Nowadays most employees spend at least a portion of their workday using a computer, raising important privacy questions of what kinds of computer surveillance employers can implement on their employees’ work computers and under what circumstances.

Questions relating to employer surveillance – when? why? how much is too much? – are long-standing issues in both unionized and non-unionized workplaces. Traditionally, decision-makers have been sharply divided over when employers can implement surreptitious video surveillance over their employees, for example, and then rely on videotape evidence for later discipline.

This division has largely centred on a fundamental disagreement between decision-makers as to whether employees have a right to privacy in the workplace. This same disagreement carried over into the early computer surveillance decisions, where courts and arbitrators routinely found that employees had no expectation of privacy in work computers and upheld discipline and even termination based on non-work computer use.

Protecting the “Biographical Core”: R v Cole

That perception was shaken by a number of cases in the early 2000’s, but none moreso than the Ontario Court of Appeal’s 2011 and the Supreme Court’s 2012 decisions in R v Cole. While Cole dealt with a challenge to the search and seizure of an employee’s work computer by police, the Supreme Court took the opportunity to comment more broadly on employees’ right to privacy in their work computers. The Court found that an expectation of privacy could be inferred where personal computer use was permitted or reasonably expected:

Computers that are reasonably used for personal purposes – whether found in the workplace or the home – contain information that is meaningful, intimate, and touching on the user’s biographical core. Vis-à-vis the state, everyone in Canada is constitutionally entitled to expect privacy in personal information of this kind.

While workplace policies and practices may diminish an individual’s expectation of privacy in a work computer, these sorts of operational realities do not in themselves remove the expectation entirely: The nature of the information at stake exposes the likes, interest, thoughts, activities, and searches for information of the individual user.

Implications for Employees: Right to Privacy at Work

While the long-term implications of Cole are not yet clear – particularly given that the Court declined to comment specifically on employer computer surveillance or the ability of an employer to seize and search a work computer – decision-makers have begun to adopt its reasoning to find a breach of employee privacy rights when employers engage in surreptitious, unjustified computer surveillance. For example:

  • The British Columbia Information and Privacy Commissioner found an employer internet usage audit to be a breach of privacy where the employee had never attempted to hide his internet usage and had never been approached about it by the employer prior to the audit.
  • The Alberta Office of the Information and Privacy Commissioner found that an employer had contravened privacy legislation when it installed keystroke logging software on an employee’s computer to monitor productivity. The Commissioner particularly noted the availability of less intrusive measures and the failure to limit the scope of the employer’s investigation.

These examples aside, however, decision-makers have yet to fully address the question of what Cole will mean for the traditional approaches to employer surveillance. While older cases extended employers a nearly unfettered right to set ethical, professional and operational standards for their workplace, Cole recognized that employer policies and practices may diminish a privacy right but cannot remove it entirely. Whether future decision-makers will accept a robust conception of employee privacy rights or will return to tests largely based on employer reasonableness remains to be seen.

A Right Without A Remedy

In any event, the suggestion in some post-Cole case law that employers ought to undertake less intrusive steps prior to surveilling employee computers raises a separate, perplexing question: what happens if employers don’t?

So far, Privacy Commissioners, in large part because of the nature of their authority, have provided for little in the way of remedy beyond ordering that the surveillance cease. For employees whose privacy was breached or who have been disciplined as a result of this intrusion, this may provide little comfort.

More recently, the New Brunswick Court of Queen’s Bench upheld the decision of a labour arbitrator which relied in part on an employee’s privacy interest in her work computer to reduce a termination for inappropriate email use to a suspension.

Other decision-makers, however, have found that an employer’s violation of privacy rights cannot lessen the seriousness of inappropriate work computer use. In these circumstances, it has been suggested that decision-makers can do no more than recommend that the employer take privacy interests into account in the future.

The decisions in Cole took significant steps towards changing how we discuss employee privacy in relation to work computers. As the trial judge in Cole stated, office computers are much like office desks and personal papers much like personal computer files. However, until decision-makers develop a substantive way to provide remedies for the breach of an employee’s privacy interest in his or her work computer, the change in how we talk about privacy rights at work cannot translate into protection for employees.

[This article is for informational purposes only and does not constitute legal advice, which cannot be given without consideration of your individual circumstances.]