When is it acceptable for an employer to search its employees’ emails or computer equipment? Part 1 of 2

I recently published an article with Patrick Gingras on this topic. The article is entitled “Accéder ou ne pas accéder au matériel informatique de son employé, telle est la question” (which translates to: “To access or not to access its employees’ technological devices: That is the question”).

The article is in French, so I have summarized the relevant criteria that employers may take into account when assessing whether they are legally entitled to access their employees’ computers. Please note that the summary is based on recent Canadian and Quebec case law on the issue and that this post is not intended to be legal advice. This post is principally meant to serve as a resource for lawyers who may be interested in the topic.

  • Employer’s right to inspect employees’ computers is recognized
  • Such an inspection may not be arbitrary or discriminatory
  • Any intrusion into the employee’s privacy by the employer must be reasonably justified so that infringement of the employee’s right of privacy is minimal
  • Any unjustified intrusion into the employee’s privacy may lead to legal action
  • The obligation to respect the private nature of information extends to the information stored on the computer that is capable of being accessed and used by the employer rather than to the computer itself.

PART 1: Expectation of privacy in data stored on or accessible from a computer used for employment purposes is assessed on the basis of a variety of factors:

  1. Computer ownership

The fact that a computer is owned by the employer does not entitle the latter to access the employee’s data without cause. The expectation of privacy regarding data stored by an employee is even higher when the employee owns the computer and uses it for work.

Factors justifying an inspection of an employee-owned computer which is used for work must be more compelling than those for an employer-owned computer. It can be argued that an employee who, upon termination of employment, voluntarily leaves behind and does not wish to recover his or her personal computer used for work, has waived his or her privacy expectation with respect to the information stored on it.

  2. Nature of information sought

An employee’s expectation of privacy depends on the nature of the information sought. The more the information sought is personal or private, the higher the expectation of privacy. Likewise, the more the information is work-related, the lower the expectation of privacy. The following types of personal information in particular are considered private: medical information, family information, information on the employee’s love life, information on the employee’s sex life, political views, philosophical opinions, religious beliefs, private communications, finances, any other information which, when disclosed, might cause humiliation or embarrassment to the employee, particularly if the information was not known to others at the time of such disclosure.

  3. Location of data

Employees have a greater expectation of privacy in data stored in their personal email box than in information located in their work email box. However, it is possible for an employer’s inspection to be legitimate even if the emails are stored in the employee’s personal email box.

The expectation of privacy in information shared through an online service, such as Facebook, varies depending on the account settings and the number of persons who have access to the information. The expectation is eliminated if the information is public and diminished when the information is shared with a limited number of persons. Information stored on a company server is subject to a lower expectation of privacy than information stored on the employee’s computer. Information stored on an employee-owned computer used for work, or on an online service such as Facebook and accessible to a limited number of individuals, should benefit from an even higher expectation of privacy.

If the employee has marked certain files or folders as personal, or asked the employer not to consult them, that increases the expectation of privacy in the information they contain.

  4. Technological protection measures

The absence of a password or encryption restricting access to data stored on a computer or accessible through it may reduce the employee’s expectation of privacy in such information. The employee’s practices regarding protection measures may be taken into account in determining his or her expectation of privacy. If private information, particularly the employee’s emails and browsing history, is easily available to or accessible by a third party (employer, IT technician, etc.), the expectation of privacy will be lower.

  5. Deleting data

Simply deleting an item of information does not have a definitive impact on the employee’s expectation of privacy, and the nature of the deleted information must be taken into consideration. In certain cases the expectation might be reduced if the deletion could be considered abnormal, such as a complete wipe of a hard drive or directory, or if it might have been done to conceal wrongful acts. For example, the fact that the employee deleted his or her browsing history may be viewed as an indication of bad faith and awareness of having done something wrongful with the computer, which would help justify sanctions imposed on the employee.

This content has been updated on September 12, 2014 at 13 h 33 min.