June 16, 2010
Can the act of connecting with other professionals on social networking websites such as LinkedIn constitute a violation of a non-compete or non-solicitation contractual undertaking? Are departing employees that are subject to such restricted covenants required to disconnect and “de-friend” colleagues and customers of their former employer until the contractual undertaking have expired?
ComputerWorld is reporting today that an IT staffing firm has accused one of its former employees of violating her non-compete undertaking through her conduct on LinkedIn. I’m not aware of any similar lawsuit to date in Canada so it’ll be interesting to see how this particular case evolves in the U.S. This case and others that I’ve previously noted highlight the blurring line between online and offline worlds. Businesses should consider whether or not, and to what extent, they should try to enforce such restrictive covenants in the social networking world. Stay tuned…
Leave a Comment » | 
Employee Monitoring, Internet, Monitoring, Online Reputation Management, Social Networking Websites | Tagged: Businesses, Customers, Employees, Internet, Online Reputation Management, Social Networking | 
Permalink
Posted by Brian Bowman
May 20, 2010
Thanks to everyone from Europe, the U.S. and across Canada who attended last week’s Social Media and the Workplace webinar. If you didn’t have a chance to attend, you can now watch the webinar here.
Related information on this blog that may be of interest to you includes this audio link to my recent CJOB|68 radio interview with Human Resources specialist Barbara Bowes in which we discuss privacy issues in the workplace. You may also want to read this article I penned with my colleague Andrew Buck entitled Monitoring Employee Email: A Privacy Primer. And, of course, you can use the blog’s “Tags” to navigate to specific content of interest.
Leave a Comment » | Employee Monitoring, Facebook, Monitoring, Privacy, Social Networking Websites | Tagged: Employees, Facebook, Social Networking | Permalink
Posted by Brian Bowman
May 10, 2010
There’s no question that as we dive deeper into the information age technology will continue to permeate the workplace. Tech gadgets such as iPhones and Blackberries are cheaper and more convenient than ever before. But as the workplace becomes inundated with these tech tools, businesses increasingly have to ask themselves how they can manage the corresponding legal risks inevitably raised by empowering a legion of employees armed with Smartphones. If only there was “an app for that”!
The “fuel” for many gadgets currently in the workplace is data, which may or may not relate to the employer. And I’m not just thinking of Smartphones provided by the employer. I’m also thinking of social media websites such as Facebook and Twitter, which are often accessed after work hours on employees’ home computers.
What happens when an employer uses data gleaned from a company-owed iPhone or Blackberry to monitor an employee in the workplace? What about monitoring an employee’s Facebook page? After all, it’s not uncommon for information about an employer or its clients to appear on an employee’s Facebook page. Further, some employees have no second thoughts whatsoever about posting personal messages during paid company time. Many employers are introducing social media policies to mitigate the resulting legal risks. But how far should employers go to protect their interests?
Today’s post is the first in a series that I’ll publish in the coming weeks to provide you with an overview of legal developments regarding monitoring in the workplace, with a focus on employer monitoring of employee social media and Smartphone activities. Upcoming posts will also examine workplace privacy issues related to email, video and GPS monitoring. Stay tuned…
In the meantime, click here to listen to my recent CJOB|68 radio interview with Human Resources specialist Barbara Bowes in which we discuss privacy issues in the workplace. You may also want to attend a complimentary Social Media in the Workplace webinar that I’ll be providing with a few of my colleagues next week (May 19th). Click here for info and to register (space is limited so register soon).
Leave a Comment » | Employee Monitoring, Facebook, Mobile devices, Privacy, Smartphones, Social Networking Websites | Tagged: Employees, Facebook, Mobile devices, Social Networking | Permalink
Posted by Brian Bowman
March 18, 2010
In what should serve as a valuable reminder of the need to educate employees about what constitutes acceptable postings on social networking websites, BBC is reporting that “the Israeli military cancelled a planned raid on a Palestinian village after one of its soldiers posted details of the operation on Facebook. The unnamed soldier revealed the time and place of the raid and the name of his unit on the social networking site.”
I’ve previously commented on social networking websites and employer-employee relationships. This BBC report is just one more example of a situation which may have been prevented with better employee training and a clear social networking policy. Common sense should, and typically does, guide employees in determining what to post online. Yet, if an Israeli soldier can’t think twice before posting the details of a planned operation it’s easy to see how some employees of Canadian businesses – perhaps yours - unintentionally post valuable corporate information online.
Leave a Comment » | Facebook, Internet, MySpace, Online Reputation Management, Social Networking Websites | Tagged: Corporate Information, Employees, Facebook, Online Reputation Management, Social Networking | Permalink
Posted by Brian Bowman
February 5, 2010
It’s safe to say that the Alberta provincial government is regarded as being right wing. But Manitoba’s? Not at all. So why then is Alberta light years ahead of Manitoba at protecting workers’ privacy?
Read more>>
The above link takes you to the Winnipeg Sun. I’m delighted to have been asked by Sun Media Corp. to provide Comment columns like today’s on a monthly basis. I hope you find them of interest!
Leave a Comment » | Employee Monitoring, Government, Identity Theft, PIPA, PIPEDA, Personal Information, Privacy, Privacy Commissioner | Tagged: Employees, Government, Identity Theft, Manitoba, Personal Information | Permalink
Posted by Brian Bowman
November 28, 2009
According to a Cyber-Ark survey entitled “The Global Recession and its effect on Work Ethics” (link below), 58% of U.S. employees surveyed said that if they thought their job was at risk they would, as a pre-emptive move, be prepared to download company/competitive data. Fifty two per cent (52%) said that if they were fired tomorrow they’d take their employer’s customer and contacts data.
More disturbingly, 51% said it’s “easy” to take sensitive information out of their company and, as reported by Out-Law.com, 85% were aware that it’s illegal to download corporate information. The favoured medium for stealing corporate information is a USB memory stick followed by e-mail.
As I’ve mentioned in previous posts rogue employees pose a risk to privacy compliance and, as a result, corporate information requires safekeeping. In today’s economy, information is the most valuable corporate asset. For this reason, businesses of all sizes should take proactive steps to protect corporate data. Whether it’s customer or supplier lists, intellectual property or employee personal information, it’s information that needs safekeeping, especially when we see statistics like those reported above.
The Global Recession and its effect on Work Ethics
Leave a Comment » | Data Protection, Due Diligence, Mobile devices, Privacy, Safeguarding, Safekeeping | Tagged: Corporate Information, Due Diligence, Employees, Privacy Compliance, Safeguarding, Security | Permalink
Posted by Brian Bowman
November 18, 2009
The U.K.’s Huffington Post is reporting that a rogue employee of a major mobile phone company has illegally sold millions of customer records to rival companies. Apparently, customers’ personal information (including contract expiry dates) was sold to several rivals, which then used the material to cold-call customers to offer them an alternative deal.
As I’ve previously written, information really is the most valuable corporate asset. And for this reason, businesses of all sizes should take steps to protect corporate information regardless of whether it is stored online or off-line. Whether it’s customer or supplier lists, intellectual property or employees’ personal information, it’s information that needs safekeeping.
This case should serve as a reminder that corporate safekeeping practices must include protecting data from rogue employees.
3 Comments | Data Protection, Due Diligence, PIPA, PIPEDA, Personal Information, Privacy, Privacy Breach, Safeguarding, Safekeeping, Security | Tagged: Businesses, Corporate Information, Due Diligence, Employees, Personal Information, PIPEDA, Privacy, Privacy Breach, Privacy Compliance, Safeguarding, Security | Permalink
Posted by Brian Bowman
August 10, 2009
Have you heard the saying “Just when you think you understand the situation, what you don’t understand is that the situation has changed”? If you think you understand The Personal Information Protection and Electronic Documents Act (“PIPEDA”), get ready… changes may be just around the corner.
PIPEDA was introduced back in 2001. It requires the Canadian Government to review the law every five years. To this end, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (the “House of Commons Committee”) conducted its review and held public hearings from November 2006 to February 2007, where it heard from over 60 witnesses and considered over 30 submissions from a wide range of interested organizations and individuals. I had the pleasure of appearing before the House of Commons Committee to present the Canadian Bar Association’s National Privacy & Access Law Section’s submission, which you can read here. The House of Commons Committee issued its report to Parliament in May 2007 (which outlined 25 recommended changes to the law), to which the Canadian Government subsequently issued its response in October 2007. As part of the Canadian Government’s response, further public consultation on key issues was requested. A link to the Office of the Privacy Commissioner’s reply to this request can be read here and the Canadian Bar Association’s response can be read here.
Changes to PIPEDA may include:
- a mandatory breach notification regime that would require organizations to promptly notify affected individuals and to report major data breaches to the Privacy Commissioner of Canada;
- amendments to account for the unique circumstances regarding consent in employer/employee relationships; and
- modifications to allow organizations to collect, use and disclose personal information as necessary for the conduct of business transactions, such as mergers and acquisitions.
The Industry Canada website targets 2009/10 for the implementation of changes resulting from this first PIPEDA review. Yet, there is no definitive time frame, so stay tuned. Changes may be just around the corner.
1 Comment | Government, PIPEDA, Privacy, Privacy Breach, Privacy Commissioner, Security Breach | Tagged: Businesses, Data Protection, Due Diligence, Employees, Identity Theft, Personal Information, PIPEDA, Privacy, Privacy Breach, Privacy Commissioner, Privacy Compliance | Permalink
Posted by Brian Bowman
June 2, 2009
As I’ve previously discussed, Social networking websites such as MySpace and Facebook are provoking new questions about the appropriate boundaries in employee-employer relationships. This is evident in a United States Federal Court case coming to a head in New Jersey. The case pertains to the conduct of a manager who logged into a private social networking website and observed employees slandering company supervisors and customers. Those same employees were later dismissed. The case exemplifies a rapidly expanding “grey area” between an employee’s work life and personal social life. It begs the question, at what point does a “private” comment to friend made outside of the office constitute defamation, and at what point are such comments simply banter between individuals? Of course, the answer is, it all depends on the facts.
For an interesting discussion on the matter, check out Myrth on a Blog, a personal journal of law, technology and social media.
1 Comment | Access to Information, Blogs, Defamation, Employee Monitoring, Facebook, Internet, MySpace, Online Reputation Management, Privacy, Social Networking Websites, Technology | Tagged: Access to Information, Employee-Employer Relationship, Employees, Facebook, Internet, MySpace, Online Reputation Management, Privacy, Social Networking Websites, Technology | Permalink
Posted by Brian Bowman
May 29, 2009
It’s been a thrilling week for my colleagues at Pitblado LLP as it was announced earlier this week that we were to be the 1st Canadian law firm to be a guest blogger on the must-read slaw.ca. Yours truly, three of my colleagues from our firm’s Information & Ideas Practice Group as well as our firm’s librarian each contributed one post a day this week to slaw.ca on cutting edge legal topics. Here’s what we covered…
On Monday, I posted “What Would Happen If One of your Employees Posted a Video of an Irate Customer on YouTube?”, which I cross posted on my blog earlier this week. The post highlights a YouTube video of an irrate customer as a reminder to Canadian businesses of the powers of new technologies such as YouTube and the corresponding need to protect against the dissemination of this type of video through employee privacy training and the adoption and enforcement of privacy and procedures.
On Tuesday, Carol Lynn Schafer posted “Do TOS Have the Final Word on our Fundamental Rights and Freedoms?”, which discusses the controversial effects of Terms of Service on popular websites such as Facebook and Twitter. As Carol Lynn notes, Terms of Service should be drafted with the bigger picture in mind and can no longer be seen as standard agreements that can be treated with a one size fits all approach.
On Wednesday, Jolin Spencer posted “Whose Property Is It, Anyway?”, which discusses the questions that come into play when employees leave their positions. For example, what can an employee take, and what must they leave, when they vacate their position? As Jolin points out, no business wants its intellectual property assets walking out the door with a former employee.
On Thursday, our firm’s librarian, Karen Sawatsky, posted “Legal Research Bootcamp – Winnipeg Style”, which discusses her experience collaborating with members of the Manitoba Bar Association and the Law Society of Manitoba to create a CLE for articling students on legal research. The Legal Research Bootcamp is a first for Manitoba students, and aims to bridge the gap between when students start their articles and when CPLED begins in the fall.
And last but not least, today Adam Herstein posted “Manitoba: Innovative Fighter of Child Sexual Exploitation”, which focuses on Manitoba’s recent enactment of The Child and Family Services Amendment Act (Child Pornography Reporting) (Manitoba) and how Manitoba is the first province in Canada to enact legislation that makes it mandatory for a person who encounters child pornography to report it to authorities. Adam also notes that Canada has a national tipline called Cybertip.ca for reporting the sexual exploitation of children.
Thanks to slaw.ca for the opportunity to contribute!
1 Comment | Blogs, Copyright, Facebook, Government, Intellectual Property, PIPEDA, Privacy, Social Networking Websites, Technology, Training | Tagged: Businesses, Copyright, Corporate Information, Employees, Facebook, Information Technology, Intellectual Property, Internet, Inventions, Manitoba, Mobile devices, Personal Information, PIPEDA, Privacy, Privacy Breach, Privacy Compliance, Safeguarding, Social Networking, Technology | Permalink
Posted by Brian Bowman
May 25, 2009
The posting of a YouTube video of a woman throwing a tantrum at the Hong Kong International Airport should serve as a reminder to Canadian businesses that employees these days can (and do) easily record and post videos online from their mobile phones.
The three minute video shows a Cathay Pacific customer yelling and flailing her limbs as she lies on the floor after missing her flight from Hong Kong to San Francisco. I’ve been upset at missing a flight before, but the woman in this video takes things to an entirely new level. The video has drawn over five millions views and nearly 21,000 comments, which has resulted in some incredibly cruel and objectionable online commentary about the woman. Since the release of the video, Cathay Pacific has disciplined the gate worker who recorded the video on his mobile phone (although the video was posted on YouTube by a third party) and the company has issued a formal apology to the woman.
The video is noteworthy because it demonstrates the power of new technologies such as YouTube and the corresponding risks to Canadian businesses. Had the video been recorded by an employee of a Canadian business, subject to Canadian privacy laws, the potential privacy complaint and/or lawsuit by the woman in the video could have been substantial.
Canadian businesses should be reminded of the need to protect against the dissemination of this type of video through employee privacy training and the adoption and enforcement of privacy policies and procedures.
Canadian businesses don’t need to look too far to find examples where more effective employee privacy training may have mitigated, or even prevented, privacy complaints.
Read the rest of this entry »
1 Comment | Internet, Online Reputation Management, PIPEDA, Privacy, Safeguarding, Safekeeping, Technology, Training, Video Surveillance, You Tube | Tagged: Customers, Employees, Internet, Mobile devices, Online Reputation Management, Personal Information, Privacy, Privacy Compliance, Safeguarding, YouTube | Permalink
Posted by Brian Bowman
May 21, 2009
The Manitoba Legislature is currently debating Bill 219 – The Personal Information Protection and Identity Theft Protection Act.
The Bill has been introduced as a private member’s Bill by Mavis Taillieu of the Opposition Progressive Conservative Party of Manitoba. It seeks to regulate the collection, use and disclosure of personal information by organizations in the private sector and is intended to be “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). It would also establish a duty for organizations to notify individuals who may be affected when the personal information an organization has collected is lost, stolen or compromised. Such a requirement would be groundbreaking in Canada (notwithstanding Ontario’s Personal Health Information Protection Act, which has a mandatory breach notification requirement).
Regrettably, the Government of Manitoba indicated in the Legislative Assembly debate last week that it has two primary concerns with the Bill. The first concern is that the Bill lacks an independent oversight body such as a Privacy Commissioner of Manitoba. Legislative rules prevent private member’s Bills from containing financial penalties and so the Bill could not contain such provisions. However, the government could add those provisions in amendments. In fact, I assisted with the drafting of the Bill and would happily provide the government with the relevant provisions. The second concern raised by the government is that the Bill would introduce legislation in Manitoba that (according to the government) would regulate activities in the private sector already governed by PIPEDA. However, PIPEDA does not apply to the activities of private sector organizations in provinces such as Alberta and British Columbia, both of whom have Personal Information Protection Acts, because PIPEDA does not apply where “substantially similar” provincial legislation exists.
The Bill was first introduced in 2005 and since that time the need for such a law has significantly grown. It’s modelled after Alberta’s Personal Information Protection Act, which provides a more business-friendly and clear legislative scheme than PIPEDA. As I’ve previously argued, it would be good policy for the Government of Manitoba to support the Bill and I once again urge them to do so.
If you want a more business-friendly privacy law in Manitoba, I’d strongly encourage you to contact the Government of Manitoba and Mavis Taillieu to indicate your support.
Additional coverage on this topic by the Canadian HR Reporter here.
2 Comments | Employee Monitoring, Government, Identity Theft, Ombudsman, PIPEDA, Privacy, Privacy Breach, Safeguarding, Safekeeping, Security Breach | Tagged: Employees, Government, Identity Theft, Manitoba, Personal Information, PIPEDA, Privacy, Privacy Commissioner | Permalink
Posted by Brian Bowman
April 13, 2009
Ongoing privacy training is a vital tool to assist with privacy law compliance. In this respect, the following Canadian privacy law conferences in the coming months may be of interest to you or others in your organization:
On May 20, 2009, the
Manitoba Bar Association will be hosting an IP/Technology Section luncheon where I will be speaking about emerging privacy issues. Of course, you need to be a member or a guest of the Manitoba Bar Association to attend.
If there are other Canadian privacy law conferences in the coming months that I haven’t listed, please post a Comment or drop me an e-mail so I can update this post. If you, or your industry association, are interested in more focussed privacy training, please let me know as I regularly conduct in-house privacy training sessions for clients.
Leave a Comment » | PIPEDA, Privacy, Training | Tagged: Due Diligence, Employees, Manitoba, PIPEDA, Privacy, Privacy Compliance | Permalink
Posted by Brian Bowman
March 2, 2009
Most Canadian businesses these days supply their employees with devices such as laptops, cellphones and PDAs that are then often used by employees after work hours for personal use. In most cases, this isn’t a problem for either the employer or the employee. But too many businesses that issue cellphones, laptops or PDAs to their employees have not taken the necessary steps to mitigate the associated legal risks.
These legal risks can include the fact that employees can use these devices to distribute emails or text messages that defame other parties or that include illegal sexual or racial content (which in Manitoba could give rise to employee and employer liability under The Human Rights Code). Employees may also use these devices to intentionally or unintentionally leak personal or corporate information. Employees, however, may have an expectation or legal right of privacy depending on the circumstances, so wholesale monitoring by employers may not be in the cards.
Doug Cornelius recently wrote on Compliance Building about a U.S. court decision (Quon v. Arch Wireless) concerning police conduct in accessing personal texts sent from a police-issued cellphone:
In that case the court found that a police department had violated the Fourth Amendment and state constitutional rights of employees and the people they exchanged text messages with, when they reviewed “personal” text messages created on devices owned and issued by the police department. It also found that the text messaging provider, Arch Wireless, violated the Stored Communications Act (SCA), 18 U.S.C. §§2701-2711, by providing transcripts of these messages to the employer.
Although this decision is based on U.S. law, similar results could happen in Canada. As a result, Canadian businesses should ensure that their employees clearly understand what they can and cannot do with the devices issued to them. One of the best ways to accomplish this goal is to develop appropriate policies and procedures, which will minimize the chances of being taken to court by third parties or employees.
3 Comments | Employee Monitoring, Privacy, Technology | Tagged: Employees, Mobile devices, Personal Information, Privacy, Risks, Technology, Workplace Surveillance | Permalink
Posted by Brian Bowman
February 25, 2009
I chaired a lively Privacy Forum member meeting yesterday, which included a great discussion on how to get staff “buy-in” on privacy compliance. It’s an important topic because an organization can have comprehensive privacy policies and procedures, but if employees don’t “buy-in” they won’t implement the policies and procedures properly.
The important thing is to develop a culture of privacy within the workplace. Fostering a workplace culture where privacy is valued and respected contributes to good employee morale and mutual trust. It also helps employees to identify privacy issues before they become privacy complaints (which can result in costly grievances, lawsuits or settlements). After all, it’s employees that are on the front line with customers and how employees respond to privacy related questions or concerns can make a big difference.
When I conduct privacy training sessions for clients, I always remind employees that while privacy compliance is the law, it’s also important because good privacy practices can improve customer relations, increase efficiencies and mitigate time-consuming and costly privacy complaints. I also try to make privacy compliance fun! No, this is not a misprint…I said “fun”. Privacy Forum members had some great suggestions on how to make privacy compliance fun and, in doing so, help to get staff “buy-in” on privacy compliance.
Please post a Comment below on ways that you or your organization tries to get staff “buy-in” on privacy.
Leave a Comment » | PIPEDA, Privacy, Training | Tagged: Employees, PIPEDA, Privacy, Privacy Compliance, Privacy Forum, Privacy Policy, Training | Permalink
Posted by Brian Bowman
February 20, 2009
Privacy professionals will know first hand the importance of conducting regular staff privacy training, which can mitigate customer privacy complaints and (as a result) the overall costs of privacy compliance. I certainly know from my practice that the costs to businesses can be quite significant when having to deal with serious privacy complaints. These costs can include settlements, legal fees and lost productivity. Obviously, it’s better to be proactive and reduce the chances of having to deal with privacy complaints. That’s where regular staff privacy training comes in! Businesses really should conduct staff privacy training on a regular basis – in my view, at least on an annual basis.
In a recent speech to the 10th Annual Privacy and Security Conference in Victoria, B.C., Privacy Commissioner Jennifer Stoddart commented, “Polling for my Office in 2007 found that only a third of all businesses reported having trained staff about their responsibilities under Canada’s privacy laws. This is a huge concern! We recently conducted an analysis of 86 breaches reported to my Office and found that employee awareness and training was the most important contributing factor. It was an issue in more than half of the spills we examined! We found that very basic mistakes – human errors – often lead to breaches. Breaches are caused mostly by employee misconduct and human error, not technological weaknesses.” The full speech is entitled, “A Privacy Check Up For Canadians: Is the Glass Half Empty or Half Full?” and is definitely worth reading.
Leave a Comment » | PIPEDA, Privacy, Training | Tagged: Businesses, Due Diligence, Employees, PIPEDA, Privacy, Privacy Breach, Privacy Commissioner, Privacy Compliance, Privacy Forum, Training | Permalink
Posted by Brian Bowman
February 12, 2009
Leave a Comment » | Marketing, Privacy, Safeguarding, Sale Transactions, Security | Tagged: Businesses, Customers, Employees, Marketing, Privacy, Privacy Commissioner, Privacy Training, Safeguarding, Security | Permalink
Posted by Brian Bowman
Can the act of connecting with other professionals on social networking websites such as LinkedIn constitute a violation of a non-compete or non-solicitation contractual undertaking? Are departing employees that are subject to such restricted covenants required to disconnect and “de-friend” colleagues and customers of their former employer until the contractual undertaking have expired?
Privacy matters to most customers: Staff should be able to handle concerns
Facebook website not all fun and games
Why employers should care about blogging
