Recently, the Office of the Information and Privacy Commissioner (Alberta) issued an Order in which it sanctioned an employer, Moore's Industrial Service Ltd. (Moore's), for improperly accessing the personal web-based email account of one of its former employees, contrary to the Personal Information Protection Act (PIPA).
The complainant, a former employee of Moore's, returned a company-issued laptop computer upon his retirement. He mistakenly believed that he had "wiped" its hard drive before doing so. Moore's was then able to access his personal web-based email account as both his login and password remained available on the computer. The complainant eventually noticed that emails from this account were being forwarded to Moore's CEO and he concluded that Moore's had hacked into his email account. Personal information of others was accessed, but the Adjudicator confined her review to the complainant's situation, noting that others were free to make their own complaints if they wished to do so.
For its part, Moore's admitted that it had accessed the complainant's personal web-based email account but primarily defended on the following basis:
- the complainant had consented (implicitly) to the collection, use or disclosure of any personal information by returning the laptop with the login and password to the email account intact;
- the information in question was "personal employee information", so consent was not required for its collection, use or disclosure, and accessing such information was necessary to enforce a termination agreement that had been entered into between Moore's and the complainant;
- the information reviewed was limited and confined to information concerning Moore's business;
- the information was accessed to ensure that the complainant was complying with the terms of the termination agreement between the parties in which he agreed that he would not contact customers or discuss its business, suggesting that consent was not required because the collection, use or disclosure was reasonable for the purposes of an investigation (ss. 14(d), 17(d) and 20(m) of PIPA, respectively).
The Adjudicator found that:
- a login ID and password for a personal email account are personal information for the purposes of PIPA;
- with whom someone corresponds by email is personal information;
- the information was not "personal employee information". As a former employee, the only basis upon which it could possibly be considered to be personal employee information would be if it were necessary to "manage" the post-employment relationship. Even if enforcing a termination agreement could be considered a part of managing the post-employment relationship, the information had to be reasonably required for that purpose. The Adjudicator concluded that without any reason or basis to suspect a violation by the complainant of the termination agreement, the ongoing surveillance could not be justified. She also noted that even if Moore's had had reason to suspect a breach of the termination agreement, such surveillance may not have been reasonable;
- the investigation exemption was not available because no breach of the termination agreement had occurred or was likely to occur and it was not reasonable for Moore's to conduct an investigation to determine whether he had breached such agreement. The Adjudicator also noted that even had there been a breach, such access still may not have been reasonable;
- the complainant had not consented to Moore's accessing his email, finding that just because he returned the laptop with his login and password to his personal web-based email account intact, it was not reasonable for Moore's to conclude that he intended for Moore's to access his email on an ongoing basis and that the more reasonable conclusion was that he simply neglected to delete such information as he had tried to do; and
- Moore's continued access of the complainant's personal information was far from being a reasonable collection, use or disclosure of personal information and that it was "excessively invasive and patently unreasonable".
Accordingly, the Adjudicator ordered Moore's to stop collecting, using or disclosing the complainant's personal information and to train its staff on the appropriate management of personal information.
While the remedy in this case was little more than an embarrassing slap on the wrist for the employer, it should be noted that the complainant is not precluded from bringing further legal action against his former employer for damages for loss or injury suffered as a result of PIPA breaches. Such a claim would be similar to the "intrusion upon seclusion" tort claim advanced in the Ontario Court of Appeal's decision in Jones v. Tsige (described in detail in a previous post). The door is also open for other PIPA complaints from the others whose personal information was improperly collected, used or disclosed.
This case also serves as a reminder that privacy policies need to be carefully crafted and well thought out to ensure that they adequately address expectations of privacy. The existence (or lack thereof) of a considered policy that clearly addresses privacy expectations was noted as an important, albeit not determinative, factor in the Supreme Court of Canada's 2012 decision in R. v. Cole (also described in detail in a previous post). As a new year's resolution, employers may want to dust off and revisit their privacy and technology use policies to ensure that they are keeping pace with legal and technological developments and will accomplish what is intended. While it is unlikely that a policy in this case would have given Moore's the right to access and monitor its employees' personal web-based email accounts, the proper usage of company laptops and the employee's expectation of privacy relating to such laptops is something that typically would be covered off in an effective policy.