employment law implications
Post on 24-Feb-2016
39 Views
Preview:
DESCRIPTION
TRANSCRIPT
Employment Law Implications
Cloud Computing
Peter C. Straszynski416-777-5447pstraszynski@torkinmanes.com
LEXPERT Cloud Computing Conference 2013November 28, 2013, Toronto
The “Cloud”Q: When is an employer operating in the “Cloud”?
According to the Office of the Privacy Commissioner of Canada (“OPC”) “Cloud Computing” involves: “the delivery of computing services over the internet…. for data
processing, storage and backup, to facilitate productivity, for accounting services, for communications, or for customer service or support”
According to Wikipedia, the “Cloud” is made up of: “technologies that provide computation, software, data access and
storage services that do not require end-user knowledge of the physical location and configuration of the system that delivers the services”
The “Cloud”A: If employees are using applications or systems that store, manage or
move information using servers not owned by the employer, not on employer premises or part of employer’s network, they are operating in the “Cloud”
Common Examples: Gmail (or any other web-based mail service provider) External Storage of data/documents External backup External mail screener Facebook LinkedIn
Employment Law ImplicationsCloud Computing and Workplace Issues
1. Practical HR Uses of the Cloud Including the storage of “personnel” information
2. Other Uses of Cloud-based Applications Social Media Hybrid Personal and Business Use BYOD
3. Best Practices Education Contracts and policies
Practical HR Uses of the CloudHR in the Cloud
Payroll accounting
Storage and management of HR “work product” or data manuals, policies, forms
Storage and management of “personnel” files and information
Storage of medical information
Practical HR Uses of the CloudBenefits Cost savings Reduced infrastructure Universal and centralized accessibility Consistency of product
Risks Security of data/information Accessibility of data/information Ownership issues
Storage and Management of Personnel Information
Employers routinely store personal and (sometimes) confidential health information about their employees
The Cloud permits remote storage and movement of this information anywhere in the world
Q: Restrictions or risks ?
Limited number of jurisdictions have enacted “anti-export” legislation… Ontario has not… At least not yet
Foreign laws and rules may affect access to and ownership of information
Storage and Management of Personnel Information
Employment Standards Act, 2000 (ESA)
Availability
16. An employer shall ensure that all of the records and documents required to be retained under sections 15 and 15.1 are readily available for inspection as required by an employment standards officer, even if the employer has arranged for another person to retain them. 2000, c. 41, s. 16; 2004, c. 21, s. 3
Storage and Management of Personnel Information
Personal Information Protection and Electronic Documents Act (PIPEDA)
The Federal statute does not apply to “personal information” collected, stored or used by an employer about its employees, unless:
The employer is federally regulated, or
The province has enacted its own privacy statute
Storage and Management of Personnel Information
Personal Health Information Protection Act (PHIPA) 10. (1) A health information custodian that has custody
or control of personal health information shall have in place information practices that comply with the requirements of this Act and its regulations. 2004, c. 3, Sched. A, s. 10 (1).
Duty to follow practices (2) A health information custodian shall comply with its
information practices. 2004, c. 3, Sched. A, s. 10 (2).
Storage and Management of Personnel InformationUse of electronic means (3) A health information custodian that uses electronic means
to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any. 2004, c. 3, Sched. A, s. 10 (3).
Providers to custodians (4) A person who provides goods or services for the purpose of
enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any. 2004, c. 3, Sched. A, s. 10 (4).
Storage and Management of Personnel InformationPreventing Loss/Unwanted Disclosure
Ensure Reliability of service provider Adequate security measures/assurances
Educate employees Nature of Cloud Computing Confidentiality Issues Privacy Issues
Limit Access To information To the systems or applications themselves
Other Uses of Cloud-based Applications in the Workplace
Some basic facts about Social Media 1 out of every 5 online minutes worldwide is spent
accessing social media Top 3: Facebook, Twitter, LinkedIn Facebook remains the most popular
1 out of every 7 minutes of online time worldwide LinkedIn is the most used for “business/networking”
purposes Whether employers like/authorize it or not, their
employees are in the Cloud
Other Uses of Cloud-based Applications in the Workplace
Legitimate Workplace Uses
Marketing Increasing recognition Building brand image
Customer Satisfaction Receiving customer feedback Dealing with costumer complaints
Reducing cost of service Business retention and acquisition
Other Uses of Cloud-based Applications in the Workplace
Employee Duties and Responsibilities
Confidentiality
Avoidance of Conflict of Interest
Statutory compliance: Human Rights Code; PIPEDA, PHIPA
Express contractual duties
Other Uses of Cloud-based Applications in the Workplace
Potential Risks and Employer Exposure
Damage to Employer reputation or image
Defamation of 3rd parties
Breach of Human Rights legislation
Breach of Privacy Legislation
Breach of Health Information legislation (PHIPA)
Breach of Common Law Privacy Rights (Jones v. Tsige)
Other Uses of Cloud-based Applications in the Workplace
Vicarious Liability
Employers are vicariously liable for the tortious acts of their employees performed “in the course of employment”
Employees can act in the course of employment while away from work and off of work time
Is there a s sufficient “nexus”?
Other Uses of Cloud-based Applications in the Workplace
Employer Strategies
Respond to Inaccurate or Inappropriate Information
Restrict Use or Content
Impose Discipline
Monitor Usage Subject to privacy expectations
R. v. COLE
Other Uses of Cloud-based Applications in the WorkplaceR. v COLE
Reasonable Expectation of Privacy Exists Where:
Exclusive use of hardware
Permitted personal use
Password protection
No express search policy
No express privacy warning
Hybrid Uses Mixed or “mingled” personal and business usage
LinkedIn is leading example of mixed personal and professional/business marketing
Many employers do not even consider it until termination of relationship
Who has property in a LinkedIn or Twitter Account that is used to generate business?
Typical IP rules may or may not apply in determining property in these types of accounts
Can determine issue ahead of time with effective employment contracts
BYOD “Bring Your Own Device”
Permission, Encouragement or Requirement that employees use personal devices at/for their work
Laptops, Tablets, Smartphones 54% of employers report majority of employees use
smartphones for work email, documents, calendars 33% report use of tablets for more “advanced”
purposes like CRM, project management, financial data analysis
BYOD Benefits of BYOD
Reduced cost of hardware Employee engagement and retention Increased productivity and collaboration
Risks Confidentiality
Danger of the “Drop-Box” Access to hardware/Monitoring Use Privacy Expectations
Can be lowered but not eliminated
Best PracticesEducation
Educate employees on the nature of Cloud Computing
Educate employees on dangers and associated risks
Educate employees on service provider terms of use
Have employees sign off acknowledging training
Best PracticesEffective Contracts and Policies
Contracts should:
Include confidentiality provisions prohibiting disclosure or use of specified information
Include reference to relevant policies governing communications, BYOD, use of internet and social media in the workplace, protection of personal privacy, personal and health information
Specify that breach can result in termination for cause Identify and clearly articulate issues (assignment?) of “property”
in Cloud-based applications or information
Best PracticesEffective Contracts and Policies
Policies must:
Adequately set out all terms of BYOD and permissible use of Cloud-based applications in the workplace or for work purposes
Describe uses of internet and social media that are permitted and those that are forbidden
Make clear that even personal use of internet/social media will be subject to employer monitoring and scrutiny if connected to workplace in any way
Explain that employees should have no “expectation of privacy” in their use of employer business tools, including network, internet, email, use of social media, despite passwords, private content, etc…
Best PracticesEffective Contracts and Policies
Policies must:
Explain that communications at work may be monitored at any time
State that breaches will be subject to discipline up to and including termination for cause
Require employees to sign as having “received, read and understood”
Be consistently enforced
Torkin Manes LLP151 Yonge Street, Suite 1500Toronto, ON M5C 2W7www.torkinmanes.com
Peter C. Straszynski416-777-5447pstraszynski@torkinmanes.com
top related