Monitoring the use of company-issued technology is controversial. For some, the notion of monitoring employees’ use of computers, smartphones, and emails is inconsistent with personal privacy. To others, monitoring employees’ use of technology in the workplace is both the right and the responsibility of the prudent employer.
While Canadian courts and tribunals have generally accepted that employers can monitor employees’ use of technology, the limits on the nature and scope of such monitoring are murky at best. Employers that have already implemented some form of technological monitoring, or are considering doing so, should keep in mind that the legal landscape is evolving. There are some best practices to consider that may help to avoid problems.
Why Monitor at All?
The arguments that favour the monitoring of company technology are easy to understand.
Company time and resources spent using computers and smartphones for personal reasons is a drain on productivity and costs employers millions of dollars annually. There are numerous studies which have found that productivity problems faced by employers in the digital age of “distraction” is nothing short of an epidemic. Last year’s March Madness basketball tournament alone – which can be watched by employees on most computers and smartphones – was estimated to cost U.S. employers approximately $175 million in wasted time in just the first two days (and March Madness is just around the corner!).
Ensuring that employees are using company time and resources properly and productively is only part of the concern; liability abounds. Misuse of company technology exposes employers to a myriad of legal risks, including workplace harassment complaints. Consider a scandalous multimillion dollar lawsuit where the apparently unchecked use of internal computer systems alleged to have allowed male members of management to regularly send a female co-worker pornographic photos and texts. Employers can be found vicariously liable for the bad behaviour of their employees even if it occurs in cyberspace.
Employee misuse of company technology may also result in the public disclosure – inadvertently or intentionally – of sensitive, confidential and proprietary company information. As we have seen from the media attention it has garnered in recent months, data breaches in the computer systems of a number of high profile companies and government agencies has resulted in financial losses, a lack of public trust and confidence and damage to their brands.
Unchecked web surfing or other non-work related computer use by employees may also expose company computers and networks to viruses or various forms of malware, threatening not only the information contained on computers and networks, but the viability of the company’s entire technological infrastructure. Such technological failures cause system downtime and give rise to serious financial costs.
What Are the Legal Risks of Monitoring?
Given the risks, the question many employers ask is not whether they should be monitoring employees’ use of company technology, but how far can they go?
There are limits.
For one thing, several Canadian provinces have privacy legislation regulating the collection, use or disclosure of employees’ personal information. Federally-regulated organizations and government bodies are also subject to broad privacy legislation. Inappropriate monitoring, even if implemented for what are believed to be legitimate and good faith reasons, may breach those laws.
Moreover, leaving privacy legislation aside, our courts have started to incrementally recognize that employees have some reasonable expectation of privacy even when using company owned technology. The move to greater protection of employee privacy has been incremental, but there can be little doubt protections for employees will continue increase. Take for example, the recent recognition by the Court of Appeal for Ontario of the tort of invasion privacy (so-called “intrusion upon seclusion”) that allows individuals to sue in court where they believe their privacy has been breached even if the alleged privacy breach is not contrary to privacy legislation.
How Can the Risks be Minimized?
There are a number of steps employers can take in minimizing the risks of monitoring. These include the following:
- Know the law: The legal protections for employee privacy may differ from province to province and are likely to become stronger. The prudent employer will not only know the law and how it applies to the workplace, but will also stay on top of the changing legal landscape to ensure compliance.
- Be upfront with employees: No matter how you spin it, monitoring is going to be viewed as a significant intrusion on the privacy of employees. Tell employees what you are doing and why you are doing it. If employees know that their computer related-conduct will be monitored, it may prevent problems before they happen. Not telling employees what you are doing will seem a lot more like snooping, than risk-management.
- Have a policy: Adopt and enforce a policy relating to the use of company technology. The policy should be clearly written (with as little legal speak as possible), reviewed often, and easily accessible to employees. It should include, at a minimum, that employees should not reasonably expect privacy when using company technology, the scope of potential monitoring and set out the types of computer use that are acceptable and unacceptable.
- Review data: If your monitoring generates data about the employee use of company technology, review it often. Don’t bother monitoring if you are not going to make use of the data that it generates.
Get an IT Expert Involved: Even employers with modest IT budgets are well-served by consulting with an IT expert to determine what measures can be put in place. You may be surprised, but there are easy steps that can be taken with little cost. These includes blocking your employees from going to certain websites – such as gambling, pornography or television or movie streaming – on company issued technology. Again, this may prevent problems before they happen.