Company monitoring of former employee’s personal email considered unlawful

Employees frequently use company-issued devices, including desktops, laptops, and mobile devices, to access their personal email accounts, Facebook accounts, or other social media. How much, if any, of that information is an employer entitled to see?

In a recent decision, the Alberta Office of the Privacy Commissioner held that accessing a former employee’s personal web-based email account contravened Alberta’s Personal Information Protection Act (PIPA). The case involved a complaint against Moore’s Industrial Service Ltd. by a former employee who had entered into a termination agreement in which he promised not to contact any customers or discuss the Company’s business with anyone. Upon his departure, the complainant returned a company-owned laptop. The complainant had used that laptop to access his personal web-based email account, and the login and password to his personal account were stored on the laptop. Following the return of the laptop, the complainant discovered that the CEO of Moore’s had used the login and password information to gain access to the complainant’s personal email account. The Company did have a privacy policy; however, it was silent about monitoring personal email accounts.

Moore’s admitted that it had indeed accessed the complainant’s personal email account. However, in its defence, it argued that the complainant’s login and password information was stored on the company laptop and therefore the complainant was deemed to have consented to the Company using that information to gain access to his personal email. The Company also argued that monitoring of the complainant’s emails was justified because of concerns that the complainant might breach his termination agreement.

Decision

The adjudicator confirmed that an individual’s personal email login ID and password, as well as the content of one’s emails, are ‘personal information’ that cannot be accessed, used or collected without the individual’s consent.

The adjudicator acknowledged that PIPA permits employers to collect ‘personal employee information,’ including information about former employees, for certain limited purposes. However, even if Moore’s suspected that the complainant breached his termination agreement, taking the step of accessing his personal emails was not reasonable in the circumstances. Furthermore, storing login and password information on the company laptop could not be considered consent to monitoring the complainant’s personal email account. The adjudicator concluded that Moore’s actions were “excessively invasive and patently unreasonable” and were a breach of PIPA. The Company was ordered to stop collecting, using or disclosing the complainant’s personal information. It was also ordered to provide training to employees concerning the appropriate management of personal information.

Take-away
A company’s ownership of workplace devices, including laptops or mobile phones, does not confer an unfettered right to access, use or collect an employee’s personal information that may be stored on such devices.

While Moore’s was admonished for its actions, the penalty issued was relatively minor. Employers should be cautioned that viewing an employee’s personal web-based email or social media account without consent may invite liability for a breach of privacy rights, particularly in light of recent developments in the area of privacy law.

In 2012, the Ontario Court of Appeal established a new privacy tort, ‘intrusion upon seclusion’, allowing individuals to sue for invasion of privacy. In addition, in 2012 the Supreme Court of Canada recognized that individuals may have a reasonable expectation of privacy in the personal information stored on employer-issued laptops. Finally, improper access and collection of personal information may be a breach of applicable privacy legislation.

As a result, employers should consider putting in place a comprehensive privacy policy to manage employee expectations regarding personal information stored on company devices. Caution should be applied when viewing personal email or social media accounts without an individual’s knowledge and express consent. There may be limited circumstances, however, when monitoring may be lawful for legitimate investigation purposes or management of the employment relationship. Companies should obtain legal advice before doing so.