Advances in technology have brought privacy issues to the forefront of Canadian society, and the workplace is no exception. Employers need to consider privacy and confidentiality for not only their customers, but also their employees. 

Can an employee be terminated with cause for snooping on a co-worker? A recent decision (Steel v Coast Capital Savings Credit Union), also discussed in Employee privacy breaches – do they warrant discipline? demonstrates how seriously courts will take violations of co-worker privacy and sheds some light onto what proactive employers can do to be prepared. Below are some practical tips to protect employee privacy and your business. Taking appropriate action now will be crucial should you need to discipline or terminate a snoop in the future. 

What happened?

Ms. Steel, a help desk analyst in the IT department of the employer credit union, remotely accessed private and confidential information in a co-workers personal computer folder. She did not have permission or authorization to do so. The documents included an employee parking lot waitlist, which Ms. Steel was on, as well as sensitive information about the seniority and salary of other employees. Despite the fact that Ms. Steel had been an employee of the credit union for over 20 years, the court sent a strong message by upholding her termination for cause.

Tip 1 – Develop policies and procedures to govern access to private documents

Well-crafted policies and procedures make employees’ expectations clear and show that you take the issue seriously. In the Steel case, the court made note of the fact that the employer had properly communicated its privacy expectations through each of the following: 

  1. The job description, which required respect for the privacy and confidentiality of all customer and staff information.
  2. Various policies, including an Acceptable Use Policy, a Code of Conduct Policy, and an Information Confidentiality Policy.
  3. A specific procedure governing the access of personal folders by helpdesk employees.

Ideally, policies and procedures should lay out the discipline process for any violations. 

Tip 2 – Ensure that your employees are aware of the policies and procedures 

Should the time come when an employee needs to be held accountable, you will want to be able to prove that they were aware of their expectations. The employer in this case took advantage of the annual review process to have employees acknowledge that they had reviewed, understood and signed off on the policies and procedures. As a result, there was no disputing that Ms. Steel was aware of the privacy expectations she had violated. 

Tip 3 – Consider the importance of trust in your industry and for the particular position 

Trust is important in every employment relationship, but employees will be held to a higher standard in industries such as financial services and health care, where privacy and confidentiality is vital. Likewise, employees in positions involving a high degree of autonomy and access to private and confidential information will be held to a higher standard of trust. 

For this reason, the court held Ms. Steel, as an IT employee for a credit union, to a particularly high standard. It was not practical for the employer to monitor which documents were being accessed and for what purposes, so the employer’s ability to trust Ms. Steel was fundamental to the employment relationship. 

Depending on the industry, position and circumstances, a single breach of an employee privacy policy or procedure may not be sufficient to terminate an employee for cause. When in doubt, obtain specific legal advice. 

Tip 4 – Enforce the policies and procedures consistently and evenly 

Failure to treat similar misconduct with similar discipline can come back to bite you. Should litigation become a reality, the appropriateness of any individual instance of discipline will be judged in light of previous responses to the same misconduct by other employees. As a result, make sure that discipline is implemented consistently and evenly. 

If you have clearly set out the consequences for violating a policy or procedure in writing, consistent enforcement will be easier to achieve, and if necessary, prove.

What this means for employers

This decision illustrates the value of clear policies and procedures for employers who expect high standards of privacy and confidentiality from and for their employees. While employers can’t expect to be able to terminate an employee with cause for every incident of snooping, a well-crafted and consistently enforced privacy policy can help justify the appropriate discipline of an employee. 

Employers who don’t have workplace policies and procedures dealing with employee privacy and confidentiality should consider implementing them. If challenged, employee discipline and particularly termination may be difficult to justify without policies in place. Even if you already have a policy, it should be continuously reviewed to ensure that it is well-suited to deal with privacy breaches – especially in a world where technology changes and breaches are all too common.