Virtually everyone has an online presence, whether through social media accounts, online banking and shopping or communication with family and friends. Workplace issues arise when an employee's personal online presence intersects with work: are employers allowed to collect, use and disclose personal information from a personal email account that is accessible on an employee's work computer?
It appears not. In late 2013, Alberta's Office of the Information and Privacy Commissioner ordered Moore's Industrial Services Limited to stop accessing the personal email account of one of its former employees (the complainant). Ultimately, Moore's did not have authority under Alberta's privacy legislation, the Personal Information Protection Act (PIPA), to collect, use or disclose the complainant's personal information contained in his personal email account that was accessible from a work laptop.
Under PIPA, an individual can make a complaint about the collection, use and disclosure of personal information by an organisation. Here, the complainant was unhappy that his former employer had gained access to his personal web-based email account through his work laptop. The complainant had retired from his position with Moore's in August 2009 and had returned his work laptop at that time. While employed, the complainant had used the laptop to access his personal web-based email. Before returning the laptop, the complainant believed that he had fully wiped its hard drive, including his log-in and password information for his personal email account. However, in October 2010, almost one year after his retirement, the complainant noticed that emails from his personal email account had been forwarded to the email account of Moore's CEO. Some of these emails were between the complainant and other Moore's employees, including a reference letter written by the complainant for a former co-worker. The complainant argued that Moore's had accessed his personal information without his consent, thereby violating PIPA. Moore's acknowledged that it had accessed the complainant's personal web-based email account.
One of the key issues was whether Moore's had improperly collected, used and/or disclosed the complainant's personal information and personal employee information as defined in PIPA. Section 1(1)(k) of Alberta's PIPA defines 'personal information' as information about an identifiable individual. Personal information can include an individual's name, log-in details for a personal email account (usually an email address) and the password to that account.
While the concept of a personal email address as personal information was not at issue, Moore's admitted that the CEO had forwarded at least one email to other employees of the organisation. While the organisation had not used the complainant's personal information in the email, it had disclosed the information to two other employees without the complainant's consent.
Section 1(1)(j) defines 'personal employee information' as information in respect of an individual who is a potential, current or former employee of an organisation, where the personal information is reasonably required by the organisation for the purposes of establishing, managing or terminating an employment or post-employment relationship between the organisation and the individual, but does not include personal information about the individual that is unrelated to that relationship.
Here, Moore's had a termination agreement with the complainant (arguably constituting a 'post-employment relationship'), where the complainant was not allowed to contact any of the organisation's customers and could not discuss the organisation's business with anyone else. While Moore's defence was that the CEO had viewed only emails that he felt may have pertained to the organisation's business and that it was enforcing a termination agreement, Moore's provided no reason to believe that the complainant may have violated or was about to violate the terms of the termination agreement. Therefore, without any reason to suspect a violation of the agreement, Moore's ongoing surveillance of and continued access to the complainant's personal email account had no reasonable purpose in terms of enforcing Moore's termination agreement. Moreover, it was determined that even if Moore's had reason to expect that the complainant may have breached the termination agreement, it was not clear that accessing the complainant's personal email account would have been a reasonable next step for the purpose of managing a post-employment relationship.
Another key issue was whether Moore's had the authorisation to collect, use and/or disclose personal information without a former employee's consent. The complainant asserted that he had not provided consent for his employer to access his personal email account. He asserted that he had wiped the hard drive of the laptop before returning it to his employer. Moore's argued that the complainant had consented to the organisation's access to his personal email account by leaving personal email account information available on his work laptop. Since the complainant had the opportunity to remove any personal email account from the computer and to change his password, but did not do so, the employer presumed that this was done on purpose as an indication of consent.
However, in the adjudicator's view, even if the complainant had returned the laptop with his email account information intact, it was not reasonable for Moore's to conclude that the complainant intended his former employer to access his personal email account on an ongoing basis. Instead, a more reasonable conclusion was that the complainant had simply neglected to remove all of his personal information from the laptop or had tried to do so unsuccessfully. Furthermore, even if the complainant had known that his personal email account information remained on the laptop, there was nothing to suggest that it would be reasonable for him to expect his former employer to have unfettered access to his personal email account on an ongoing basis.
Ultimately, the complainant had not provided consent to his employer to access his personal email account. Moore's continuous access to the complainant's personal email was far from a reasonable collection, use or disclosure of personal information.
Sections 11(1), 16(1) and 19(1) of PIPA require an organisation to collect, use and disclose personal information only for purposes that are reasonable, including an investigation. Since the adjudicator found that Moore's did not have the authority to collect, use or disclose the complainant's personal information, there was no need to consider whether Moore's purposes for collection, use and disclosure were reasonable. However, the adjudicator again emphasised that Moore's continued access to the complainant's personal email account was far from a reasonable collection, use or disclosure of personal information. In reality, there was no reasonable purpose at all.
Ultimately, the CEO's actions of accessing a former employee's personal email account and forwarding his personal emails without consent led the adjudicator to find that Moore's had improperly collected, used and disclosed its former employee's personal information. Moore's was ordered to stop collecting, using and disclosing the complainant's personal information. Additionally, Moore's was ordered to provide training to staff concerning the appropriate management of personal information.
Privacy law and employment law often intersect, particularly when technological devices used for personal and work-related purposes are involved. Whether an employer is governed by privacy legislation with respect to employee personal information depends on:
- whether it is a federally regulated employer; and
- if not, the province in which it is located.
Federally regulated employers in all provinces – including banks, telephone operators and radio and television broadcasters – are governed by federal privacy legislation with respect to employee personal information. Provincial privacy legislation applies to employee personal information in Alberta, British Columbia and Quebec. This patchwork of governance results in a gap for provinces that are not governed by any privacy legislation with respect to employee personal information, including Ontario, which is the province with the largest labour force.
Lastly, employers should be aware that a privacy commissioner's order does not prevent a complainant from bringing further legal action against his or her former employer for damages for loss or injury suffered as a result of privacy legislation breaches. While the awards so far have not been high, this still potentially means added litigation, time and costs and unwanted publicity that an employer could do without.
Bonny Mak Waterfall and Vanessa Mui.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.