CLOUD COMPUTING EMPLOYMENT LAW IMPLCIATIONS LEXPERT CLOUD COMPUTING CONFERENCE 2012 CLOUD COMPUTING: A PRACTICAL APPROACH PETER C. STRASZYNSKI 416-777-5447

CLOUD COMPUTING

EMPLOYMENT LAW IMPLCIATIONS

LEXPERT CLOUD COMPUTING CONFERENCE 2012CLOUD COMPUTING: A PRACTICAL APPROACH

PETER C. [email protected]

DECEMBER 3, 2012ST. ANDREW’S CLUB AND CONFERENCE CENTRE

THE “CLOUD”

Q: When is an employer in the “Cloud”?

• According to Wikipedia, the “Cloud” is made up of:

• “technologies that provide computation, software, data access and storage services that do not require end-user knowledge of the physical location and configuration of the system that delivers the services”

• According to the Office of the Privacy Commissioner of Canada, “Cloud Computing” involves:

• “the delivery of computing services over the internet…. for data processing, storage and backup, to facilitate productivity, for accounting services, for communications, or for customer service or support”

THE “CLOUD”

A: If employees are using applications or systems that store, manage or move information using servers not owned by the employer, not on employer premises or part of employer’s network, they are operating in the “Cloud”

Examples:

• Gmail (or any other web-based mail service provider)

• External Storage of data/documents

• External backup

• External mail screener

• Facebook

• LinkedIn

EMPLOYMENT LAW IMPLICATIONS

Cloud Computing and Workplace Issues

1. Practical HR Uses of the Cloud

Including the storage of “personnel” information

2. Other Uses of Cloud-based Applications

Social Media

Hybrid Personal and Business Use

3. Best Practices

Education

Contracts and policies

PRACTICAL HR USES OF THE CLOUD

HR in the Cloud

• Payroll accounting

• Storage and Management of HR data, manuals, policies, forms

• Storage and Management of “personnel” files and information

PRACTICAL HR USES OF THE CLOUD

Benefits

• Cost savings• Reduced infrastructure• Universal and centralized accessibility• Consistency of product

Risks

• Security of data• Accessibility of data• Ownership issues

STORAGE AND MANAGEMENT OF PERSONNEL INFORMATION

Employers routinely store personal and (sometimes) health information about their employees

The Cloud permits remote storage and movement of this information anywhere in the world

Q: Are there statutory rules or requirements that affect an employer’s ability to store or manage “employee” information in the Cloud…. outside the workplace/province/country?

A: Limited number of jurisdictions have enacted “anti-export” legislation… Ontario has not… At least not yet


Employment Standards Act, 2000 (ESA)

• Availability

• 16. An employer shall ensure that all of the records and documents required to be retained under sections 15 and 15.1 are readily available for inspection as required by an employment standards officer, even if the employer has arranged for another person to retain them. 2000, c. 41, s. 16; 2004, c. 21, s. 3


Personal Information Protection and Electronic Documents Act (PIPEDA)

• The Federal statute does not apply to “personal information” collected, stored or used by an employer about its employees, unless:

• The employer is federally regulated, or

• The province has enacted its own privacy statute


Personal Health Information Protection Act (PHIPA)

• 10. (1) A health information custodian that has custody or control of personal health information shall have in place information practices that comply with the requirements of this Act and its regulations. 2004, c. 3, Sched. A, s. 10 (1).

Duty to follow practices

• (2) A health information custodian shall comply with its information practices. 2004, c. 3, Sched. A, s. 10 (2).

http://www.e-laws.gov.on.ca/html/statutes/french/elaws_statutes_04p03_f.htm#s10s1


Use of electronic means

• (3) A health information custodian that uses electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any. 2004, c. 3, Sched. A, s. 10 (3).

Providers to custodians

• (4) A person who provides goods or services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any. 2004, c. 3, Sched. A, s. 10 (4).


Preventing Loss/Unwanted Disclosure

• Ensure

• Reliability of service provider

• Adequate security measures/assurances

• Educate employees

• Nature of Cloud Computing

• Privacy Issues

• Limit Access

• To information

• To the systems or applications themselves

OTHER USES OF CLOUD-BASED APPLICATIONS IN THE WORKPLACE

Some basic facts about Social Media (according to a 2011 Comscore Study)

• 1 out of every 5 online minutes worldwide is spent accessing social media

• Facebook remains the most popular

• 1 out of every 7 minutes of online time worldwide

• Followed by Twitter, others, Blogs

• LinkedIn is the most used for “business/networking” purposes

• Whether employers like/authorize it or not, their employees are in the Cloud


Legitimate Workplace Uses

• Marketing

• Increasing recognition

• Building brand image

• Customer Satisfaction

• Receiving customer feedback

• Dealing with costumer complaints

• Reducing cost of service

• Business retention and acquisition


Employee Duties and Responsibilities

• Confidentiality

• Avoidance of Conflict of Interest

• Statutory compliance: Human Rights Code; PIPEDA, PHIPA

• Express contractual duties


Potential Risks and Employer Exposure

• Damage to Employer reputation or image

• Defamation of 3rd parties

• Breach of Human Rights legislation

• Breach of Privacy Legislation

• Breach of health information legislation (PHIPA)

• Breach of Common Law Privacy Rights (Jones v. Tsige)


Vicarious Liability

• Employers are vicariously liable for the tortious acts of their employees performed “in the course of employment”

• Employees can act in the course of employment while away from work and off of work time

• Is there a s sufficient “nexus”?


Employer Strategies

• Respond to Inaccurate or Inappropriate Information

• Restrict Use or Content

• Impose Discipline

• Monitor Usage

• Subject to privacy expectations

• R v. COLE


R v COLE

• Reasonable Expectation of Privacy Exists Where:

• Exclusive use of hardware

• Permitted personal use

• Password protection

• No express search policy

• No express privacy warning

HYBRID USES

Mixed or “mingled” personal and business usage

• LinkedIn is leading example of mixed personal and professional/business marketing

• Many employers do not even consider it until termination of relationship

• Who has property in a LinkedIn or Twitter Account that is used to generate business?

• eg. Eagle v. Edcomm (Pennsylvania)

• Typical IP rules may or may not apply in determining property in these types of accounts

• Can determine issue ahead of time with effective employment contracts

BEST PRACTICES

Education

• Educate employees on the nature of Cloud Computing

• Educate employees on dangers and associated risks

• Educate employees on service provider terms of use

• Have employees sign off acknowledging training

BEST PRACTICES

Effective Contracts and Policies

• Contracts should:

• Include confidentiality provisions prohibiting disclosure or use of specified information

• Include reference to relevant policies governing communications, use of internet and social media in the workplace, protection of personal privacy, personal and health information

• Specify that breach can result in termination for cause

• Identify and clearly articulate issues (assignment?) of “property” in Cloud-based applications or information

Best Practices


• Policies must:

• Adequately set out all terms of permissible use of Cloud-based applications in the workplace

• Describe uses of internet and social media that are permitted and those that are forbidden

• Make clear that even personal use of internet/social media will be subject to employer monitoring and scrutiny if connected to workplace in any way

• Explain that employees should have no “expectation of privacy” in their use of employer business tools, including network, internet, email, use of social media, despite passwords, private content, etc…

BEST PRACTICES


• Policies must:

• Explain that communications at work may be monitored at any time

• State that breaches will be subject to discipline up to and including termination for cause

• Require employees to sign as having “received, read and understood”

• Be consistently enforced

PETER C. [email protected]

TORKIN MANES – BARRISTERS & SOLICITORS151 YONGE STREET, SUITE 1500TORONTO, ON M5C 2W7

TORKINMANES.COM