Advances in technology have brought privacy issues to the
forefront of Canadian society, and the workplace is no exception.
Employers need to consider privacy and confidentiality for not only
their customers, but also their employees.
Can an employee be terminated with cause for snooping on a
co-worker? A recent decision (Steel v Coast Capital Savings Credit Union),
also discussed in
Employee privacy breaches – do they warrant discipline?
demonstrates how seriously courts will take violations of co-worker
privacy and sheds some light onto what proactive employers can do
to be prepared. Below are some practical tips to protect employee
privacy and your business. Taking appropriate action now will be
crucial should you need to discipline or terminate a snoop in the
future.
What happened?
Ms. Steel, a help desk analyst in the IT department of the
employer credit union, remotely accessed private and confidential
information in a co-workers personal computer folder. She did not
have permission or authorization to do so. The documents included
an employee parking lot waitlist, which Ms. Steel was on, as well
as sensitive information about the seniority and salary of other
employees. Despite the fact that Ms. Steel had been an employee of
the credit union for over 20 years, the court sent a strong message
by upholding her termination for cause.
Tip 1 – Develop policies and procedures to govern
access to private documents
Well-crafted policies and procedures make employees'
expectations clear and show that you take the issue seriously. In
the Steel case, the court made note of the fact that the employer
had properly communicated its privacy expectations through each of
the following:
- The job description, which required respect for the privacy and confidentiality of all customer and staff information.
- Various policies, including an Acceptable Use Policy, a Code of Conduct Policy, and an Information Confidentiality Policy.
- A specific procedure governing the access of personal folders by helpdesk employees.
Ideally, policies and procedures should lay out the discipline
process for any violations.
Tip 2 – Ensure that your employees are aware of the
policies and procedures
Should the time come when an employee needs to be held
accountable, you will want to be able to prove that they were aware
of their expectations. The employer in this case took advantage of
the annual review process to have employees acknowledge that they
had reviewed, understood and signed off on the policies and
procedures. As a result, there was no disputing that Ms. Steel was
aware of the privacy expectations she had violated.
Tip 3 – Consider the importance of trust in your
industry and for the particular position
Trust is important in every employment relationship, but employees
will be held to a higher standard in industries such as financial
services and health care, where privacy and confidentiality is
vital. Likewise, employees in positions involving a high degree of
autonomy and access to private and confidential information will be
held to a higher standard of trust.
For this reason, the court held Ms. Steel, as an IT employee for a
credit union, to a particularly high standard. It was not practical
for the employer to monitor which documents were being accessed and
for what purposes, so the employer's ability to trust Ms. Steel
was fundamental to the employment relationship.
Depending on the industry, position and circumstances, a single
breach of an employee privacy policy or procedure may not be
sufficient to terminate an employee for cause. When in doubt,
obtain specific legal advice.
Tip 4 – Enforce the policies and procedures
consistently and evenly
Failure to treat similar misconduct with similar discipline can
come back to bite you. Should litigation become a reality, the
appropriateness of any individual instance of discipline will be
judged in light of previous responses to the same misconduct by
other employees. As a result, make sure that discipline is
implemented consistently and evenly.
If you have clearly set out the consequences for violating a
policy or procedure in writing, consistent enforcement will be
easier to achieve, and if necessary, prove.
What this means for employers
This decision illustrates the value of clear policies and
procedures for employers who expect high standards of privacy and
confidentiality from and for their employees. While employers
can't expect to be able to terminate an employee with cause for
every incident of snooping, a well-crafted and consistently
enforced privacy policy can help justify the appropriate discipline
of an employee.
Employers who don't have workplace policies and procedures
dealing with employee privacy and confidentiality should consider
implementing them. If challenged, employee discipline and
particularly termination may be difficult to justify without
policies in place. Even if you already have a policy, it should be
continuously reviewed to ensure that it is well-suited to deal with
privacy breaches – especially in a world where technology
changes and breaches are all too common.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.