The Ontario Superior Court of Justice’s recent decision in R. v. Cole emphasizes the importance of employer policies in determining whether an employee has a reasonable expectation of privacy in information stored on an employer’s computer.
In Cole, a teacher who had a role in supervising and monitoring student and staff use of the school’s computer network was charged with possession of child pornography. A school board information technologist found nude photographs of one of the school’s students in a "hidden" file on a laptop owned by the school and assigned to the accused teacher. The teacher had password-protected the laptop. He argued that he had a reasonable expectation of privacy in the contents of the laptop's hard drive — and that the search was therefore illegal.
In determining whether the teacher had a reasonable expectation of privacy, the court considered whether the teacher had a subjective expectation of privacy and whether his expectation of privacy was objectively reasonable. Given that the teacher had possession of the computer, and that he had password-protected it and shaded the folder with the images, the judge accepted that the teacher had a subjective expectation of privacy.
In assessing the second criterion, the court considered the accused’s employment contract, his employer’s ownership of and issuance to him of the laptop, as well as the rules regarding his use of it, including the permissibility of personal use and the user’s right to privacy.
The court found that the teacher’s expectation was not objectively reasonable based on the following facts:
- The laptop computer was owned by the school board.
- The teacher was aware of the terms of the school’s acceptable-use agreement for use of the school’s network. That agreement included a provision reserving the school’s right to monitor work, e-mail and data stored on school computers and servers, and indicating that such files were not private. All of the teachers at the school were notified annually that they were bound by the terms of this agreement. Further, the teacher played a role in enforcing the terms of the agreement.
- The teacher was bound by various school board policies posted on the board’s website. These policies provided that all data generated on or handled by board equipment (in this case, the laptop) were board property. The policies also prohibited the access and handling of inappropriate content.
In his contextual analysis, the judge noted an employer’s need to protect both its data and the operational integrity of its computer system: "I take judicial notice of the fact that employers, in their use of computers to carry on their business, invest tremendous amounts of money and time creating, inputting, analyzing, managing and protecting the data coming into, going out of, and stored on their computer system."
McCarthy Tétrault Notes:
In TLQ 4:1, we discussed whether an employee is entitled to privacy over e-mail and other data created and stored on a computer used for work purposes as well as what rights an employer has to access that information. We noted that the answer depends on whether the employee has a reasonable expectation of privacy. The Cole decision provides further guidance on the circumstances in which a reasonable expectation of privacy may be found.
In the Cole decision, two main factors against the employee’s reasonable expectation of privacy were board policies governing access to data and privacy, and the acceptable-use agreement that governed both student and teacher use of the school’s computer network. Employers would be well-advised to:
- Implement clear-cut and comprehensive policies governing the employee’s right to access data and systems. If an employer does not want an employee to have a reasonable expectation of privacy over any data found on a computer or the employer’s network, then this should be clearly stated.
- Ensure that employees acknowledge that they have read, understood, and agreed to abide by the employer’s policies.
- Make clear that copies of employer-owned data remain the employer’s property regardless of where the data is stored.
- Manage employee privacy expectations over information stored on laptops by providing company laptops to employees for offsite work and capitalizing on their ownership of the equipment.