DAN MICHALUK

SPEAKING NOTES FOR CANADIAN INSTITUTE FOR ASSOCAITION OF

JUSTICE WORKPLACE PRIVACY PANEL
OCTOBER 15, 2014
The employer perspective on workplace privacy
In the workplace privacy context, to derive a privacy right we balance the employee
interest in protection of privacy and the employer interest in managing the workplace.
I have seven minutes to provide a general perspective on managements interest. And
the first of two points Ill make is that the management interest at play in any given
privacy dispute is typically much weightier than a mere economic interest.
Consider what the Supreme Court of Canada said in the Robichaud case. Youll recall
that this is the case in which it held that employers face a form of absolute liability for
workplace harassment. Heres what Mr. Justice La Forest said:
[Employer liability places] responsibility for an organization on those who
control it and are in a position to take effective remedial action to remove
undesirable conditions.
Robichaud, in 1987, signals that control a concept abhorred by privacy advocates can
be a good thing in the workplace. And between 1987 and the time the Supreme Court of
Canada decided the Cole workplace privacy case in October 2012 labour arbitrators
issued hundreds of decisions affirming sanctions for sending harassing and
inappropriate e-mails and for doing similarly poisoning things on work systems. This
misconduct was often discovered because of rudimentary system monitoring
technologies, mostly without dispute. When privacy was raised as an objection
disposed of the objection on a no expectation of privacy analysis that Cole has plainly
- 2 -
eradicated. Nonetheless, before and after Cole one can make a clear case for system
monitoring based on Mr. Justice LaForests invitation to control the workplace.
And if it is not enough to assert control over a work information system because of an
employers duty to provide a safe and harassment free workplace, today employers
have a far more compelling need to monitor and control the need for good data
security. With data security, having insight into and control over the data flowing
through a corporate information system is an end in and of itself. Corporations must
govern their data today. This is the second of the two points Ill make in this short
address.
I dont have time to set out a detailed proof, but let me explain the need for data control
or governance in broad terms by reference to the changed external and internal
environment.
External threat is increasing
Since 2012 the Obama administration has recognized cyber-security as a top
national security concern. It has warned businesses responsible for critical
infrastructure that they must be prepared to resist malicious attacks by cyber-
terrorists.
We have not yet experienced a North American cyber terrorist attack but we see
other evidence of malicious outsider activity on the daily news, with recent
payment card breaches at Target, Home Depot and now Kmart. The recent
compromise of the Chase Bank was particularly frightening to the Obama
administration because it was done by an unknown actor with the capability to
breach a highly-secure bank network.
So were not just loosing our corporate information any more (though that
happens lots). Bad people are trying to take it.
- 3 -
The internal challenge in securing networks is also much greater.
Theres more data on a corporate network. It used to be that a spike in network
traffic showed that something was wrong. Today, there is so much data flowing
in and out of a corporate network that its harder to see when there is a problem.
Also, organizations are also employing a greater variety of IT services. The only
way to keep business users working on a safe and secure network is to give
business users the tools they want to use. There are so many appealing consumer
options for business users that organizations have loosened their approach to IT
in order to compete. Organizations have allowed for a proliferation of devices
and software applications, each of which is associated with its own risks and, all
together, are quite hard to maintain a more boring locked down system.
So achieving good data security is an extreme challenge for corporations. And getting
back to my theme about the weightiness of the employer interest that supports
workplace monitoring, the interest in good data security is just an economic interest.
There is a genuine public interest in good data security. It is an interest about
custodianship and the duties owed by a person who is entrusted with sensitive
information at a time when the harm associated with loss and theft has become quite
foreseeable.
Ill end with a case example that illustrates this quite vividly. Its a 2014 class action
certification decision in which justice Robert Smith of the Ontario Superior Court of
Justice certified a class action against a bank. The claim was based on the bad acts of a
mortgage officer named Wilson who allegedly took customer information for the use of
fraudsters. In finding the plaintiff had made out a case for negligent supervision Justice
Smith made the following statement:
the Bank had the ability to monitor Wilsons activities and yet the Bank
admitted that it has done nothing to supervise the activities of its employees,
- 4 -
including Wilson, with regards to the access of customers confidential
information for improper purposes. The Bank was able to determine that on July
23, 2011, Wilson had accessed 47 customer profiles in about 46 minutes. The
Bank also knew that, on average, Wilson would normally access between 15 and
40 profiles a day. Wilson also attended at the office late at night to access
customer profiles on some occasions.
This is a great paragraph for what it illustrates.
First, that after an incident, an employers ability to view employee system use in fine
grained detail is highly relevant. Justice Smith is saying, if I may, the Court needs to
know why you, defendant, didnt employ a simple algorithm an alarm to flag that
Wilson was accessing about one profile a minute.
And second, that employers have a duty their customers, the public and (okay) their
shareholders (too), to supervise (which means watch) the behavior of employees to a
standard of due care. This is the incredibly important interest most affecting employers
right now. In crafting workplace privacy rights, it must not be discounted.
- 5 -
Talking points on Cole
Cole does not establish a workplace privacy right. It establishes an expectation of
privacy thats derived from personal use of a work system i.e., an interest that
supports a workplace privacy right thats yet to be defined. This could ultimately be a
right that impinges on a legitimate management interest. Or it could be a right that
prevents only truly obnoxious employer behavior! My view is that the expectation will
not and should not impinge significantly on management rights.
Why?
Because the expectation of privacy that has been recognized rests on personal use of a
work system, and personal use is a merely a convenience. Let me explain.
A number of parties who participated in Cole on the privacy rights side argued that
employees need to have private personal use nowadays because we all work so hard.
The Court did not endorse this rather argument in its decision, in my view, because it
was wary of suggesting that the Charter provides a right to employer-provided, secure
and private IT services. Thats a very radical proposition.
In reality were dealing with privacy impact resulting from the extension of a mere
convenience. We let employees engage in personal use because we know its a pain for
them to bring their iPads to work. Thats it. Our Charter-protected democracy will not
crumble without this convenience, which is why (ultimately) employers who tell their
employees to exercise their choice carefully should have a very strong ability to access
data their systems for legitimate purposes notwithstanding Cole.
- 6 -
Talking points on social media and off-duty conduct
The law does preserve a zone of privacy for off-duty expression that has special
expressive value, but most expression on social media can and should fall outside this
zone.
An employers jurisdiction is grounded in an impact on its legitimate interests. Two
employees can bitch about their manager in a bar with impunity because there is no
impact on the employer. Im sure we could find a psychologist to testify that this kind
of expression contributes to ones emotional well being and ought to be encouraged as a
matter of health policy and public interest. Once the conversation moves online,
however, there is an immediate likelihood of harm to the manager which engages the
employers interest and provokes a legitimate response.
The more subtle aspect of the law is that some employee expression that negatively
affects an employers interest and is nonetheless treated as private and beyond an
employers. This is expressed in the Supreme Court of Canadas decision in Fraser v
PSSRB, which says that public servants get to citizen government policy but must
exercise extreme caution so not to jeopardize the publics perception of their
impartiality, neutrality, fairness and integrity. Another example is a case called Taylor-
Baptiste from Ontario, in which the HRTO held that union blog posts that implied a
female manager slept her way to her position was legitimate union expression and
therefore did not constitute discrimination in respect of employment. So the law does
recognize a small protective space for certain expression that serves a valuable purpose
criticizing government policy, doing union business as Ive illustrated .
There are those that would argue that the value in online dialogue itself is of such value
in our society that this protected zone should grow. Im a social media user, but I still
think the value of the dialogue that I regularly see on my Facebook page warrants no
special protection. In fact, I think the public interest would be best served if we all look
up from our handheld devices, logoff our Facebook accounts and go back to the bar.
- 7 -
Intrusive conduct by third parties
Ill use this as an opportunity to make a brief point about the impact of the
cyberbullying phenomenon on employers.
Online disparagement often arises out of an individuals employment. Principals get
targeted by parents frequently. Teachers get targeted by students. Managers get
targeted by former employees. Ive represented our employer clients in respect of such
matters numerous times.
The standard response is:
to recognize the duty to provide a safe and harassment free work environment;
to open a discussion about the impact of the online disparagement on the work
environment and to offer appropriate remedial assistance (starting with
measures short of an internet takedown); and
to make clear that the employee is responsible for seeking a remedy on his or her
own and to recommend independent legal advice.
Drawing the distinction between responsibility for workplace harms (employers) and
reputational harms (individuals) is difficult for employers to draw, but has a sound
legal basis. It still leaves, however, a question about whether an employer is required, as
part of the duty to provide a safe and harassment free workplace, to either pursue
directly or provide financial support for an internet takedown. I think we all
understand, that at their worst, an action to remove something from the internet
(usually pleaded in defamation) can be an extremely costly and principled battle to the
death. The employer duty to takedown is therefore a duty employers are vary wary
of acknowledging. Also, employers might benefit from the same type of solution that
individuals are looking for an regime outside of the court system that facilitates the
cost effective, expeditious yet fair removal of content from the internet.
- 8 -
Geolocation issues
Geolocation privacy is an example of where the administrative law regime has
produced a relatively clear answer for employers and employees. We have consistent
decisions from privacy regulators and arbitrators that recognize that the geolocation
technology does is not particularly invasive and can be used for a variety of legitimate
purposes. There also seems to be a relatively clear proscription against continuous
monitoring of an employees location that most employers can live with.
- 9 -
Exclusion of evidence for privacy breach in arbitral context
This is about the exercise of arbitral discretion to exclude evidence that is collected by
an employer in breach of an employees privacy.
Question 1 Does an arbitrator have such a discretion to exclude for a privacy breach?
Yes, but the discretion is confined.
Let me explain the basis for the discretion to exclude for a privacy breach. Two bases.
Basis one. An arbitrator has a narrow discretion to exclude relevant evidence.
This is supported by the SCC decision in University du Quebec c Larocque.
Basis two. Some say this discretion should be exercised with a view to protecting
individual privacy out of respect for Charter values. Others say this discretion
should be exercised to discourage conduct that is harmful to labour relations.
The weakness in this approach, if one were inclined to attack it, is that arbitrators are
taking a discretion thats about procedure and using it to provide a remedy for breach
of substantive rights. On an orthodox view, substantive rights between parties to a
collective agreement are governed by contract and cant add or subtract to an
agreement.
The other problem is made plain from the Larocque case, which indicates the discretion
to exclude relevant evidence is confined by the duty of fairness. Mr. Justice Lamer says,
the rule of autonomy in administrative decision making in administrative law had
never had the effect of limiting the obligation on administrative tribunals to observe the
requirements of natural justice. So arbitrators must be very careful in excluding
evidence on any basis because their ultimate role is to hear the parties and find the
truth, not to advance labour relations policy or individual rights at the expense of that
process.
- 10 -
Question 2 Is there an alternative?
Some arbitrators treat reasonableness as a prerequisite the admissibility of
surveillance evidence: if you cant establish the conduct of surveillance meets some
form of reasonableness test it doesnt get in whatever the impact on the hearing process.
If an arbitrator is going to exclude evidence, there should at least be a consideration of
the overall impact of the exclusion decision on the administration of arbitral or
workplace justice. This is reflected in some arbitral case law, but not clearly enough.
There should always be a discussion about how exclusion will impact on justice
between the parties. Id be quite concerned about excluding surveillance evidence, for
example, if the surveillance evidence reveals untrustworthy behavior and the employee
is in a position of trust (e.g. with discretionary power over vulnerable persons ). We
need to account for this aspect of the problem if we are going to exclude.
Question 3 - Whats the appropriate standard for conducting surveillance?
The standard should be a generalized rather than exacting standard. That is, an
employer should not be required (like police are required) to have reasonable and
probable grounds to believe that that evidence of misconduct will likely be found.
A reasonableness in all the circumstances test is more appropriate because it can be
employed more readily by laypersons: employers are not professional investigators like
police. The interest at stake in a workplace investigation should not be discounted too
greatly, but is a far more limited interest than at stake than in a criminal investigation. A
reasonableness in all the circumstances standard is flexible and allows for the
consideration of factors that might make sense in the workplace. For example, it might
make sense to consider the gravity of the misconduct, which would never be permitted
under a criminal law analysis. It might also make sense to consider (as a threshold
question) what kind of surveillance is contemplated if were talking about limited
- 11 -
video surveillance at a single public event (a sporting event), it might be reasonable to
conduct surveillance based on a generalized suspicion.
In much the same vein the less intrusive means criteria sometimes employed by
adjudicators as a hurdle should only be part of the reasonableness analysis. This has
become quite an offensive criterion for employers, particularly when it is applied to
operational monitoring technologies a biometric time clock, for example. Employers
rightly feel entitled to use the best reasonable technology, even if it is more intrusive
than another alternative.