Employment Law Implications

Cloud Computing

Peter C. Straszynski

416-777-5447

pstraszynski@torkinmanes.com

LEXPERT Cloud Computing Conference 2013

November 28, 2013, Toronto

The “Cloud”

Q: When is an employer operating in the “Cloud”?

According to the Office of the Privacy Commissioner of Canada (“OPC”) “Cloud Computing” involves: “the delivery of computing services over the internet…. for data

processing, storage and backup, to facilitate productivity, for accounting services, for communications, or for customer service or support”

According to Wikipedia, the “Cloud” is made up of: “technologies that provide computation, software, data access and

storage services that do not require end-user knowledge of the physical location and configuration of the system that delivers the services”

The “Cloud”

A: If employees are using applications or systems that store, manage or move information using servers not owned by the employer, not on employer premises or part of employer’s network, they are operating in the “Cloud”

Common Examples: Gmail (or any other web-based mail service provider) External Storage of data/documents External backup External mail screener Facebook LinkedIn

Employment Law Implications

Cloud Computing and Workplace Issues

1. Practical HR Uses of the Cloud Including the storage of “personnel” information

2. Other Uses of Cloud-based Applications Social Media Hybrid Personal and Business Use BYOD

3. Best Practices Education Contracts and policies

Practical HR Uses of the Cloud

HR in the Cloud

Payroll accounting

Storage and management of HR “work product” or data manuals, policies, forms

Storage and management of “personnel” files and information

Storage of medical information

Practical HR Uses of the Cloud

Benefits Cost savings Reduced infrastructure Universal and centralized accessibility Consistency of product

Risks Security of data/information Accessibility of data/information Ownership issues

Storage and Management of Personnel Information

Employers routinely store personal and (sometimes) confidential health information about their employees

The Cloud permits remote storage and movement of this information anywhere in the world

Q: Restrictions or risks ?

Limited number of jurisdictions have enacted “anti-export” legislation… Ontario has not… At least not yet

Foreign laws and rules may affect access to and ownership of information

Storage and Management of Personnel Information

Employment Standards Act, 2000 (ESA)

Availability

16.  An employer shall ensure that all of the records and documents required to be retained under sections 15 and 15.1 are readily available for inspection as required by an employment standards officer, even if the employer has arranged for another person to retain them. 2000, c. 41, s. 16; 2004, c. 21, s. 3

Storage and Management of Personnel Information

Personal Information Protection and Electronic Documents Act (PIPEDA)

The Federal statute does not apply to “personal information” collected, stored or used by an employer about its employees, unless:

The employer is federally regulated, or

The province has enacted its own privacy statute

Storage and Management of Personnel Information

Personal Health Information Protection Act (PHIPA) 10.  (1)  A health information custodian that has custody

or control of personal health information shall have in place information practices that comply with the requirements of this Act and its regulations. 2004, c. 3, Sched. A, s. 10 (1).

Duty to follow practices (2)  A health information custodian shall comply with its

information practices. 2004, c. 3, Sched. A, s. 10 (2).

Storage and Management of Personnel Information

Use of electronic means (3)  A health information custodian that uses electronic means

to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any. 2004, c. 3, Sched. A, s. 10 (3).

Providers to custodians (4)  A person who provides goods or services for the purpose of

enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any. 2004, c. 3, Sched. A, s. 10 (4).

Storage and Management of Personnel Information

Preventing Loss/Unwanted Disclosure

Ensure Reliability of service provider Adequate security measures/assurances

Educate employees Nature of Cloud Computing Confidentiality Issues Privacy Issues

Limit Access To information To the systems or applications themselves

Other Uses of Cloud-based Applications in the Workplace

Some basic facts about Social Media 1 out of every 5 online minutes worldwide is spent

accessing social media Top 3: Facebook, Twitter, LinkedIn Facebook remains the most popular

1 out of every 7 minutes of online time worldwide LinkedIn is the most used for “business/networking”

purposes Whether employers like/authorize it or not, their

employees are in the Cloud

Other Uses of Cloud-based Applications in the Workplace

Legitimate Workplace Uses

Marketing Increasing recognition Building brand image

Customer Satisfaction Receiving customer feedback Dealing with costumer complaints

Reducing cost of service Business retention and acquisition

Other Uses of Cloud-based Applications in the Workplace

Employee Duties and Responsibilities

Confidentiality

Avoidance of Conflict of Interest

Statutory compliance: Human Rights Code; PIPEDA, PHIPA

Express contractual duties

Other Uses of Cloud-based Applications in the Workplace

Potential Risks and Employer Exposure

Damage to Employer reputation or image

Defamation of 3rd parties

Breach of Human Rights legislation

Breach of Privacy Legislation

Breach of Health Information legislation (PHIPA)

Breach of Common Law Privacy Rights (Jones v. Tsige)

Other Uses of Cloud-based Applications in the Workplace

Vicarious Liability

Employers are vicariously liable for the tortious acts of their employees performed “in the course of employment”

Employees can act in the course of employment while away from work and off of work time

Is there a s sufficient “nexus”?

Other Uses of Cloud-based Applications in the Workplace

Employer Strategies

Respond to Inaccurate or Inappropriate Information

Restrict Use or Content

Impose Discipline

Monitor Usage Subject to privacy expectations

R. v. COLE

Other Uses of Cloud-based Applications in the Workplace

R. v COLE

Reasonable Expectation of Privacy Exists Where:

Exclusive use of hardware

Permitted personal use

Password protection

No express search policy

No express privacy warning

Hybrid Uses

Mixed or “mingled” personal and business usage

LinkedIn is leading example of mixed personal and professional/business marketing

Many employers do not even consider it until termination of relationship

Who has property in a LinkedIn or Twitter Account that is used to generate business?

Typical IP rules may or may not apply in determining property in these types of accounts

Can determine issue ahead of time with effective employment contracts

BYOD

“Bring Your Own Device” Permission, Encouragement or Requirement that

employees use personal devices at/for their work Laptops, Tablets, Smartphones 54% of employers report majority of employees use

smartphones for work email, documents, calendars 33% report use of tablets for more “advanced”

purposes like CRM, project management, financial data analysis

BYOD

Benefits of BYOD Reduced cost of hardware Employee engagement and retention Increased productivity and collaboration

Risks Confidentiality

Danger of the “Drop-Box”

Access to hardware/Monitoring Use Privacy Expectations

Can be lowered but not eliminated

Best Practices

Education

Educate employees on the nature of Cloud Computing

Educate employees on dangers and associated risks

Educate employees on service provider terms of use

Have employees sign off acknowledging training

Best Practices

Effective Contracts and Policies

Contracts should:

Include confidentiality provisions prohibiting disclosure or use of specified information

Include reference to relevant policies governing communications, BYOD, use of internet and social media in the workplace, protection of personal privacy, personal and health information

Specify that breach can result in termination for cause Identify and clearly articulate issues (assignment?) of “property”

in Cloud-based applications or information

Best PracticesEffective Contracts and Policies

Policies must:

Adequately set out all terms of BYOD and permissible use of Cloud-based applications in the workplace or for work purposes

Describe uses of internet and social media that are permitted and those that are forbidden

Make clear that even personal use of internet/social media will be subject to employer monitoring and scrutiny if connected to workplace in any way

Explain that employees should have no “expectation of privacy” in their use of employer business tools, including network, internet, email, use of social media, despite passwords, private content, etc…

Best Practices

Effective Contracts and Policies

Policies must:

Explain that communications at work may be monitored at any time

State that breaches will be subject to discipline up to and including termination for cause

Require employees to sign as having “received, read and understood”

Be consistently enforced

Torkin Manes LLP151 Yonge Street, Suite 1500Toronto, ON M5C 2W7www.torkinmanes.com

Peter C. Straszynski

416-777-5447

pstraszynski@torkinmanes.com