270 likes | 399 Vues
Employment Law Implications. Cloud Computing. Peter C. Straszynski. 416-777-5447. pstraszynski@torkinmanes.com. LEXPERT Cloud Computing Conference 2013. November 28, 2013, Toronto. The “Cloud”. Q: When is an employer operating in the “Cloud”?
E N D
Employment Law Implications Cloud Computing Peter C. Straszynski 416-777-5447 pstraszynski@torkinmanes.com LEXPERT Cloud Computing Conference 2013 November 28, 2013, Toronto
The “Cloud” Q: When is an employer operating in the “Cloud”? • According to the Office of the Privacy Commissioner of Canada (“OPC”) “Cloud Computing” involves: • “the delivery of computing services over the internet…. for data processing, storage and backup, to facilitate productivity, for accounting services, for communications, or for customer service or support” • According to Wikipedia, the “Cloud” is made up of: • “technologies that provide computation, software, data access and storage services that do not require end-user knowledge of the physical location and configuration of the system that delivers the services”
The “Cloud” A: If employees are using applications or systems that store, manage or move information using servers not owned by the employer, not on employer premises or part of employer’s network, they are operating in the “Cloud” Common Examples: • Gmail (or any other web-based mail service provider) • External Storage of data/documents • External backup • External mail screener • Facebook • LinkedIn
Employment Law Implications Cloud Computing and Workplace Issues • Practical HR Uses of the Cloud • Including the storage of “personnel” information • Other Uses of Cloud-based Applications • Social Media • Hybrid Personal and Business Use • BYOD • Best Practices • Education • Contracts and policies
Practical HR Uses of the Cloud HR in the Cloud • Payroll accounting • Storage and management of HR “work product” or data • manuals, policies, forms • Storage and management of “personnel” files and information • Storage of medical information
Practical HR Uses of the Cloud Benefits • Cost savings • Reduced infrastructure • Universal and centralized accessibility • Consistency of product Risks • Security of data/information • Accessibility of data/information • Ownership issues
Storage and Management of Personnel Information • Employers routinely store personal and (sometimes) confidential health information about their employees • The Cloud permits remote storage and movement of this information anywhere in the world • Q: Restrictions or risks ? • Limited number of jurisdictions have enacted “anti-export” legislation… Ontario has not… At least not yet • Foreign laws and rules may affect access to and ownership of information
Storage and Management of Personnel Information Employment Standards Act, 2000 (ESA) • Availability • 16. An employer shall ensure that all of the records and documents required to be retained under sections 15 and 15.1 are readily available for inspection as required by an employment standards officer, even if the employer has arranged for another person to retain them. 2000, c. 41, s. 16; 2004, c. 21, s. 3
Storage and Management of Personnel Information Personal Information Protection and Electronic Documents Act (PIPEDA) • The Federal statute does not apply to “personal information” collected, stored or used by an employer about its employees, unless: • The employer is federally regulated, or • The province has enacted its own privacy statute
Storage and Management of Personnel Information Personal Health Information Protection Act (PHIPA) • 10. (1) A health information custodian that has custody or control of personal health information shall have in place information practices that comply with the requirements of this Act and its regulations. 2004, c. 3, Sched. A, s. 10 (1). Duty to follow practices • (2) A health information custodian shall comply with its information practices. 2004, c. 3, Sched. A, s. 10 (2).
Storage and Management of Personnel Information Use of electronic means • (3) A health information custodian that uses electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any. 2004, c. 3, Sched. A, s. 10 (3). Providers to custodians • (4) A person who provides goods or services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any. 2004, c. 3, Sched. A, s. 10 (4).
Storage and Management of Personnel Information Preventing Loss/Unwanted Disclosure • Ensure • Reliability of service provider • Adequate security measures/assurances • Educate employees • Nature of Cloud Computing • Confidentiality Issues • Privacy Issues • Limit Access • To information • To the systems or applications themselves
Other Uses of Cloud-based Applications in the Workplace Some basic facts about Social Media • 1 out of every 5 online minutes worldwide is spent accessing social media • Top 3: Facebook, Twitter, LinkedIn • Facebook remains the most popular • 1 out of every 7 minutes of online time worldwide • LinkedIn is the most used for “business/networking” purposes • Whether employers like/authorize it or not, their employees are in the Cloud
Other Uses of Cloud-based Applications in the Workplace Legitimate Workplace Uses • Marketing • Increasing recognition • Building brand image • Customer Satisfaction • Receiving customer feedback • Dealing with costumer complaints • Reducing cost of service • Business retention and acquisition
Other Uses of Cloud-based Applications in the Workplace Employee Duties and Responsibilities • Confidentiality • Avoidance of Conflict of Interest • Statutory compliance: Human Rights Code; PIPEDA, PHIPA • Express contractual duties
Other Uses of Cloud-based Applications in the Workplace Potential Risks and Employer Exposure • Damage to Employer reputation or image • Defamation of 3rd parties • Breach of Human Rights legislation • Breach of Privacy Legislation • Breach of Health Information legislation (PHIPA) • Breach of Common Law Privacy Rights (Jones v. Tsige)
Other Uses of Cloud-based Applications in the Workplace Vicarious Liability • Employers are vicariously liable for the tortious acts of their employees performed “in the course of employment” • Employees can act in the course of employment while away from work and off of work time • Is there a s sufficient “nexus”?
Other Uses of Cloud-based Applications in the Workplace Employer Strategies • Respond to Inaccurate or Inappropriate Information • Restrict Use or Content • Impose Discipline • Monitor Usage • Subject to privacy expectations • R. v. COLE
Other Uses of Cloud-based Applications in the Workplace R. v COLE • Reasonable Expectation of Privacy Exists Where: • Exclusive use of hardware • Permitted personal use • Password protection • No express search policy • No express privacy warning
Hybrid Uses Mixed or “mingled” personal and business usage • LinkedIn is leading example of mixed personal and professional/business marketing • Many employers do not even consider it until termination of relationship • Who has property in a LinkedIn or Twitter Account that is used to generate business? • Typical IP rules may or may not apply in determining property in these types of accounts • Can determine issue ahead of time with effective employment contracts
BYOD • “Bring Your Own Device” • Permission, Encouragement or Requirement that employees use personal devices at/for their work • Laptops, Tablets, Smartphones • 54% of employers report majority of employees use smartphones for work email, documents, calendars • 33% report use of tablets for more “advanced” purposes like CRM, project management, financial data analysis
BYOD • Benefits of BYOD • Reduced cost of hardware • Employee engagement and retention • Increased productivity and collaboration • Risks • Confidentiality • Danger of the “Drop-Box” • Access to hardware/Monitoring Use • Privacy Expectations • Can be lowered but not eliminated
Best Practices Education • Educate employees on the nature of Cloud Computing • Educate employees on dangers and associated risks • Educate employees on service provider terms of use • Have employees sign off acknowledging training
Best Practices Effective Contracts and Policies • Contracts should: • Include confidentiality provisions prohibiting disclosure or use of specified information • Include reference to relevant policies governing communications, BYOD, use of internet and social media in the workplace, protection of personal privacy, personal and health information • Specify that breach can result in termination for cause • Identify and clearly articulate issues (assignment?) of “property” in Cloud-based applications or information
Best Practices Effective Contracts and Policies • Policies must: • Adequately set out all terms of BYOD and permissible use of Cloud-based applications in the workplace or for work purposes • Describe uses of internet and social media that are permitted and those that are forbidden • Make clear that even personal use of internet/social media will be subject to employer monitoring and scrutiny if connected to workplace in any way • Explain that employees should have no “expectation of privacy” in their use of employer business tools, including network, internet, email, use of social media, despite passwords, private content, etc…
Best Practices Effective Contracts and Policies • Policies must: • Explain that communications at work may be monitored at any time • State that breaches will be subject to discipline up to and including termination for cause • Require employees to sign as having “received, read and understood” • Be consistently enforced
Peter C. Straszynski 416-777-5447 pstraszynski@torkinmanes.com