We wrote about this in two previous HRLaw blogs: Workplace Confidentiality: More about insisting on privacy! and If you expect privacy and confidentiality at the workplace – take steps to get it!. Both blogs dealt with a British Columbia Decision that was recently appealed from to the Court of Appeal. The Court of Appeal dispensed with the matter in a decision released last month at Steel v. Coast Capital Savings Credit Union 2014 BCCA 127. That decision is 14 pages long and deserves a full-read. Below is our summary of salient points from the decision.

What happened

The appellant was a Helpdesk Analyst in the IT department. In this role, she had special access to the respondent's network including "Personal Folders" that were confidential and could only be read by the employee assigned to a file. Here's what the Court said about the appellant's employment and the respondent's view of privacy and confidentiality at its workplace:

[20] The appellant was fired from her employment of 21 years for accessing a confidential document contrary to internal privacy protocols. She was part of the Helpdesk team which provided internal technical assistance to other employees of the respondent. The appellant was in a position that required the complete trust of the respondent. Notably, she worked unsupervised in her day-to-day functions and was one of only a handful of people that had complete access to the respondent's computer system. As a result, she had unfettered access to every document and file on the system, including the private and personal files of the respondent's employees.

[21] The respondent took privacy and confidentiality very seriously. All of its employees were assigned personal folders which were kept on the network and were to be used solely by that employee. The folders were intended to be used for confidential information (personal and business) pertaining to the company. Employees were forbidden from accessing anyone else's emails or files without permission.

At trial, the trial judge found that there was just cause to terminate the employee. On appeal the Court considered:

  • whether the leading case of McKinley was correctly followed; and
  • a subsidiary issue of whether the trial judge correctly elevated the standard of trust on the basis that the respondent is a financial institution.

What the Court of Appeal said

McKinley

The trial judge applied the McKinley analysis properly. The Court said:

In my view, the trial judge did not err in principle in applying the McKinley analysis. As the above-cited passage illustrates, she applied a contextual approach and considered whether the nature of the misconduct, which the appellant admitted was the result of a deliberate choice, was reconcilable with a continuing employment relationship. ...

Standard of Trust

The Court found it was open to the trial judge to find that a "fundamental obligation" of an employee placed that employee in a position of substantial trust relationship:

The trial judge was aware of the length of the appellant's service, which she noted at para. 3 of her reasons, and the seriousness of the transgression, all of which she considered in the circumstances of the employment relationship and the respondent's clear policy on privacy-related matters. The record established that accessing confidential documents only in accordance with the privacy policy of the respondent was a fundamental obligation of a Helpdesk employee. It was open to the trial judge to find that this fundamental obligation placed the appellant in a position of substantial trust, and made the continuing existence of that trust fundamental to the viability of the employment relationship. In addition, it was open to the trial judge to find that, in the circumstances of the case before her, breach of the confidentiality policy and failure to follow Helpdesk protocols resulted in a fundamental breakdown of the employment relationship.

What this means for employers?

If privacy and confidentiality is a fundamental obligation in the workplace, ensure you have and maintain policies specifically dealing with access to information at your workplace. This is more critical in industries where trust is of central importance (e.g., banking or healthcare) and particularly necessary where an employee has unsupervised access to an IT system.

In your annual review process, review privacy and confidentiality policies and ensure there is acknowledgement by employees that they are aware of them. Any report of questionable access should be properly investigated and if an employee is found to be in violation of your policies and discipline is warranted, apply your policy evenly and consistently.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.