SPEAKING NOTES FOR CANADIAN INSTITUTE FOR ASSOCIATION OF JUSTICE WORKPLACE PRIVACY PANEL
OCTOBER 15, 2014

The employer perspective on workplace privacy

In the workplace privacy context, to derive a privacy right we balance the employee interest in protection of privacy and the employer interest in managing the workplace. I have seven minutes to provide a general perspective on management's interest. And the first of two points I'll make is that the management interest at play in any given privacy dispute is typically much weightier than a mere economic interest.

Consider what the Supreme Court of Canada said in the Robichaud case. You'll recall that this is the case in which it held that employers face a form of absolute liability for workplace harassment. Here's what Mr. Justice La Forest said:

"[Employer liability places] responsibility for an organization on those who control it and are in a position to take effective remedial action to remove undesirable conditions."

Robichaud, in 1987, signals that control (a concept abhorred by privacy advocates) can be a good thing in the workplace. And between 1987 and the time the Supreme Court of Canada decided the Cole workplace privacy case in October 2012, labour arbitrators issued hundreds of decisions affirming sanctions for sending harassing and inappropriate e-mails and for doing similarly poisoning things on work systems. This misconduct was often discovered because of rudimentary system monitoring technologies, mostly without dispute. When privacy was raised as an objection, arbitrators disposed of the objection on a "no expectation of privacy" analysis that Cole has plainly eradicated.

Nonetheless, before and after Cole one can make a clear case for system monitoring based on Mr. Justice La Forest's invitation to control the workplace. And if it is not enough to assert control over a work information system because of an employer's duty to provide a safe and harassment free workplace, today employers have a far more compelling need to monitor and control: the need for good data security.
With data security, having insight into and control over the data flowing through a corporate information system is an end in and of itself. Corporations must govern their data today. This is the second of the two points I'll make in this short address.

I don't have time to set out a detailed proof, but let me explain the need for data control or governance in broad terms by reference to the changed external and internal environment.

External threat is increasing

Since 2012 the Obama administration has recognized cyber-security as a top national security concern. It has warned businesses responsible for critical infrastructure that they must be prepared to resist malicious attacks by cyber-terrorists. We have not yet experienced a North American cyber terrorist attack but we see other evidence of malicious outsider activity on the daily news, with recent payment card breaches at Target, Home Depot and now Kmart. The recent compromise of the Chase Bank was particularly frightening to the Obama administration because it was done by an unknown actor with the capability to breach a highly-secure bank network.

So we're not just losing our corporate information any more (though that happens lots). Bad people are trying to take it.

The internal challenge in securing networks is also much greater.

There's more data on a corporate network. It used to be that a spike in network traffic showed that something was wrong. Today, there is so much data flowing in and out of a corporate network that it's harder to see when there is a problem.

Also, organizations are employing a greater variety of IT services. The only way to keep business users working on a safe and secure network is to give business users the tools they want to use. There are so many appealing consumer options for business users that organizations have loosened their approach to IT in order to compete.
Organizations have allowed for a proliferation of devices and software applications, each of which is associated with its own risks and which, all together, are quite hard to maintain compared with a more boring locked down system.

So achieving good data security is an extreme challenge for corporations. And getting back to my theme about the weightiness of the employer interest that supports workplace monitoring, the interest in good data security is not just an economic interest. There is a genuine public interest in good data security. It is an interest about custodianship and the duties owed by a person who is entrusted with sensitive information at a time when the harm associated with loss and theft has become quite foreseeable.

I'll end with a case example that illustrates this quite vividly. It's a 2014 class action certification decision in which Justice Robert Smith of the Ontario Superior Court of Justice certified a class action against a bank. The claim was based on the bad acts of a mortgage officer named Wilson who allegedly took customer information for the use of fraudsters. In finding the plaintiff had made out a case for negligent supervision Justice Smith made the following statement:

"the Bank had the ability to monitor Wilson's activities and yet the Bank admitted that it has done nothing to supervise the activities of its employees, including Wilson, with regards to the access of customers' confidential information for improper purposes. The Bank was able to determine that on July 23, 2011, Wilson had accessed 47 customer profiles in about 46 minutes. The Bank also knew that, on average, Wilson would normally access between 15 and 40 profiles a day. Wilson also attended at the office late at night to access customer profiles on some occasions."

This is a great paragraph for what it illustrates. First, that after an incident, an employer's ability to view employee system use in fine-grained detail is highly relevant.
Justice Smith is saying, if I may, the Court needs to know why you, defendant, didn't employ a simple algorithm (an alarm) to flag that Wilson was accessing about one profile a minute. And second, that employers have a duty to their customers, the public and (okay) their shareholders (too), to supervise (which means watch) the behavior of employees to a standard of due care.

This is the incredibly important interest most affecting employers right now. In crafting workplace privacy rights, it must not be discounted.

Talking points on Cole

Cole does not establish a workplace privacy right. It establishes an expectation of privacy that's derived from personal use of a work system, i.e., an interest that supports a workplace privacy right that's yet to be defined. This could ultimately be a right that impinges on a legitimate management interest. Or it could be a right that prevents only truly obnoxious employer behavior!

My view is that the expectation will not and should not impinge significantly on management rights. Why? Because the expectation of privacy that has been recognized rests on personal use of a work system, and personal use is merely a convenience.

Let me explain. A number of parties who participated in Cole on the privacy rights side argued that employees need to have private personal use nowadays because we all work so hard. The Court did not endorse this argument in its decision, in my view, because it was wary of suggesting that the Charter provides a right to employer-provided, secure and private IT services. That's a very radical proposition.

In reality we're dealing with privacy impact resulting from the extension of a mere convenience. We let employees engage in personal use because we know it's a pain for them to bring their iPads to work. That's it.
Our Charter-protected democracy will not crumble without this convenience, which is why (ultimately) employers who tell their employees to exercise their choice carefully should have a very strong ability to access data on their systems for legitimate purposes notwithstanding Cole.

Talking points on social media and off-duty conduct

The law does preserve a zone of privacy for off-duty expression that has special expressive value, but most expression on social media can and should fall outside this zone.

An employer's jurisdiction is grounded in an impact on its legitimate interests. Two employees can bitch about their manager in a bar with impunity because there is no impact on the employer. I'm sure we could find a psychologist to testify that this kind of expression contributes to one's emotional well being and ought to be encouraged as a matter of health policy and public interest. Once the conversation moves online, however, there is an immediate likelihood of harm to the manager which engages the employer's interest and provokes a legitimate response.

The more subtle aspect of the law is that some employee expression negatively affects an employer's interest and is nonetheless treated as private and beyond an employer's. This is expressed in the Supreme Court of Canada's decision in Fraser v PSSRB, which says that public servants get to criticize government policy but must exercise extreme caution so as not to jeopardize the public's perception of their impartiality, neutrality, fairness and integrity. Another example is a case called Taylor-Baptiste from Ontario, in which the HRTO held that union blog posts that implied a female manager slept her way to her position were legitimate union expression and therefore did not constitute discrimination in respect of employment.

So the law does recognize a small protective space for certain expression that serves a valuable purpose (criticizing government policy, doing union business), as I've illustrated.
There are those that would argue that the value in online dialogue itself is of such value in our society that this protected zone should grow. I'm a social media user, but I still think the value of the dialogue that I regularly see on my Facebook page warrants no special protection. In fact, I think the public interest would be best served if we all look up from our handheld devices, log off our Facebook accounts and go back to the bar.

Intrusive conduct by third parties

I'll use this as an opportunity to make a brief point about the impact of the cyberbullying phenomenon on employers.

Online disparagement often arises out of an individual's employment. Principals get targeted by parents frequently. Teachers get targeted by students. Managers get targeted by former employees. I've represented our employer clients in respect of such matters numerous times.

The standard response is: to recognize the duty to provide a safe and harassment free work environment; to open a discussion about the impact of the online disparagement on the work environment and to offer appropriate remedial assistance (starting with measures short of an internet takedown); and to make clear that the employee is responsible for seeking a remedy on his or her own and to recommend independent legal advice.

The distinction between responsibility for workplace harms (employers) and reputational harms (individuals) is difficult for employers to draw, but has a sound legal basis. It still leaves, however, a question about whether an employer is required, as part of the duty to provide a safe and harassment free workplace, to either pursue directly or provide financial support for an internet takedown.

I think we all understand that, at its worst, an action to remove something from the internet (usually pleaded in defamation) can be an extremely costly and principled battle to the death. The employer duty to take down is therefore a duty employers are very wary of acknowledging.
Also, employers might benefit from the same type of solution that individuals are looking for: a regime outside of the court system that facilitates the cost effective, expeditious yet fair removal of content from the internet.

Geolocation issues

Geolocation privacy is an example of where the administrative law regime has produced a relatively clear answer for employers and employees. We have consistent decisions from privacy regulators and arbitrators that recognize that geolocation technology is not particularly invasive and can be used for a variety of legitimate purposes. There also seems to be a relatively clear proscription against continuous monitoring of an employee's location that most employers can live with.

Exclusion of evidence for privacy breach in arbitral context

This is about the exercise of arbitral discretion to exclude evidence that is collected by an employer in breach of an employee's privacy.

Question 1 - Does an arbitrator have such a discretion to exclude for a privacy breach?

Yes, but the discretion is confined. Let me explain the basis for the discretion to exclude for a privacy breach. Two bases.

Basis one. An arbitrator has a narrow discretion to exclude relevant evidence. This is supported by the SCC decision in University du Quebec c Larocque.

Basis two. Some say this discretion should be exercised with a view to protecting individual privacy out of respect for Charter values. Others say this discretion should be exercised to discourage conduct that is harmful to labour relations.

The weakness in this approach, if one were inclined to attack it, is that arbitrators are taking a discretion that's about procedure and using it to provide a remedy for breach of substantive rights. On an orthodox view, substantive rights between parties to a collective agreement are governed by contract and arbitrators can't add to or subtract from an agreement.
The other problem is made plain from the Larocque case, which indicates the discretion to exclude relevant evidence is confined by the duty of fairness. Mr. Justice Lamer says, "the rule of autonomy in administrative decision making in administrative law had never had the effect of limiting the obligation on administrative tribunals to observe the requirements of natural justice." So arbitrators must be very careful in excluding evidence on any basis because their ultimate role is to hear the parties and find the truth, not to advance labour relations policy or individual rights at the expense of that process.

Question 2 - Is there an alternative?

Some arbitrators treat reasonableness as a prerequisite to the admissibility of surveillance evidence: if you can't establish the conduct of surveillance meets some form of reasonableness test it doesn't get in, whatever the impact on the hearing process.

If an arbitrator is going to exclude evidence, there should at least be a consideration of the overall impact of the exclusion decision on the administration of arbitral or workplace justice. This is reflected in some arbitral case law, but not clearly enough. There should always be a discussion about how exclusion will impact on justice between the parties. I'd be quite concerned about excluding surveillance evidence, for example, if the surveillance evidence reveals untrustworthy behavior and the employee is in a position of trust (e.g. with discretionary power over vulnerable persons). We need to account for this aspect of the problem if we are going to exclude.

Question 3 - What's the appropriate standard for conducting surveillance?

The standard should be a generalized rather than exacting standard. That is, an employer should not be required (like police are required) to have reasonable and probable grounds to believe that evidence of misconduct will likely be found.
A "reasonableness in all the circumstances" test is more appropriate because it can be employed more readily by laypersons: employers are not professional investigators like police. The interest at stake in a workplace investigation should not be discounted too greatly, but is a far more limited interest than that at stake in a criminal investigation.

A "reasonableness in all the circumstances" standard is flexible and allows for the consideration of factors that might make sense in the workplace. For example, it might make sense to consider the gravity of the misconduct, which would never be permitted under a criminal law analysis. It might also make sense to consider (as a threshold question) what kind of surveillance is contemplated: if we're talking about limited video surveillance at a single public event (a sporting event), it might be reasonable to conduct surveillance based on a generalized suspicion.

In much the same vein the "less intrusive means" criteria sometimes employed by adjudicators as a hurdle should only be part of the reasonableness analysis. This has become quite an offensive criterion for employers, particularly when it is applied to operational monitoring technologies (a biometric time clock, for example). Employers rightly feel entitled to use the best reasonable technology, even if it is more intrusive than another alternative.