Some aspects of employer’s electronic monitoring policy were reasonable, others not, arbitrator rules
The Facts:
When an employer introduced a new electronic monitoring policy, the union filed a grievance claiming that it was an unreasonable exercise of management rights.
On November 17, 2022, Rideauwood Addiction and Family Services, a substance use treatment centre in Ottawa, sent the bargaining agent for its employees its new Electronic Monitoring Policy, introduced in response to the enactment of Bill 88, the Working for Workers Act, 2022 (discussed in Lancaster’s Workplace Privacy Law, eAlert No. 51, March 6, 2023) with an effective date of December 2022. The policy provided in part:
The personal and electronic information that is collected through electronic monitoring shall only be used for the purpose for which it was collected…. Generally speaking, the forms of electronic monitoring outlined … are used for ensuring network security, facility security, protection of client information and data, productivity and appropriate use monitoring, to support performance evaluation and/or corrective action, to detect malicious, high risk or unlawful activity or activity in breach of our policies and procedures, to monitor network performance, and to prevent security incidents from occurring.
The policy outlined the “activities and procedures” it monitored, including: performing audits on its client record management system to assess employee performance management; monitoring all e-mails sent from @rideauwood.org accounts using the employer’s networks and equipment, while “reserv[ing] the right” when “circumstances warrant” to monitor “personal e-mail accounts (non rideauwood.org) accessed through the [employer’s] networks when these emails pertain to Rideauwood”; reviewing records of the duration and time of all cell phone calls and text messages to monitor expenses as well as to identify inappropriate equipment usage; and monitoring employee network and computer activity, including “Office 365 applications, app activity […], downloaded documents and accessed websites, etc.” The policy further provided that “only authorized staff may examine such usage/records for business-related issues,” and that “[a]ll information collected through electronic monitoring will be securely stored and protected.”
All employees were issued laptops for conducting their work. As well, employees who worked in the community were given cell phones for safety reasons, for situations in which they could not access Wi-Fi to use the computer-based phone system. Employees who worked on site or from home did not receive mobile phones, and instead used the employer’s organization phone app for work-related calls, which was a computer-based phone system that used Voice over Internet Protocol (VoIP).
On December 13, 2022, the union filed a grievance, alleging that the new policy was an unreasonable exercise of management rights.
The employer’s Organizational Social Media/Internet policy (Policy 6.01) provided in part that “Rideauwood employees and contractors are directed to use their personal or organization-supplied cell phones only for business purposes during regular business hours” and that “Rideauwood employees are strictly prohibited from using cell phones for any other available purpose (e.g., Internet access, gaming, texting, music) during operational hours. These functions may be used during scheduled breaks or lunch periods in non-working areas.” As well, Policy 6.03, pertaining to Network Security, stated in part that “[n]on work-related activity on the internet, including e-mail and social media sites, shall be conducted on an individual’s own time, outside of regular hours. During this time, these guidelines shall remain in force.” The Computer Technology Acceptable Use Agreement, which employees signed upon being issued a work- issued laptop, stated in part that “[p]ersonal use of Rideauwood-provided computer technology is to be of an appropriate nature that will not incur additional cost or increased risk to Rideauwood. Such technology is not to be used to access or promote inappropriate sites, including but not limited to pornography, racism, hatred or any illegal activities.” Finally, the Rideauwood Cell Phone Agreement stated: “The primary use of the service and device shall be for Rideauwood-related business. Personal use of the cellular device is not permitted. You are responsible for making good judgments on how best to use this resource.”
The Arguments:
The union submitted that the electronic monitoring policy intruded on individual privacy rights in an unreasonable manner that was inconsistent with the parties’ collective agreement and the test set out in Lumber & Sawmill Workers’ Union, Local 2537 v. KVP Co. Ltd., [1965] O.L.A.A. No. 2 (QL), which requires, among other things, that an employer’s policy be clear, unequivocal, and reasonable. Specifically, the union objected to the policy’s provisions that monitored private and confidential personal information, arguing that employees have a reasonable expectation that such information will remain private. In this regard, the union cited the Supreme Court of Canada’s decision in R v. Cole, 2012 SCC 53 (CanLII) (reported in Lancaster’s Headlines, October 23, 2012), which affirmed the right to “informational privacy,” as “the right of individuals to determine for themselves when, how and to what extent information about them is communicated to others.” The union further contended that the policy was overly broad, enabling employer surveillance of internet usage, personal e-mails, web history, apps, and social media, without a demonstrable business purpose. Finally, it maintained that the policy was not “clear and unequivocal” due to undefined protocols for securing and storing the monitored information.
Pointing to its clear legal obligation to protect the confidentiality of the personal health information and identifies of the vulnerable clients it served, the employer argued that it had a duty to ensure high levels of security and monitoring of electronic information. It maintained that monitoring employees’ e-mails related to Rideauwood and sent from personal accounts, alongside e-mails from @rideauwood.org accounts, was justified, noting that employees had the option to control which personal e-mails could be monitored by choosing to send them via their own data network instead of the employer’s Wi-Fi, and thus any privacy concerns were “self-inflicted.”
The Decision:
Arbitrator Randi Abramsky allowed the grievance in part, ruling that the portions of the policy related to cell phones and e-mails were a reasonable exercise of management rights, with some clarifications, but that the policy’s approach to monitoring internet and network use was unreasonable.
Setting out the issue before her as “whether the [policy], as written, is a reasonable exercise of management rights, and consistent with the KVP standards,” Abramsky noted that this required “balancing the employees’ objectively reasonable expectations of privacy against the legitimate interests of the employer.” Before conducting this exercise, Abramsky reviewed the employer’s policies regarding phone and computer use, and found that personal use of work-issued computers was not completely prohibited but was instead prohibited during work/operational hours, and that the computer use policy did not prohibit personal use of employer-issued devices, but instead directed that any use be “of an appropriate nature.”
Turning to the reasonableness of the monitoring policy, beginning with cell phones, Abramsky opined that, for work-related call records and texts, Rideauwood had “a significant interest in monitoring to ensure client information and data are protected, to assess appropriate use and consistency with policies, and performance evaluation.” However, she reasoned that the employer’s interest in monitoring personal call records and texts made over its network and Wi-Fi was more limited. In contrast, Abramsky determined that the employees’ reasonable expectation of privacy for both work-related and personal call records and texts on the employer’s networks was diminished because the policy overtly informed employees of the surveillance. Moreover, Abramsky considered the fact that employees could choose to avoid using the employer’s network to definitively tilt the balance in the employer’s favour. Accordingly, she held that the policy as it pertained to cell phone calls and texts was a reasonable exercise of management rights, provided the employer did not collect the actual content of the call, but merely recorded the call and duration, stating:
…[E]mployees have a choice in regard to personal calls and texts — use your personal cellphone and data and the call/text remains private. While this may represent a change and an inconvenience to staff, employees have some responsibility in relation to private calls and texts to modify their approach, if the privacy of such calls and texts is important to them.
…
… If the content of the calls is collected and stored, and therefore able to be retrieved, there may be privacy concerns about private calls. … [T]he content of business calls — provided employees are notified that the content of such calls may be collected, stored and monitored — would be a reasonable exercise of management rights. In regard to private calls, the balance would favour the employee except in specific, limited circumstances that pertain to significant employer interests. This issue, however, must be clarified. Employees must be made aware if the content of calls — both work and personal — is collected, stored and possibly reviewed.
Similarly, with respect to e-mails, Abramsky identified choice as a key factor in assessing the policy’s reasonableness, opining:
Based on the view that only personal emails sent using the [e]mployer’s WiFi or networks are monitored (and not any other private email), employees appear to have a choice: use their own email accounts, on their own devices and networks, and ensure the privacy of their messages, or use the [e]mployer’s network and risk monitoring.
The [u]nion asserts that it is common for employees to check their personal emails while at work. I am sure that is true, but employees can choose how they send and receive personal emails while at work, and on what device. With knowledge of the [e]mployer’s monitoring practices, an employee may make an informed choice. Having to use a personal device for personal emails may represent a change for some, it is not an undue burden. If an employee considers it to be so, however, they can choose to use the [e]mployer’s equipment, WiFi or network, with the knowledge that the email may be monitored.
Although Abramsky held that the policy’s approach to e-mail surveillance was therefore reasonable, she took issue with the part of the policy permitting the monitoring of personal e-mails that pertained to Rideauwood and that were accessed through the employer’s network “when circumstances warrant,” characterizing it as “overly broad and unclear,” and stating that this phrasing “needs to be much clearer and tailored to ensure that the [e]mployer’s ability to monitor staff personal emails is limited to truly legitimate [e]mployer needs.” She also ordered the employer to clearly explain how it would determine whether a personal e-mail “pertains to Rideauwood.”
Turning to assess the policy’s approach to internet and network use, Abramsky, acknowledging the employer’s legitimate business need to monitor work-related computer use to ensure that its resources were being properly used, again determined that employees had a “very low” expectation of privacy regarding their work-related activities, given their awareness that the employer collected and stored the information on work-issued laptops. However, she determined that the policy’s broad monitoring of personal use on work-issued laptops was excessive, particularly since employees were allowed to use work-issued laptops for personal purposes outside of work hours, stating:
Under the [policy], employees are “encouraged” to use their work computer “for business purposes only”. This is quite different than a prohibition on personal use. Under its IT policies, personal use is permitted after hours as well as during breaks. The [e]mployer’s monitoring, however, does not cease at the end of the business day, or during breaks, and consequently includes monitoring of personal use.
While the [e]mployer has a legitimate interest in monitoring employee work-related use of Rideauwood computers and IT, and employees have a low expectation of privacy in relation to work-related usage, the same is not true for personal use.
In this regard, Abramsky noted that in Cole, the Supreme Court of Canada observed that such information may include financial, medical, and personal details, which “falls at the very heart of the ‘biographical core'” protected by s.8 of the Canadian Charter of Rights and Freedoms, and held that while employer ownership and written polices pertaining to personal use were relevant considerations, they were not determinative. Thus, Abramsky held that this aspect of the policy was unreasonable, stating:
The [policy] currently allows monitoring of internet, network, and app activity of both personal and work-related usage, without distinction. … [T]his part of the policy [is] unreasonable. While the [e]mployer has a legitimate interest in monitoring work-related internet use[,] which outweighs the employees’ low expectation of privacy, its interest in monitoring personal internet use is significantly less — though it still exists, while the employees’ reasonable expectation of privacy is higher. The reason the [e]mployer still has an interest in an employee’s personal use of their work-issued laptop is because employees must adhere to Rideauwood’s policies, and ensure the protection of client information, confidential matters and Rideauwood’s reputation.
Although acknowledging that one could again argue that employees had the option of not using their work computer for personal use in order to avoid monitoring, she held that the situation differed due to the fact that employees were explicitly permitted to use the computers for personal use, and noted that one option would be for the employer to explicitly state that work-issued computers could only be used for work purposes. In any event, she directed the parties to collaboratively consider “how the legitimate interests of the [e]mployer in monitoring employees’ internet use on work-issued laptops may be achieved without unduly interfering with employees’ reasonable expectations of privacy in relation to personal use,” noting that if such a balance could not be achieved, “it must be made explicitly clear to employees that any personal use of the employer-issued laptop is collected, stored and monitored,” adding that “[w]here personal use is prohibited and enforced, and notice of monitoring is provided, it is questionable whether an employee can have an objectively reasonable expectation of privacy. In this case, education and clarity is key so that employees may make an informed choice.” [emphasis in original]
Finally, while Abramsky noted that the policy lacked some clarity regarding the storage and security of monitored information, she did not deem this deficiency significant enough to fail the test established in KVP. Nevertheless, she stressed the importance of education, stating that “information concerning how the information is stored and secured should be shared with the [u]nion and employees, even though it need not be part of the [policy].” She also directed the employer to hold educational sessions with both employees and the union to ensure that employees could make informed choices and to revise the policy “to explicitly state how employees may avoid employer monitoring of private calls, texts, emails and internet use, and consideration should be given to amending the user agreements to include such information.”
In the result, Arbitrator Abramsky allowed the grievance in part, ruling that the policy was unreasonable with respect to internet and network use, but reasonable in its approach to cell phones and e-mails, with certain revisions needed for clarification.
Comment:
On April 11, 2022, provisions related to electronic monitoring were incorporated into the Employment Standards Act, 2000, with the passage of Bill 88, the Working for Workers Act, 2022. These provisions mandate that larger employers establish a written electronic monitoring policy “for all employees with respect to electronic monitoring of employees.” Employers with 25 or more employees on January 1 of any given year must have their policy in place by March 1 of that year. As noted by the arbitrator in the instant case, although the Act was introduced in recognition that “[a]s technology has changed and developed, the ability of an employer to monitor employees’ online activity has significantly increased,” which “can clash with employees’ privacy rights and interests,” the Act requires only that employees be notified about the extent and purpose of monitoring, but “does not prohibit monitoring or limit its use,” or “create any new privacy rights.”
As Mitchnick and Etherington note in Leading Cases on Labour Arbitration Online, a central consideration in cases that involve the permissibility of employer’s electronic monitoring or searches “is often the existence of an employer policy stipulating that electronic resources are to be used only for legitimate work-related purposes, prohibiting or restricting personal use (either by reference to the volume of such use or the times at which it may be engaged in), expressly setting out the types of content or material which are proscribed as offensive or otherwise inappropriate, warning employees that use of the system cannot be considered confidential and is subject to monitoring, and advising of the potential for disciplinary consequences in the event of non-compliance.”
In reaching her decision, the arbitrator in the instant case made particular mention of the decision in Cole, which Mitchnick and Etherington characterize as a “ground-breaking decision” on the issue of management’s right to electronic surveillance and searches. In that criminal case, the Supreme Court of Canada held that a secondary school teacher had a reasonable expectation of privacy in respect of personal information on his workplace laptop computer, which had been provided and owned by the school, and which was found to contain sexually explicit photos of a Grade 10 student at the school on its hard drive. That content was discovered by a school IT technician who, after noticing a large amount of activity between the teacher’s laptop and the school’s server, remotely accessed the hard drive to perform a virus scan and verify the integrity of the system. While the Court held that the employer’s actions, including searching the laptop, copying the temporary files of the teacher’s surfing history and the images onto disks, and turning the laptop and disks over to the police, were justified by its authority under s.265 of the Education Act to protect students, it held that the subsequent warrantless search conducted by the police violated the individual’s right under s.8 of the Charter to be secure against unreasonable search and seizure. Although Cole dealt with a search by the police, rather than an employer, the Supreme Court recognized that, while an employer’s written policies may diminish a privacy interest, they are not determinative of a person’s reasonable expectation of privacy. Although the employer had clear policies indicating that employees had no right to privacy in respect of information on employer-owned devices, the Supreme Court ruled that the employee still had a reasonable expectation of privacy in respect of information on the laptop that was “meaningful, intimate, and organically connected to his biographical core.” Mitchnick and Etherington further observe that “[e]ven in cases where the employer was not directly subject to the Charter, arbitrators have referred to R. v. Cole in determining whether management was entitled to conduct a search of electronic records which directly or indirectly revealed an employee’s personal information.”
The principles set out in the Court’s ruling in R. v. Cole, with respect to the right to privacy and the right under s.8 of the Charter to be secure against unreasonable search and seizure, were taken a step further by the Supreme Court of Canada in York Region District School Board v. Elementary Teachers’ Federation of Ontario, 2024 SCC 22 (CanLII), reviewed in Lancaster’s Education Employment Law, eAlert No. 167, October 15, 2024. In that case, the Supreme Court of Canada confirmed that teachers working for Ontario public school boards have a right under s.8 of the Charter to be free from unreasonable search and seizure of their personal information stored on workplace computers, since Ontario public schools are by their nature governmental. Moreover, the Court held that a grievance arbitrator had erred in deciding the grievance filed by two teachers who alleged that they were disciplined without cause, and that their right to privacy was violated by the board, when the school principal accessed their personal information contained on a board-owned laptop to determine if they had engaged in unprofessional behaviour with respect to a third teacher. According to the majority, by failing to consider and apply the Charter in determining whether the search of the laptop unreasonably infringed the grievors’ rights, the arbitrator erred in examining the grievors’ privacy rights solely through a common law lens. Accordingly, the decision of the arbitrator was quashed.
For other decisions involving the monitoring of employees in the workplace, albeit not involving s.8 of the Charter, see: Canadian Media Guild v. Canadian Broadcasting Corporation, 2021 CanLII 761 (CA LA), reported in Lancaster’s Discharge and Discipline, eAlert No. 287, September 29, 2021, in which Arbitrator Lorne Slotnick ordered the Canadian Broadcasting Corporation (CBC) to reinstate a reporter who was fired after the CBC was made aware of private messages on a company laptop in which the reporter admitted to contacting other media outlets to inform them of allegedly racist practices at the CBC, holding that the employee, who had inadvertently failed to log out of his personal social media accounts on the company computer, had a reasonable expectation of privacy with respect to his private messages, which was violated when the CBC conducted an overly intrusive search of his private accounts; and Unifor, Local 481 v. Saskatchewan Government and General Employees’ Union, 2015 CanLII 28482 (SK LA), reviewed in Lancaster’s Human Rights in Employment, February 9, 2016, eAlert No. 274, in which Arbitrator Allen Ponak held that personal e-mails between a public servant and his wife that were found on the employer’s e-mail system during an investigation into allegations that he was affiliated with a biker gang were not admissible at the arbitration hearing reviewing his dismissal, since the extremely personal nature of communications between spouses gave rise to a reasonable expectation of privacy with respect to the e-mails, despite the employer’s clear policy stating that employees had no expectation of privacy regarding their use of the employer’s e-mail system.
For further discussion of employer rules affecting privacy, see Chapter 14.2 in Mitchnick & Etherington’s Leading Cases on Labour Arbitration Online.
Ontario Public Service Employees Union v. Rideauwood Addiction and Family Services
Ontario
Grievance Arbitration
Randi Abramsky
December 3, 2024
2024 CanLII 120507 (ON LA)
This legal commentary was delivered by First Resort. For more information on subscriptions and pricing. Click here.