Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Case Summary #2009-019

Collection and use of employee’s email deemed acceptable for purposes of investigating breach of agreement

[Principle 4.3; Paragraphs 7(1)(b), 7(2)(d)]

Lessons Learned

  • Even where emails sent or received by employees on an organization’s system are considered to be corporate records, such emails are also the employees’ personal information protected by the Act.  Our Office considers it unacceptable for organizations to monitor employee email without good reason justifiable under the Act.
  • An organization’s accessing and using employee emails would normally require the knowledge and consent of the individual employee.  However, subsections 7(1) and (2) of the Act provide exceptions whereby an organization may collect and use employee emails without the individual’s knowledge and consent where circumstances warrant.
  • Notably, paragraphs 7(1)(b) and 7(2)(d) allow for non-consensual collection and use of personal information, including employee emails, for purposes of investigating a possible breach of an agreement or a contravention of the laws of Canada or a province.

The complainant, an employee of a telecommunications company, alleged that the company had accessed his personal email account during a labour dispute and inappropriately used information obtained from it to support disciplinary actions against him.

The Assistant Commissioner found that the company had been entitled to collect and use the personal information in question without the complainant’s knowledge and consent by virtue of the exceptions in paragraphs 7(1)(b) and 7(2)(d), relating to an investigation of a possible breach of an agreement.

The following is an overview of the investigation and the Assistant Commissioner’s findings.

Summary of Investigation

The complaint stemmed from a meeting at which the company is alleged to have presented the complainant with a copy of an email as evidence that he had been involved in the distribution of the company’s copyrighted material in an online labour union discussion forum.  The company alleged that the complainant had, without authorization, posted content belonging to the company.

The complainant alleged that, on being presented with the email in question by a company investigator, he had recognized it as one he had sent to a third party from his personal email account.  According to the complainant, however, he had been unable to definitively determine its origin because the investigator had hidden the email header.

For its part, the company denied both that its investigator had presented an email to the complainant at the meeting and that it had improperly accessed the complainant’s personal email account.  In fact, the company provided our Office with evidence that the complainant had forwarded emails from his personal account to his corporate account.

The company stated that information available publicly on the forum had led it to believe that the person who had posted the material was an employee who worked in a particular geographical area and whose name had the same initials as the complainant’s.  After narrowing the search, the company reviewed the complainant’s corporate email account, where it found additional supporting evidence.

The company’s corporate security policy states that messages sent by email are the company’s records, that it reserves the right to access and disclose all messages sent over its email system for any purpose, and that it: may also disclose e-mail messages to law enforcement officials without prior notice to the workers who may have sent or received such messages.  The policy further states that company email should be used only for business purposes, must not interfere with normal business activities, must not involve non- job-related solicitation, and must not potentially embarrass the company.

At the end of the meeting in question, the complainant’s immediate supervisor had informed him that he was suspended.

Findings

Issued May 29, 2009

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.  Paragraph 7(1)(b) states that an organization may collect personal information without the knowledge or consent of the individual if it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province.  Paragraph 7(2)(d) states in part that an organization may use personal information without an individual’s consent if the information was collected under paragraph 7(1)(b).

In making her determinations, the Assistant Commissioner deliberated as follows:

  • Despite the complainant’s assertion that the respondent accessed his personal email account, hosted on systems owned and operated by the respondent, there is no evidence to suggest that the complainant’s allegation is true.
  • Rather, the evidence before this Office confirms that the complainant had forwarded emails from his personal account to his corporate account.
  • It is not in dispute that the respondent accessed the complainant’s corporate email account.
  • The respondent has established a policy for the acceptable use of email in the workplace and requires employees to be familiar with the policy by completing an annual security training course.
  • The policy creates an expectation that the respondent will consider messages sent using the respondent’s system as its own records and will reserve the right to access and disclose such messages for any purpose.
  • While the Office is concerned that the respondent’s corporate security policy may not establish adequate parameters for the monitoring of employee emails (it appears to permit the respondent to monitor employee emails without a justifiable reason), the facts of this case reveal that the respondent had a justifiable reason to access the complainant’s corporate email account, namely, for the purpose of investigating a breach of the complainant’s employment agreement.
  • The respondent accessed the complainant’s corporate email account to confirm evidence that suggested the complainant’s involvement in an activity the respondent believed was inconsistent with the complainant’s employment obligations.  The respondent accessed the complainant’s corporate email account only after conducting an external investigation which led the respondent to believe that a person posting material on the Forum was likely an employee, who worked in the same geographical region as the complainant, and had initials corresponding to the complainant’s initials.
  • The respondent’s actions were in response to specific concerns related to an identifiable individual who the respondent felt was using the corporate email system in contravention of an established corporate policy by which employees were required to abide.
  • Absent a legislated exception to the requirement to obtain consent, there is nothing about the employment context that operates to absolve the general obligation under Principle 4.3 of the Act to obtain knowledge and consent before collecting, using or disclosing personal information.
  • In the circumstances of this case, I find that two legislated exceptions to the requirement to obtain consent apply.  In my view, the respondent was entitled to collect the complainant’s personal information pursuant to paragraph 7(1)(b).  With respect to the respondent’s subsequent use of the personal information it obtained about the employee through accessing his corporate account, I am of the view that paragraph 7(2)(d) applies.

Conclusion

The Assistant Commissioner concluded that the complaints were not well-founded.