple, right? And then comes personal privacy.
Traditional law has been very permissive. Remember our purposes. Those are usually reinforced by an acceptable use or computer use policy that says in one paragraph “YOU HAVE NO EXPECTATION OF PRIVACY”. Some employers use annual acknowledgements… some use login dialog boxes. Been effective… Most law is in unionized workplaces… arbitrators have said, “I’m not even balancing interests here. An employer can look for lots of reasons. It’s not reasonable for an employee to make any privacy claim.” Lakehead University case in 2009 re Google Apps outsourcing – e-mail is no more secure than a postcard.
Watch out for shifting values. Premised on change in permissibility of personal use. Ten years ago employees worked at work and went home and watched TV. Policies said “no personal use”. Now employees work at work and work at home on the same device. Policies now say “reasonable personal use”. When employees are banking on your computers, is it reasonable to capture their keystrokes? When employees are sending legitimate personal communications to loved ones about medical conditions… is it legitimate to review their communications? Identify Lethbridge, Cole and Tfaily as showing that decision makers are struggling.
Even if your decision-makers are okay, managers can interfere with policy enforcement. In Quon a supervisor said something like, “If you pay the overages we won’t look.” If supervisors or others in authority think that your monitoring policy is not reasonable they may undermine it.
That was about the reasoning applied by arbitrators and courts. In Canada we have employee privacy legislation in three provinces and for federal works. If it applies, there is a regulatory requirement to balance interests. Collection of personal information must be reasonably necessary to meet a legitimate purpose. Call this an “objective reasonableness requirement”. At play in UBC spyware case of 2007 – all you needed to do to investigate time theft was look at traffic logs… you didn’t need to install spyware to capture screen images. Wrinkle from Johnson under PIPEDA… about access to personal e-mails sent about an employee… said personal e-mails are not regulated by PIPEDA because they are not sufficiently related to the commercial enterprise… like “bycatch”. Perverse (though possibly correct) ruling… saying employers have very limited domain over employee e-mails, but in doing so rules out protection of privacy legislation.
So what do employers do? Put an express condition on personal use. Use routine acknowledgements. Communicate audit results… use a newsletter… prove to employees you are looking. One-sided solution… focuses on employer right… doesn’t control to protect employee privacy.
You create policy to address the privacy interest. Especially appropriate where regulated. List the purposes from my earlier slide. Warn them still… give good notice still. Set an evidence-based standard for investigation. Tell them how you will go about audits. Examples: internal audit staff conduct an investigation at direction of VP; VP directs audits based on a bona fide security risk; should line manager need to find work product, e-mails will be pulled by internal audit where possible. These will kill your no expectation argument but should still enable everything you need to do at a lower risk.
Let’s move on to a different privacy issue – an employee’s right to live a private existence without employment-related consequence. Supported by Joseph Cohen-Lyons paper in materials. Here’s a scenario. Not so odd. Anyone think this interferes with an employer’s interest? Nah. It’s blowing off steam. It’s “private” off duty conduct. Outside the workplace – no physical nexus. No intangible nexus to legitimate interests.
This is (sadly) what happens today. Same question. Is it private? Would it make a difference if Jack has only ten friends? What if none of them are employees? Happens all the time. This is how people blow off steam now. There’s a perception that this is somehow analogous to a barroom chat with a close friend. But let’s look at the difference. It’s clearly a publication. Often to other employees. Even if not there’s no legal or practical restriction on what recipients can do with the communication. Jack’s picture of his supervisor can be copied and mailed around. So there’s a good argument that this is about as public as it gets. Consistent with a traditional privacy law principle – a disclosure to one is a disclosure to all.
Now Jack’s supervisor has a beef. But why can an employer discipline that conduct? Well, there’s a nexus back to employment interests, isn’t there? Impact on other employees’ rights: right to work in a safe and harassment free work environment; reasonably likely to interfere with that right; employer’s burden but… decision-maker may presume harm (arguable issue); evidence of actual harm helps (give example). Nexus is commonly derived from these three things. No case law, but these are in order of moral weight. We’re balancing again here. Example tough case – employee a professional adviser… goes out and does a beer mile… better have a pretty good case for reputational harm.
This is an issue of loyalty and fidelity, which is implicit in every employment relationship. Don’t need special status… not like a fiduciary. This is my expression of the test that defines the scope of the duty. Very, very contextual cases. No black and white. There will be some easy cases, but many are hard to predict. Example… student speech cases out of U.S. Third Circuit (in materials). Many employment cases will settle.
There is developed case law. Based in public sector but theory applies to private sector employment. Recognizes a whistleblower exception to the duty of fidelity. Identify cases – Fraser of SCC 1985, Haydon of FC 2005, Read of FC 2005. Employers protect themselves by having internal systems to receive reports of wrongdoing. An employee may have a duty to report internally first. Endorsed in Read and by our Supreme Court of Canada in a case called Merk – 2004. Thrown somewhat into question by our broadly worded Criminal Code anti-reprisal provision – section 425.1. But only provides immunity from reporting to law enforcement, not blogging, not passing things to the media, not passing things to a blogger. Of course, whistleblowing unusually means point to the press. Case from Supreme Court of Canada last week that says a court will assess whether it will honour a journalist’s promise of confidentiality on a case-by-case basis. No reason why a whistleblower couldn’t tweet it to the world anonymously… will be investigations…
In assessing any case there are two questions. Is there a nexus? How culpable is it? Here is a list of factors. Speak for themselves.
And here are some more.
This is a different issue, but it relates to privacy and social media use by employees. Employers have a duty to maintain a violence free workplace. Done through something called threat assessment. For an assessment to be proper it must be based on all relevant and available information. Remember Virginia Tech. Representative of common problem. Not having a complete picture. Same as Columbine. In Columbine two shooters had posted a number of violent writings online. Information on social media sites is probative. Employers shouldn’t discount it in conducting threat assessments. Exceptions in privacy legislation allow for this, but each piece of legislation is slightly different.
Transcript of "Social Media and Employee Privacy"
Social Media Risks & Rewards - Employee Privacy v. Employer Monitoring
Dan Michaluk
May 11, 2010

Overview
What I’ll discuss
Monitoring business systems for misconduct
Employee publication and “off duty” conduct
Related issues others will discuss
Corporate policy – Burns
Enforcement and non-employees – Kratz/O’Keefe

Monitoring business systems
Why?
To engage in maintenance, repair and management
To meet a legal requirement to produce
To ensure continuity of business practice
To improve business processes
To maintain internal control (including preventing misconduct and ensuring legal compliance)

Monitoring business systems
How businesses maintain internal control
Conduct routine audits*
Investigate suspicions of misconduct*
Respond to what they find
Keep a good record of the same

Monitoring business systems
The traditional law
Notification does count
The employer owns the medium and has lots of good reasons to look
E-mail communication is too insecure to expect privacy
No balancing of interests at all

Monitoring business systems
Challenge #1 – Decision-maker value shift
Lethbridge Community College (2007)
MS Hotmail e-mails retrieved through forensic analysis
First case to impose a reasonable grounds requirement for investigation
Value shift may also be gleaned from Cole and Tfaily (two very recent and hot Ontario cases)

Monitoring business systems
Challenge #2 – Supervisor value shift
Quon text message case heard by SCOTUS in April 2010
Will your supervisors enforce policies they deem to be intrusive?

Monitoring business systems
Change #3 – Privacy legislation
Imposes an “objective reasonableness” requirement
At play in UBC spyware case
But, notably, Johnson case suggests PIPEDA does not apply to “personal” e-mails

Monitoring business systems
Option #1 – Try harder to control expectation
Personal use does not come with privacy!
Routine acknowledgements
Audit and communicate audit results to employees

Monitoring business systems
Option #2 – Go with a purpose-based policy
List purposes and stick with purposes
Give the same expectation of privacy warning re personal use
Set an evidence-based standard for investigation
Set a protocol or procedure for audits

Publication and “off duty” conduct
Bob and Sue had a long day. They go to the Dirty Dog Pub after work and, over the course of four hours, take jabs at their supervisor, Phil.

Publication and “off duty” conduct
Jack had a long day. He goes home, cracks open a beer, and boots up his home computer.
Using a picture of his supervisor taken from the company intranet and some internet based software, he alters the picture so the manager looks ridiculous.
Jack posts it to his Facebook page. He feels good.

Publication and “off duty” conduct
Nexus commonly derived from
Impact on other employees’ rights
Impact on job responsibilities
Impact on reputation

Publication and “off duty” conduct
Duty of fidelity applies when employee expression is likely to significantly affect a legitimate employer interest
All other activity is “private”

Publication and “off duty” conduct
Subject to a narrow whistleblower exception
Serious and imminent threat to health and safety
Illegality

Publication and “off duty” conduct
Measuring gravity of offence
Job responsibilities
Nature and content of expression
Visibility of expression
Sensitivity of issue
Truth of statements
Steps taken to determine facts before speaking

Publication and “off duty” conduct
Measuring gravity of offence
Efforts made to raise matters internally
Extent of reputational damage
Impact on employer’s ability to conduct business

Publication and “off duty” conduct
Review of and non-culpable employee expression
Duty to maintain a violence free workplace
Bill 168 promotes threat assessment based on fulsome information about threats
Assess all relevant and available information, including information published online
Take steps to manage reasonably perceived threats based on sound assessment practice

Dan Michaluk
firstname.lastname@example.org
http://danmichaluk.wordpress.com
http://twitter.com/danmichaluk
http://ca.linkedin.com/in/danmichaluk