When is it acceptable for an employer to search into its employees’ electronic emails or computer equipment? Part 2 of 2

I recently published an article with Patrick Gingras on this topic. The article is entitled “Accéder ou ne pas accéder au matériel informatique de son employé, telle est la question” (which translates to: “To access or not to access its employees’ technological devices: That is the question”).

The article is in French so I have summarized the relevant criteria that may be taken into account by employers when assessing whether they are legally entitled to access their employees’ computers. I blogged a few days ago on the Expectation of privacy in data stored on or accessible from a computer used for employment purposes is assessed on the basis of a variety of factors. I will discuss second part of this topic which deals with the legitimacy of the inspection of the employees’ computer by the employer.

PART II: Legitimacy of inspection: by whom, how and why?

There are six criteria that may be relevant in order to assess whether an inspection of the employees’ computer by the employer is legitimate.

1. Authority level of person requesting an inspection

The authority level of the person who authorizes an inspection of the employee’s computer is a decisive factor in determining the legitimacy of the inspection. An employer should not authorize a third-party service provider to carry out such a search without having obtained the consent of a person in the company with the necessary authority.

Employers should, where appropriate, specify in their employment agreements or adopt internal guidelines that specify whether or not a given employee may search the computers of other employees, and, if so, identify the categories of employees who may be subject to such inspections. Employers could also specify in their contracts with external service providers or representatives that they may not search employees’ computers on their own initiative, in order to avoid legal action by employees for breach of privacy.

2. Grounds for an inspection

An employer may only carry out an inspection for the purpose of obtaining more information on its employee. Mere suspicions on the part of the employer do not justify an inspection of the employee’s computer. An inspection must be justified on reasonable grounds.

• Chance discoveries

A chance discovery is where the employer happens to discover evidence raising reasonable doubt and justifying further inspection. Examples of such chance discoveries include:

• the employer comes across an employee’s email that proves his/her lack of loyalty;
• the president of the company discovers a document related to a project for another company in the same sector;
• the discovery of a printed version of the logo of another company, or material constituting child pornography is found during routine maintenance;
• a large email was intercepted after being blocked by the company’s computer system, which was considered a chance discovery indicating that the employee was using the company’s email system in an unauthorized manner.

However, chance discoveries have inherent limits, as they do not justify repeated inspections or inspections over a long period of time in the hope of finding or obtaining additional evidence.

• Decreased productivity, often associated with theft of time

Reduced work productivity and an unjustifiable increase in the number of overtime hours claimed may justify an inspection of the employee’s computer. Caution: before making such an inspection, the employer must ensure that the reduction in productivity is significant or unreasonable enough to justify the inspection. It might be a good idea to start an inspection by non-intrusive actions, such as reviewing log files to analyse visited websites and the time that the employee spent browsing the Internet during working hours, without necessarily reviewing all the content consulted by the employee or his/her activities.

• Insubordination

 In some cases, the employee’s insubordination may justify the employer’s searching his/her computer. Sending inappropriate emails might make it easier to justify the inspection by the employer if such behaviour has already occurred in the past, especially if such emails could damage the reputation or image of the employer or expose it to liability. For example: an offensive email sent by an employee to the latter’s colleagues and supervisor prompted the employer to search the computer of the sender to determine if any other such emails had been sent.

• Complaints or findings of inappropriate use

A complaint of inappropriate use may justify an inspection of the employee’s computer, but the complainant must be trustworthy and the seriousness of the misuse must be established.When the use of a computer for personal purposes is sought to be construed as a wrongful act of the employee, it is relevant to consider whether there is a policy in place allowing or prohibiting use of a computer for personal purposes.Examples of inappropriate use of a computer include:

• accessing illegal content or pornographic material
• using employer-owned computers for the purposes of distributing pirated movies
• the fact of having noticed an employee consulting the tax file of another employee

3. Nature of use of the computer by the employee

The nature of the use of the computer by the employee is a factor to consider, particularly if it is abusive or the employee has been warned about it on more than one occasion.

Repeated offences. The more the employee’s actions are abusive, unreasonable or illegal, the greater the likelihood that the employer’s inspection will be deemed legitimate.Employers seeking to justify their inspection on this basis should document repeated offences and warnings given to the employee in order to be able to demonstrate that the inspection was reasonable.

Seriousness of inappropriate use. In some cases, the seriousness of the suspected misuse is sufficient to justify the computer search. For example, where the employee is suspected of having committed a criminal offence such as theft or fraud, or of watching pornographic material.

Operating a personal business on the side. Operating a business on the side during working hours or use of the employee’s work computer for such purposes may justify the employer’s inspection.

4. Employee’s consent to an inspection

One of the decisive criteria for establishing the legitimacy of the inspection of the employee’s computer is his/her consent, either express or implied, to the inspection.The employee’s awareness of restrictions on the personal use of computers or of the fact that the employer reserves the right to search them, including pursuant to a policy in effect, should be considered.

Express or implied consent. The employer’s inspection will be more likely to be deemed legitimate if the employee consented to it. Such consent may be express, for example if the employee has signed a form authorizing the employer to carry out the inspection. It should be noted that the mere fact of the employee’s signing the form does not justify an inspection. Therefore, all the circumstances tending to show that the employee gave his/her free and informed consent to the inspection are to be taken into account.

Consent to an inspection may also be implied. For example, the employee submits his/her computer to the employer knowing that it will be inspected or the employee abandons his/her personal computer without having erased all personal and private information.

The consent must be free and informed and not given solely out of fear of adverse consequences (dismissal, disciplinary action, etc.).For example, to prove that the employee agreed to the inspection, a standard-form document signed by the employee as a pre-condition to his/her employment is not sufficient. Such a document may however be used to prove that the employee was aware that such an inspection was possible and might eventually be carried out pursuant to the employer’s policies.

Awareness of the prohibition and of a potential inspection under the employer’s policies. Awareness of the prohibition and of the potential for an inspection pursuant to the employer’s policies gives greater legitimacy to such inspections for two reasons: (i) It makes it easier to identify a reasonable cause legitimizing the inspection; and (ii) It reduces the employee’s expectation of privacy in the information stored on work-related computers.

The employer must prove that such policy: exists, is known, is up-to-date, and applies to all employees, including the officers of the company. The absence of a policy will not in itself be determinative of the legitimacy of an inspection. In such situations an inspection may be legitimate if the employees have at least been notified of the possibility of an inspection by the employer. Nor does the existence of a policy legitimize all inspections. All the circumstances must be examined to determine if there was an expectation of privacy.

5. Method or process used to access information

The legitimacy of the inspection will also be determined in light of the methods used by the employer to obtain or access data stored on a computer.

Legitimacy of the method or process. The employer may not use surreptitious or underhanded means to obtain employee information that it would not otherwise be able to obtain except through a court order. For example, using a fake Facebook account to gain access to the information shared by the employee on her/her Facebook account is considered an illicit means on the part of the employer.

Reasonableness of the inspection includes searching for relevant information only. The employer may only consult information related to the reason for the inspection. According to best practices in this area, once the information is accessed, only information related to the reason for the inspection should be searched for. The reasonableness of the search will be determined based on the circumstances of each situation. All actions taken should be documented so that such a record can, if necessary, be filed as evidence to allow the court or tribunal to determine the reasonableness of the search.

6. Acting urgently in order to preserve information

Some situations justify prompt action in order to avoid the deletion of relevant information by the employee. In such situations, the employer may make a back-up copy of the information, if it is authorized to access it or obtain a court order enjoining the employee (or online service) not to delete relevant information (note: such an order will be rendered only in exceptional circumstances.)

This content has been updated on August 29, 2014 at 12 h 41 min.