Melissa Roth
Partner
On-demand webinar
CPD/CLE:
78
Elisa: Good morning, everyone, and thank you for joining us today. I'd like to begin by acknowledging the Indigenous people of all the lands that we are on today. While we meet today on a virtual platform I'd like to take a moment to acknowledge the importance of the lands which we each call home.
My name is Elisa Scali. I'm a partner with Gowling WLG, and I'm a member of the Gowling Employment Labour and Equalities Group, and on behalf of our Employment Labour and Equalities Group I'd like to welcome you today to the fifth webinar of our 2022 webinar series. Today is actually a Part 2 of an earlier webinar that we presented in May on Bill 88, focusing on the requirements of electronic monitoring in Ontario. If you missed Part 1, or any of our previous webinars, they are recorded and you can access those recorded sessions on our web page. The link will be found in the chat today. Back with us again to provide us with an update on Bill 88, and explain what developments have occurred since our last webinar, are Tushar Anandasagar and Melissa Roth. Unfortunately Alycia Riley is unable to be here with us today but she worked very hard on this presentation so we'll miss her today. Melissa and Tushar are members of our Employment Labour and Equalities team and their practice focuses primarily on employment law. Both Tushar and Melissa are located in our Waterloo office.
In addition to our ELE team today we have two very special guests that will be joining us later on in the presentation, Meghan Meade and Jennifer Daniels. Both Meghan and Jennifer are counsel in the United States. There are several States that have enacted monitoring laws and Meghan and Jennifer will be joining us later on today to provide us with some insight on how the laws have affected American employers and what lessons they can offer to us Canadian employers. So please stay tuned for that.
Now before we begin just a few housekeeping items. A copy of this presentation will be made available following this webinar so you will get a copy of the presentation sent to you. This session is also being recorded so you will be able to access the session again at a later date and it will be available on our web page. The Q&A function is open today, so if you do have questions please feel free to add your questions to the Q&A and our speakers today will do their very best to answer your questions, either throughout the presentation or at the end of the presentation. We will be having a Q&A period. So now I'd like to turn it over to Melissa to get us started.
Melissa: Thank you very much, Elisa, and thank you all for being here. We have a fantastic group of people that have joined us. Hopefully we'll provide you with some more information than we did on the first one of this webinar. We're going to do a quick refresher. We're going to start with a quick refresher of what we talked about in Part 1. Then we're going to talk about the requirements that your policies need to have. We're also going to tell you a little bit more about what we know now based on some guidance that the Ministry of Labour has provided us. We're also going to give you best practices on how to finalize your policy, and draft your policy, and then we'll be having our guest speakers, Jennifer and Meghan, to talk to us about what they know about their jurisdictions. At the end we'll have a quick Q&A period. With that, the only thing that I wanted to let you know before I pass it on to Tushar is that, as always, this presentation is not intended as legal advice. If you want specific legal advice please contact your trusted labour and employment lawyers. We would be more than happy to address your specific circumstances with you but today is more of a general information session. Thank you. Tushar, let's get started.
Tushar: Thank you so much, Melissa, and once again thanks, everyone, for joining us this morning from all over the country. Really appreciate you coming out and joining us. So a quick refresher, as promised, on Bill 88. Now we ran a lengthy webinar. It was about an hour and a half. We ran through a couple of virtual scenarios and moved through some of the thought process behind Bill 88. So we can certainly share the link to that webinar replay in the chat.
Just so that everyone is aware we do have more to Bill 88 than the electronic monitoring policy assets. So we're going to move through them very quickly here. The first is the Digital Platform Workers' Rights Act of 2022, the DPWRA, rolls off the tongue. In terms of scope it's applicable to online platforms that allow workers to choose or accept or decline work. So we're talking about ride share, deliveries, couriers and other services. Thank you, Steven. Key rights that are established under the DPWRA include the right to information regarding pay, tips, work assignments and performance ratings. The right to minimum wage for work assignments, earned tips and gratuities. The right to notice of removal and the provision of an explanation. There are record keeping requirements, compliance and enforcement mechanisms and a limitation period of 2 years under the DPWRA. In fact, one strange thing is that there is no actual penalty provision, at least in current law as drafted. The DPWRA, as of today we just checked, is not in force. So we are waiting for a proclamation date still to be announced.
Now the same can be said, I know that this garnered a lot of news coverage when it was first announced in I believe it was March, the Naloxone kit requirements under the Occupational Health and Safety Act. So very quickly, Naloxone, for those that don't know, is a medication that can temporarily relieve or reverse the effects of an opioid overdose and allow time for medical help, first aid, ambulance, etcetera, to arrive. In order to meet these theoretical compliance requirements, again once we have a proclamation date, an employer is required to assess whether or not they fall into a high risk work place category and determine effectively whether a kit is required. What does that entail? There's a procedure. There's maintenance of the kit making sure that it is in good working order. There are training requirements and essentially there are care and custody requirements that would apply with respect to the chain of custody of the kit. So it's not a sort of purchase and forget type of situation. There are specific requirements that apply. Who is this going to affect? According to Provincial news releases, 30% of death of employees due to opioid related causes were in construction sites. Very sad and by far there the highest industry sector affected. So we anticipate that this designation of a high risk sector will affect construction employers. We've also got bars, nightclubs and other similar working environments that are likely going to fall into this category of high risk.
We've also got a couple of changes I'll just breeze through very quickly. 2 year limitation period under the Occupational Health and Safety Act, which brings Ontario in line with Alberta, Nova Scotia and Saskatchewan, and that is 2 years from the date of an issue or incident or charge, to the point in time that the charge can actually be laid. There's a significant increase in time there. We've also got the legislated aggravating factors which relate to sentencing under the Occupational Health and Safety Act. I won't delve into them in detail. I think we'd invite you to review our previous webinar where we went into the nitty gritty for all of these changes. Next slide please, Shannon.
The next one down is the Fair Access to Regulated Professions and Compulsory Trades Act. In essence, we've got a couple of changes that are establishing new timelines within certain regulated professions. There are new requirements that I would say primarily apply to business consultants and IT consultants who meet certain criteria. Again, in the interest of time, we will keep to our focal point today which is the Bill 88 compliance requirements that relate to electronic monitoring policy. So I would invite you to once again review our Part 1 webinar where we went into this in further detail. I will say the same for the Reservist Leave components of the Employment Standards Act 2000. We put a couple of bullet points up there with respect to the Reservist Leave right at the end. We've got employees becoming eligible for Reservist Leave of Absence after 3 consecutive months of employment. We're talking about April 11 of 2022 as the effective date. So our Part 1 webinar goes into the details for all these changes. I will breeze over the next slide please as well, Shannon.
This is the focal point of our Part 2 webinar. We did cover a little bit of the more technical side when we ran our Part 1 but I do think, since we're here, we should review the electronic monitoring policy requirement under Ontario's ESA. So what did Bill 88 do to the ESA? We've got a new section, 41.1.1 subsection (1) of the Employment Standards Act, which effectively calls out that as of January 1 of any given year if an employer has 25 or more employees, that is the threshold, you'll notice that there's a little bit of alignment with the right to disconnect policy threshold in that regard, so there's 25 or more employees on January 1 of a given year. Before March 1 of that year an employer needs to establish a written policy with respect to electronic monitoring. We're going to talk about the actual recipe for the policy in a few slides. If you turn to the scope, this applies to Provincially regulated employers only. So if your business and your employees are subject to the Ontario Employment Standards Act this particular requirement applies to you. It applies to all employees of an employer. Meaning there are no exemptions for the CEO or the mail clerk or the person who's answering the phones at noon, temp employees. There are no exceptions. It applies equally to all employees. In terms of business types as well, there are no exemptions for private sector, for profit, not for profit, etcetera, other than an exemption for Crown employees. There are no specific rules for employer status or industry. It applies across all industries and I will just flag on the one hand that there's an asterisk here. The Province has reserved the ability, in theory, to exempt certain specific businesses, or business functions even, from the electronic monitoring policy requirement. 
So we might see that exercise as we see this development go forward, but at this point in time, there's nothing to suggest that any specific categories or business functions have been included or excluded.
What do we do in terms of coverage for the policy? Employees that are covered by the policy, it needs to apply to all employees in Ontario to whom this particular policy requirement and provision applies. That includes management, executives, shareholders if they are deemed to be employees under the Employment Standards Act. If a policy only applies to some employees, the employer is technically not in compliance with the requirements under the ESA. So for instance, if you have a policy that just applies to sales staff but not managerial staff, you would be in breach of the ESA. This does not, however, mean that the employer is required to have a uniform identical policy for all its employees. The employer can have a single policy that subsets of the policy might apply to different divisions or departments. For instance, you might have a policy requirement that applies in terms of your sales staff, but you might want a different looking policy altogether for an IT professional who would have access to the full scope of all the systems. Next slide please, Shannon.
Let's chat briefly about mandatory inclusions for the purposes of your electronic monitoring policy. First and foremost you need to highlight whether the employer monitors. A description of how and in what circumstances the employer may monitor. The purposes for which that information is obtained and so the information coming through electronic monitoring that might be used by the employer. I would imagine that most employers, because of we're in the age of the internet of things and everything is moving to paperless and whatnot, if you're running email you're doing a form of monitoring, I would imagine. There are ways to capture and obtain breadcrumbs from certain systems, from docking systems, from sales tracking methods, etcetera. There are the more universal types of monitoring that are happening. So I don't believe that a lot of employers are going to fall into the category of I am not actually monitoring and I don't have to disclose this to my staff. I would imagine most, if not all, employers are going to fall into category number one where the employer is actually monitoring. Requirement number two. The date that the policy was prepared and the date any changes were made to the policy. That is, sorry, excuse me, requirement number five, that is something that we need to be mindful of because of the rolling obligation to create this policy as things progress. Then finally, I'll close out, there is the same sort of caveat at bullet point number six there, such other information as may be prescribed. The Province has actually reserved the right to create new policy compliance requirement and alter the recipe on a going forward basis. I'm going to turn it over to Melissa to discuss some recent commentary about the electronic monitoring requirement policy from the Ministry.
Melissa: Thank you, Tushar. While we can now confirm what we had previously advised on Part 1 of this webinar, this ESA requirement does not establish a right for employees not to be electronically monitored by the employer. It does not create any new privacy rights for employees. So similarly to the disconnecting from work amendments that we saw earlier this year, there is no new right established with this requirement. The only thing that this requirement establishes is to have a policy and those certain parameters that Tushar has mentioned with respect to the policy. The requirement is really to be transparent. It wants to get employers being transparent about whether they electronically monitor employees. We know that this has come about due in part to the changes that were brought on by the pandemic, and the fact that a lot of people started working remotely and then hybrid workplaces, and monitoring became a bigger concern. The policy itself can be a stand-alone document or it can be a part of another document. For example, a handbook or an employee manual, or perhaps even a different policy on electronic use. However, given that the policy may need to be produced to prove compliance, you may wish to write it, at least first, as a stand-alone policy. A policy that sets the enforceable rules for employees' use of a network. Then you still have to think about the privacy provisions that you have, for instance, in acceptable use policies and how do they fit in with your new electronic monitoring policies, and perhaps at some point it becomes a single document that can establish the employee's expectation of privacy.
Now what I'd like to do is I'd like to go over each of those requirements for your policy based on the commentary that we've gotten from the Ministry of Labour, and as you will see in this slide and then in the next one, you have the sources from the ESA guide, your guide to the Employment Standards Act online. The next slide tells us the first element of the policy is, as Tushar mentioned, whether the employer engages in electronic monitoring of their employees. So this, again, it means that if we don't engage in electronic monitoring of employees we still have to have a policy. We simply say in that policy that we do not engage in any monitoring. Now, the biggest question still is, what is electronic monitoring? We are told that electronic monitoring includes all forms of employee and assignment employee monitoring that is done electronically. Perhaps a bit circular. Doesn't give us too much. So this is not a great definition. The examples suggest items pertaining to performance and forms of active monitoring. So what we see there on your slide is GPS, electronic sensor tracking, tracking visits of our employees to different websites. The ESA itself does not include a definition of electronic monitoring. This is the first definition we have seen in that regard and it's in the policy and the ESA guide. There's also another document called the Employment Standards Act Interpretation Manual, which is used mostly by lawyers to understand what the ESA means, as well as employment standards officers who guide themselves by that document in making decisions. That document hasn't yet been updated. So since the definition is not pursuant to the statute or regulation, what we see in this ESA guide that we have sourced for you here on this slide, is not legally binding but it's presently the best that we have.
What we have to think about is that the scope of the policy is not limited to just active monitoring, because we need to be safe and we need to err on the side of inclusion, we should also include passive monitoring. Also the scope of the policy is not limited to devices or other electronic equipment that is issued by the employer only. Electronic monitoring that happens while employees are using their own devices needs to be covered as well, if that actually happens, because sometimes we have in a personal device we'll have a personal profile and a work profile, and so if that work profile can be monitored that should be included as well. Also electronic monitoring is not limited to only what happens while employees are at the workplace. It can be also off the workplace. So for instance, if you have an employer provided iPhone and they can use the find my iPhone to track you, presumably not just to track where you are but to track your work related activities. If the employer's electronically monitoring the employee through any kind of device, whether it's personal or for work. It's for work purposes the policy has to capture that. So if we monitor we should say it.
We're going to go over a couple of examples that the Ministry of Labour has provided us as well, as to what it means to have an appropriate policy in certain specific circumstances. The first example that we'll see on the next slide is with respect to GPS monitoring. So we know that we have to include a description of how the employer may electronically monitor employees. There's circumstances in which the employer may electronically monitor the employees and the purposes for which the information obtained will be used. So with that in mind then when we're thinking of, for instance, an employer that tracks an employee's delivery vehicle using GPS, then we need to include a statement that the employer electronically monitors its employees, as we've said from the beginning. That's the first part. Then in terms of the how, for example, it would say the employer monitors the employee's movements by tracking the employee's delivery vehicle from GPS. Then we want to specify the circumstances and that would be, for instance, if the employer monitors the employee's movement in the vehicle for the entire workday, every day, so we don't want to leave the impression that there are certain circumstances where you don't monitor them. For example, if they're on lunch the GPS doesn't deactivate but we just know that, presumably, that's permissible. The purposes for which that information that we obtain, the purposes for which we may use it, so that can be for instance, for setting the route, for safety so that employees don't deviate from the routes, discipline where, for instance, the employee has been untruthful about their whereabouts during working hours. The example provides a very general level of disclosure.
The second example that the Ministry of Labour gives us is an employer who monitors its employees' emails and online chat. Example number two is in the next slide. Again, in this case when we get to the how the employer monitors, then we would say for instance, the employer monitors employees' emails and online chats through a software program created specifically for this purpose. We can see that the Ministry of Labour is not suggesting to us that we have to disclose the name of that software program. That's consistent with the advice that we gave in the first part of this webinar where we said, because for every monitoring software or every monitoring technology, there are people who create anti-monitoring technology or software. We don't want to get into the details of what specific tools we're using. We need to comply with the Act but we don't want to over-disclose. When it comes to this monitoring of emails and chats, then when we get into the circumstances, we would have to say any time that the employee is using a, whether it's a work computer or their personal computer and logs into our VPN, something along those lines. At any time the employee is on emails or online chats. No expectation that you'll be able to send something in an email or a chat that will be considered completely private. Then the purposes for which the information is obtained and, again, the example that they give us is relatively generic and we're talking about evaluating employee performance, ensuring appropriate use of the equipment, ensuring work is being performed during working hours, if that's what you are doing. So we, again, recommend this general level of disclosure unless though you're an employer who does not monitor, because there are a lot of employers out there that say, and want to make it clear to their employees, we're only going to monitor you in these very specific circumstances. Or we barely monitor. 
If you want to give more detail so that in fact the employees know that there is not a lot of monitoring, and you don't want to be perceived as monitoring, then that's when you get into more detail. But we don't want to disclose too much to make ourselves vulnerable to anti-monitoring attacks. With that in mind I'd like to give the microphone back to Tushar so he can tell us a little bit more about the rest of the commentary from the Ministry.
Tushar: Thank you so much, Melissa, and it's great that the Ministry has actually provided examples that line up with our initial predictions back in April and in May and whatnot when we were first reviewing this. It's very interesting. We talked a little bit about their examples but what are the actual restrictions on use of the information that we obtain from electronic monitoring? The key here is that while we do have this policy creation, compliance and the disclosure requirements, the ESA does not actually affect or limit an employer's ability to use the information. It doesn't limit the employer's use of the information to any specific stated purposes. So an employer may create a policy setting out that the information that it collects through electronic monitoring will be used for purposes of monitoring and tracking internet usage and they can use that for the purposes of assessing overall employee productivity. How much time is being spent on Pinterest or you name your website here. If, however, the employer discovers that an employee has been accessing inappropriate websites contrary to company IT policies, the employer can use that information for any reason that it sees fit. So there is a flexibility that's actually baked into the legal requirements as they currently are. The employer can then rely on that information to determine whether or not it needs to discipline, terminate, investigate, etcetera, etcetera, and so forthwith. In terms of practical implications the Ministry's commentary sounds very encouraging but I think, and Melissa you probably would agree with me, employers should still tread cautiously in policy drafting. In our view courts are generally disinclined to enforce a policy against an employee unless there is some form of a disclaimer. So this would be particularly important when we consider electronic monitoring on personal devices, as Melissa had spoken about, used for work related purposes. 
It's possible that an employer may stumble across other forms of employee wrongdoing in electronic monitoring, particularly if we're talking about personal devices, and we cannot always foresee exactly how that may happen. We are currently dealing with these circumstances during the context of the COVID-19 pandemic with a lot of the workforce moving remote. So we've seen case law in several instances that certain forms of monitoring, maintenance, etcetera, are undertaken and then something turns up, inadvertently, as was the case in a hallmark criminal case, R. versus Cole, where a routine update of a computer revealed nude photographs of a teenage student on a teacher's computer. We cannot perceive how these things are going to come out. Sometimes we're just in these circumstances. At a bare minimum, keeping that in mind, we should specify that the employer may rely upon electronic monitoring for performance management purposes, including discipline up to and including termination of employment without pay or pay in lieu of notice. Something to keep in mind. In terms of the unions, the last bullet point on this particular slide, there's a completely separate series of considerations that would apply for unions because there are collective agreement rights, there's arbitral case law, there are statutory compliance requirements that may apply with respect to electronic information under the Labour Relations Act. So we need to keep in mind that while we have a framework that applies in the non-union sector we might have a completely separate set of considerations and a more developed case law, for sure, in a unionized sector. Next slide please, Shannon.
Legal considerations relating to Bill 88. We have to keep in mind that we're dealing with Ontario legislation, specifically, and there was a question in the chat about location and where the employee is located, etcetera. We need to keep in mind that the rights of an employee in the applicable labour and employment rule set is essentially the one that applies where the employee is domiciled in most, if not all, cases. So we've got different sets and different series of considerations for Federal jurisdiction employees. Employees that are domiciled and based in or working in BC, Alberta and Quebec. Each of Quebec, Alberta and BC have private sector privacy legislation that is separate and apart from employment standards legislation. That's a critical difference. It's not baked into their version of the ESA. That private sector privacy legislation regulates employee information. Same said for the Federal sector. Ontario does not have such private sector privacy laws that apply to employees. So if an employer's Federally regulated then their operations are subject to PIPEDA or the applicable public sector statute. The rules that apply in Ontario will not be the same for your operations in other jurisdictions and so we need to keep in mind that Canada's patchwork of privacy laws makes it sometimes difficult for multi-Provincial or national employers to achieve compliance with all relevant legal requirements. Meeting the electronic monitoring compliance requirement here in Ontario may not mean that you're complying with rules that apply in Alberta, BC, Quebec or in any applicable Federal legislation. We'll reiterate our disclaimer at the start. Obtain specific advice about your individual circumstances before pushing out a policy that meets the Ontario compliance requirements to all staff that are located across the country.
The next bullet here is the common law. As we've just mentioned, I've alluded to R. versus Cole, the common law considerations regarding privacy are also different. So since the Supreme Court of Canada recognized a limited employee expectation of privacy in the workplace, again this is back in R. versus Cole, employers should already be stipulating all purposes for which they may access network data, including information in user accounts, maintenance of work, etcetera, so the ability to maintain work, and investigate misconduct, and support the continuity of work is already a requirement under common law. Just want to flag that. All purposes need to be called out to an employee and meeting the minimum requirements under Bill 88, under the ESA, may not meet best practice risk mitigation standards pursuant to the common law when we consider cases like R. versus Cole. Again, obtain specific legal advice.
Contractual rights versus statutory compliance requirements. Be mindful of section 5, subsection (2) of the ESA which deals with the creation of a greater right or benefit. So Bill 88 does not create a legislative right to privacy, as we've already spoken about, and an employer who moves too quickly and establishes a policy that goes way above what is actually required could actually create a contractual right, or at least an expectation of privacy that may severely restrict its ability to monitor. I'll reiterate something that Melissa said earlier, a policy should be designed so that they're open ended and capable of being modified. They should not be set in stone. I will touch upon, briefly, risks associated with over-disclosure. Certain forms of monitoring might be critically important to employer's security protocols. I can think of a number of different sectors; finance, defense and the list goes on, where employers should be sensitive to balancing the need for compliance with these requirements, as opposed to operational and strategic risks in terms of security for the needs of the business. We strongly recommend consulting with your IT department and looping in all relevant stakeholders when you're developing your policy, which we will get into shortly. Next slide, please.
Carve outs and exemptions and gaps in the legislation with respect to Bill 88. The first thing I'll flag, and we've already sort of touched upon this briefly, we certainly covered this in Part 1 webinar so just a very quick discussion point here, the Lieutenant Governor in Council of Ontario can make regulations that provide for certain part of exemptions; the addition of best practices. The creation of protocols such as what we've seen with the Ministry's new guidelines and the provision of best practices and codes of practice for electronic monitoring. Just want to flag that. We could in fact see carve outs of industry sectors, business functions, etcetera, and I will leave that topic for the time being. We had hoped, I think initially, that we would have seen by now a more detailed list of potentially exempt industries or sectors or business functions, such as IT infrastructure or finance, defense, cyber-tech, police. We have not seen such listing or disclosure by the Province as yet and nothing has taken place since March 1 of 2022, despite the enormous amount of public consulting that went into this particular legislation. I will flag as well, again we covered this in our Part 1, that Bill 88 does not differentiate between active versus passive monitoring. So it's evident from the Ministry of Labour examples that active monitoring is encompassed under the policy requirement. So we talked about GPS, Melissa did, recording of meetings and calls, etcetera. Those are clearly going to meet the threshold of employee monitoring and therefore will need to be disclosed. There was already a question in the chat about if I can access this retroactively and I can track an approximated employee's location, etcetera, that to my mind looks like a form of passive monitoring. There is no distinction under Bill 88 between active and passive monitoring. 
The definition within the statute and the guidance from the Ministry of Labour so far, simply state that all forms of employee and assignment employee monitoring that is done electronically could be affected by this policy compliance requirement. Would be affected. If you need to retain for instance, Slack messages or Teams messages, something along those lines, are you really using the system to monitor employees? At this point we can think of a way to say no, but given the compliance requirement and that all types of monitoring are captured, argue is that they need to be disclosed at a high level. What about phone bills and closed captioning that listens to employee calls or tracks the number of calls? Is that monitoring? We would think the answer would be, yes. Consider adopting a stated purposes approach as well for electronic tools, software, etcetera, and we'll discuss this in further detail when we get into the best practices as we sort of unfold.
Finally, we talked about this, I'm not going to go too far into repetition here, we talked about extensive disclosure for purposes of a policy. Loop in your stakeholders. Be mindful that there are specific requirements and there are specific risks that are posed by listing the specific make and model of your software. For instance, the type of anti-virus or security protocol that you're using. The type of VPN that you're using, etcetera. Be mindful that the legislation does not actually require such specific disclosure. It actually allows for some generality and I think as part of that public consultation that went into this, there was a lot of pushback from industry about not being required to list specific make, model, year, etcetera, of your software so that we are not creating a security risk by trying to disclose and advise employees that they're being monitored. Next slide please, Shannon.
A lot of this has already been covered. We're going to try and keep this brief. Again there is no limitation on electronic monitoring. We've included a caveat for unionized employers. We've touched upon that. We had some hypothetical scenarios in our Part 1 webinar that we went through that we would invite you to move through. They're by and large still relevant and still in line with the Ministry's guidance today. We talked about common law as well as statutory privacy rights. Please be mindful of the interactions between common law and statutory privacy rights. If you have any questions on this front please don't hesitate to reach out to us. We'd be happy to connect or your regular Gowling WLG labour employment lawyer. We'd be happy to chat about it. Again, we talked about network security tools. We talked about the risks of over-disclosure. We talked about end points versus network devices. All of this was covered off during our Part 1 and what we can do with the data, and how we can sort of utilize what we need to keep in mind for purposes of the policy, is where we want to focus today. Next slide please, Shannon.
We're going to chat briefly about risks associated with over-disclosure. I think, once again to avoid vulnerabilities, we cannot be too detailed with our policy. Nonetheless we need to anticipate employee questions and be prepared to be transparent. This is more on the practical side. By overcorrecting and disclosing too much that's certainly one aspect, but if an employee is pushing for this information, HR needs to be ready to deal with these particular inquiries and call out the rationale behind potentially withholding some information about the specific monitoring strategies and protocols that we're using. So anticipate the questions is the next one down. The final point that I'll call out here is the asset map and we need to determine how employees are monitored in order to figure out the high-water marks that we need to touch upon and include in our policy. Once we know what our asset map looks like, meaning what devices, what software, which department, what is this being used for, how could we possibly need to use this information, from there we can actually determine how best to deal with this information. How best to call this information out to employees while still meeting the statutory compliance requirements. When we have the asset map in hand it gives you goalposts for purposes of figuring out how to move in terms of next steps. This is also an invitation for your IT division, or other divisions in your company, to root out unmanaged apps and devices which could be creating security risks that you're not aware of. We worked this in a couple of instances with clients and the feedback that they've been providing us so far is that we are finding out certain things about certain apps, because we are actually looking at what is monitoring and figuring out whether it is absolutely essential. Rooting out unmanaged apps is a standup best practice for minimizing the risk of data breaches, security vulnerabilities, ransomware attacks, etcetera. Very helpful.
Now in terms of preparing and finalizing a policy. I'm going to actually turn it back over to Melissa because we've had the benefit of a couple of months since our Part 1 and she's going to walk you through our go to recommendations for drafting.
Melissa: Thank you, Tushar. Now before I get to the policy I want to address a lot of the questions that were coming up in the Q&A, because a lot of them were the same, and I answered some of them but then I told some of you we'll answer this live. A lot of questions about, number one, what is the definition of electronic monitoring? As we noted the ESA does not have a definition. The Ministry of Labour has provided us a very helpful definition that says that electronic monitoring is any kind of monitoring that is done electronically. So that is a lot of circular. Doesn't give us much information. You'll see when we get to our guest speakers. There have been some definitions in the US. Now the reality is that some of the questions that were asked are things that we have considered. So for instance, and the things that appear to cause the most questions are the kinds of passive monitoring that we see. So if your employer has an entry that is key fob entry, and they have the ability at some point to gather a log and see when Tushar came in and when he left, when Melissa came in and when she left, then we believe that that's considered electronic monitoring. You may wish to state in your policy that, for instance, we have certain means of monitoring such as accessing and exiting our offices and that's through electronic key fobs, we do not monitor this on a regular basis but we may access this information to assess performance, to assess attendance at the workplace, or for health and safety purposes. Right? So it doesn't mean that you have to be actively monitoring. We can't be left with the idea that the only thing we have to disclose is if we have an active log that we're looking at every single day. If we're keeping a record that is then able to be pulled and looked at and monitored, for whatever purposes it might be, it is our advice that that should be included. We believe that this is broad enough to include both active and passive monitoring. 
Somebody else asked the question that is interesting and that is beyond the actual specific things that might be done. Like a key fob, or the find my iPhone or the personal and work profile in a personal phone, but this person said there's electronic fingerprints and everything. Search history, transaction logs, user logs. So if we have that, that would be as an employer, anything that you do in your work computer may be monitored, whether it is through the software that is being used or whether it is through a third party, that was another question that was asked. In our view, the purpose of this was being transparent, so if we do have access to that type of monitoring then we should disclose it. I have some clients who say I have absolutely no monitoring at all with employees. Or I have some clients who say I don't monitor anything but I might be able to go into their emails if they're gone for an extended leave. That would be the type of thing that you include in your electronic monitoring policy, if you think that you don't have anything else. But as this person said, about the electronic fingerprints, there's often logs so when you log in and log out. It doesn't have to be your outmost explicit monitoring, for instance, key stroke log reports. There are companies that are able to recreate everything that you typed in the computer. That's very extreme. That's very active. But that will have to be included just as much, in our view, as the passive monitoring.
Now that I've covered that, because we did have a lot of questions on the same thing, I'd like to get into what we need to put in your policy. Before you get started you need to know exactly what your organization is actually doing in terms of monitoring and tracking. You need to think outside the box. With what I just said in mind, keep that in mind when you think, I don't monitor my employees at all. You will have to involve support from IT and security departments, where those departments exist, because obviously they will be able to tell you a lot more easily if there's monitoring that you're not even aware of. Now when you start creating your draft policy we recommend that you include a definition of electronic monitoring in your policy and provide some examples. As we mentioned, employer own their electronic devices, accessories, computer networks, software. We also, as I mentioned just now and that's in the next slide, active and passive monitoring needs to be included. It is unclear whether the ESA is intended to capture both but we should assume both to err on the side of caution. I'll give you some more examples of basic activities, for example. Email; internet; chat monitor; GPS on vehicles; key cards; key fobs; badge swipes to track who's coming into the office; telephone monitoring in call centers; calls being recorded; video surveillance; cameras that are in certain areas of the workplace; tools that are used to determine work attendance; other activities, for instance, performance monitoring; tracking an activity in a computer; measuring the number of defects in the work performance; keystroke log reports, as I mentioned; biometrics, which is your face recognition or fingerprints that are being used. Then there's also for cause monitoring. So those are the types of things that you'll want to include in your policy.
For cause monitoring would be monitoring that is following a complaint or where you have reasonable grounds to suspect an employee is breaching their obligations or breaching your policies. You want to define the purpose of the monitoring and how it can be used. So practically speaking it may be easiest to define the purposes as a group of purposes, rather than trying to list each purpose under each form of monitoring use. We believe that will still be compliant and you may, as Tushar said, you may need to answer some questions of the employees when they're asking you, you have all of these general statements, what are you using? For instance, my key fob logs, are you using them for this, or for performance, for attendance? Are you checking my hours? It may not necessarily be advisable for all situations but you may not want to get into each purpose for each specific type of monitoring that you do.
Continuing on with best practices for drafting your policy, your policy has to have a defined scope, as it's noted in the next slide. If you have across Canada operations, like Tushar mentioned, you'll have to ask yourself, is this something that is going to be a Canada wide policy or is it only going to be Ontario? Because if you're going to include other Provinces you have privacy legislation that applies to the private sector in some of them, like Tushar mentioned, BC, Alberta and Quebec. So we have requirements for obtaining employee consent, for instance sometimes, when collecting, using and disclosing personal information. There may be an exception that applies to information that is collected only to manage the employment relationship. You're going to have to be conscious of that if you're going to make your policy apply Canada wide. Bill 88 does not require consent. As we noted from the beginning there is no right to not be monitored or a right to complain about the monitoring that your employer is undertaking. Bill 88 does not require any consent; it only requires disclosure. So if you make this a Canada wide policy it will not absolve you of any other privacy requirements that are in those Provinces but similarly you may not want to obtain employee consent in Ontario with respect to this policy. So you'll have to really consider it. Lastly, remember it applies to all employees, regardless of their work setup. Whether they're in the office. Whether they're remote or they're hybrid and everyone is included in the count. Some trainees are included. Some officers of the corporation. Officers of the corporation who perform work or supply services are also included. There is a very broad definition.
Now you'll see in the slides that there's a question mark about temporary assignment employees or temporary help agencies. Tushar might have mentioned but I'll go over it quickly. Assignment employees are employees of the agency and are included in their count. However, where the employer is required to have a written policy in place, the policy must also apply to all assignment employees who are assigned to perform work for that employer in Ontario. Assignment employees don't have to be addressed separately in the policy but it has to apply to them. So if an assignment employee's assigned to perform work for an employer in a role that is not covered, or not otherwise addressed in the policy, then the employer would need to amend the policy to address the work being done by that assignment employee. An explanation of who, like which levels of employees or departments can review the information collected. When we have it, it's also important because that allows for the sense of increased employee morale. Not everyone is going to be, okay my employer is monitoring but not everyone is going to be looking at this information. So we want to say who can review this and when. Is it going to be in isolated instances? This again goes to the questions that we were receiving in the Q&A, there may be situations where only we review the information in isolated instances. If there is an investigation, for instance, with respect to those electronic fingerprints or if there is an issue with respect to attendance or safety or where is this information is being reviewed on an ongoing basis. So that's the type of thing that you'll want to include. Not necessarily because it is required under the ESA but because it is required to maintain a healthy work environment and good employee morale. We also want to have enforcement mechanisms and disciplinary measures.
If you want to rely on this policy as grounds for discipline you're going to have to say so, and you also want to make sure that you have provisions in there with respect to no reprisal for trying to enforce the policy, because at the end of the day this is still part of the ESA and is still a requirement that deserves the protection of the ESA with respect to enforcing your rights to that too. The policy does not create new rights but you also have to be very careful that when you're drafting your policy you're not creating new rights, as we noted prior to this with the disconnecting from work policy. There can be ways where you end up creating new rights. You've got to make sure that you contact your counsel to make sure that that's not happening.
The last slide with respect to drafting your policy. You want to make sure that you reserve your discretion to amend or change the policy. You want to be able to implement changes to the policy or get rid of the policy if the ESA changes and you no longer require it. You have to have your date of publishing and then data provisions, like you would have in any other policy. There has to be some ongoing assessments. You want to let them know where questions can be directed and you want to make sure that you have an employee acknowledgment. Employees have to receive the policy, and be trained on the policy, and have the ability to ask questions, especially if once again we want to rely on the policy for any kind of discipline. We want to question ourselves. Do we want to include a reference to the policy in our employment agreements? If we're an employer who consistently has more than 25 employees we could, just like we do with sometimes the poster that needs to be given as part of the ESA, we may want to include these policies as an acknowledgement that you received a copy of your policy. It is very crucial that your management, IT and security departments be aware of the existence of this policy. Any new forms of monitoring will likely necessitate a change in the policy. So they need to actually let you know if there's going to be any such changes. That way you can ensure that your policy is updated as it needs to be. It can also include a provision that specifies the employer's right to change the form of monitoring. For instance, we monitor your performance and reserve the right to use whichever software would be appropriate to do so. At this point we believe all of this would be compliant.
The last step is providing copies of the policy. We have new guidance from the Ministry of Labour on how we provide these copies. Print it, attachment to an email or a link to a document if the employee has the opportunity to access the document and the printer, and they know how to use the computer and the printer. The copies need to be provided to each employee. Existing employees have to be given a copy within 30 days from the day the employer is required to have the policy in place, which would be 30 days from October 11, or if an existing policy is changed within 30 days of the changes. October 11, for those who had 25 employees on January 1 of this year. For new employees who have been given the policy within 30 days of the date the employee becomes an employee, or within 30 days that the employer's required to have a policy, and for temp help agency employees, an employer that is a client of a help agency must provide their assignment employee a copy of the policy within 24 hours of the start of the assignment, or within 30 days from the date the employer's required to have the policy in place, whichever is later. When it comes to complaints and enforcement mechanisms, well we can confirm that very much as with the disconnecting from work policy, the ESA rights to complain and enforcement are very limited. There is nothing prohibiting an employer from engaging in monitoring the employees. They just need to be up front about it. The legislation only allows certain types of complaints, and essentially those complaints are making sure that the employer has the policy in place, and has complied with their requirements to present the policy, and has the specific content of the policy. So it's very clear that a complaint under the ESA alleging a contravention of the section dealing with electronic monitoring, which Tushar said is quoting 41.1.1, is only with respect to the subsections (3), (4) and (5).
Meaning a person cannot file a complaint alleging a contravention of any other provision or alleging contravention of the ESA because a certain type of monitoring was not listed, for instance. As long as we have the policy and we include the how, the purposes and the circumstances, and how the information is going to be used, then we just have to provide the policy to the Ministry of Labour to prove compliance.
Lastly, record keeping. Employers have to retain a copy of every written policy in electronic monitoring that was required by the ESA for 3 years after the policy is no longer in effect. We know what to do. We have policies now. We know how to provide them for employees and we need to maintain records. We have given you everything we can with respect to Ontario and we've provided you with as much guidance as we can. Now what we would like to do is we would like to hear from our guest speakers. But once again, as Elisa mentioned at the beginning of this webinar, Alycia would have been here with us presenting on this, and we want to thank you Alycia for the work that she put onto this webinar and we are sorry that you couldn't be here today.
Now it is my pleasure to introduce our guest speakers. We'll start with Jennifer Daniels. She's a partner in the Privacy, Security and Data Protection Group at Blank Rome LLP. She represents clients on privacy and security issues in the United States, Europe and around the world on data protection laws. For the past 20 years Jennifer has counselled clients including Global Fortune 100 companies. She has extensive experience advising clients and responding to data security breaches, including working with law enforcement and forensic investigators and addressing legal and contractual obligations. Jennifer is a frequent speaker on issues related to privacy and security as well as on topics related to consumer protection matters. In her spare time she loves entertaining family and friends and she enjoys travelling to places off the beaten path. Thank you, Jennifer, for being here. Now, our second guest speaker, and the first one who will chat with you about her jurisdiction is, Meghan. Meghan is a lawyer at K&L Gates in the firm's New York office. Meghan represents management in employment related litigation, including defense against Federal and State law claims of employment discrimination, retaliation, whistleblowing, wage and hour disputes, employment contracts, misappropriation of trade secrets, and fair competition and non-competition, and non-disclosure agreements. She works with compliance with Federal, State and local anti-discrimination laws, wage and hour laws, and implementation of workplace policies and employee handbooks, and labour and employment issues related to mergers and acquisitions. Meghan represents clients in a range of industries including healthcare, technology and real estate. Meghan was a 2018 and 2019 New Jersey Super Lawyer Rising Stars, so thank you, Meghan, and without further ado I will let you all hear from Meghan now.
Meghan: Thank you so much, Melissa, for that introduction. Good morning, everybody. I am pleased to report that the New York version of employee electronic monitoring law is far more straightforward and simple than what is happening in Canada. It is very much not a heavy lift in terms of what New York is requiring employers to do. A little background. It started out as an amendment to the New York State civil rights law that was signed back in November of 2021. It officially went into effect May 7 of 2022. It really does not require a whole lot. Beyond updating perhaps a handbook that already exists and adding one more notice to new hires, to what is already a very lengthy list of paperwork that has to be handed to new hires in New York as it is. So generally the law applies to all New York employers, all private New York employers. It is defined as all private employers who have a New York place of business. In this instance, which is a little bit different for New York, there's no size requirement. A lot of the New York State and City laws have employee size requirements before they go into effect but this applies to everybody. Like many laws in New York these days, or over the past couple of years, it's a little vague as to what New York place of business is going to mean, especially with its remote workforces. It could likely refer to any remote worker who lives in New York. It could also refer to a remote worker who was officially assigned to the New York location, even though that remote worker perhaps lives in Connecticut. Because this isn't asking a lot initially of employers it's best to just assume that it applies to any remote worker who either lives in New York, or could be understood to be assigned to a New York location, because it's really just updating policies so err on the side of inclusion when it comes to remote workers. Very generally it applies to all employers who monitor or otherwise intercept phone calls, emails and internet usage.
They drilled down that's really what this comes down to. It applies regardless of whether the company is asking employees to use company issued equipment, or if they have a bring your own device policy, it applies equally. Even if you have employees who are putting work emails on their personal iPhones, if those emails are going to be monitored through the system on the personal phone, the notice requirement is still applicable.
So what does monitor intercept mean? It likely means real time monitoring or interception. It probably does not extend to more of a post-hoc review of stored emails or voice mails, as you often come across in terms of litigation. It probably does not apply to that. It's not specifically defined in the New York law. But in other circumstances New York courts have looked to the Federal wire tapping legislation and the way that definition has been played out, it suggests real time monitoring, real time intercepting. Again though, I'm going to say this 8 million more times, because it's not a heavy lift just put it in your handbook. No matter how your systems work it doesn't require a whole lot beyond just adding a little paragraph to your handbook that already exists. What it does not apply to is any sort of processing or security system. If you have something in place that basically is going to down spam or whatever, showing how little I understand how technology works, but however it works so that you can only send and receive certain volumes of emails or voice mails, those sorts of processes are not going to be impacted because those are just for the maintenance of the integrity of security of the company's electronic systems. That's implicated by this. It also doesn't apply to any sort of monitoring or intercepting that's not actually targeted at an individual employee. Same idea. Any sort of monitoring to remove spam, that's my easiest example, because that's not looking at a particular employee's activity or communications. That's not going to get covered by this law.
It also is limited to electronic communications. It's not going to cover like video surveillance cameras. It doesn't cover whatever system you use to track people coming and going in and out of the building. It wouldn't cover whatever system you might have to track company equipment in terms of vehicle fleets. So if you have tracking systems on the trucks that you use, that's not implicated by this law. It also excludes, as I said, anything that's for system maintenance or protection. So that's something called data loss prevention software. I don't know how that works. I think it is malware. I'm really showing how little I know about this but anything that your IT systems have in place to, again, keep your information secure and operating properly is not covered by this. It's outside the purview. It has to be specific, likely real time monitoring, or intercepting communications to/from individual employees.
What does the law actually require? It's just two things. The first one is to post a notice that employees are subject to electronic monitoring in a conspicuous place. Any New York based employer will already have a conspicuous place set up. It could be, again, one of several, several posters that have to be posted. It's the lunchroom, coffee room, etcetera, where people are going to be coming and going, next to all the other posters. It also requires obtaining a written acknowledgement from every new hire upon hire. One thing to keep in mind, though this is probably not relevant in … in September, but it did not apply to current employees. So employers do not have to go back and obtain written authorization from all of the employees who were already there. It's just on a forward going basis. When you actually on board somebody you have to provide them a written copy of your notice explaining that you do engage in electronic monitoring and then we get their written acknowledgement in response. Both of those things can be done electronically. You can send them an email attaching the form and they can acknowledge it back through DocuSign, etcetera. It doesn't have to be in an actual physical hard copy.
What does the law have to say? It must advise that any and all telephone conversations or transmissions, electronic mail or transmissions or internet access usage by an employee, by an electronic device or system, including but not limited to use of a computer, telephone, wire, radio, electromagnetic, photo-electronic or photo-optical systems, may be subject to monitoring at any and all times, by any lawful means. What I'm reading is directly out of the statute itself. So what this notice has to say is taking that paragraph, cut and pasting it into whatever sort of IT or systems policy you have in place already, putting it into a document that requires a signed acknowledgment at the bottom and that's pretty much it. At this point in time, considering most workplaces are all electronic at this point, very few employers I'm assuming, are operating with hard copy systems and because so many people are remote most employers probably already have these policies in place. Most employers probably already let their employees know that they are monitoring their access and that they should have no expectation of privacy in anything that's sent over the system. So it really is just a slight tweak of a policy to make sure the specific paragraph that I just read out from the statute is now in there and then adding the signature line. Of course you're always permitted to develop a more elaborate policy if you'd like. You can be more specific. You can say exactly which systems are being monitored and for what reason. Like what you would be looking for. If that is what you would like to provide your employees, that is fine. There is no reason to other than wanting to appear more transparent. Of course if you do that then it will limit what you were able to monitor, because it will have to be then applied consistently in accordance with your policy, and apply consistently across all employees. So the more details you give, the more you sort of hamstring yourself. 
Of course, with every policy in New York, it does have to be uniformly applied across all employees unless you can provide some sort of legitimate business reason as to why a certain employee was subjected to a more severe level of monitoring. I don't recommend doing that at all. It opens up a can of worms every time.
The important take away though, however, is that there is no private right of action under this statute. So employees cannot sue employers directly for not posting in a conspicuous place, for not getting written authorization upon hire. The Attorney General is charged with enforcing this particular law. It is a $500.00 penalty for the first offense. $1,000.00 for subsequent and then $3,000.00 for third and subsequent offences. It remains to be seen how employers who are not in compliance will get on the Attorney General's plate. Obviously there's always an option for employees to report violations or non-compliance. So we'll just sort of wait and see how motivated either of the Attorney General or employees are in terms of this law. It's been in effect since May and I have to say it has required very little in terms of counselling employer clients. Most people already had something like this in place. It was more of a check that box and going forward make sure your new hiring on boarding packages are up to date. That's it for New York and I think I'm turning it over to Jennifer.
Melissa: Thank you.
Jennifer: Great. Hi, I'm Jen Daniels. So along the lines of what Meghan was just explaining, the law in the United States, there have been laws around for a while now in addition to these specific laws that are specific to employer electronic monitoring. Most employers, I would say in the United States, have had policies for some time because of other laws that exist that impact how they monitor their employees. So here in the US, like all things privacy, the law is a patchwork of Federal and State law, statutory and common law and what tends to rise to the top, in terms of what needs to be complied with, are the laws that are enforced or that have a private right of action. Mostly laws that have a private right of action are the ones that folks focus on because employees bring claims, or in some cases where AGs are well funded to enforce laws like certain privacy laws in California and whatnot, you'll see much more activity and therefore people putting in place more detailed policies.
So here, in the Federal law, the Federal Wiretap Act and Stored Communications Act are the ones that kind of most impact employee monitoring and there is a private right of action. The Wiretap Act prohibits live real time interception of electronic communications in the United States. That's telephone, email, text message, internet chats. What's considered an interception is not really settled law but basically the distinction is between kind of a real time collection of information from a transmission versus accessing stored emails and electronic records. The stored communications are covered by a certain communication act, which I'll mention in a second, but the Wiretap Act requires consent from the employee in order to intercept the contents of an email or a text message or a telephone call. Generally, implied consent is acceptable which generally we would recommend a clear policy that explains what kinds of communications are being intercepted, under what circumstances and then explaining that by using company equipment you're consenting to that monitoring. The Stored Communications Act is, again, a Federal law that protects communication records that are in storage and may be intended to be private. The law has been interpreted to say that employers that access stored communications on employer systems and employer email services have to disclose that they do that to their employees. Again, that's generally done through a policy. If you are accessing personal emails on employer systems, or personal systems, we recommend that you get permission to do that. You would actually get a sign off on the policy explaining that you would be accessing those communications.
Then in addition to those Federal laws, there are also State wiretapping laws and note that in some States you have to have permission from both individuals to a conversation in order to intercept a communication. So you have to consider the person who's sending the email, or receiving the email, the other party to the email in addition to the employee. In there like the definition of an employee doesn't matter in wiretap cases because it could be an independent contractor, it could be a temp worker, anybody that you're intercepting a communication from, conceivably, could be covered by these Wiretap Acts. Then in a layer on top of that there are all these comprehensive privacy laws in the United States now. In some States, California, Virginia, Colorado, Connecticut, Utah have laws that have been passed. Only California has a law that applies to employee information. In there you have to provide a notice of how you use employee personal information. So you would have to consider that also if you're doing electronic monitoring. You'd have to cover that in your policy. State common law is one of, again another thing to be paid attention to, invasion of privacy type claims. Generally, an employee's ability to sustain an invasion of privacy claim is very fact specific when it comes to employer monitoring, and focus is on expectation of privacy in the particular circumstance that you're monitoring, and whether you have a legitimate business interest in the monitoring. There's like a weighing. Again, we recommend that policies explain exactly what you're doing, why you do it, because in terms of commenting any common law claims but also for employee morale and things like that, explaining why you're engaging in the monitoring, why it makes sense is important in those policies and also so you can kind of show that weighing of the balance of expectation of privacy versus legitimate business interest.
Important also to focus on laws that are specific to biometric information collection. Handprints, face scans, fingerprints. A lot of employers use those types of biometric systems for checking in/checking out of work every day and walking into the office. In Illinois you may have heard in the United States there is a private right of action under the Illinois Biometric Information Privacy Act and that has generated a ton of litigation in Illinois. So be careful of laws that are specific to biometric and GPS tracking. Kind of layered on top of all this. Next slide. Can you go to the next slide?
So Connecticut does have a specific law on employee monitoring. It is, as Meghan said with New York, these laws because there's no private right of action, they don't get a lot of play but you do have to have a notice posted in a conspicuous place in Connecticut regarding your employee monitoring so that employees can see it. You can go to the next slide. It does define electronic monitoring in the Connecticut law. It is the collection of information on an employer's premises, concerning employees' activities or communications by any means other than by direct observation. It includes computer, telephone, wire, radio, camera. There are some exceptions for security purposes in common areas but generally any kind of electronic monitoring, and has been said about the Canadian law, pretty much everybody engages in some kind of electronic monitoring now or may at some point want to be able to access records that they've stored and things like that. So we would recommend providing this narrative pretty much across the board. Employees are anybody who performs services for an employer in a business. If the employer has the right to control and direct the person as to the result to be accomplished by the services, and the details and means of such result is accomplished. So that's similar in a lot of ways to the way that you kind of distinguish independent contractors and employees in a lot of circumstances but it's helpful that you have a definition in Connecticut. But the only obligation in Connecticut is to post this very simple notice and the Department of Labour, in Connecticut, provides a sample of what the notice has to look like and it's very, very basic. Again, not a heavy lift in Connecticut. Next slide.
Delaware prohibits monitoring or intercepting any telephone, email or internet transmission, or access or usage unless the employee either gets daily notice of the monitoring or a one time notice that they acknowledge. That's an option. You can either provide that every day or you can provide a one time notice to the employee when they start and have them acknowledge it. I wanted to just, real quick, mention a case in Georgia that just happened this summer where an employer fired an employee, and the employee brought suit against the employer in Georgia, because the employee was apparently forwarding a bunch of private company information to his personal email account. The employer accessed that personal email account. Deleted the emails and also changed the employee's password to his personal email account so that he couldn't get in and access those emails. The court originally gave summary judgment to the employer and then the Georgia Court of Appeals overturned that and said that there were material issues of fact as to whether or not the employee ever saw the handbook that told him that his personal emails may be monitored, and then also there were issues about whether or not there was unauthorized access to the personal email account. Anyway, lesson there is have a clear policy. Have your employees sign it so you can prove that they saw it, and also have people who are trained actually investigate these things so that they know what to do when they need to look at somebody's emails, and they don't do stupid things like delete the emails in their personal email account. Anyway, lessons learned. I know we're running short on time so I just wanted to mention that.
Melissa: Thank you, Jennifer, and thank you, Meghan. I think a lot of the questions that we had in the Q&A have been answered and have been addressed by all of us. The only thing, I know we have 2 minutes left, but if we can take 30 seconds from either Jennifer or Meghan to give their thoughts. One question that kept on coming up was, you're advising us to disclose passive monitoring. That is, to use Meghan's example, it's not something that is monitored or intercepted, but that the records could be there. Your advice throughout has been err on the side of caution. If you have anything to add to that, Jennifer and Meghan, from your experience, please do so.
Jennifer: Real quick. My advice is to err on the side of caution in any law in the United States that allows for a private right of action, here in the US. In Ontario it may be different but I will tell you right now the wiretap laws that have this interception language are what are being used in the US to bring suits against Google for online tracking of advertising. Again, those are situations where you're just grabbing the information from the transmission. It's hard to say whether they're actually being kind of analyzed in real time. But those are the laws that people are suing under because they can. So I would just caution that there are private rights of action. Err on the side of caution.
Melissa: Thank you.
Meghan: I would just add there shouldn't be huge downside to advising employees ahead of time that their communications may be monitored. I think most employees expect that and it does not kind of reinforce to them the idea that what you exchange and put on your employer's systems does not belong to you. That can also come up often. I just dealt with this with another client where someone was terminated and she made a huge fuss because she had attorney privilege information saved on her desktop, saved on her email, and it turned into a whole fight. But at the end of the day we were able to say, listen you got a policy that very clearly said don't do this. Don't put it on our systems. We did not invade her privilege but she didn't have the right to then say that she could keep her laptop, or etcetera, because it was very clearly communicated that everything you do on your work laptop, and on your work email, is ours. It's not yours. So this is just one more thing to sort of reinforce that, that if you don't want us looking at it, do it at home. That's how this goes.
Melissa: Thank you.
Tushar: We do have one comment. One Q&A. Final question to find me. I know we're just over time. We've actually developed a policy package. Melissa, maybe we could just touch upon this very briefly. Elisa, you as well. We developed a policy package as we did with the right to disconnect. We're in the process of finalizing and it's soon to be posted on our website, I understand, and we're basically making recommendations, assisting employers with developing your asset map, working between your different divisions/departments and making sure that you're taking into account all the relevant considerations as you design and draft your policy.
Melissa: The policy package is a checklist and a sample policy. That if you use that sample policy and complete your forms of monitoring that, in our view, should be compliant with ESA so that's available for sale. Please do not hesitate to contact any of the Gowling ELE lawyers for a copy of this policy and checklist.
Elisa: Thank you so much to all of our speakers today. That was very informative. It was great to get an update because I know when we had Part 1 we had limited information so it's good to have some more information. I'd like to just say a special thank you to our guests from the US, Jennifer and Meghan. Thank you so much for your insightful comments. We appreciate that you took time out of your busy day to be with us today. So thank you. Now, just a few points. We have a web page dedicated to employment law so if you'd like to access that page, we have the link up in the presentation which, again, you will be receiving after this webinar concludes. So you can access that. It has a lot of information on employment law that you may find helpful. Part 1, we've mentioned of this webinar, the recorded session is available also. If you access our webpage you'll find the link there. This session will also be posted after this webinar today so if you want to review it again, you will be able to access this session, as well as our previous sessions will be also linked on our webpage. We have another session coming up on October 25. That session will be on workplace investigations and we hope you'll be able to join us for that session. Before you go today, I know everyone's busy, but if you could take a few moments to complete our survey. Your feedback is important to us. So if you just hold up your phone to the screen and take a snapshot of that QR code it will forward you to our survey. So I'd like to wish everybody a great day. It's rainy here in Ottawa but hopefully it's sunny where you are. Enjoy your day. Thank you.
Melissa: Thank you, everyone.
Bill 88 amended Ontario's Employment Standards Act, 2000 to include a new obligation for many Ontario employers to have a written "electronic monitoring" policy in place by October 11, 2022.
This webinar is Part 2 of our series on Bill 88 and electronic monitoring. Our team of lawyers explain what developments have occurred since our first webinar was held in May 2022. Our team also share their insights and best practices on how employers can develop and draft electronic monitoring policies to achieve ESA compliance, while balancing business needs such as maintaining flexibility and security.
You will also hear from special guest speakers in the United States about several states that have already enacted employee monitoring laws, how those laws have affected American employers, and what lessons they offer to Canadian employers.
This on-demand webinar is part of our Employment, Labour & Equalities Law Webinar Series.