To what extent are device ownership and acceptable use policies determinative of an employee’s expectation of privacy?
Many employers attempt to diminish the expectations of privacy of employees in work-supplied electronic devices through “computer use” policies that state explicitly that these devices are to be used solely for work purposes and that employers may monitor the use of these devices. These policies are perhaps honoured more in their breach. Moreover, the “bring-your-own-device” (BYOD) movement is rapidly eroding the black-and-white nature of these policies. With BYOD, the employee will own the laptop or smartphone. This limits the employer’s legal and practical ability to control the employee’s use of the device. Nevertheless, the employer has an interest in ensuring that the device is secure and may install software or applications onto the device. Indeed, the employer’s IT department may provide support for this software and applications.
On October 19, 2012, the Supreme Court of Canada released its much anticipated decision in R. v. Cole. The case involved whether an employee had a reasonable expectation of privacy in material on a work-issued laptop such that the computer could not be searched by the police without a warrant even if the employer handed the computer over to the police. A majority of the court concluded that the employee had a reasonable expectation of privacy and that a warrant would ordinarily be required. However, in the circumstances of the case, the remedy for the breach of the employee’s constitutional rights would not be exclusion of the evidence.
The court’s reasons establish the following important privacy principles:
- In assessing the privacy interest, the focus is on the informational content of the device and not the device itself. Ownership of the device is a relevant factor but is not determinative of whether an expectation of privacy is reasonable.
- Computers used by employees may “contain information that is meaningful, intimate, and touching on the user’s biographical core.” The information may expose biographical information regarding “the likes, interests, thoughts, activities, ideas and searches for information of the user.”
- Everyone in Canada has the constitutional right to privacy from the state (law enforcement) with respect to this type of biographical personal information on workplace computers, provided that it would be reasonable to expect the computer to be used for personal purposes.
- Workplace acceptable use policies may diminish an employee’s reasonable expectation of privacy but will not, on their own, remove the expectation entirely. The operational context, including the practices and customs of the employment context, will also be relevant; this may include the reality that workplace-issued devices are permitted to be used by employees for incidental personal use.
R. v. Cole was decided in the criminal law context in a situation in which the employer was a public body that was conceded to be subject to Canada’s Charter of Rights and Freedoms. Caution should be exercised, therefore, in extrapolating the principles in R. v. Cole to the private sector and non-criminal contexts. Indeed, the majority of the court expressly stated that it would “leave for another day the finer points of an employer’s right to monitor computers issued to employees.”
However, one point is clear: the court concluded that even if the employer has lawful possession of a device for the employer’s own administrative purposes, this does not mean that the employer can waive the reasonable expectation of privacy of the employee by turning the device over to the police, nor does it vest the police with lawful authority to search the device for the purposes of a criminal investigation. This does not mean that the employer cannot tell the police what it has found, which would permit the police to obtain a warrant.
R. v. Cole demonstrates that ownership and acceptable use policies will not be determinative in assessing whether employees have a reasonable privacy interest in information stored on a device used for employment. Ownership and acceptable use policies are, however, relevant as part of the totality of circumstances that the employer (and the state) must take into consideration.
It should be obvious, therefore, that in a BYOD environment, the privacy interest may be even greater. If an individual may have a reasonable expectation of privacy in the information stored on a workplace-issued device, it is likely a shorter step to concluding that an individual has a reasonable expectation of privacy in the context of a BYOD program. Furthermore, employers should consider whether their administrative policies and practices are appropriately tailored to the operational reality that employees are using workplace-issued devices and BYODs for personal use and how that may affect their ability to monitor employees, particularly where that monitoring is surreptitious. An overreaching policy will not provide comfort to an employer if it is out of step with the practical reality of the workplace.