Employers often have the actual ability to access their employees’ private email accounts. But do they have the legal right to do so?
Providing employees with mobile technology, such as smart phones, laptop computers, tablets, etc. has the potential to be a minefield for employers. As I wrote in a post titled Overtime Pay and Mobile Technology, providing employees with smart phones carries with it the real risk of exposing employers to claims for unpaid overtime.
Yet there is another risk that employers face when they provide their employees with mobile technology and fail to implement policies on the uses to which to those employees may put that technology: The risk that employees will use that technology for non-work related purposes.
In this post I do not wish to consider the implications of employees posting inappropriate material to the internet and the employer’s potential liability for such content. Rather I wish to consider the more common practice of employees using employer-provided technology to do seemingly innocuous, rather mundane things, and the risks that allowing employees to do so can have if the employment relationship breaks down.
The Set Up
If you are reading this post I will assume that you are interested in employment law issues. I would further assume that you are either an employment lawyer or a HR professional. If I am correct in those assumptions, then I will make two further assumptions: your employer has provided you with form of mobile technology and you use that technology for purposes other than work.
When I speak about non-work-related purposes I am talking about non-work email (such as Gmail, Hotmail, etc.), social networking for personal use, and banking. For example, it would not be uncommon for an employer to find on its technology passwords to its employee’s Hotmail, Gmail, Facebook, LinkedIn, Twitter, Reddit, blog, and banking website accounts.
Why would an employee store such information on his or her employer-provided equipment? Because they can. For most employees, their work-provided phone is the only phone they truly use. To that end some employees use the phone as if it were their own. After having the phone in one’s own possession 24/7/365 – including while on vacation –many employees forget that it is actually not ‘theirs.’
But what if that employee loses his or her job? It’s certainly possible.
The first thing that one’s employer would likely do is demand is that the employee return to them the laptop computer that has been toted home for lo those many years, i.e. the same laptop that contains all the aforementioned passwords. The second thing that the employer would likely demand be returned is the employee’s phone. Correction, their phone.
Suppose that somewhere in the chaos of finding oneself suddenly unemployed that employee forgets, or is not afforded the opportunity, to delete the passwords saved on the computer and/or phone.
The Legal Question
Can the former employer, once in possession of the equipment that they provided to the employee and that indeed they own, use that technology, and more to the point the passwords saved on it, to access the emplyoee’s personal email or bank records?
Readers of this blog may recall two earlier posts that I have authored on similar topics, Employees’ Rights to Privacy in Workplace Equipment and Ontario Recognizes Torts of Invasions of Privacy.
The Right to Privacy: The Decision in R. v. Cole, 2012 SCC 53
In the first post I looked at the case of R. v. Cole, 2012 SCC 53, a criminal case decided by the Supreme Court of Canada. Writing for the majority in that case, the Honourable Justice Fish opened the Court’s reasons with the following:
 The Court left no doubt in R. v. Morelli, 2010 SCC 8 that Canadians may reasonably expect privacy in the information contained on their own personal computers. In my view, the same applies to information on work computers, at least where personal use is permitted or reasonably expected.
 Computers that are reasonably used for personal purposes - whether found in the workplace or the home - contain information that is meaningful, intimate, and touching on the user’s biographical core. Vis-à-vis the state, everyone in Canada is constitutionally entitled to expect privacy in personal information of this kind.
 While workplace policies and practices may diminish an individual’s expectation of privacy in a work computer, these sorts of operational realities do not in themselves remove the expectation entirely: The nature of the information at stake exposes the likes, interests, thoughts, activities, ideas, and searches for information of the individual user.
On the issue of whether Mr. Cole had a reasonable expectation of privacy in his employer-provided laptop Justice Fish wrote that:
 Computers that are used for personal purposes, regardless of where they are found or to whom they belong, “contain the details of our financial, medical, and personal situations” (Morelli, at para. 105). This is particularly the case where, as here, the computer is used to browse the Web. Internet-connected devices “reveal our specific interests, likes, and propensities, recording in the browsing history and cache files the information we seek out and read, watch, or listen to on the Internet” (ibid.).
 This sort of private information falls at the very heart of the “biographical core” protected by s. 8 of the Charter.
Writing in dissent with respect to the disposition of the criminal case, but agreeing on the point in issue for employment law, the Honourable Justice Abella wrote that:
 Workplace computers are increasingly given to employees for their exclusive use, and employees are allowed — and often expected — to use them away from the workplace for both work-related and personal use. And as more data is stored in the cloud and accessed on both workplace and personal computers, the ownership of the device or the data, far from being determinative of the reasonable expectation of privacy, becomes an increasingly unhelpful marker. In deciding whether to exclude evidence illegally seized from workplace computers, this blurring of the line between personal and workplace usage should inform the analysis.
What that decision in Cole stands for, I would submit, is that employers have the right to access the technology that they provide to their employees, for the purposes of updating or maintaining that technology – but that simply because employers are permitted to use that technology does not entitle them to ‘snoop’ through their employee’s personal affairs.
If an employee provides ‘his’ laptop to his employer’s tech support person for the purposes of upgrading software, that would not entitle the employer to access the employee’s Hotmail account even though the password to access Hotmail is saved on the computer.
Similarly, on dismissal, just because the equipment is returned to the physical possession of the employer does not, in my opinion, entitle the employer to access the dismissed employee’s personal accounts. The information so accessed is stored on third-party systems, such as Hotmail, and the only reason that the employer is able to access that information is because the employee forgot to delete his password at an overwhelming time.
Consequences for Breaching Right of Privacy: Jones v. Tsige
Continuing with this scenario, what would be the dismissed employee’s rights as against his former employer if he could prove that the former employer had accessed such personal accounts? The answer would appear to lie in the case of Jones v. Tsige, 2012 ONCA 32.
In that case, the Court of Appeal for Ontario first recognized the tort of invasion of privacy at Ontario law.
Based upon a reading of that decision, I would submit that an employer who accessed an employee’s personal email records, social media accounts, or bank records (whether the employee was dismissed or not) would be liable to the employee for “moral damages.” Depending upon the nature and severity of the breach, the employer could be liable to the employee for damages of between $10,000 and $25,000, perhaps more.
The scenario contemplated above is not unforeseeable. Given the proliferation of mobile technology and the common practice of providing employees with such technology, the possibility of the above-contemplated scenario actually playing out is high.
There are three ways to prevent such events from occurring:
- Employees could refrain from using their employer-provided device for personal use;
- Employees could ensure that they are not storing their passwords for personal accounts on their employer-provided technology; and
- Employers develop strict policies about the use of employer-provided equipment.
Prudent employers would be wise to develop policies: (1) prohibiting employees from using employer-provided technology for any personal use, including email, social networking, etc.; and (2) prohibiting technology-support staff from accessing employee’s personal data if the employee violates the first policy.
The failure to develop such policies has the potential to cost employers more than the cost of having a professional develop them. Of course, employers should also be cautious about attempting to impose new policies upon existing employees, partially for the reasons considered in my earlier post No Changes without Consideration.
If you are an employer concerned about that which has been considered above, and wish to speak to someone about drafting such policies, the professional, experienced and cost-effective employment lawyers for employers at Ottawa's Kelly Santini LLP would be happy to be of service to your business or organization.
If you are an employee who believes that your rights to privacy have been breached by your current or former employer, then the professional, experienced and cost-effective employment lawyers for employees at Ottawa's Kelly Santini LLP would be happy to be of service to you.
To reach the author of this blog, Sean Bawden, email email@example.com or call 613.238.6321 x260.--
As always, everyone’s situation is different. The above is not intended to be legal advice for any particular situation. It is always prudent to seek professional legal advice before making any decisions with respect to your own case.
Sean P. Bawden is an Ottawa, Ontario employment lawyer and wrongful dismissal lawyer practicing with Kelly Santini LLP. He has also been a part-time professor at Algonquin College teaching Trial Advocacy for Paralegals and Small Claims Court Practice.