The Ontario Court of Appeal issued a judgement today that will attract attention for its consideration of an employee's expectation of privacy in information stored on a work computer. The Court recognized an expectation of privacy in the specific circumstances of the case, but also demonstrated a willingness to allow employers to govern system information through policy and procedure.
A school board investigated a teacher after noticing he had an abnormal pattern of network use. A member of the board’s IT staff accessed his laptop remotely and found nude photographs of a 16-year-old Grade 10 student. Soon after, the board obtained the laptop from the teacher (who refused to provide his password) and provided it, along with two discs, to the police. The police charged the teacher with possession of child pornography and unauthorized use of a computer. In his defence, the teacher applied to exclude evidence based on a breach of his right to be free from unreasonable search and seizure under section 8 of the Canadian Charter of Rights and Freedoms.
Justice Karakatsanis wrote for the Court of Appeal. She assumed that the Charter applied to the board and found the teacher had a reasonable expectation of privacy in the contents of his laptop based on the following factors:
- he had exclusive possession of the laptop;
- he had permission to use it for personal use;
- he had permission to take it home on evenings, weekends and summer vacation;
- there was no evidence the board actively monitored teachers' use of laptops;
- the board had no clear and unambiguous policy to monitor, search or police the teacher's use of his laptop.
This last factor is unique and somewhat limits the significance of the reasonable expectation finding. The facts are that the applicable policy had a warning regarding searches of e-mail communications but not for other stored information. Justice Karakatsanis relied on this limitation rather notably, but nonetheless recognized a reduced expectation of privacy based on a general finding about system administrator privileges:
Business and other institutions commonly engage technicians to service and maintain their networks. Users understand that a technician can access computers connected to the network to ensure the integrity of the system.
Given the school board's technician stayed within an "implied right of access" corresponding to this privilege, Justice Karakatsanis held that the school board did not violate section 8 by its initial inspection of the laptop. She rejected the defence argument that, without a clear and unambiguous policy authorizing random searches, a government employer must meet either a reasonable and probable ground or reasonable suspicion standard to conduct a search. Instead, she suggested that the only question in determining whether a search is properly authorized in the absence of specific authorizing policy language is whether the search is conducted for a purpose consistent with proper systems administration.
There is more to this judgement – including an affirmation of a school board's duty to ensure a safe school environment, a finding that the police breached section 8 and a exclusion of evidence finding – but I'll end this post here in favor of brevity. For employers, this case highlights rising employee privacy expectations associated with personal use of employer systems (and the corresponding pressure on employers), but is relatively consistent with the prevailing employment jurisprudence in its recognition of an employer right to govern systems through policy.