Due to COVID-19, teleworking has become the new norm in Canada and many parts of the world. In the traditional physical workplace, employers are generally permitted to take certain reasonable steps to observe or supervise what employees are doing throughout the day. In part, this is because the workplace is not considered a private space and it is normally reasonable for employers to exert control over what employees do in the workplace in the general course of their employment-related duties.
However, in a teleworking world, an employer's right or ability to monitor its employees is less clear. For teleworking employees, the lines between personal space and personal information, and work-related space and work information can often be blurred. For this reason, it is important for employers to take into account a number of considerations when monitoring teleworking employees while minimizing liability concerns.
What are employment-related monitoring technologies?
Employment-related monitoring technologies have been used by employers for some time. While these technologies are not new, applying these technologies to teleworking employees is relatively novel. The most typical monitoring technologies focus on monitoring computer, email, and telephone usage to assist in determining when employees are actively working and when they are not. Some employers utilize network software that can monitor the network, internet, and email usage of a large group of employee users, including recording the amount of time users are idle and not working, the frequency of internet surfing, and rates of incoming and outgoing emails and phone calls.
Using employment-related monitoring technologies has a number of benefits both for assisting in supervising employees working remotely and otherwise. Most commonly, monitoring technologies are used to keep track of log-in times and employee assiduity. These technologies can also provide employers with information on efficiency and productivity, network performance, and compliance with employer policies and applicable laws. Additionally, these technologies can assist employers in meeting their legal obligations in a remote working environment such as protecting the confidentiality of business information, and keeping records of work hours and overtime to comply with employment standards.
Moreover, employers can use such technologies to signal potential human rights issues related to employees. For example, a situation where an employee should, but has not, logged on for a notable period of time may signal to the employer that something is not okay, and in some cases, may trigger a duty to inquire under applicable human rights legislation or other laws, including with respect to mental health. This is especially the case where there's a reasonable belief an employee may be suffering from a mental health disability, including addiction.
These above-discussed forms of monitoring technologies differ, however, from more controversial technologies that can be referred to as "content monitoring" or "spyware." Technologies that allow employers to intercept communications, scan or capture images for content, monitor keystrokes, or covertly listen into phone calls are much more invasive and may be found overly intrusive and not justified for general use depending on the circumstances.
What considerations exist regarding a teleworking employee's reasonable expectation of privacy?
In a nutshell
In Canada, privacy law is governed by legislation, the common law, Quebec's civil law, as well as employment contracts and collective agreements. The federal jurisdiction, British Columbia, Alberta and Quebec all have provincial privacy legislation that governs the protection of personal information in the context of employment. As for Ontario, there is no overarching provincial privacy legislation governing the protection of employee personal information.
However, in 2016, the Ontario Court of Appeal recognized a tort of privacy invasion called "intrusion upon seclusion." which may impose requirements on employers akin to those found in other jurisdictions. Without specific legislation on the issue in Ontario, the guiding principles flowing from the federal Personal Information Protection and Electronic Documents Act are generally followed by employers in order to minimize risk and liability in this area. Undoubtedly, the application of privacy laws will depend on the factual matrix of any given situation. Employees may also have a reasonable expectation of privacy by virtue of a contract or collective agreement.
Monitoring teleworking employees can, in some cases, also have fundamental and human rights implications. Specifically in Quebec, privacy is included as a human right under the Quebec Charter of Rights and Freedoms. The Quebec Charter also enacts protections against unfair and unsafe working conditions that endanger health, safety and physical integrity.
Further, the Quebec Civil Code expressly provides for the right to privacy. The Civil Code provides that specific situations may be considered invasions of privacy, and one example is entering and taking anything in a person's dwelling, intentionally intercepting a person's private communications or keeping a person's private life under observation by any means.
Use of company devices and teleworking
In contrast to the physical workplace, the right to a reasonable expectation of privacy for teleworking employees is much more nuanced, as the lines between work and personal space can become blurred. Whether or not a teleworking employee has a reasonable expectation of privacy will depend on a constellation of factors, including whether or not they are using company or personal equipment and what level of monitoring an employer wishes to use. Indeed, the case law suggests an employee's reasonable expectation of privacy depends on the "totality of the circumstances," which generally includes the following:
- what information is being collected;
- how "personal" or sensitive the information is;
- whether the employee has a subjective expectation of privacy; and
- whether the subjective expectation of privacy is reasonable in the circumstances.
For teleworking, some employers have provided employees with company-owned devices with which to complete their work, while others may rely on employees to use personal devices, such as computers and phones.
In terms of company-owned devices, generally speaking, even where some personal use is allowed, employees may have a diminished but reasonable expectation of privacy for such use. When it comes to using employee personal devices to accomplish work, the law in this area remains fact specific and nebulous. Notably, however, the Supreme Court of Canada has held that, "[i]t is difficult to imagine a more intrusive invasion of privacy than the search of one's home and personal computer."1 That being said, while ownership is a relevant consideration in assessing an employee's reasonable expectation of privacy, it is not always determinative.
Indeed, other relevant and important considerations when assessing an employee's reasonable expectation of privacy may include the employer's policies, practices, and customs. As the Supreme Court of Canada has noted, "[t]hese 'operational realities' may diminish the expectation of privacy that reasonable employees might otherwise have in their personal information."2 But, as with ownership of the device being used, written policies alone are not always determinative and are generally considered together with the totality of the circumstances.
Perhaps one of the chief considerations when contemplating the implementation of monitoring technologies for teleworking employees is their consent. Consent, in most cases, may be implicitly or expressly obtained. In any case, the prudent employer would strive for transparency with employees, including with respect to monitoring techniques and expectations.
To mitigate potential risks in this area, employers should bear in mind some guidelines as best practices. For instance, the privacy commissioners of Canada, Alberta, and British Columbia promote certain guidelines on obtaining meaningful consent from employees. While other jurisdictions are not necessarily bound by these guidelines, employers who plan to monitor their employees in any way should be aware of these best practices. The guidelines include:
- Emphasizing key elements of policies in a comprehensive way, such as what personal information is being collected, who the information is being shared with, the purpose for collecting, using, or disclosing the information, and any risks and consequences associated with the collection, use, or disclosure thereof.
- Employers would be wise to provide a clear choice for employees to grant or withhold consent and employers must be prepared to explain why any collection, use, or disclosure is a condition of employment.
- Employers would be well advised to draft their policies and consent requests in a comprehensive and understandable way because consent is generally only valid where the employee understands what he or she is consenting to.
- Obtaining meaningful consent should be an ongoing process, and where circumstances change, as they have in light of COVID-19, employers must notify employees and obtain their consent prior to the changes taking effect.
Practical considerations and take-aways
In light of the privacy and human rights issues discussed above, employers may wish to carefully consider either creating or revising their existing applicable policies. To that end, some considerations employers can keep in mind include the following:
1. Develop a plan
- Develop or agree on a daily work schedule for each employee. Depending on the circumstances, schedules can differ from one employee to another. For example, an employee who has child care obligations may not be able to work the standard hours, but could certainly be expected to be online and working at different or accommodated times;
- Consider holding regular team meetings (including by video conference) to enable the team to discuss goals and connect with other employees;
- Establish clear and objective performance measures and goals;
- Establish milestone dates to keep projects on track and identify issues in a timely manner;
- Encourage social networking and remote social activities in a safe manner and;
- Address problems right away to prevent teleworkers from feeling like they are isolated.
2. Develop a policy
- Develop and disseminate clear employee privacy policies defining rights, obligations, reasonable expectations of privacy, monitoring techniques being used, as well as permissions and limitations, including in relation to electronic devices.
- Designate a privacy officer and resource person in information technology, human resources and/or management to whom employees can turn to should they have any questions or concerns.
3. Consult with employees
- Lawfully obtaining employee consent can be key in limiting employer liability and helping to ensure productivity in the workplace.
- As part of this exercise, consideration should be given to consultation strategies with employees to ensure they are aware of the monitoring techniques being used and understand their responsibilities in the remote workplace.
- In the labour context, introducing new or revisiting existing policies should be done in compliance with any applicable collective agreement, and, where possible, in consultation with the union or trade representative.
As it can be expected that many employees will continue to work remotely, on a part- or full-time basis, it can also be expected that their reliance on technology, including company-owned equipment, such as cell phones, computers, and more will continue. Given this reality, employers would be well served to promote a culture of transparency and trust with employees. Not only can this serve to facilitate consent, but there is evidence in the literature indicating that a strong employer-employee bond of trust and clear and meaningful communication can contribute to a more harmonious and respectful work environment.
The authors would like to thank summer students Emma Hammer, Elizabeth Kazakov and Florence Picard for their contributions to this legal update.
About Norton Rose Fulbright Canada LLP
Norton Rose Fulbright is a global law firm. We provide the world's preeminent corporations and financial institutions with a full business law service. We have 3800 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.
Recognized for our industry focus, we are strong across all the key industry sectors: financial institutions; energy; infrastructure, mining and commodities; transport; technology and innovation; and life sciences and healthcare.
Wherever we are, we operate in accordance with our global business principles of quality, unity and integrity. We aim to provide the highest possible standard of legal service in each of our offices and to maintain that level of quality at every point of contact.
For more information about Norton Rose Fulbright, see nortonrosefulbright.com/legal-notices.
Law around the world
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.