A pair of judgments from Ontario courts have highlighted the fluid nature of the law governing sensitive private documents and digital information. They also make it clear that, while the law is unsettled, employers should establish clear policies about the limits on personal employee information that is accessible through workplace computers.

In Jones v. Tsige the plaintiff was a customer and employee at a major bank. She claimed that the defendant, a financial planner, graduate of the Canadian Securities Course and her co-worker at the bank, had invaded her privacy by accessing her private banking records. The snooping occurred on 174 occasions over four-years. The snooper/defendant was living with the plaintiff’s ex-husband at the time and wanted to know whether he was paying support to the plaintiff.

The plaintiff claimed that she had a common-law right to privacy and that it had been invaded by the defendant, who was firmly disciplined but not fired by the bank. The Ontario Superior Court disagreed, holding that no such common-law right exists and suggesting that the plaintiff’s privacy rights were protected under statutory regimes, such as the Personal Information Protection and Electronic Documents Act.

“In Ontario,” the decision states, “it cannot be said that there is a legal vacuum that permits wrongs [involving privacy] to go unrighted — requiring legal intervention.”

Another recent judgment from the Ontario Court of Appeal involves a school teacher who was found to have nude images of a student on his school-owned laptop. The pictures were discovered by a computer technician gaining access to the computer through the school’s network during a hunt for a virus.

The technician copied the images, as well as temporary Internet files found in the computer’s browsing history, onto a disk. The teacher subsequently faced criminal charges and alleged that his privacy rights under Section 8 of the Charter of Rights and Freedoms had been violated.

The court found that the teacher had a reasonable expectation of privacy because the school board had given “explicit permission to use the laptops for personal use.” That right was limited, however by the right of the school’s computer technician to access school computers and the right granted by the school to search and seize the laptop. However, the teacher’s Sec. 8 charter privacy rights were violated by the subsequent police search and seizure of the laptop without a warrant. Ultimately, the court found the laptop should be excluded from the evidence.@page_break@David Edler, counsel with Stikeman Elliott LLP in Ottawa, says that the law concerning damages for a breach of privacy is still in its infancy in Canada because there simply haven’t been that many cases on the issue. Still, the threshold to find a breach of privacy seems to have been set “fairly high,” says Edler. “You need to show really clear damages flowing from the privacy breach itself, not necessarily the information contained in the breach.”

Edler adds that the two court cases should prompt employers to re-examine their policies on the use of computer equipment by employees. That is, they should create policies that establish whether or not employees can put personal information on work computers. If it is allowed, employees need to know that employers may need to provide access to the information on the laptop if there are complaints or if the firm is contacted by investigators.

Brian Bowman, a partner with Pitblado LLP in Winnipeg who specializes in privacy and access to information law, says employers that set out privacy policies regarding the use of computers make things easier for everybody. For employees, they’ll be able to conduct themselves accordingly, while employers can set out in advance the steps they can take in instances in which they need to monitor an employee’s computer activity. “It protects [firms] from an employee claiming privacy in situations in which they shouldn’t be claiming privacy rights. It’s all about openness and transparency at the outset. That’s the key.”

Companies that deal with personal financial information have even greater duties when it comes to the storage of sensitive documents. Whether an advisor is a sole proprietor or works for the biggest Bay Street firm, Bowman says it’s a legal requirement to have a privacy policy covering issues such as how client information can be safeguarded, how long it should be retained and with whom it can be shared.

“It’s a good policy for companies to do because you can end up going to court to duke it out in the grey areas,” he says. “Privacy for customer information creates a good framework that can be adopted by the employers for the management of the advisor’s personal information in the workplace.”

The recent court decisions suggest a two-pronged process is required if a client wants to claim damages from an advisor: a complaint to the federal privacy commissioner, followed by a lawsuit, Edler says: “[This] might make it more difficult to get financial redress where we’ve been the victim of a privacy breach or somebody who is holding our personal information doesn’t fulfil their obligations under privacy statutes. Now, you have two processes to go through instead of one.”

Bowman says technology is developing so rapidly that it’s only a matter of time until new privacy issues emerge: a person might have their privacy violated with the simple posting of a picture or a comment. And while laptops are already central to privacy issues, soon they will extend to tablet PCs. “An iPad lends itself to personal uses in ways that laptops don’t,” Bowman says. “These issues are going to become more acute as the technology evolves.” IE