Social Media and Employee Privacy
 


This is a narrow look at two issues related to social media use by employees - monitoring workplace computers, and employee publication and "off duty" conduct.

  • Employment lawyer with strong focus on information and management and privacy law issues
    Two issues in which privacy law touches on use of social media by employees
    Monitoring law… tied very loosely to social media use… but time theft issue is important and topic is timely… cautionary message to employers… law is in flux
    Discipline law… when can employer sanction employees for publishing things online? cautionary message to employees… more than you think
    Not going to talk about other aspects of managing employee use of social media
    Built in time for questions so ask away
  • Let’s start with the basics
    Our privacy law is based strongly on proportionality and balancing…
    The challenge is for management to deal with a claimed privacy interest
    But what interests is management protecting?
    Employers have an unquestionable legitimate interest in looking at the information flowing through their systems
    Here are the most common purposes
    [Briefly explain one to four. Turn over slide for five.]
  • Internal control is important
    Let’s look at context – era of accountability… both public and private sector
    - post Enron
    - post Westray
    - post Gomery
    - post Bill 168 (expanded regulation of interaction between people)
    Quote from National Post last week… “The role of investigative journalism has expanded over the years to help fill what has been described as a democratic deficit in the transparency and accountability of our public institutions.”
    Looking at communications is a key means of maintaining internal control – 90% of communication is electronic… picture of all activity within your business
    Two kinds of looking
    - audits (risk based, proactive)
    - investigations (targeted, reactive)
    Take corrective action based on what’s found
    - change in process or technology
    - change in people – terminations or lesser sanctions
    And keep a record of diligence
    Simple right? And then comes personal privacy.
  • Traditional law has been very permissive
    Remember our purposes
    Those are usually reinforced by an acceptable use or computer use policy that says in one paragraph “YOU HAVE NO EXPECTATION OF PRIVACY”
    Some employers use annual acknowledgements… some use login dialog boxes
    Been effective…
    Most law is in unionized workplaces… arbitrators have said, “I’m not even balancing interests here. An employer can look for lots of reasons. It’s not reasonable for an employee to make any privacy claim.”
    Lakehead University case in 2009 re Google Apps outsourcing – e-mail is no more secure than a postcard
  • Watch out for shifting values
    Premised on change in permissibility of personal use
    Ten years ago employees worked at work and went home and watched TV
    Policies said “no personal use”
    Now employees work at work and work at home on the same device
    Policies now say “reasonable personal use”
    When employees are banking on your computers is it reasonable to capture their keystrokes?
    When employees are sending legitimate personal communications to loved ones about medical conditions… is it legitimate to review their communications?
    Identify Lethbridge, Cole and Tfaily as showing that decision makers are struggling
  • Even if your decision-makers are okay, managers can interfere with policy enforcement
    In Quon a supervisor said something like, “If you pay the overages we won’t look.”
    If supervisors or others in authority think that your monitoring policy is not reasonable they may undermine it
  • That was about the reasoning applied by arbitrators and courts
    In Canada we have employee privacy legislation in three provinces and for federal works
    If it applies, there is a regulatory requirement to balance interests
    Collection of personal information must be reasonably necessary to meet a legitimate purpose
    Call this an “objective reasonableness requirement”
    At play in UBC spyware case of 2007 – all you needed to do to investigate time theft was look at traffic logs… you didn’t need to install spyware to capture screen images
    Wrinkle from Johnson under PIPEDA… about access to personal e-mails sent about an employee… said personal e-mails are not regulated by PIPEDA because they are not sufficiently related to the commercial enterprise… like “bycatch”
    Perverse (though possibly correct) ruling… saying employers have very limited domain over employee e-mails, but in doing so rules out protection of privacy legislation
  • So what do employers do?
    Put an express condition on personal use
    Use routine acknowledgements
    Communicate audit results… use a newsletter… prove to employees you are looking
    One sided solution… focuses on employer right… doesn’t control to protect employee privacy
  • You create policy to address the privacy interest
    Especially appropriate where regulated
    List the purposes from my earlier slide
    Warn them still… give good notice still
    Set an evidence-based standard for investigation
    Tell them how you will go about audits
    Examples
    - internal audit staff conduct an investigation at direction of VP
    - VP directs audits based on a bona fide security risk
    - should line manager need to find work product, e-mails will be pulled by internal audit where possible
    These will kill your no expectation argument but should still enable everything you need to do at a lower risk
  • Let’s move on to a different privacy issue – an employee’s right to live a private existence without employment-related consequence
    Supported by Joseph Cohen-Lyons paper in materials
    Here’s a scenario
    Not so odd
    Anyone think this interferes with an employer’s interest?
    Nah. It’s blowing off steam. It’s “private” off duty conduct. Outside the workplace – no physical nexus. No intangible nexus to legitimate interests.
  • This is (sadly) what happens today.
    Same question. Is it private?
    Would it make a difference if Jack has only ten friends? What if none of them are employees?
    Happens all the time. This is how people blow off steam now. There’s a perception that this is somehow analogous to a barroom chat with a close friend.
    But let’s look at the difference. It’s clearly a publication. Often to other employees. Even if not there’s no legal or practical restriction on what recipients can do with the communication. Jack’s picture of his supervisor can be copied and mailed around.
    So there’s a good argument that this is about as public as it gets. Consistent with a traditional privacy law principle – a disclosure to one is a disclosure to all.
  • Now Jack’s supervisor has a beef. But why can an employer discipline that conduct?
    Well, there’s a nexus back to employment interests isn’t there?
    - impact on other employees’ rights
    - right to work in a safe and harassment free work environment
    - reasonably likely to interfere with that right
    - employer’s burden but…
    - … decision-maker may presume harm (arguable issue)
    - evidence of actual harm helps (give example)
    - Nexus is commonly derived from these three things
    - no case law, but these are in order of moral weight
    - we’re balancing again here
    - example tough case – employee a professional adviser… goes out and does a beer mile… better have a pretty good case for reputational harm
  • This is an issue of loyalty and fidelity, which is implicit in every employment relationship
    Don’t need special status… not like a fiduciary
    This is my expression of the test that defines the scope of the duty
    Very, very contextual cases
    No black and white
    There will be some easy cases, but many are hard to predict
    Example… student speech cases out of U.S. Third Circuit (in materials)
    Many employment cases will settle
  • There is developed case law
    Based in public sector but theory applies to private sector employment
    Recognizes a whistleblower exception to the duty of fidelity
    Identify cases - Fraser of SCC 1985, Haydon of FC 2005, Read of FC 2005
    Employers protect themselves by having internal systems to receive reports of wrongdoing
    An employee may have a duty to report internally first
    Endorsed in Read and by our Supreme Court of Canada in a case called Merk – 2004
    Thrown somewhat into question by our broadly worded Criminal Code anti-reprisal provision – section 425.1
    But only provides immunity from reporting to law enforcement, not blogging, not passing things to the media, not passing things to a blogger
    Of course, whistleblowing unusually means point to the press
    Case from Supreme Court of Canada last week that says a court will assess whether it will honour a journalist’s promise of confidentiality on a case-by-case basis
    No reason why a whistleblower couldn’t tweet it to the world anonymously… will be investigations…
  • In assessing any case there are two questions
    Is there a nexus?
    How culpable is it?
    Here is a list of factors. Speak for themselves.
  • And here are some more.
  • This is a different issue, but it relates to privacy and social media use by employees.
    Employers have a duty to maintain a violence free workplace. Done through something called threat assessment. For an assessment to be proper it must be based on all relevant and available information.
    Remember Virginia Tech. Representative of common problem. Not having a complete picture. Same as Columbine. In Columbine two shooters had posted a number of violent writings online.
    Information on social media sites is probative. Employers shouldn’t discount it in conducting threat assessments.
    Exceptions in privacy legislation allow for this, but each piece of legislation is slightly different.

Social Media and Employee Privacy Presentation Transcript

  • Social Media Risks & Rewards - Employee Privacy v. Employer Monitoring
    Dan Michaluk
    May 11, 2010
  • Overview
    What I’ll discuss
    Monitoring business systems for misconduct
    Employee publication and “off duty” conduct
    Related issues others will discuss
    Corporate policy – Burns
    Enforcement and non-employees – Kratz/O’Keefe
  • Monitoring business systems
    Why?
    To engage in maintenance, repair and management
    To meet a legal requirement to produce
    To ensure continuity of business practice
    To improve business processes
    To maintain internal control (including preventing misconduct and ensuring legal compliance)
  • Monitoring business systems
    How businesses maintain internal control
    Conduct routine audits*
    Investigate suspicions of misconduct*
    Respond to what they find
    Keep a good record of the same
  • Monitoring business systems
    The traditional law
    Notification does count
    The employer owns the medium and has lots of good reasons to look
    E-mail communication is too insecure to expect privacy
    No balancing of interests at all
  • Monitoring business systems
    Challenge #1 – Decision-maker value shift
    Lethbridge Community College (2007)
    MS Hotmail e-mails retrieved through forensic analysis
    First case to impose a reasonable grounds requirement for investigation
    Value shift may also be gleaned from Cole and Tfaily (two very recent and hot Ontario cases)
  • Monitoring business systems
    Challenge #2 – Supervisor value shift
    Quon text message case heard by SCOTUS in April 2010
    Will your supervisors enforce policies they deem to be intrusive?
  • Monitoring business systems
    Change #3 – Privacy legislation
    Imposes an “objective reasonableness” requirement
    At play in UBC spyware case
    But, notably, Johnson case suggests PIPEDA does not apply to “personal” e-mails
  • Monitoring business systems
    Option #1 – Try harder to control expectation
    Personal use does not come with privacy!
    Routine acknowledgements
    Audit and communicate audit results to employees
  • Monitoring business systems
    Option #2 – Go with a purpose-based policy
    List purposes and stick with purposes
    Give the same expectation of privacy warning re personal use
    Set an evidence-based standard for investigation
    Set a protocol or procedure for audits
  • Publication and “off duty” conduct
    Bob and Sue had a long day. They go to the Dirty Dog Pub after work and, over the course of four hours, take jabs at their supervisor, Phil.
  • Publication and “off duty” conduct
    Jack had a long day. He goes home, cracks open a beer, and boots up his home computer.
    Using a picture of his supervisor taken from the company intranet and some internet based software, he alters the picture so the manager looks ridiculous.
    Jack posts it to his Facebook page. He feels good.
  • Publication and “off duty” conduct
    Nexus commonly derived from
    Impact on other employees’ rights
    Impact on job responsibilities
    Impact on reputation
  • Publication and “off duty” conduct
    Duty of fidelity applies when employee expression is likely to significantly affect a legitimate employer interest
    All other activity is “private”
  • Publication and “off duty” conduct
    Subject to a narrow whistleblower exception
    Serious and imminent threat to health and safety
    Illegality
  • Publication and “off duty” conduct
    Measuring gravity of offence
    Job responsibilities
    Nature and content of expression
    Visibility of expression
    Sensitivity of issue
    Truth of statements
    Steps taken to determine facts before speaking
  • Publication and “off duty” conduct
    Measuring gravity of offence
    Efforts made to raise matters internally
    Extent of reputational damage
    Impact on employer’s ability to conduct business
  • Publication and “off duty” conduct
    Review of and non-culpable employee expression
    Duty to maintain a violence free workplace
    Bill 168 promotes threat assessment based on fulsome information about threats
    Assess all relevant and available information, including information published online
    Take steps to manage reasonably perceived threats based on sound assessment practice
  • Dan Michaluk
    daniel-michaluk@hicksmorley.com
    http://danmichaluk.wordpress.com
    http://twitter.com/danmichaluk
    http://ca.linkedin.com/in/danmichaluk