I’ve been asked to speak early next year on how information and privacy issues are shaping the future of employment law. In preparation, I’d like to share three developing thoughts here that relate to: (1) the impending clash between information governance and personal use of corporate IT systems; (2) internet use and the “virtualization” of workplace harms; and (3) labour stability, departing employees and information-related harms. Part 1 is below. Parts 2 and 3 will follow. Please comment.
What does the “information governance” movement mean for employers?
In my view, the building pressure to govern corporate information is bound to create labour and employment conflict unless employers effectively manage employee privacy expectations starting now.
Information governance is an approach to corporate information management that features strategic, enterprise-wide frameworks for defining how information is controlled, accessed and used. It answers the question, “What information do we need, how do we make use of it and who is responsible for it?”
Information governance demands more of organizations than can be borne by the “acceptable use policy,” which has traditionally played a central role in the control of information on corporate systems. An acceptable use policy is most often promulgated by IT and human resources and focuses on the control of IT and human resources risks – e.g. the risk of viruses, the risk of time theft, the risk of non-compliance with the duty to provide a harassment-free workplace.
The acceptable use policy is not a document typically rooted in corporate strategy, yet information governance elevates the control of information to a level of strategic importance. Under an information governance framework, control over information supports regulatory compliance, risk management and business value generation. The risks addressed through information governance initiatives are perceived and managed as enterprise risks – e.g. financial control risks, record preservation risks and so on.
The traditional acceptable use policy can’t meet these higher-order objectives on its own. Newly-created corporate privacy policies and procedures now govern significant corporate information flows. Additionally, information security and record retention policies (with retention schedules) have gained in prominence and specialized e-mail management policies are badly needed. Other vehicles for asserting control over corporate information will no doubt gain in use.
The control exercised through this rise of new policy will invite conflict with employees because employers have also become ambivalent or even laissez faire about personal use. Employees now expect privacy in their personal communications, and though Canadian employers have long-enjoyed a relatively unfettered right to access, use and otherwise control information on their systems, there are signs in the case law that employers’ laissez faire approach to personal use is causing this right to be threatened.
Take the impact of personal use on e-discovery, for example. Quality e-discovery requires organizations to abandon “field filtering” – in which individuals apply instructions to identify responsive records – in favour of harvesting and centrally processing entire collections of electronically stored records. Employee custodians resist centralized processing because they fear access to personal communications, thereby impeding efficient and effective e-discovery. And if personal communications are collected, their presence in a collection of business communications can nonetheless cause a constraint on the e-discovery process. At the very least, producing an entire collection to an opposing party pursuant to a “quick peek” or “clawback” agreement to deal with solicitor-client communications becomes a difficult option. This may seem about mere cost and inconvenience, but it also illustrates a real loss of control over corporate information.
I’m only writing this to identify the issue and not to recommend a solution. It does seem, however, that we may soon revert to greater restrictions on personal use. Better get ready to carry two cell phones!