…[the employer] had to trust Ms. Steel to only access such documents as part of the performance of her duties and to follow the protocols when she did so. Such trust was fundamental to the employment relationship in relation to Ms. Steel’s position. …
So concludes the court in Steel v. Coast Capital Savings Credit Union, a recent decision that will be of interest to employers who place a high expectation on employees to ensure the privacy and confidentiality of their clients.
Ms. Steel was employed by Coast Capital for more than 20 years, most recently as a Helpdesk analyst in the IT Department. Her duties included providing internal technical assistance to other employees of Coast when they experienced trouble with the network. As Helpdesk analyst, Ms. Steel had access to any document or file in the organization; her work was unsupervised; and, no one monitored what documents she accessed or for what reason or purpose. Why? It would not be practical. Although the position was not managerial, the job description required that the analyst “Respect the privacy and confidentiality of all customer and staff information at all times”.
What did Ms. Steel do that was wrong?
Ms. Steel could access employee personal folders when assisting with technical problems. Access, however, was to be made only after the employee had given permission or the VP of corporate security had authorized it. The Helpdesk analyst was expected to follow a specific protocol. During her annual review process, Ms. Steel acknowledged that she had reviewed, understood and signed off on the Acceptable Use Policy, Code of Conduct Policy and Information Confidentiality Policy. Yet, after this review Ms. Steel, accessed a spreadsheet in a co-worker’s personal file that contained confidential employee information including pay grades and seniority dates.
As a result of investigation into the matter, Ms. Steel was terminated on a “with cause” basis. In its termination letter to her, Coast Capital said the “severity of this breach of trust has led Coast Capital Savings to lose faith in your judgement. It has resulted in a serious loss of confidence in you which we believe has irreparably damaged the employment relationship”…
What happened next?
Ms. Steel sought summary judgement in an action for damages for wrongful dismissal saying that even if the employer’s version of events was true, the alleged conduct did not amount to just cause for dismissal. Coast Capital agreed that the issue could be resolved at summary dismissal and that evidence Ms. Steel had provided during discovery was not in conflict with the facts giving rise to the dismissal. The court agreed that it could dispose of the matter and it did, in favour of the employer.
What did the court note was key?
There are some key points of this decision that should not be overlooked. If they had not existed, the employer may have had a more difficult time asserting just cause. What made this case different?
- The relationship of trust is particularly critical in the banking industry where employees are held to a higher standard of trust than employees in other undertakings.
- Employees who work with greater autonomy are held to a higher standard of trust – the greater the autonomy the employee enjoys, the more fundamental trust is in the employment relationship.
Madam Justice Ross relied on these circumstances in finding cause to dismiss saying:
Ms. Steel occupied a position of great trust in an industry in which trust is of central importance. In her position [she] was given the ability to access confidential documents. The employer established clear policies and protocols known to Ms. Steel at the relevant time that were to govern access to confidential documents.
Ms. Steel knew that to remotely access other employee files without first receiving specific permission to do so was forbidden. In her role, it was not practicable for Coast to monitor what she accessed and for what purpose. The court noted that the ’trust’ fundamental to her position was broken, and her actions amounted to just cause for dismissal.
What does this mean for employers?
If you expect privacy and confidentiality from employees you should have and maintain policies dealing with access to information within your computer system. This is more critical in industries where trust is of central importance (e.g., banking or healthcare) and particularly necessary where an employee has unsupervised access to the system. In your annual review process, review those policies and ensure there is acknowledgement by employees that they are aware of them. This issue will usually only arise when someone complains. Consider whether there are proactive ways to monitor access (e.g., by way of routine audits or by requiring a log book to be submitted each day detailing access and providing consent information for that access). In many workplaces it will be impractical to impose such a system. There is no doubt that if you’re going to take privacy and confidentiality seriously, any report of questionable access should be properly investigated and if an employee is determined to be in violation of your policies and discipline is warranted, apply your policy evenly and consistently.