The Supreme Court of Canada has affirmed employer rights to
assert control over employee computer use, but with
Some employer-friendly principles are stated in today's
decision of R. v. Cole. They have to be untangled
from the criminal law and Charter of Rights context and
understood in light of the Court's statement "I leave for
another day the finer points of an employer's right to monitor
computers issued to employees". But there is help here for
employers trying to understand what they must do to ensure proper
use and control over computer resources provided to employees.
The Facts and the Criminal Case
A quick review of the facts:
Cole was a teacher with a school
board issued laptop. He was responsible for policing student use of
school networked laptops and so was permitted access to the hard
drives of student laptops.
School board policy:
allowed for incidental personal use
of the laptops,
specifically stated that
teachers' email was private, subject to certain conditions,
stated that all data and messages
generated on or handled by board equipment were the property of the
school board, and
warned users not to expect privacy in
A school board technician also had
access to all school board laptops. In the course of doing normal
maintenance on the laptop issued to Cole, the technician found a
folder with nude and partially nude photographs of an underage
The technician told the principal who
directed him to copy the photographs onto a CD. After consultation
with school board officials, the principal siezed the laptop, and
eventually another CD was made with a copy of temporary internet
The school board contacted the
police. The police took the CDs and the laptop without a
The criminal case against Cole turned
on the admissibility of evidence from the seized CDs and laptop.
The Supreme Court of Canada has now decided that the seizure by the
police of the second CD and the laptop was a breach of Cole's
Charter rights, but the administration of justice would
not be brought into disrepute by the evidence being admitted. The
matter is being sent back for a new trial in which all the evidence
from the CDs and laptop will be admissible.
The Employment Law Implications
This is not an employment law case as such, and not every
employer is directly subject to the Charter of Rights.
Nevertheless, here is what employers should think about from the
Cole case when addressing personal use of workplace
An employee may reasonably expect
privacy in the information on work computers where personal use is
permitted or reasonably expected.
Computers used for personal purposes,
and especially those conected to the internet, will reveal private
information at the heart of the "biographical core" of
personal informaiton which is protected by the
The "operational realities"
of the employer's policies, practices and customs may diminish,
but do not eliminate, the expectation of privacy.
In the circumstances of this case
(which include the responsibilities of a school relating to one of
the technician's search of the
laptop provided to Cole, and the principal's and school
board's search and seizure, were all authorized by law and
the school board was legally entitled
to inform the police of its discovery.
Employers should review their policies and practices regarding
personal use of computer resources. A blanket prohibtion of
personal use is probably not practical or enforceable, so it is
better to carefully and consistently manage personal use.
Review and communicate to employees the employer's interest
in the proper use – and the concerns about improper use - of
Purge policies of all ambiguity and ensure limits on expectation
of privacy are emphatically stated.
Review methods of communicating and reminding employees of the
policies. Ensure there is regular reinforcement of the message.
Monitor computer use to the extent required to ensure policies
are adhered to. Promptly and consistently deal with any
In the event of a breach, consider all the circumstances,
including the employer's legitimate concerns about its legal
obligations, operations and reputation.
A credit union (the "Employer") dismissed a helpdesk analyst (the "Analyst") with cause after discovering the Analyst had, without permission or authorization, remotely accessed another employee’s confidential document stored on the Employer’s network.
With security breaches being on the rise, the requirement to have organizations notify the relevant privacy commissioners and affected individuals upon a security breach taking place is becoming increasingly important.
The Office of the Privacy Commissioner of Canada has announced that the Federal Trade Commission, the UK Information Commissioner’s Office, the OPC and the Office of the Information and Privacy Commissioner for British Columbia and 15 other enforcement authorities worldwide are participating in an "Internet Privacy Sweep".