USING ELECTRONIC MAIL AND THE INTERNET IN THE WORKPLACE:
A CANADIAN PERSPECTIVE ON
THE ISSUES, THE LAWS AND CORPORATE POLICIES

 

 

                     Presented at the American Bar Association Section

                                  Of International Law and Practice

                                             2003 Spring Meeting

 

                               The Internet and E-Commerce Primer

 

 

Robert L. Percival

Rosella Santilli

 

 

 

OGILVY RENAULT

Toronto, Ontario, Canada


TABLE OF CONTENTS

 TOC   \o "1-3"\f\x \* MERGEFORMAT I. INTRODUCTION PAGEREF _Toc40073384 \h 1

II. TWO PERSPECTIVES: EMPLOYER AND EMPLOYEE CONCERNS AND ISSUES PAGEREF _Toc40073385 \h 2

(a) Employees PAGEREF _Toc40073386 \h 2

(b) Employers PAGEREF _Toc40073387 \h 3

III. LEGAL ISSUES PAGEREF _Toc40073388 \h 5

(a) Privacy and the Monitoring of Employees PAGEREF _Toc40073389 \h 6

(i) Public Sector Privacy Legislation PAGEREF _Toc40073390 \h 6

(ii) Private Sector Privacy Legislation PAGEREF _Toc40073391 \h 7

(iii) Civil Actions PAGEREF _Toc40073392 \h 10

(iv) Criminal Invasions of Privacy PAGEREF _Toc40073393 \h 14

(b) Content and Use of E-mail and the Internet PAGEREF _Toc40073394 \h 14

(i) Loss of Productivity PAGEREF _Toc40073395 \h 15

(ii) Loss of Confidentiality PAGEREF _Toc40073396 \h 15

(iii) Viruses and Security Concerns PAGEREF _Toc40073397 \h 16

(iv) Workplace Harassment PAGEREF _Toc40073398 \h 17

(v) Tarnished Corporate Reputation PAGEREF _Toc40073399 \h 17

(vi) IP Infringement PAGEREF _Toc40073400 \h 18

(vii) Inefficient Network Performance PAGEREF _Toc40073401 \h 18

IV. DRAFTING EFFECTIVE CORPORATE E‑MAIL AND INTERNET POLICIES PAGEREF _Toc40073402 \h 18

(a) General Considerations PAGEREF _Toc40073403 \h 20

(b) Employee Acknowledgement PAGEREF _Toc40073404 \h 22

(c) Scope of Permitted Use By Employees PAGEREF _Toc40073405 \h 23

(d) Security Considerations PAGEREF _Toc40073406 \h 24

(e) Remote Access PAGEREF _Toc40073407 \h 25

(f) Specific Prohibited Activities PAGEREF _Toc40073408 \h 25

(g) Record Keeping and Back‑Ups PAGEREF _Toc40073409 \h 27

(h) Monitoring Employee Activities PAGEREF _Toc40073410 \h 27

(i) Breaches of the Technology Policy PAGEREF _Toc40073411 \h 28

(j) Ongoing Monitoring and Policy Review PAGEREF _Toc40073412 \h 29

V. CONCLUSION PAGEREF _Toc40073413 \h 30

SAMPLE EMPLOYEE POLICY ACKNOWLEDGEMENT AND CONSENT FORM PAGEREF _Toc40073414 \h 31

 


USING ELECTRONIC MAIL AND THE INTERNET IN THE WORKPLACE:
A CANADIAN PERSPECTIVE ON THE ISSUES, THE LAWS AND CORPORATE POLICIES

Prepared By:

Robert L. Percival

Rosella Santilli

OGILVY RENAULT
Toronto, Ontario, Canada

I.                   INTRODUCTION

The information age has provided business enterprises with powerful new workplace technologies, such as electronic mail (“e-mail”) and the Internet, providing such businesses and their employees with new tools to find, share and disseminate  information easier and at a cost that was only a short time ago unimaginable.  Electronic systems of this nature allow messages, information and data to be delivered to a mass audience simultaneously, while reducing the cost associated with paper transfers.  While employers and their employees may be reaping the benefits of such technological change, it has not been without some cost.  While e-mail and Internet tools may boost employee effectiveness and productivity, they also pose a threat to such effectiveness and productivity when utilized by employees for personal use during business hours.  Also, use of e-mail and the Internet for personal purposes raises employee privacy issues.  What degree of personal privacy can an employee expect to maintain when using their workplace e-mail system to discuss their personal life with friends and family either within or outside of the workplace?  Is using the Internet at work to hunt for recipes or monitor your stock portfolio appropriate employee behaviour?

Business may have legitimate reasons for limiting and monitoring employee e-mail and Internet use and employees may too have legitimate concerns about such restrictions and concerns about their personal privacy.  Many businesses have quickly realized that they must act in such a way so as to balance the competing business interests of the workplace with the needs and concerns of their employees so as to try and strike a balance between appropriate and non-appropriate use of workplace technologies.

To address the potentially competing interests and concerns of employers and employees, and the associated legal risks and liabilities, it is imperative that businesses develop, implement and enforce appropriate e-mail and Internet use policies for their workplace.  Establishing a policy helps to set the ground rules and expectations of both employer and employee concerning what is, and what is not, acceptable use of what are essentially tools of the business and will also indicate in advance what the repercussions of non-compliance will be.

II.                TWO PERSPECTIVES: EMPLOYER AND EMPLOYEE CONCERNS AND ISSUES

(a)               Employees

It is inevitable that regardless of a workplace policy employees will, to varying degrees, make use of the employer’s facilities for personal reasons.  Increasingly employees are working longer hours and in order to accomplish many of life’s tasks it is often necessary at work to use the telephone to call home or to e-mail an aunt in Edmonton or to use the Internet to order your groceries because it is 8:30 p.m., the store is closed and the milk is gone.  Practically speaking, absolute prohibitions on employee use of anything in the workplace for personal reasons, whether it be email, the Internet or anything else are destined to fail.  Most employees are cognizant of the fact, however, that it is necessary to strike the appropriate balance.

Perhaps the most significant concern that employees maintain is the extent to which their employer may monitor their use of workplace tools, such as e-mail and the Internet, and the impact that such monitoring has on their personal privacy and their continued employment.  Research has shown that employees generally have an expectation of privacy despite the fact that they are utilizing workplace equipment and networks. Many employees believe that access controls and security features of the workplace computer network or voicemail, such as personal passwords, do not permit the content of the electronic messages they send and received to be scrutinized by their employer.  Upon learning of an employer’s ability to monitor e-mail systems and Internet use, many employees fear that their employer’s perusal of the workplace electronic systems, even if  based on the legitimate business purposes of the employer, may ultimately become voyeuristic and exaggerate suspicion, going beyond what is actually necessary for business purposes.

Critics of electronic monitoring claim that such invasions of privacy may therefore backfire, interfering with employee productivity which is the result of deflated morale and rising tension levels.  Critics also argue that  the invasion of privacy that is created by monitoring has been linked to a number of different psychological and physical health problems including depression, boredom, fatigue, anger, anxiety, musculoskeletal problems and tension.

(b)               Employers

Employers purchase computer systems, provide access to the Internet and provide other workplace technology so that employees and the business will be more efficient.  Such technology is intended to be used for legitimate business purposes.  Personal use of workplace technology raises many concerns for employers among them:

·                    Loss of Productivity:  This is the most obvious concern.  Web surfing, on-line shopping, banking and games, bulletin boards and even simply circulating jokes amounts to significant time not spent attending to the employee’s job.

·                    Loss of Confidentiality:  The very ease and speed of e-mail communications should raise employers’ concerns about the leakage of confidential information and trade secrets.

·                    Viruses and Security Concerns:  Unwanted viruses that are attached to e-mail messages and jokes may severely damage or interrupt important corporate communications systems.

·                    Workplace Harassment:  Employers remain concerned that certain types of inappropriate e-mail and Internet use may lead to workplace harassment or discrimination.  Exposure to offensive materials on monitors or in e-mails may result in sexual harassment, racial harassment or a “poisoned” work environment which may result in criminal or civil liability for the employer.  

·                    Tarnished Corporate Reputation:  Employees surfing the Internet are surfing with the use of their employer’s IP address, traceable by many web sites that are visited. 

·                    IP Infringement:  Intellectual property infringement liability issues may arise in circumstances where employees download or disseminate certain material (such as music or videos) from the Internet for personal use without permission from the publisher.  Employees who break copyright laws using their employer-owned IP address, could put the employer at risk of lawsuits and/or fines.

·                    Inefficient Network Performance:  Internet misuse by employees can also lead to a decrease in the efficiency of computer network resources. 

In order to combat the myriad of concerns that e-mail and Internet use by employees may cause, whether as a result of personal or legitimate business use, many employers have begun to monitor use of the Internet and e-mail by their employees.  Employers argue that monitoring is necessary to guard against improper use of corporate resources, to protect against the leakage of confidential information of trade secrets, to protect against vicarious liability for harassment, discrimination, defamation, intellectual property infringement and other comparable activities, and to protect against unwanted viruses that may corrupt the electronic systems employed by the business.  Moreover, some employers contend that monitoring the electronic mail system may boost employee productivity, business efficiency and customer service.  Finally, employee monitoring is considered by many employers to be immune from reasonable privacy expectations, as the use of the electronic systems is in the ordinary course of employment.

III.             LEGAL ISSUES

The legal issues surrounding the use of e-mail and the Internet by employees can be broadly categorized into two classes: (i) legal issues surrounding the monitoring of an employee’s use by his or her employer; and (ii) legal issues involved with the content and use of e-mail communications and Internet. The objective of this section will not be an in depth analysis or resolution of these issues, but rather a survey of the potential legal problems that may arise from an employee’s use of e-mail and the Internet and the employer’s attempt to monitor the same.

(a)               Privacy and the Monitoring of Employees

There are essentially four areas in which an employer’s monitoring of its employees could run afoul of the law: (i) public sector privacy legislation; (ii) private sector privacy legislation; (iii) civil actions for invasion of privacy; and (iv) criminal invasions of privacy.

The law applicable to the monitoring of employee communications in the workplace suggests that employers who do wish to monitor such communications need to establish and communicate policies which clearly limit their employees’ expectations of privacy while engaged in the use of their employer’s workplace technologies.[1]

(i)                  Public Sector Privacy Legislation

The federal and provincial governments (with the exception of Prince Edward Island), have all enacted statutes governing the collection, use and disclosure of personal information by the public sector.[2] While these acts were adopted primarily to regulate the interaction between citizens and government they could potentially apply to the monitoring of government employees by their governmental employers. Where applicable, such monitoring would have to be in compliance with the act of the particular jurisdiction.

(ii)                Private Sector Privacy Legislation

(a)                Federal

The recently enacted Personal Information Protection and Electronic Documents Act, S.C. 2000, C-5 (“PIPEDA”) represents the first federally enacted privacy law with the objective of regulating the collection, use and disclosure of personal information in the private sector. PIPEDA presently applies only to federally regulated businesses and to companies subject to provincial legislation which disclose personal data for “consideration” across a provincial border.  As of January 2004, the Act will apply across the board to all personal information collected, used or disclosed in the course of commercial activities by all private sector organizations, except in the case where a province has enacted its own private sector legislation.  The obligations under PIPEDA are enforced by the Privacy Commissioner who is authorized to receive complaints, conduct investigations and issue reports on his findings.  Federal Privacy Commissioner George Radwanski has gone on the record stating that employees do have a reasonable expectation of privacy and that unless there is reason to suspect abuse, employers should find less privacy-intrusive means of regulation than monitoring[3].

As stated above, the essential activities that are regulated by PIPEDA are the collection, use and disclosure of personal information.  Such collection, use and disclosure are subject to two overriding restrictions:

(a)                unless such collection, use and disclosure falls within one of the exemptions specified in PIPEDA, the knowledge and consent of an individual is required before any collection, use or disclosure of personal information about that individual; and

(b)               even if appropriate consents are obtained, PIPEDA requires that such collection, use or disclosure must be limited to “purposes that a reasonable person would consider are appropriate in the circumstances”.

This overall reasonableness standard acts as a significant restriction on the ability of employers to conduct employee monitoring or surveillance.  Unless the monitoring is reasonable in all of the circumstances it will not satisfy PIPEDA, even if the employee has explicitly consented to the monitoring.

For example, in a recent decision (January 23, 2003) involving the installation by a railway company of video cameras in an attempt to combat vandalism in certain areas of the company’s premises, the Privacy Commissioner emphasized that, in considering whether the requirements of PIPEDA have been satisfied, he was required to examine both the appropriateness of the organization’s purpose in employing cameras and the circumstances surrounding those purposes.  [4]Although the Commissioner found that the purpose of reducing vandalism was reasonable, he analyzed the appropriateness of the use of cameras to address vandalism by asking the following questions:

·                    Is the measure demonstrably necessary to meet a specific need?

·                    Is it likely to be effective in meeting that need?

·                    Is the loss of privacy proportional to the benefit gained?

·                    Is there a less privacy-invasive way of achieving the same end?

In the result, the Commissioner determined that since the incidents of vandalism were in fact quite minor (most of the damage had been to the surveillance cameras themselves), and since the company had not seriously evaluated other less privacy-intrusive ways of addressing the problem, the use of the cameras was a violation of PIPEDA.  The Commissioner recommended that the cameras be removed.

In addition, the Commissioner noted that any use of the information collected by the cameras for purposes other than the stated ones of efficiency and safety (such as for employee discipline) would not be considered to be reasonable within the meaning of PIPEDA.

While the Federal Court has not yet considered this issue, this decision confirms that, at least in the view of the Commissioner, general monitoring of employees or employee work areas will not be permitted under PIPEDA.

(b)               Provincial

Several provincial governments are currently studying and considering enacting similar provincial personal privacy legislation and therefore, provincially regulated employers may in the short term face the prospect of complying with provisions very similar to PIPEDA’s in relation to the monitoring of their employee’s e-mail and Internet use irrespective of the fact that their commercial activities are only intra-provincially based.

In Ontario, the Ministry of Consumer and Business Services in conjunction with  the Ministry of Health and Long-Term Care have developed draft privacy legislation with the aim of providing privacy protection for businesses, non-governmental organizations and the health care sector.  The bill is currently in the consultation stage with the goal of being passed before January 2004 when the PIPEDA would otherwise apply to all commercial organizations in Ontario.  The draft legislation defines “personal information” very broadly so that employers may find it difficult to conduct any monitoring without infringement of the rules set out to protect “personal information”.  One such rule requires that employers obtain an employee’s consent prior to any monitoring in the workplace[5].

Presently, Quebec is the only province with legislation protecting personal information in the private sector. The Quebec Civil Code was modified in 1994[6] and contains provisions similar to those found in PIPEDA.

(iii)               Civil Actions

(a)                Statutory Tort for Invasion of Privacy

Several provinces have passed statutes that create a tort for the invasion of a person’s privacy.[7] Generally speaking, these torts apply where a person willfully and without claim of right violates the privacy of another. While such legislation has not been used very often, there is reason to believe that it could be applicable to the monitoring of an employee’s computer usage[8].

(b)               Common Law Tort for Invasion of Privacy

These provincial statutes aside, it is possible that a common law principle protecting privacy may exist in Canada. Indeed, as recognized in the seminal decision of the Supreme Court of Canada in Hunter v. Southam[9] and noted by Mandel J. in Roth v. Roth[10] there is “a right to be secure against encroachment upon citizen’s reasonable expectation of privacy in a free and democratic society”[11].  However, Mandel J also held that not all invasions of privacy give rise to a legal remedy.  Rather, a remedy was only available if “the invasion is substantial and of a kind that a reasonable person of normal sensitivity would regard as offensive and intolerable.”  Thus, an employee’s success in an action (whether under any common law principle that may exist or provincial statute establishing an invasion of privacy tort) claiming that the employer’s (e-mail) monitoring activities constitute a breach of personal privacy is likely dependent on proof that the employee’s expectation of privacy overrides the employer’s justifications for monitoring.

(c)                “A Reasonable Expectation of Privacy”

There has been limited case law in Canada dealing with the privacy of employee e-mail communication.  In the United States, most courts have held that the computer resources are owned by the employer and thus the employee has no reasonable expectation of privacy in his/her e-mail communications. In United States v. Angevine (2002) (No. 01-6097) the U.S. Court of Appeals for the 10th Circuit failed to uphold the privacy rights of a University of Oklahoma professor who downloaded more than 3,000 child pornography images on his office computer.  The Judge upheld a lower court’s denial of Angevine’s motion to suppress the pornographic images seized from his university computer on the grounds that his Fourth Amendment rights were violated.  The court ruled that he had no reasonable expectation of privacy given that the university policy explicitly stated that computers could be monitored by the school.  Further, the computer policy was displayed on a “splash screen” so that the computer user was warned that “all electronic mail messages are presumed to be public records and contain no right of privacy or confidentiality,” except as provided for in state or federal statutes, the court wrote.

However, even in the absence of an employee use policy, the employer may still be able to monitor an employee’s computer use.  In United States v. Slanina (2002) (No. 00-20926) the [12]5th Circuit Court upheld the city employee’s conviction for possession of child pornography. Slanina was the Fire Chief of Webster, Texas and had given consent for the information systems coordinator to access his computer for maintenance purposes which resulted in the discovery of significant child pornography. While the courts found that Slanina did have a reasonable expectation of privacy, the court held that the search was reasonable under the Fourth Amendment because an employer is entitled to take action necessary for the efficient operation of the workplace.

These findings are consistent with earlier U.S. case law:

·                    McLaren v. Microsoft Corporation (1999) WL 339015 (Tex. App), an employee was terminated by Microsoft Corporation for using the e-mail system for sexual harassment.  The employee then sued Microsoft for invasion of his privacy but the court dismissed the lawsuit stating that the e-mails were property of the company and thus reading these e-mails was not a breach of McLaren’s privacy rights.

·                    Smyth v. The Pillsbury Co. (1996), 914 F. Supp. 97, an employee used a company e-mail system to refer to the sales management of his employer and threatened to “kill the backstabbing bastards”.  He was terminated and he sued his employer for wrongful discharge alleging an invasion of his privacy.  The court dismissed his action and found that there was no reasonable expectation of privacy in the e-mail communications over a company-wide e-mail system.

·                    Bourke v. Nissan Motor Corp. No. B068705 (Cal. Ct. App. July 26, 1993) affirms the position in Smyth that an employer’s right to access employee e-mail prevails over an employee’s right to privacy over the contents of the e-mail.  The appellate [13]court, confirming the trial court’s granting of summary judgment in favour of Nissan Motor Corp., held that there was no reasonable expectation of privacy in e-mail messages received on the company system as the employees signed waivers which stated that the company policy restricted the use of  e-mail to business purposes only.  The appellate court recognized that although the use of safeguarded passwords may give rise to a subjective expectation of privacy, objectively these plaintiffs could not prove the existence of a reasonable expectation of privacy.

(iv)              Criminal Invasions of Privacy

Employers should be aware that s.184.5(1) of the Criminal Code makes it an offence to intercept private communications by means of any “electro-magnetic, accoustic, mechanical or other device”. This provision contains several exceptions, the most significant of which is the consent, express or implied, of either the originator or intended recipient of the communication. Thus, it would be prudent for employers to clearly post their e-mail and Internet use policies as well as obtain signed consent forms upon the initiation of employment. Such a course of action would also provide protection against prosecution under s.193(1) of the Criminal Code which makes it an offence to use or disclose private communications obtained without the consent of the originator or intended recipient.

Finally, employers should also be aware that s.342.1(1)(b) of the Criminal Code makes it an offence to fraudulently or without colour of right intercept (or cause to be intercepted) either directly or indirectly any computer service by means of any device.

(b)               Content and Use of E-mail and the Internet

Aside from the laws that employers should be aware of when attempting to monitor their employees' use of e-mail and the Internet, it is equally important to recognize that the legal issues raised by the use of e-mail and the Internet by employees for both personal and business purposes raise a number of concerns when one considers the potential content of those transmissions.  Employers may very well find themselves exposed to vicarious liability for defamation, copyright infringement and workplace harassment and discrimination due to the actions of their employees in certain situations.  Thus, it cannot be overstated how prudent it is for employers to prohibit these activities in their e-mail and Internet use policies.

(i)                  Loss of Productivity

The proliferation of e-mail and Internet use in the workplace has led to very real concerns that employee productivity may suffer. It is reported that, each week, Canadian spend 4.5 hours – more than half a working day – using the Internet for personal reasons.[14]  This “time theft” issue can be very problematic for a company that has to determine how liberal its e-mail and Internet use policy should be. However, a recent case in New Brunswick suggests it may be difficult to discipline employees for this behaviour. In New Brunswick Power Corp. v. Hadfield,[15] the New Brunswick Court of Queen’s Bench dismissed an application of an employer to quash an adjudicator’s decision to reinstate the employee to his position with the employer, imposing a seven-month suspension without pay for misappropriation of his employer’s time and resources for personal use, such as personal e-mails and phone calls during office hours.  In this case, the employee had previously been disciplined for having misappropriated the employer’s time and resources.

(ii)                Loss of Confidentiality

Another important concern for employers is that the ease with which e-mail is used and its ability to transfer information can undermine a company’s ability to protect its confidential information and trade secrets.  Employees, also tend to treat e-mail less formally than other forms of written communications.  This lack of employee vigilance when it comes to the dissemination of e-mails increases the likelihood that confidential information may be leaked.  In addition, even when an e-mail reaches its intended recipient, the recipient is free to send the e-mail to whomever he or she chooses.  Given the lack of control over the movement of e-mail and the ease with which it moves, it is easy to imagine how confidential information could slip outside of a corporation and into the hands of an unintended and potentially damaging recipient.

Not only do companies have to be concerned with the illicit interception of communications over un-secured Internet connections, but they must contend with the fact that things like corporate espionage have become easier to perform. A disgruntled employee suddenly has a powerful ability to steal the company’s intellectual property and trade secrets as a form of revenge or for the purpose of taking such information to a competitor. An even further threat is that if these matters are not taken seriously, a company could find itself in breach of confidentiality agreements it has entered into with third parties. Thus, there is a potential for legal liability where a company does not practice prudent security measures. Clearly, employers should attempt to minimize the risk of undesired exposure of confidential information.  Methods such as firewalls, keeping sensitive information off the network and on a protected system, using encryption systems for sending and storing information and generally educating and informing employees can go a long way to mitigating these risks.

(iii)               Viruses and Security Concerns

Viruses are not only dangerous and expensive because of their potential to damage network computers, but they may also result in security voids that enable hackers to gain access to corporate secrets and private information.

(iv)              Workplace Harassment

One of the more serious concerns surrounding an employee’s use of e-mail and the Internet is in relation to the inappropriate or offensive content of e-mails and Internet sites. This issue can create serious concern for an employer who could be subject to liability through the creation of a poisoned workplace. In these situations it may be important for the employer to act, and fortunately there is case law which indicates that inappropriate usage of the Internet and e-mail systems may be just cause for termination, depending on the circumstances of the case.

In Di Vito v. MacDonald Dettwiler & Associates Ltd.[16] (“Di Vito”), two employees were terminated for circulating inappropriate e-mail which involved a derogatory sexual description of an overweight female co-worker.  However, the British Columbia Supreme Court did not find that the actual sending of the e-mail amounted to just cause for termination of the employees.  Rather, their subsequent dishonesty relating to the transmission of the e-mail on more than one occasion persuaded the court that there was sufficient cause.  Otherwise, the transmission of the e-mail alone would not have been sufficient.  However, given the case law which has evolved in the United States (discussed above), that there was no mention as to a company policy regarding the usage of workplace electronic systems, perhaps the reasoning of the court may have differed in the event that a policy notifying employees was in place.

(v)                Tarnished Corporate Reputation

A visit to a questionable web site by an employee, is, in the eyes of that web site, a visit by that particular company.  Notwithstanding the issues such visits may raise (such as harassment and discrimination issues), many companies fear, understandably, the risk of media reports and publication that its employees are inappropriately using the Internet or visiting questionable websites.

(vi)              IP Infringement

Copyright infringement may be a very real source of vicarious liability for employers. Employees can and often do  use e-mail and the Internet to copy, post and transmit video, audio, pictures and software over and on the Internet without the proper permission of the copyright holder. If the employer is found to be knowingly encouraging or facilitating these actions, there is a possibility that the employer may be liable for contributory infringement.

(vii)             Inefficient Network Performance

The downloading of large amounts of information may result in the clogging of internal networks, thus slowing down the transfer of legitimate work-related information.  Similarly, misuse of e-mail can also cause a lull in network information transfers.  A U.S. study by GartnerGroup suggests that one third of employees’ e-mail time is wasted on jokes and gossip that can significantly clog up corporate networks[17].

IV.              DRAFTING EFFECTIVE CORPORATE E‑MAIL AND INTERNET POLICIES

Employers are faced with the difficult task of having to balance the competing interests of the need to maintain an efficient and productive work environment, free of harassment and discrimination, in a manner which protects its business interests with the needs and interests of its employees. The development and implementation of a workplace policy which addresses e‑mail and Internet use is a mechanism the employer can use to pro‑actively reduce the risk of liability and address the business needs and concerns of the employer while remaining sensitive to the personal and professional needs and concerns of its employees.

A well designed e‑mail and Internet use policy (a “Technology Policy” or “Policy”) will advise employees and provide guidelines on the appropriate uses of the employer’s e‑mail and Internet systems, clarify what expectations of privacy an employee should (or shouldn’t have), address the concerns of both the employer and employees alike and ultimately prevent potential conflicts (including legal conflicts) between employers and employees and other persons.

Employers are well advised to solicit the input and involvement of their employees in the development of a Technology Policy. Employee input will be critical to the employer’s understanding of its employees' professional and personal requirements and concerns. Employee participation will also serve to sensitize employees to the real business concerns that the employer maintains and will provide employees with a sense of control over the content of the Technology Policy. It is essential that employees ultimately recognize that the employer’s electronic communication systems, including e‑mail and Internet access, are company resources which are provided to the employee as a business tool and must be operated and treated in a manner which is consistent with other corporate resources.

Preparing a Technology Policy requires consideration of a multitude of factors. Technology Policies will differ depending on the specific business needs of each company, the reasonable expectations of its employees and a balancing of other material interests ‑ in other words, an employer must tailor its policy to its own unique needs.   What follows is a checklist of key issues that should be entertained by companies when drafting a Technology Policy.

(a)               General Considerations

Technology Policies should be reduced to writing to reduce the potential for misunderstandings and ambiguities. Language should be precise, clearly drafted and be unambiguous so that employees and employers are very clear on what is permissible use of the corporate technology resources and what is not. Poorly drafted or overly broad statements or prohibitions are recipes for future disputes between the employee and employer.

In order to set a constructive and positive tone, it may be useful to set out at the beginning of the Technology Policy what the purpose of the policy is. For example:

Purpose:  XYZ Co. is committed to providing a work environment that encourages the use of technology as essential tools to support XYZ Co.’s business. Electronic communications facilities used by employees in the course of their employment should be viewed as business assets, provided to improve communication, enhance efficiency, add value to our business and increase the quality of service provided to our clients. It is the responsibility of each employee to ensure that such technology is used in a professional and appropriate manner for the business purposes of XYZ Co., in a manner that is consistent with XYZ Co.’s other corporate policies and guidelines.

Technology Policies should be comprehensive and govern the use of all aspects of the employer’s technologies, including access to company computer systems and networks, telephone (including cellular telephones) and voice mail, e‑mail, access and use of the Internet and other similar technologies. The Technology Plan should be explicit about what technology and systems are intended to be covered by the policy.

In addition to a Technology Policy, employers will have a multitude of other policies designed to deal specifically with other matters which nonetheless will be related to the Technology Policy. For example, an employer may have harassment and discrimination policies, use of confidential information policies, communications policies, and data retention policies.  Where employers have multiple policies that overlap, it is imperative that prior to developing a Technology Plan, employers review all relevant corporate policies to ensure a consistent approach.

Employees should receive proper training in regard to all employer technology and any issues or implications surrounding the use of such technology.  Having a Technology Policy will not itself be sufficient and a lack of training could lead to a multitude of problems:

·                    For example, an employee might assume that once an e‑mail message has been transmitted or deleted, there is no record of such transmission or deletion.  However, in the case of a transmission a copy of the transmission may be saved and/or printed in a personal archive of both the sender and recipient and in the case of a deleted item, it may be saved as part of the employer’s daily system back‑up.

·                    Similarly, many employees remain unaware that their visits to most Internet sites are trackable, not only by the employer, but also by the web site visited.

·                    Many employees will be unaware of copyright infringement issues associated with the use of materials which have been downloaded from the Internet.

·                    Telephone conversations or data transmissions on cellular telephones are susceptible, in certain instances, to eavesdropping by other persons.

Employers should emphasize that employees continue to use good judgment in type, tone and content of communications when using corporate communications technology. Some forms of technology, particularly e‑mail, tend to foster a feeling of less formality which can lead to a degree of carelessness or inappropriateness that would rarely occur in more traditional forms of communication. E‑mail communications run the risk of being “fired off” without the realization that, like formally written letters, e‑mail is a form of communication that may have longevity and both short term and long‑lasting implications (both at a business and a legal level). Employees must ensure that e‑mail and similar forms of communications remain in line with acceptable standards of business conversation.

(b)               Employee Acknowledgement

Provide copies of the Policy to all employees of the business and ensure that the Policy has been reviewed and comprehended by all employees.

Ideally employees should upon the commencement of employment, execute an acknowledgement and agreement of the Policy as a condition of employment (see Attachment “A”).

Employers may consider linking the Policy to a screen that the employees open when they log on to the network.  This will provide employees ongoing written notification of the company’s rights in the information being transmitted over the company’s system by its employees.

(c)                Scope of Permitted Use By Employees

The scope or manner in which the employers’ technology systems may be used should be clearly enumerated.  The Technology Plan must provide a clear statement that such systems are the property of the employer and are provided to employees for business purposes and use.

If the employer is going to permit the personal use of its technology systems by employees (as discussed above it is unlikely, practically speaking, that employees will entirely refrain from such personal use or that an absolute prohibition is even desirable from an employee motivational perspective) clear and specific guidelines surrounding such use should be provided. Policies may range in this respect from zero tolerance to limited use.  To simply say that all activity must be “work‑related” may not be clear.  Employers should note that the appropriate usage may be harder to define in respect of Internet browsing, as it may not be possible to tell if a web page is relevant or appropriate until it has been read, as the operation of search engines may provide surprising and irrelevant search results.  Similarly, links from one web site to another may be misleading.

Considerations concerning the scope of permitted use may include:

·                    setting specific times for employee personal Internet / e‑mail use; during lunch hours, after business hours or on weekends only etc.

·                    a “reasonable use” guidelines on the amount of time spent during business hours attending to personal matters, such as personal e‑mail correspondence.

·                    prohibiting or indicating employee responsibility for any activity that results in charges to the employer, such as personal long distance telephone or fax charges.

(d)               Security Considerations

Employers should develop security practices and procedures to protect its technology systems from security breaches, viruses and employee misuse.

The Technology Policy may provide:

·                    that employees are required to log out at certain times (i.e. at lunch, the end of the work day etc.)

·                    that employees utilize passwords for their computers, voice mail, e‑mail, remote access etc.‑ passwords may be required to comply with certain minimum standards such as being a minimum of five characters.

·                    that employees change their passwords on a regular basis (alternatively the employer’s systems may automatically require the employee to change passwords on a regular basis) and that employees are prohibited from sharing their passwords with any other person.

·                    that employees subject documents received from external sources to virus scanning and protection software prior to using or saving to the corporate storage systems.

Where passwords are utilized in the workplace systems, the Technology Policy should clearly indicate that such passwords do not imply personal privacy to expressly bring to employee attention that passwords are not synonymous with privacy.

Employers should indicate that personal passwords do not protect against monitoring.

(e)                Remote Access

If the employer provides its employees with remote access to its technology, the Technology Policy should contemplate such access, provide that such access by the employee remains subject to the Policy (for example, if the employee logs into the employer systems remotely to use the employer’s Internet access connection, the same rules and prohibitions apply with respect to Internet use, notwithstanding the fact that it is the weekend and the employee is at home) and identify any additional specific considerations (for example, additional security precautions).

(f)                 Specific Prohibited Activities

If the employer wishes to prohibit certain types of use, such prohibitions should be specifically enumerated. For example, the Technology Policy might specifically prohibit:

·                    use of the employer’s systems for any form of illegal activity (such as hacking into third party or the employer’s systems).

·                    using the e‑mail system to distribute (internally or externally) obscene, profane, offensive, violent or hate related or similarly offensive materials.

·                    use of the employer’s systems to engage in activities that are discriminatory, harassing or defamatory.

·                    use of the employer’s systems to criticize the company, other employees, customers or suppliers.

·                    use of the employer’s systems to circulate chain e‑mail or spam.

·                    the use of personalized screen savers.

·                    the downloading of materials from the Internet that may expose the employer to infringement liability such as software, music, video and other property protected by intellectual property rights ‑ users of the Internet are often not aware that much of the material available on the Internet has been made available without the authority of the rights holder and that the downloading and use of such material may be illegal.

·                    the downloading of materials from the Internet that may cause damage or harm to the employer’s systems as a result of computer viruses or corrupted data or files.

·                    use of the employer’s systems to solicit (internally or externally) for non‑business related purposes (for example, soliciting donations for charity, advertising events, sale of personal items etc.)

·                    the establishment of external connections or links that could allow unauthorized persons access to the employer’s systems.

The employer may choose to have employees insert a standard disclaimer in all messages sent from the business’s virtual address such as “the opinions expressed in this message are those of the author and do not represent those of ABC Ltd.”

As a precaution, any materials downloaded should be scanned for potential viruses to protect the integrity of the electronic systems in place.

(g)               Record Keeping and Back‑Ups

Develop rules in regard to record keeping, backups and purges.  Due to the informal and uninhibited nature of e‑mail, employees and administrators should purge and delete unnecessary files periodically.  However, employees should be informed that using the computer’s delete key does not permanently eradicate the message.  Rather, deleted messages may still be discoverable by sophisticated computer programs.  Likewise, employees should be informed that visits to web sites are traceable.  Employers can record Internet activity by employees and, therefore, in order to limit employee expectation of privacy, employees should be advised of the use of such tracking programs.

(h)               Monitoring Employee Activities

The employer must reserve the right in the Technology Policy to monitor, review, audit and disclose employee’s use of its technology systems and any and all messages and communications that an employee sends or receives.

In order to eliminate any reasonable expectation of privacy, the Policy should not limit the employer’s reasons for monitoring as any such limitations could be argued to restrict the scope of the employee’s consent or awareness of such monitoring.

The Technology Policy should ensure that employees effect an express acknowledgement and consent to the employer’s monitoring.  In order to diminish the reasonable expectation of privacy, requiring employees to sign a form of consent will further eliminate any expectations of privacy in the information transmitted and should prevent employees from claiming that they were unaware of the Policy (see Attachment “A”).

The Policy may outline under what circumstances the employer will disclose the contents of the e‑mails and Internet browsing it has recorded.  Many businesses will only disclose such information when compelled during legal proceedings.

Where monitoring employee activities is deemed necessary in the circumstances, the employer may wish to consider using the least intrusive alternatives.  Direct observations of which the employee has knowledge are more acceptable to employees than are surreptitious surveillances.  Insidious monitoring should be limited to incidents of suspicion of criminal activity or blatant malfeasance.  Therefore, an employer may determine that reading every e‑mail message transmitted via company systems may not be necessary and may simply track which web sites are visited and the length of time elapsing for each visit.

Develop reasonable guidelines on the scope and extent of the monitoring capabilities of the employer.  The policy should be sensitive to employee concerns of invasion of privacy and, therefore, should indicate the degree of monitoring that the employees will be subjected to.

Inform employees of the basis for monitoring, such as the business’s accountability for all communications vacating the business’s addresses, both physical and virtual.

(i)                 Breaches of the Technology Policy

The Technology Policy should clearly outline sanctions that an employer is prepared to pursue for policy violations so that employees are aware of the consequences that may result from inappropriate activity. At a minimum it should provide that a violation may result in disciplinary action up to and including termination of employment. If the employer, for example, wishes to adopt a “zero‑tolerance policy” surrounding illegal activities or employee access to pornographic Internet sites, the Technology Policy should clearly state that such activity or type of Internet use by employees will be grounds for immediate dismissal.

Employers should also inform employees of penalties that may be imposed outside of the workplace, including sanctions under the Criminal Code of Canada[18] and the Copyright Act[19].

Where monitoring by an employer has revealed inappropriate employee conduct, the case law in this area indicates that the employer should ensure that any penalties imposed are proportionate to the conduct complained of.

Employers may wish to consider providing an impartial internal appeal or arbitration system so that employees have recourse against any adverse employment actions that are viewed by the employee to be unfounded or abusive.

(j)                 Ongoing Monitoring and Policy Review

Unfortunately the work is not done once the Technology Policy has been developed and implemented in the workplace. It is critical that the employer continue to monitor changes that occur both with respect to technology and the law to ensure that the Technology Plan remains current.

The Technology Policy should be revised, updated and reissued as necessary to reflect changes in technology and the law.

V.                 CONCLUSION

Amazing technological changes in the workplace have resulted in dramatic improvements to the efficiency and productivity of companies and their employees. Such technological improvements have, however, increasingly created and imposed new risks and hazards for employers and employees. Corporate awareness of the issues and risks and a pro‑active policy response that balances the business needs, concerns and risks of employers with the needs and concerns of its employees is essential for any employer utilizing technological tools such as e‑mail or the Internet in the workplace.

 


ATTACHMENT “A”

SAMPLE EMPLOYEE POLICY ACKNOWLEDGEMENT AND CONSENT FORM

I have read and understand XYZ Co.’s Policy on Technology Use attached to this Acknowledgement (the “Policy”) and, as a condition of my employment I agree to adhere to and abide by the terms of the Policy.

I understand and acknowledge that all information and data stored in, transmitted or received through XYZ Co.’s information technology and communication systems is the property of XYZ Co. and that authorized representatives of XYZ Co. may monitor my use of such systems and access any and all such information and data from time to time to ensure that such use is consistent with the terms of the Policy. I acknowledge that my use of passwords or similar protections does not restrict in any way XYZ Co.’s right or ability to access and monitor my use of such systems.

I am aware and acknowledge that any violation of the Policy may subject me to disciplinary action, up to and including the termination of my employment with XYZ Co.

 

 

 

Witness

 

Employee Signature

Name:

Date:

 



[1] For a useful resource, see “Privacy Protection Principles For Electronic Mail Systems” prepared by the Ontario Privacy Commissioner at http://www.ipc.on.ca/

[2] See for example: Freedom of Information and Protection of Privacy Act, R.S.O. 1990, F.31.

[3] V. Galt (2002).  Federal Privacy Commissioner Says Work e-mail Confidential.  [The Globe and Mail Online].  Available:  www.chebucto.ns.ca/`rakerman/articles/gm-Fed_priv_e-mail_confid.html [March 14, 2002].

[4] PIPEDA Act Case Summary #114 – Employee objects to Company's use of digital video surveillance cameras.  Issued January 23, 2003.  Available: www.privcom.gc.ca/cfdc/2003 [April, 2003].

[5] H. Levy (2002).  Draft Privacy Bill Flawed:  Lawyer. By Harold Levy [thestar.com].  Available: www.thestar.com [March 6, 2002].

[6] An Act respecting the protection of personal information in the private sector (Bill 68), S.Q. 1993, c.17.

[7] British Columbia, Saskatchewan and Newfoundland all have statutes of this nature.  See for example: Privacy Act, R.S.B.C., 1996 c.373.

[8] Richardson v. Davis Wire Industries Ltd.(1997) 33 B.C.L.R. (3d) 224 Kirkpatrick J. noted that where video tape surveillance in the workplace leads to a breach of the British Columbia Privacy Act it would provide a foundation for a claim in tort.

[9] [1984] 2 S.C.R. 145.

[10] (1991) 9 C.C.L.T. (2nd) 141 (Ont. Gen. Div.).

[11] Ibid.

[12] 283 F.3d 670, 2002

[13] Please note:  The California court has specified this case as unpublished.

[14] Canadian Inter@ctive Reid Report, April 2003, www.ipso-reid.com

[15] [1999] N.B.J. No. 477.

[16] [1996] B.C.J. No. 1436.

[17] C. Letemendia (2001).  Someone to Watch Over You:  Electronic Surveillance in the Workplace [Canada Computes Online Magazine].  Available:  www.canadacomputes.com/v3/print/1,1019,6966,00.html [March 11, 2002].

[18] R.S.C. 1985, Chap. C-46, as amended.

[19] R.S.C. 1985, Chap. C-42, as amended.