When Privacy Interests Clash with Surveillance and Testing
INSIGHT, Western Region Labour Relations
February 24-25, 2004 Vancouver
by Leo McGrady, Q.C., Maria Koroneos and Janet Lennox
McGrady, Baugh & Whyte
TABLE OF CONTENTS
(Note: With all Table of Contents hyperlinks you can use your browser back button to come back to the top of the page to select another link)When Privacy Interests Clash with Surveillance and Testing INTRODUCTION PART 1: VIDEO SURVEILLANCE RATIONALES FOR VIDEO SURVEILLANCE
Employee Fraud Protection of Property SecurityBUT DOES THE REALITY OF VIDEO SURVEILLANCE LIVE UP TO EXPECTATIONS?
The Frailties of Identification Evidence Problems of Reliability Poor Image Quality Limited Camera Coverage Temporal Gaps Handling of Taped EvidenceARIBTRAL JURISPRUDENCE & VIDEO SURVEILLANCE
Differing Arbitral Tests The Test for Specific Video Surveillance of an Employee The Tests for General Video Monitoring that is Covert The Test for General Video Monitoring that is Overt General Observations Regarding the Use of Videotape Surveillance Evidence in Labour Arbitrations Video Surveillance of a Specific Employee General Video Monitoring – Covert and Overt Arbitral Analysis vs. Privacy Analysis: Points of Divergence? Reasonableness Collective Agreement vs. Privacy Laws Inadvertent Images or Images Captured by Cameras Installed for One Purpose but Used for a Different PurposePART 2: INTERNET AND E-MAIL MONITORING WHO’S DOING WHAT ONLINE?
Statistics Can monitoring do more harm than good?REASONS FOR MONITORING METHODS OF MONITORING THE STATUS QUO ON MONITORING CRAFTING A PIPA-FRIENDLY POLICY
Purpose Methods of collection and data collected What would constitute a breach of policy? The value of training Consequences for breach of policyPIPA: THE SHIFT FROM EXPECTATION OF PRIVACY TO REASONABLE SURVEILLANCE
Is it reasonable to expect privacy? Moving forwardHOW PIPA PROTECTS EMPLOYEES
Personal Information The Work Product Exception ConsentDISCIPLINE CASES: WOULD A PIPA ANALYSIS MAKE A DIFFERENCE? CONCLUSIONS
Surveillance technology is a growth area. It is becoming increasingly sophisticated, affordable, and available. It is no wonder in such circumstances that more and more employers are choosing to use it to monitor their employees. And there is a panoply of choice: hidden cameras, key-stroke monitoring, and Internet activity logs are but a few of the work-place monitoring tools on the market.
As interest in workplace monitoring gathers momentum, so, too, has Canadian society’s commitment to personal privacy rights. In 2000, the federal government brought in the Personal Information Protection and Electronic Documents Act (PIPEDA), pushing provinces to follow suit by making the federal statute apply by default in the absence of the introduction of substantially similar provincial legislation. In British Columbia, the Legislature responded by passing the Personal Information Protection Act, in force as of January 1, 2004.
This paper will explore the growing clash between workplace monitoring and privacy, especially in light of the new privacy legislation in the province. In particular, it will focus on two case studies: video surveillance and Internet/e-mail surveillance.
PART 1: VIDEO SURVEILLANCE
RATIONALES FOR VIDEO SURVEILLANCE
Commonly advanced rationales for work-related video surveillance are:
Employers cite the need for video surveillance to prevent and to detect employee fraud. To that end, employers sometimes hire investigators to videotape employees perceived to be abusing work-related benefits, such as disability payments, WCB benefits, or sick leave. Typically, the goal of the investigator is to prove that the employee under investigation is well enough to return to work.
Protection of Property
In addition, employers commonly view video surveillance as a means to protect their property. For example, hidden cameras are justified on the basis that they will prevent certain kinds of crime, like theft or vandalism.
Employee time is seen as employer property as well. While employers will not typically cite the need to prevent employee’s theft of time as a reason to install video surveillance equipment in the workplace, they will not hesitate to use cameras installed for security reasons to discipline employees for taking extended breaks.
More interestingly, some employers have shown themselves willing to take a more aggressive stance on the issue. For example, the City of Vancouver hired an investigator to conduct targeted video surveillance of a specific employee suspected of doing personal business on company time.
A final rationale for the use of covert video cameras or digital cameras in the workplace is that the devices promote security. Hospitals, for instance, are one place where fixed cameras are characterized as a means to provide "security for both staff and patients".
BUT DOES THE REALITY OF VIDEO SURVEILLANCE LIVE UP TO EXPECTATIONS?
The Frailties of Identification Evidence
The promise of video surveillance is that it will capture an incontrovertible, objective record of events. Such a record, it is thought, will lay the truth bare. However, many of frailties that plague regular witness identification evidence pose problems in video surveillance evidence as well.
These frailties were discussed in B.C. Transit and Independent Canadian Transit Union, Local 2,  B.C.C.A.A.A. No. 148. This was a grievance in which the grievor sought reinstatement after having been terminated for theft. The employer had justified his termination on the basis of video tape evidence which it claimed showed the grievor as the thief. No less than six witnesses identified the grievor from video surveillance tapes as the suspected thief, including the Supervisor of Physical Security for B.C. Transit, who had been a member of the R.C.M.P. for eight years. A seventh said he would have identified the suspect as the grievor had he been shown only the third video tape put to him. The employer also called the Co-ordinator of the Forensic Video Unit of the Vancouver Police Department as a "trained observer". This witness said that after observing the grievor walk into the building where the grievance was being heard, "the consistencies were very strong" between the gait of the grievor and the suspect on the video tapes. The video tapes the witnesses were viewing to identify the suspect had been taken at night, supplemented by an infra-red illuminator.
The union’s submissions highlighted the problems with identification evidence, including that taken from video tapes:
¶111 Counsel submitted that the law has recognized that there are inherent difficulties and frailties in eye witness identification and the same concerns apply to identification from video tapes. Some principles may be derived from the authorities, such as Regina vs. Edwardson (1999), 79 C.C.C. (3d) 508 (B.C.C.A.) at 7, 9-11, and Regina vs. Todish (1985), 18 C.C.C. (3d) 159 (Ont C.A.) at 2-3 as follows:
¶112 Here the Union was not suggesting any form of conspiracy or that witnesses such as Messrs. Yuen, Louie or Harper are dishonest or liars. This was a case of a number of people being convinced of their mistaken conclusions.
¶113 Counsel for the Union submitted that from established law as to identification of a wrongdoer through video tape evidence, certain principles should be drawn and applied:
After viewing a portion of a video tape tendered by the Union, taken during the day and clearly depicting the grievor in the same work area, the arbitrator concluded at para. 140 of the award that the images of the suspected thief relied on by the employer were not similar to the images taken of the grievor during the day. He found, not surprisingly, that the employer had failed to meet the exacting onus of clear and cogent evidence to justify placing a senior employee’s career in jeopardy.
Problems of Reliability
Superimposed over the regular concerns tribunals and courts have with identification evidence are issues of reliability. Surveillance video or digitally captured images may be of poor quality, incomplete, or improperly handled.
Poor Image Quality
The problem of the honest but mistaken witness in B.C. Transit, supra, was exacerbated by the poor quality of the video tape evidence. Arbitrator McDonald wrote in para. 132 that the tapes were "…not of good clarity, the images of the thief were of limited resolution and there were no distinct facial features of the thief recorded."
A similar problem arose in British Columbia v. BCGSEU (Henry Grievance) (1999), 82 L.A.C. (4th) 382 (Lanyon, Q.C.) where a hidden camera was installed to catch a petty thief who also operated under the cover of night. There was only one light illuminating the evening scene that the camera was set to record, and the images captured on the videotape were "snowy". In addition, the videotapes had deteriorated over time. Ultimately, the arbitrator ruled the tapes were admissible, unlike in the earlier criminal proceeding. However, critical to this decision was the fact that the grievor had identified himself on one of the tapes: para. 40.
Limited Camera Coverage
Another reliability issue in regard to video surveillance evidence relates to camera coverage. In the Henry Grievance, supra, for instance, the angle of the camera was such that it did not show the Flying Club’s cash drawer or the suspect’s hands. The evidence was, therefore, circumstantial only. In Canada Safeway Ltd. v. United Food and Commercial Workers Union, Local 1518 (Varley Grievance),  B.C.C.A.A.A. No. 135, Award No. X-027/03 (McConchie), the security cameras only covered certain areas of the store. The Union argued that the recorded images were unreliable because they did not always have both Mr. Varley and Mr. Huesmann completely in view. The Union argued that the alleged assault of Mr. Varley by Mr. Huesmann could have taken place out of the range of the security cameras. The arbitrator in Safeway admitted the digital images into evidence but concluded at para. 96 the recordings were of "limited value". The arbitrator wrote at para. 123:
Although…the Employer may have felt that the recordings would put the matter of culpability beyond doubt, they have not had that effect. That is because the recordings do not, in fact, contradict [the grievor’s] story…This leaves the issue squarely where it might have been even without the admission of the tapes: what is the credibility of these witnesses?
The union, in Safeway, supra, also argued that the images captured by the store’s security cameras were unreliable and, therefore, inadmissible in the arbitral proceeding because of the temporal gaps inherent in them. To explain, the technology at issue was not traditional video cameras but rather motion activated digital cameras that recorded three images every two seconds when something was moving within their range. If the cameras were inactive, it could take up to six seconds for them to begin recording once they detected movement. The union characterized the digital recordings as a "slide show". Arbitrator McConchie stated at para. 93: "There is no question that there is a much greater potential for ‘gaps’ in the digital recordings because of their slower speed. Greater care must be taken to ensure that too much is not read into a digital sequence." He agreed with the union that there was "…a distinction to be made between these types of digital recordings and videotape recordings." Nevertheless, he admitted the images into evidence, although according them little weight.
Handling of Taped Evidence
In Safeway, supra, the union also argued at para. 80 that the digital images from the store’s security cameras had no probative value because "…the Employer arbitrarily selected the data it would rely upon when it transferred data from the in-store computer to the investigator’s laptop computer". The security investigator checked into the alleged assault by accessing the digital images captured from the cameras from the supermarket’s hard drive. Using a special computer program, he then transferred the data to his laptop. However, because digital images take up large amounts of memory, he saved only those images in which both the grievor and Mr. Huesmann appeared in camera view at the same time. The union’s position was that by editing the images in this way, the employer destroyed potentially probative evidence. It argued at para. 80 that because this data was destroyed at an early stage of the investigation, it did not have an opportunity to review "…this data to determine if fairness required its inclusion".
ARIBTRAL JURISPRUDENCE & VIDEO SURVEILLANCE
Arbitrators have long grappled with the need to balance employee privacy rights against the use of video surveillance or closed circuit television systems. The comments of Arbitrator Ellis from 25 years ago, in the Puretex Knitting Ltd. and Textile and Chemical Union (1979), 23 L.A.C. (2d) 14 at 29-30 remain relevant today:
In the use of electronic surveillance, it is apparent that we confront conflicting social values of considerable importance. There is, on the one hand, the principle of the right to privacy and beyond that, the more general idea, of which the right to privacy is only one facet, of the crucial importance of preserving and nurturing the historically fragile concept of human dignity…On the other side of the issue are simply considerations of efficiency in dealing with social problems.
Differing Arbitral Tests
Over time, several arbitral tests have emerged, the content and application of which depend on the nature of the video surveillance at issue. Broadly speaking, arbitrators are faced with three different categories of video monitoring cases:
The Test for Specific Video Surveillance of an Employee
Arbitrator Vickers (now Vickers J.) penned what would become the widely accepted test to be applied cases of video surveillance of specific employees in Re Doman Forest Products Ltd. and New Westminister Division and International Woodworkers, Local 1-357 (1990), 13 L.A.C. (4th) 275:
In subsequent rulings, arbitrators have come to consider the third branch of the test as more properly a part of the first. Thus, the test applied by Arbitrator Sullivan in Vancouver (City) v. CUPE, Local 15,  B.C.C.A.A.A. No. 86, Award No. A-030/03 was:
The Tests for General Video Monitoring that is Covert
The Vickers test is not, however, universally applied in the second category of grievances, that is, where the employer uses a general video surveillance system that surreptitiously tapes activities at the workplace. In fact, a review of arbitral jurisprudence reveals that there is no consensus about the test to apply to this category of case.
Arbitrators Glass and Taylor in Extra Foods v. United Food & Commercial Workers International Union, Local 1518,  B.C.C.A.A.A. No. 377, Award No. X-082/02 and X v. Y (Z Grievance),  B.C.C.A.A.A. No. 292, Award No. A-214/02 both used the Vickers test as the starting point of their analysis of whether videotape evidence taken from a hidden stationary camera installed to catch a meat thief ought to be excluded for violating the employees’ privacy.
Arbitrator Lanyon Q.C. favoured a completely different approach in British Columbia v. British Columbia Government and Service Employees’ Union (Henry Grievance) (1999), 82 LA.C. (4th) 382, one which focused solely on the relevancy and the reliability of the evidence. The issue of the grievor’s privacy rights appear not to have been argued or considered.
In the Henry Grievance, the president of the Abbotsford Flying Club installed a hidden camera to deal with problems of petty theft. Mr. Henry, a Commercial Transport Inspector at the Motor Vehicle Branch, was not employed by the Flying Club but used its facilities. On two occasions when money went missing, there was videotape showing a man thought to be Mr. Henry in front of the cash drawer. His hands and the cash drawer itself were not visible because of the camera angle. The Flying Club forwarded the tapes to the police, at which point Mr. Henry was charged with two counts of theft under $5,000. The tapes were excluded at the criminal trial because the Flying Club’s president could not identify other people shown on the tape, the quality of which was admittedly "snowy". The same tapes made their way to the employer, who dismissed Mr. Henry.
At the hearing of the disciplinary grievance, Arbitrator Lanyon, Q.C. admitted the video tapes, reasoning:
Yet another analysis was put forth in Unisource Canada Inc. v. Communications, Energy and Paperworkers’ Union of Canada, (CEP), Local 433,  B.C.C.A.A.A. No. 309, Award No. A-209/03 (Kelleher). In this case, the union launched a grievance in relation to nine security cameras ostensibly installed by the employer to prevent theft, vandalism and to improve workplace security. Arbitrator Kelleher stated that the appropriate test for surreptitious surveillance is that taken from St. Mary’s Hospital and H.E.U. (1997), 64 LA.C. (4th) 282 (Larson) at para. 48, namely that such covert monitoring can only be justified where:
The Test for General Video Monitoring that is Overt
An entirely different analysis is applied in disciplinary grievances which involve general security systems installed with the knowledge of employees. An award that illustrates the dominant test applied in this final category of video monitoring cases is Canada Safeway Ltd. v. United Food and Commercial Workers Union, Local 1518 (Varley Grievance),  B.C.C.A.A.A. No. 135. Arbitrator McConchie wrote at para. 91 of the award: "…the real test for the introduction of surveillance evidence of this kind (namely, from a known security system as opposed to from the specific surveillance of an employee in particular circumstances) is one of relevance of the facts depicted on the tape."
At issue in Safeway was whether one employee was lying when he claimed that his co-worker had struck him in the face during a dispute. The employer sought to introduce a series of digital images taken from the store’s visible security cameras to justify its decision to dismiss the grievor.
Clearly, the broad relevancy test used in Safeway is much more lenient than those posited in decisions such as St. Mary’s or Doman that consider the issue of the reasonableness of surveillance.
General Observations Regarding the Use of Videotape Surveillance Evidence in Labour Arbitrations
A review of arbitral decisions of all three categories of video surveillance cases reveals the following:
Video Surveillance of a Specific Employee
General Video Monitoring – Covert and Overt
Arbitral Analysis vs. Privacy Analysis: Points of Divergence?
As has been demonstrated, arbitrators have considerable experience balancing privacy rights against the desire of employers to use video surveillance as a management tool. However, with the passage of new privacy legislation in the province, the question becomes how will arbitral jurisprudence differ, in content as well as in application, from the analysis emerging under new privacy laws.
One possible point of divergence may arise in situations involving general video monitoring systems that are known to employees. The arbitral analysis regarding this kind of evidence is based solely on relevancy. However, the privacy analysis demands an inquiry into whether the video monitoring was reasonable.
As Professor Michael Geist points out in his paper, Computer and E-Mail Workplace Surveillance in Canada: the Shift from Reasonable Expectation of Privacy to Reasonable Surveillance prepared for the Canadian Judicial Council in March 2002, one of the limits on surveillance activities under the federal Personal Information Protection and Electronic Documents Act is the statute’s reasonableness clause. Such a clause restricts surveillance activities to those a reasonable person would consider appropriate, making mere employee consent insufficient to justify unlimited surveillance.
Section 11 of the new British Columbia Personal Information Protection Act ("PIPA") imports the concept of reasonableness. The provision begins: "Subject to this Act, an organization may collect personal information only for the purposes that a reasonable person would consider appropriate in the circumstances…" [emphasis added]
The reasonableness standard is also explicitly incorporated into the PIPA provisions dealing with the collection, use, and disclosure of employee personal information: ss. 13, 16, and 19. For example, s. 16(2)(b) states: "An organization may not use employee personal information without the consent of the individual unless … (b) the use is reasonable for the purpose of establishing, managing or terminating an employment relationship between the organization and the individual." [emphasis added]
Employee knowledge of the existence of video cameras and lack of union opposition to their installation does not vitiate an employer’s obligation to ensure that video surveillance is conducted in a reasonable manner. And privacy commissioners may well have a more stringent notion of what is reasonable. Video surveillance which is implemented as a preventative measure rather than to deal with an existing problem may not be reasonable even if it is known to employees and not objected to by the union. For instance, the federal privacy commissioner in PIPEDA Case Summary #114 (23 January 2003) concluded that a railway’s decision to implement a general digital video surveillance system to "reduce vandalism and theft, liability for property damage, and minimize threats to staff safety" was an unreasonable intrusion on employee privacy even though the cameras were known to employees, positioned away from work areas, and trained on areas of access.
In his decision, the federal privacy commissioner applied the following test:
His ruling that the use of security cameras violated the federal privacy statute revolved, in part, around his finding that the incidents of vandalism were relatively minor, the risk from liability claims unclear, and the actual threat to security was "in question". In sum, the commissioner determined that the railway had not demonstrated the existence of a real, specific problem, only the potential for one, which did not suffice to warrant the intrusion into employee privacy that the cameras posed.
Collective Agreement vs. Privacy Laws
Another potentially interesting problem is a clash between a term of a collective agreement and privacy laws. Arbitrators often start their analysis of whether video tape evidence is admissible by referring to the collective agreement: see Safeway, supra, at para. 75 and Unisource, supra, at para. 48. However, language in a collective agreement must be viewed in light of the reasonableness requirement in the British Columbia privacy statute.
The American case of Cramer v. Consolidated Freightways Inc., 255 F.3d 683 (9th Cir. 2000) is interesting in that regard. In this case, the employer trucking company installed microphones, hidden cameras, and two-way mirrors in an employee restroom, ostensibly to detect and deter drug use among its drivers. One of the drivers accidentally discovered the hidden surveillance devices, and two employee class action suits followed: one alleging invasion of privacy and the other for both invasion of privacy and the infliction of emotional distress.
Counsel for Consolidated Freightways argued that video surveillance was covered by the collective agreement and, therefore, the employee lawsuits were statute barred as a result of a federal labour statute, Labor Management Relations Act, 29 U.S.C., 185. The 9th U.S. Circuit Court of Appeal rejected this argument, holding that the particular collective agreement did not contemplate the surreptitious videotaping undertaken by the employer. The Court remanded the matter to state court.
One of two judges in the majority, Circuit Judge Fisher, went on to write in Part IV of his reasons that even if the collective agreement had contemplated the use of hidden surveillance to detect drug use among drivers, such a provision would not trump California criminal law making the installation and monitoring of two-way mirrors in restrooms illegal. In his analysis, because a collective agreement cannot sanction an illegal action, contract terms which violate state penal law were "irrelevant to the plaintiffs’ claim of privacy violation."
Inadvertent Images or Images Captured by Cameras Installed for One Purpose but Used for a Different Purpose
A further possible divergence between arbitral and privacy analysis may be what use can be made of inadvertently captured images. Two of the foundational privacy principles meant to be enshrined in privacy legislation are the principles of identifying purposes and of limiting use. The principle of identifying purpose means that an organization must identify a purpose to justify the collection of personal information at or before the time it begins to gather that data. The principle of limiting use requires organizations to use the personal information they have gathered only for the purposes for which it was collected, absent consent.
These basic privacy principles seem incompatible with arbitral decisions such as Nanaimo General Hospital and Vancouver General Hospital, suprae, which conclude that data from cameras established for one purpose (e.g. security in a hospital) can be used for an entirely different purpose (e.g. disciplinary grievances).
The federal privacy commissioner’s comments in PIPEDA Case Summary #114 are illustrative in this regard. In his ruling, the commissioner considered more than just the digital cameras installed purportedly to deter theft and vandalism that were the subject of the complaint. He said of the railroad’s operational system, video cameras used to monitor train movements, the system was appropriate in the circumstances but nevertheless expressed concern over the use of information collected from one of the operational systems in a disciplinary action. He stated that had this incident formed part of the complaint before him, he would have been "strongly inclined to look upon such usage with disfavour".
While s. 13 of the new B.C. privacy statute explicitly allows employer to collect personal information about its employees if collection is reasonable for the purposes of "establishing, managing or terminating an employment relationship" without employee consent, it does not address the situation where personal information collected for one purpose (e.g. security or for operational reasons) inadvertently captures information relevant to employment issues.
PART 2: INTERNET AND E-MAIL MONITORING
WHO’S DOING WHAT ONLINE?
It may be of interest to know how computer resources are commonly being used in the workplace. In a recent Ipsos-Reid survey, the following statistics were gathered with respect to Internet use at work. It is important to note that the survey did not specify that time at work necessarily meant during hours where the employee was expected to be working.
Percentage of workers work who admit to using Internet access for personal reasons
Percentage of online time spent for personal reasons
Below is a table of the percentage of the people surveyed who had done the following activities via Internet access at work:
Sent and received personal e-mails
Checked news and sports headlines
Comparison shopped for offline purchases
Conducted online banking
Made online purchases
Visited porn sites
Statistics such as these have led to increased web and e-mail monitoring in the workplace and a corresponding threat to our everyday privacy.
A 2001 study by America Management Association revealed that almost 80% American companies deploy web-tracking. A more recent study revealed that more than half of US companies engage in some form of e-mail monitoring and that 22% of the 1100 companies surveyed had terminated an employee for e-mail misuse.
Yet, aside from watching for illegal activity, one of the world’s largest private software companies, SAS Institute, does not monitor web use, raising the question; Is it necessary to monitor employee use for anything other than illegal usage?
Can monitoring do more harm than good?
Studies have shown that employee job satisfaction can decrease as a result of electronic monitoring. In her article, "When Work Morphs into Play: Using Constructive Recreation to Support the Flexible Workplace", Professor J. Oravec supports the position that because jobs today demand high levels of creativity and mental flexibility, use of the Internet and "online recreation" can assist employees in gaining fresh perspectives that can be beneficial to an employer. Permitting employees to use the computer for personal reasons allows them to become more familiar with software and computer applications. Prof. Oravec says that online recreation can be constructive when it is "in synch with pending work responsibilities allowing individuals to use time not consumed by workplace demands in ways that equip them to face future tasks with greater energy and expanded perspectives." Online recreation can also serve to sharpen employee’s computer skills that would otherwise go unused or become stale. These are persuasive reasons for allowing an employee to use electronic resources freely during down-time in the workday.
Monitoring electronic activity and reviewing the information collected upon suspicion or indication of illegal usage is reasonable. But is the continuous collection and review of an employee’s use of electronic resources acceptable under B.C. privacy laws today?
The issue of monitoring electronic activity in the workplace raises more questions than answers. A number of these questions will appear, many unanswered, throughout this paper. The questions are intended to provoke thought on the issues and on the application
of B.C.’s new private sector privacy legislation, the Personal Information Protection Act (PIPA). Hopefully, the answers to the questions raised will become clearer as decisions come from arbitrators, labour boards and the courts.
This paper will touch upon the rationale and methods of workplace monitoring; offer suggestions for crafting a PIPA friendly policy; examine whether such a policy under PIPA adequately protects employees; and review several recent discipline decisions with an eye to the future application of PIPA.
REASONS FOR MONITORING
Employers will offer many reasons for monitoring web and e-mail usage:
Some of the above reasons are compelling, but the rationale for and methods of workplace monitoring should not go unchallenged. Although we often hear of how computer technology has simply created new methods for old offences, that same technology has also spawned new and effortless ways for employers to intrude upon an employee’s privacy.
METHODS OF MONITORING
There are many ways that electronic activity can be monitored in the workplace:
The list of sniffers and trackers, with names such as SpyAgent, Shadow, Silent Watch and Sentinel is "unnerving, if not Orwellian."
Fundamental principles of privacy demand that there be limits on when it is acceptable for employee electronic activity to be monitored. However, employer’s rights, which seem to directly clash with our developing notions of privacy rights, cannot be ignored. An employer may argue that the computer is a company tool and therefore the data created from its use is the employer’s property. If this is so, does it follow that the use of this property carries no expectation of privacy? Or are e-mail communications more like personal phone calls or letters?
THE STATUS QUO ON MONITORING
To date we have been unable to locate a definitive ruling on who owns personal e-mail created while at work, or for that matter, the data created from web usage when surfing on company time. Until PIPA, employee surveillance in the private sector was essentially unregulated in British Columbia. Determining whether workplace monitoring was appropriate depended on the nature of the monitoring, the nature of the activity (work-related or personal), and the employee’s awareness of the monitoring.
To be deemed lawful, employer’s policies or rules needed to be reasonable and factors such as the implementation of the policy and whether the policy was clearly communicated were considered. Obviously, policy played an essential role in the analysis.
PIPA mandates that an organization develop a policy that meets the organization’s obligations under the Act. The policy must be reasonable and the collection, use and disclosure of personal information must be consented to, either expressly or by implication, in order to be permissible.
CRAFTING A PIPA-FRIENDLY POLICY
Basically, an e-mail and web use policy should apply to everyone who uses the employer’s Internet and e-mail resources and should address the following:
The purpose(s) of monitoring should be specific in the policy, for example, loss of productivity, time theft, protection from liability risks, misuse of the equipment, or potential virus damage that can be costly to the company. There is suggestion that "blanket" purposes and random monitoring would not be acceptable or in compliance with the Act.
Methods of collection and data collected
Employees should be made aware of the type of data collected; whether it be keystroke numbers, number of e-mails sent per day, length of the e-mail message, or cookies and data files that are kept on the computer’s hardware. Further, the employee should be made aware of the circumstances under which collected data will be reviewed or used. For example, if the company’s policy is to routinely monitor and review e-mails for viruses, the policy should say so.
What would constitute a breach of policy?
A primary goal of having a policy is to establish acceptable use guidelines. The policy should stipulate the limits of usage; whether it is that the electronic resources are strictly for business use or that some personal use is permitted. A reasonable use policy will be one that conforms to the company’s purpose and corresponds with the employee’s job duties.
It is important to ensure that users of electronic resources understand that e-mail communication is subject to the same laws, regulations and policies as other communications, both written and verbal. In all circumstances, e-mail and web use should be legal, ethical, and respectful; it must not be harassing, abusive, threatening or sexual, and it includes jokes, cartoons, attachments and web links. Providing employees with concrete information upon which they can judge whether their activity complies with stated policies can be invaluable.
The value of training
In tandem with implementing a policy, basic web and e-mail training should be considered. It is a common, and probably costly, mistake to assume a fair degree of computer and Internet sophistication or savvy. A lot of time and money is spent on cleaning computers, protecting them from viruses and dealing with "crashes" due to viruses. An employer should consider training employees on how viruses are disguised in e-mail communication, how viruses can be spread via e-mail communication without the awareness of the sender and certain "red flags" that can be identified with respect to general e-mail use.
Users should be educated with respect to the types of websites that exist and what Internet use will result in "alerts". Sometimes the most innocuous search request will produce strange and unexpected results that could result in a tag on the search.
Users should be reminded that workplace e-mail addresses are usually connected to the place of employment and the company’s name often appears in the sender’s address. The result is that the communication might have the appearance of coming directly from the company. Would you write a love letter on company letterhead? Finally, users should be aware that attachments and links, although not seen on the screen, form a part of the communication.
Consequences for breach of policy
The risk of discipline should be clear and the range of consequences should be set out; from letters of reprimand, limitations on use, termination, to prosecution as a result of illegal usage, including the fact that suspected violations may be referred to the police. The policy should also include the possibility of the company taking action against the employee for losses suffered because of illegal activity or breach of policy.
As a final point, a reasonable policy should include a clause about incidental and occasional personal use. A policy that prohibits all personal use is not reasonable or realistic in today’s computerized workplace.
PIPA: THE SHIFT FROM EXPECTATION OF PRIVACY TO REASONABLE SURVEILLANCE
Even though it may not be wise to assume so, there is a general understanding in Canadian society today about what constitutes acceptable or legal Internet and e-mail use at work. There is even the understanding that by their very nature, the security of e-mail communications or privacy of Internet searches is not guaranteed. However, there is no comparable general understanding of what level of privacy to expect at the workplace.
Some arbitrators have insisted that electronic surveillance must be sensitive to the employee’s interests in personal privacy and human dignity and the way in which and the purposes for which surveillance devices are deployed will play a part in the analysis of whether an employee’s privacy has been invaded.
Is it reasonable to expect privacy?
What if you are not sending illegal messages, what if you are not surfing the net during work hours – can you expect that your e-mail communications and Internet data will not be monitored?
In R v. Weir  AJ No. 155, pornographic e-mail messages and attachments were seized from Weir’s home computer, when the police were tipped-off by the Internet service provider that was repairing his computer. The court determined that e-mail communications over a personal Internet connection do carry a reasonable expectation of privacy but because of the manner in which technology is managed, e-mail is vulnerable and the degree of privacy diminished. The court held that the search warrant and seizure were valid and that the e-mail evidence was admissible. Weir was convicted.
The issue of privacy in e-mail communications at the workplace is complicated by the notion that the e-mail message itself may not belong to the employee.
In Treasury Board (Solicitor General Canada – Correction Service) and Briar (Re), 116 L.A.C. (4th) 418 (Taylor), discussed again at page 26 of this paper, it was held that in an investigation of e-mail misuse there was no reasonable expectation of privacy.
Michael Geist, a law professor at the University of Ottawa, suggests that the rules for workplace surveillance are moving away from an assessment of "reasonable expectation of privacy toward deciding whether the surveillance itself is reasonable." The reasonableness clause found in most private-sector privacy legislation sets a limit on workplace surveillance.
Criteria with respect to how to judge reasonableness hopefully will come with the developing jurisprudence. In his paper prepared for the Canadian Judicial Council, Professor Geist puts forth some factors to be considered when determining reasonableness: the target of the surveillance, its purpose, alternatives to surveillance, technology and methods used, and the adequacy of the notice given to employees.
PIPA does signify a shift away from expectation of privacy to reasonable surveillance, but will its application make any difference?
HOW PIPA PROTECTS EMPLOYEES
The focus of PIPA is not on the employment relationship, but it is nonetheless applicable to the clash between privacy interests and business interests in the workplace.
Section 2 of PIPA defines its purpose as follows:
The purpose of this Act is to govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
The definition of "personal information" in PIPA is expansive, and any information in any form that can be attributed to an individual falls within the definition. E-mail and electronic data should fit into this category. However, there are exceptions that would leave this information, and indeed all personal information, vulnerable to collection and inspection beyond that which might be expected.
The Work Product Exception
The definition of "personal information" specifically excludes "work product information". Is electronic data created at work an employee’s work product and therefore not subject to the protection of the legislation?
PIPA is modeled on, and is supposed to be substantially similar to PIPEDA. In a paper on workplace privacy, Information and Privacy Commissioner, David Loukidelis compares the treatment of work product under PIPEDA and based on federal decisions states that "one could expect that an employee’s work product, in the sense of information created through one’s employment activities, would not be considered information "about" the individual employee within the meaning of PIPEDA." The Commissioner goes on to say that the treatment of "workproduct" by the Federal Privacy Commissioner is not clear, as in the recent decision PIPEDA Case Summary #114, January 23, 2003 (discussed in Part 1 of this paper) he appears to have treated video surveillance as a collection of "personal information."
We will have to wait and see how this plays out in front of the British Columbia Information and Privacy Commissioner and labour arbitrators, but for the sake of the analysis below, we will proceed on the basis that electronic data, including e-mails, is personal information.
PIPA prohibits the collection, use and disclosure of personal information without consent of the individual, express or implied (s. 6). Consent is not valid (s. 7) unless the purpose of the collection is disclosed (s.10(1)(a)). This would appear to provide adequate protection to any personal information, including the collection of electronic data created at work. However, purpose of collection does not have to be disclosed (s. 10(3)) in circumstances of deemed consent (s. 8(1)), because the purpose is obvious (s. 8(1)(a)).
So basically an employer can monitor the use of electronic resources for any "obvious" purpose without the express consent of the employee. Further, if an organization provides notice that it intends to collect personal information and the individual does not decline to have the personal information collected, the collection, use and disclosure, if reasonable, is permitted (s. 8(3)).
Consider the scenario where a warning page that outlines a company’s policy in regard to the collection of electronic data pops up each time an employee logs on to a computer. Is this collection valid under PIPA?
What if the above policy screen does not state that one of the purposes for the collection of the data is to track employee time and that when collecting and reviewing the data, the employer determines that theft of time has occurred based on the time spent conducting Internet searches? The employer then proceeds with discipline and uses the personal information collected as evidence. Would this be a valid collection and use under PIPA? Implied consent provisions tell us that this may be so.
Would this fall under section 7(3) which states that consent is not valid if it is obtained by false or misleading information or deceptive practices? Not likely if it can be shown that the discovery of the time-theft was incidental.
What if the employer’s policy states that if something is found during a routine scan that is contrary to policy, it will be acted upon? Would the above scenario then constitute a valid collection and use of personal information?
Privacy issues with respect to workplace monitoring of electronic resources will arise most often in discipline cases. PIPA has yet to be applied to the employment or unionized labour setting. To date we have been unable to find any court decisions that deal head-on with employer monitoring of e-mail and Internet use.
DISCIPLINE CASES: WOULD A PIPA ANALYSIS MAKE A DIFFERENCE?
As PIPA is modeled on the PIPEDA, it may be useful to begin by examining how that legislation has been applied.
In Treasury Board (Solicitor General Canada – Correction Service) and Briar (Re), 116 L.A.C. (4th) 418 several employees were disciplined for e-mailing pornographic materials. The employees claimed a privacy interest and a section 8 Charter violation (search and seizure). In rejecting the employees’ claim, the Board referenced the employer’s proper-use policies and a clear log-on warning. Further, the employer was acting on a complaint; it was not a random surveillance. Most interestingly, the Board stated, "These are e-mail communications over which the grievors lost control once they pressed "Send"."
The following principles can be taken from this decision:
The following recent example of a situation involving employee monitoring, shows us how complicated the matter can get.
In January 2004 the ten month computer-use investigation launched by the Yukon government involving the Public Service Commission and the Public Service Alliance of Canada/Yukon Employees’ Union was finally resolved. The investigation cost more than $100,000. The process "spiraled out of control" and at the end of the investigation, 96 workers had been punished. The discipline ranged from a letter of reprimand to a 20-day suspension.
The stated standard was that receipt of just one e-mail containing objectionable material would lead to investigation. Key points examined were the nature and volume of the material, the recipients and senders, and the key distributors.
In the face of numerous grievances and appeals, the parties decided to refer the matter to Arbitrator Vince Ready and a mediated settlement resolved the matter. At the end of the day two employees will not get their jobs back. Suspensions were reduced by more than 50%: 20 day suspensions were reduced to 7, 15 days to 5, 10 days to 3, 5 days to 2, and 1 day to a letter of reprimand. Letters of reprimand stood.
In British Columbia v. British Columbia Government and Service Employees’ Union (Morris Grievance)  BCCAAA No. 152 (July 9, 2003) the employee leaked a confidential document in violation of the employers standards. During the employers investigation a series of e-mails between the grievor and another individual included "disloyal, derogatory, and defamatory statements" regarding her supervisor and the manager of the branch (QL page 3). Arbitrator Ready applied the Wm. Scott principles as the guiding arbitral framework in determining that the dismissal was excessive, substituting it with a six month suspension and one-year of probation. Most interestingly, Arbitrator Ready finds that the derogatory e-mails "were intended to be entirely private" and that "[m]odern technology has simply documented comments that in previous times would have been relegated to the "office gossip" category" (QL page 8).
In Public Service Employees Relations Commission v. B.C.G.E.U. (Bains Grievance)  BCCAAA No. 197 (June 25, 2003, K.F. Nordlinger), the employee Bains was terminated from his position as an Auxiliary Correctional Officer for disclosing confidential information to an inmate that could jeopardize the safety of another inmate, disclosing a confidential investigation to the officer who was being investigated and failing to disclose the extent of his relationship with an inmate. His termination letter stated that his misconduct was not an aberration and that his ingrained behaviour was antithetical to the requirements of the job. The employer then stated that this conclusion was "supported by [his] excessive and inappropriate use of the Government e-mail system." The misuse involved sending inappropriate jokes to co-workers and outside addresses, sending personal e-mail to his girlfriend and sending tasteless and lewd photos and stories. Aside from the inappropriate use of the e-mail system, the other incidents relied upon were not proven. Thus, the Arbitrator had to determine the appropriate discipline for the misuse of the e-mail system.
Seven months prior to confronting Bains with the misuse of the e-mail, the employer had sent the following e-mail message to all staff:
This is a reminder that the e-mail system is for government-related business only. I appreciate the need to circulate messages to as wide an audience as possible and therefore the temptation to use the all-staff mailing list is convenient. However, this is not an appropriate use of both the e-mail system nor the mailing list.
The employer’s Internet usage policy stated:
Internet usage must be able to survive public scrutiny and/or disclosure. Users must avoid accessing sites that might bring the Public Service into disrepute, such as those that carry offensive material.
In finding that termination was excessive and that Bains should be issued a written reprimand and reinstated, the Arbitrator considered the following factors:
Would it have made any difference to the outcome if the Employer had outlined the risk of discipline in the policy? Would an analysis of the PIPA been necessary? We see that there is no discussion of privacy issues.
In Public Service Employee Relations Commission v. BCGEU  BCCAAA No. 359 (August 9, 1999, H.A. Hope, Q.C.) the employee was given a two-day suspension for "attempted inappropriate access to the Internet". The employer’s Internet use policy prohibited access to offensive sites. The employer’s records showed two hits on inappropriate sites. Claiming curiosity, the employee looked at a directory called "100 Hot" and "landed" on two titles, but did not actually access a sex-related site. The employee had no discipline record. Arbitrator Hope found that the breach of policy was "technical in nature" and reduced the penalty to a letter of reprimand.
In Westcoast Energy Inc. v. Communications, Energy and Paperworkers’ Union or Canada, Local 686B  BCCAAA No. 423 (October 1, 1999, K. Albertini), the employee was terminated for sending four anonymous e-mail messages to a female employee of the company that were found to be harassing. Company policy was that Internet and e-mail use was for company business only and that it was not acceptable to use these services for anything other than business purposes, both during and outside normal business hours. The female employee became concerned and a sniffer that could trace transmissions was installed on her computer. In finding that this case was "borderline" and that the employee should be reinstated (time missed was recorded as a suspension and equaled 6 months), the arbitrator considered that the employee had no discipline record over 24 years of employment, the act of sending inappropriate messages on the company computer was not as rare as one might expect, and that the employee had brought a considerable loss of income and shame upon himself. Letters of apology were a condition of the reinstatement.
In Camosun College v. CUPE Local 2081  BCCAAA No. 490 (November 15, 1999, Germaine) negative comments about faculty were distributed on a Union e-mail list of over 100 individuals. The employee was suspended, and upon completion of an investigation, the employee was dismissed. In upholding the dismissal, the arbitrator found that the employee had no reasonable expectation of privacy in the e-mail and that the distribution of the e-mail constituted insubordination and a breach of the duty of fidelity. The grievor’s disciplinary record and failed attempts at corrective discipline were factors in this decision.
In British Columbia Government and BCGEU  BCCAAA No. 535 (November 17, 1998, S. Kelleher, Q.C.) the employee has accessed offensive websites using the employer’s computer – at home. The employee had agreed to the employer’s Internet usage agreement:
…I also agree that personal use will not include inappropriate behaviour such as access to or downloading from offensive sites….I understand that my use of the Internet is identifiable by others as a Government activity….I understand that my usage may be monitored without further warning and that inappropriate usage may be cause for disciplinary action up to and including dismissal or cancellation of contract.
Arbitrator Kelleher found that the misconduct was serious and that the one-day suspension was not excessive.
Would the language of the above usage agreement survive a PIPA analysis, keeping in mind the shift from reasonable expectation of privacy to reasonable surveillance? In this case, the employee had no expectation privacy but was subject to blanket monitoring. Would this be reasonable surveillance?
In CUPE, Local 2950 and University of British Columbia  BCCAAA No. 501 (October 30, 1998, J.E. Dorsey), the employee, a University Archives Assistant and a computer enthusiast, was suspended for 3 days and conditions on his use of computers at work were imposed. The University had a web and e-mail use policy that stated e-mail and Internet accounts were primarily for work, but allowed personal e-mail use within limits. Prior to going on vacation, it was agreed that the Systems Division would rebuild his computer, as it had been "crashing". During the repairs, a large bookmark file (twice the usual size) was identified and examined. A folder containing links to offensive websites was found. The employee claimed that it was his son’s folder, as they shared a computer at home. Through extensive computer investigations, it was determined that the file was the part of the employee’s personal files that were brought back and forth from home to work – and installed on his work computer. There was no evidence that he had accessed or downloaded pornographic material with the employer’s computers. It was accepted that if the employee had intended to hide the files before having his computer serviced, he had the computer savvy to do so. Arbitrator Dorsey found that the employee did not knowingly include inappropriate links on the employer’s computer and ordered that the suspension and conditions be removed.
The passage of PIPA was a much heralded event by many who had been part of the extensive consultative process prior to its drafting. We had differed from the majority view, in our critical assessment of its value to employees and unions. These assessments were expressed in our earlier paper on the topic.
However we should acknowledge that our criticisms have been modified somewhat by our research, and by discussions we have had with a wide range of colleagues in preparation for this paper. We are somewhat encouraged in our view of the Act. We say that because of the prospects of a more rigorous and searching review of many aspects of employer conduct occasioned by resort to the PIPA reasonableness standards in complaints or grievances advanced by unions and employees to the Privacy Commissioner and to arbitrators.
F:35(91) Insight Paper (Feb 25, 2004)