Employees frequently use company-issued devices, including desk-tops, laptops, and mobile devices, to access their personal email account, Facebook account, or other social media. How much, if any, of that information is an employer entitled to see?
Moore’s admitted that it had indeed accessed the complainant’s personal email account. However, in its defence, it argued that the complainant’s login and password information was stored on the company laptop and therefore the complainant was deemed to have consented to the Company using that information to gain access to his personal email. The Company also argued that monitoring of the complainant’s emails was justified because of concerns that the complainant might breach his termination agreement.
The adjudicator confirmed that an individual’s personal email login ID, password as well as the content of one’s emails is ‘personal information’ that cannot be accessed, used or collected without the individual’s consent.
The adjudicator acknowledged that PIPA permits employers to collect ‘personal employee information,’ including information about former employees, for certain limited purposes. However, even if Moore’s suspected that the complainant breached his termination agreement, going to the measure of accessing his personal emails was not reasonable in the circumstances. Furthermore, storing login and password information on the company laptop could not be considered consent to monitoring the complainant’s personal email account. The adjudicator concluded that Moore’s actions were “excessively invasive and patently unreasonable” and were a breach of PIPA. The Company was ordered to stop collecting, using or disclosing the Complainant’s personal information. It was also ordered to provide training to employees concerning the appropriate management of personal information.
A company’s ownership of workplace devices, including laptops or mobile phones, does not confer an unfettered right to access, use or collect an employee’s personal information that may be stored on such devices.
While Moore’s was admonished for its actions, the penalty issued was relatively minor. Employers should be cautioned that viewing an employee’s personal web-based email or social media account without consent may welcome liability for a breach of privacy rights, particularly in light of recent developments in the area of privacy law.
In 2012, the Ontario Court of Appeal established a new privacy tort ‘intrusion upon seclusion’, allowing individuals to sue for invasion of privacy. In addition, in 2012 the Supreme Court of Canada recognized that individuals may have a reasonable expectation of privacy to the personal information stored on employer-issued laptops. Finally, improper access and collection of personal information may be a breach of applicable privacy legislation.