Ciaj Notes

8/10/2019 Ciaj Notes

1/11

DAN MICHALUK

SPEAKING NOTES FOR CANADIAN INSTITUTE FOR ASSOCAITION OF

JUSTICE WORKPLACE PRIVACY PANEL

OCTOBER 15, 2014

The employer perspective on workplace privacy

In the workplace privacy context, to derive a privacy right we balance the employee

interest in protection of privacy and the employer interest in managing the workplace.

I have seven minutes to provide a general perspective on managements interest. And

the first of two points Ill make is that the management interest at play in any givenprivacy dispute is typically much weightier than a mere economic interest.

Consider what the Supreme Court of Canada said in the Robichaudcase. Youll recall

that this is the case in which it held that employers face a form of absolute liability for

workplace harassment. Heres what Mr. Justice La Forest said:

[Employer liability places] responsibility for an organization on those who

control itand are in a position to take effective remedial action to remove

undesirable conditions.

Robichaud, in 1987, signals that control a concept abhorred by privacy advocates can

be a good thing in the workplace. And between 1987 and the time the Supreme Court of

Canada decided theColeworkplace privacy case in October 2012 labour arbitrators

issued hundreds of decisions affirming sanctions for sending harassing and

inappropriate e-mails and for doing similarly poisoning things on work systems. Thismisconduct was often discovered because of rudimentary system monitoring

technologies, mostly without dispute. When privacy was raised as an objection

disposed of the objection on a no expectation of privacy analysis that Colehas plainly


2/11

- 2 -

eradicated. Nonetheless, before and afterColeone can make a clear case for system

monitoring based on Mr. Justice LaForests invitation to control the workplace.

And if it is not enough to assert control over a work information system because of an

employers duty to provide a safe and harassment free workplace, today employers

have a far more compelling need to monitor and control the need for good data

security. With data security, having insight into and control over the data flowing

through a corporate information system is an end in and of itself. Corporationsmust

govern their data today. This is the second of the two points Ill make in this short

address.

I dont have time to set out a detailed proof, but let me explain the need for data control

or governance in broad terms by reference to the changed external and internal

environment.

External threat is increasing

Since 2012 the Obama administration has recognized cyber-security as a top

national security concern. It has warned businesses responsible for critical

infrastructure that they must be prepared to resist malicious attacks by cyber-

terrorists.

We have not yet experienced a North American cyber terrorist attack but we see

other evidence of malicious outsider activity on the daily news, with recent

payment card breaches at Target, Home Depot and now Kmart. The recent

compromise of the Chase Bank was particularly frightening to the Obama

administration because it was done by an unknown actor with the capability to

breach a highly-secure bank network.

So were not just loosing our corporate information any more (though that

happens lots). Bad people are trying to take it.


3/11

- 3 -

The internal challenge in securing networks is also much greater.

Theres more data on a corporate network. It used to be that a spike in network

traffic showed that something was wrong. Today, there is so much data flowing

in and out of a corporate network that its harder to see when there is a problem.

Also, organizations are also employing a greater variety of IT services. The only

way to keep business users working on a safe and secure network is to give

business users the tools they want to use. There are so many appealing consumer

options for business users that organizations have loosened their approach to IT

in order to compete. Organizations have allowed for a proliferation of devices

and software applications, each of which is associated with its own risks and, all

together, are quite hard to maintain a more boring locked down system.

So achieving good data security is an extreme challenge for corporations. And getting

back to my theme about the weightiness of the employer interest that supports

workplace monitoring, the interest in good data security is just an economic interest.

There is a genuine public interest in good data security. It is an interest about

custodianship and the duties owed by a person who is entrusted with sensitiveinformation at a time when the harm associated with loss and theft has become quite

foreseeable.

Ill end with a case example that illustrates this quite vividly. Its a 2014 class action

certification decision in which justice Robert Smith of the Ontario Superior Court of

Justice certified a class action against a bank. The claim was based on the bad acts of a

mortgage officer named Wilson who allegedly took customer information for the use of

fraudsters. In finding the plaintiff had made out a case for negligent supervision Justice

Smith made the following statement:

the Bank had the ability to monitor Wilsons activities and yet the Bank

admitted that it has done nothing to supervise the activities of its employees,


4/11

- 4 -

including Wilson, with regards to the access of customers confidential

information for improper purposes. The Bank was able to determine that on July

23, 2011, Wilson had accessed 47 customer profiles in about 46 minutes. The

Bank also knew that, on average, Wilson would normally access between 15 and40 profiles a day. Wilson also attended at the office late at night to access

customer profiles on some occasions.

This is a great paragraph for what it illustrates.

First, that after an incident, an employers ability to view employee system use in fine

grained detail is highly relevant. Justice Smith is saying, if I may, the Court needs to

know why you, defendant, didnt employ a simple algorithm an alarm to flag that

Wilson was accessing about one profile a minute.

And second, that employers have a duty their customers, the public and (okay) their

shareholders (too), to supervise (which means watch) the behavior of employees to a

standard of due care. This is the incredibly important interest most affecting employers

right now. In crafting workplace privacy rights, it must not be discounted.


5/11

- 5 -

Talking points on Cole

Coledoes not establish a workplace privacy right. It establishes an expectation of

privacy thats derived from personal use of a work system i.e., an interest that

supports a workplace privacy right thats yet to be defined. This could ultimately be a

right that impinges on a legitimate management interest. Or it could be a right that

prevents only truly obnoxious employer behavior! My view is that the expectation will

not and should not impinge significantly on management rights.

Why?

Because the expectation of privacy that has been recognized rests on personal use of a

work system, and personal use is a merely a convenience. Let me explain.

A number of parties who participated inColeon the privacy rights side argued that

employees need to have private personal use nowadays because we all work so hard.

The Court did not endorse this rather argument in its decision, in my view, because it

was wary of suggesting that theCharterprovides a right to employer-provided, secure

and private IT services. Thats a very radical proposition.

In reality were dealing with privacy impact resulting from the extension of a mere

convenience. We let employees engage in personal use because we know its a pain for

them to bring their iPads to work. Thats it. Our Charter-protected democracy will not

crumble without this convenience, which is why (ultimately) employers who tell their

employees to exercise their choice carefully should have a very strong ability to access

data their systems for legitimate purposes notwithstandingCole.


6/11

- 6 -

Talking points on social media and off-duty conduct

The lawdoespreserve a zone of privacy for off-duty expression that has special

expressive value, but most expression on social media can and should fall outside this

zone.

An employers jurisdiction is grounded in an impact on its legitimate interests. Two

employees can bitch about their manager in a bar with impunity because there is no

impact on the employer. Im sure we could find a psychologist to testify that this kind

of expression contributes to ones emotional well being and ought to be encouraged as a

matter of health policy and public interest. Once the conversation moves online,

however, there is an immediate likelihood of harm to the manager which engages the

employers interest and provokes a legitimate response.

The more subtle aspect of the law is that some employee expression that negatively

affects an employers interest and is nonetheless treated as private and beyond an

employers. This is expressed in the Supreme Court of Canadas decision in Fraser v

PSSRB, which says that public servants get to citizen government policy but must

exercise extreme caution so not to jeopardize the publics perception of their

impartiality, neutrality, fairness and integrity. Another example is a case calledTaylor-

Baptistefrom Ontario, in which the HRTO held that union blog posts that implied a

female manager slept her way to her position was legitimate union expression and

therefore did not constitute discrimination in respect of employment. So the law does

recognize a small protective space for certain expression that serves a valuable purpose

criticizing government policy, doing union business as Ive illustrated .

There are those that would argue that the value in online dialogue itselfis of such value

in our society that this protected zone should grow. Im a social media user, but I still

think the value of the dialogue that I regularly see on my Facebook page warrants no

special protection. In fact, I think the public interest would be best served if we all look

up from our handheld devices, logoff our Facebook accounts and go back to the bar.


7/11

- 7 -

Intrusive conduct by third parties

Ill use this as an opportunity to make a brief point about the impact of the

cyberbullying phenomenon on employers.

Online disparagement often arises out of an individuals employment. Principals get

targeted by parents frequently. Teachers get targeted by students. Managers get

targeted by former employees. Ive represented our employer clients in respect of such

matters numerous times.

The standard response is:

to recognize the duty to provide a safe and harassment free work environment;

to open a discussion about the impact of the online disparagement on the work

environment and to offer appropriate remedial assistance (starting with

measures short of an internet takedown); and

to make clear that the employee is responsible for seeking a remedy on his or her

own and to recommend independent legal advice.

Drawing the distinction between responsibility for workplace harms (employers) and

reputational harms (individuals) is difficult for employers to draw, but has a sound

legal basis. It still leaves, however, a question about whether an employer is required, as

part of the duty to provide a safe and harassment free workplace, to either pursue

directly or provide financial support for an internet takedown. I think we all

understand, that at their worst, an action to remove something from the internet

(usually pleaded in defamation) can be an extremely costly and principled battle to the

death. The employer duty to takedown is therefore a duty employers are vary wary

of acknowledging. Also, employers might benefit from the same type of solution that

individuals are looking for an regime outside of the court system that facilitates the

cost effective, expeditious yet fair removal of content from the internet.


8/11

- 8 -

Geolocation issues

Geolocation privacy is an example of where the administrative law regime has

produced a relatively clear answer for employers and employees. We have consistent

decisions from privacy regulators and arbitrators that recognize that the geolocation

technology does is not particularly invasive and can be used for a variety of legitimate

purposes. There also seems to be a relatively clear proscription against continuous

monitoring of an employees location that most employers can live with.


9/11

- 9 -

Exclusion of evidence for privacy breach in arbitral context

This is about the exercise of arbitral discretion to exclude evidence that is collected by

an employer in breach of an employees privacy.

Question 1 Does an arbitrator have such a discretion to exclude for a privacy breach?

Yes, but the discretion is confined.

Let me explain the basis for the discretion to exclude for a privacy breach. Two bases.

Basis one. An arbitrator has a narrow discretion to exclude relevant evidence.

This is supported by the SCC decision inUniversity du Quebec c Larocque.

Basis two. Some say this discretion should be exercised with a view to protecting

individual privacy out of respect forChartervalues. Others say this discretion

should be exercised to discourage conduct that is harmful to labour relations.

The weakness in this approach, if one were inclined to attack it, is that arbitrators are

taking a discretion thats about procedure and using it to provide a remedy for breach

of substantive rights. On an orthodox view, substantive rights between parties to acollective agreement are governed by contract and cant add or subtract to an

agreement.

The other problem is made plain from theLarocquecase, which indicates the discretion

to exclude relevant evidence is confined by the duty of fairness. Mr. Justice Lamer says,

the rule of autonomy in administrative decision making in administrative law had

never had the effect of limiting the obligation on administrative tribunals to observe the

requirements of natural justice. So arbitrators must be very careful in excluding

evidence on any basis because their ultimate role is to hear the parties and find the

truth, not to advance labour relations policy or individual rights at the expense of that

process.


10/11

- 10 -

Question 2 Is there an alternative?

Some arbitrators treat reasonableness as a prerequisite the admissibility of

surveillance evidence: if you cant establish the conduct of surveillance meets some

form of reasonableness test it doesnt get in whatever the impact on the hearing process.

If an arbitrator is going to exclude evidence, there should at least be a consideration of

the overall impact of the exclusion decision on the administration of arbitral or

workplace justice. This is reflected insomearbitral case law, but not clearly enough.

There should always be a discussion about how exclusion will impact on justice

between the parties. Id be quite concerned about excluding surveillance evidence, for

example, if the surveillance evidence reveals untrustworthy behavior and the employee

is in a position of trust (e.g. with discretionary power over vulnerable persons ). We

need to account for this aspect of the problem if we are going to exclude.

Question 3 - Whats the appropriate standard for conducting surveillance?

The standard should be a generalized rather than exacting standard. That is, an

employer should not be required (like police are required) to have reasonable and

probable grounds to believe that that evidence of misconduct will likely be found.

A reasonableness in all the circumstances test is more appropriate because it can be

employed more readily by laypersons: employers are not professional investigators like

police. The interest at stake in a workplace investigation should not be discounted too

greatly, but is a far more limited interest than at stake than in a criminal investigation. A

reasonableness in all the circumstances standard is flexible and allows for the

consideration of factors that might make sense in the workplace. For example, it mightmake sense to consider the gravity of the misconduct, which would never be permitted

under a criminal law analysis. It might also make sense to consider (as a threshold

question) what kind of surveillance is contemplated if were talking about limited


11/11

- 11 -

video surveillance at a single public event (a sporting event), it might be reasonable to

conduct surveillance based on a generalized suspicion.

In much the same vein the less intrusive means criteria sometimes employed by

adjudicators as a hurdle should only be part of the reasonableness analysis. This has

become quite an offensive criterion for employers, particularly when it is applied to

operational monitoring technologies a biometric time clock, for example. Employers

rightly feel entitled to use the best reasonable technology, even if it is more intrusive

than another alternative.

Documents

Ciaj Notes