CLOUD COMPUTING
EMPLOYMENT LAW IMPLICATIONS
LEXPERT CLOUD COMPUTING CONFERENCE 2012
CLOUD COMPUTING: A PRACTICAL APPROACH
PETER C. [email protected]
DECEMBER 3, 2012
ST. ANDREW’S CLUB AND CONFERENCE CENTRE
THE “CLOUD”
Q: When is an employer in the “Cloud”?
• According to Wikipedia, the “Cloud” is made up of:
• “technologies that provide computation, software, data access and storage services that do not require end-user knowledge of the physical location and configuration of the system that delivers the services”
• According to the Office of the Privacy Commissioner of Canada, “Cloud Computing” involves:
• “the delivery of computing services over the internet…. for data processing, storage and backup, to facilitate productivity, for accounting services, for communications, or for customer service or support”
THE “CLOUD”
A: If employees are using applications or systems that store, manage or move information using servers not owned by the employer, not on employer premises or part of employer’s network, they are operating in the “Cloud”
Examples:
• Gmail (or any other web-based mail service provider)
• External Storage of data/documents
• External backup
• External mail screener
EMPLOYMENT LAW IMPLICATIONS
Cloud Computing and Workplace Issues
1. Practical HR Uses of the Cloud
Including the storage of “personnel” information
2. Other Uses of Cloud-based Applications
Social Media
Hybrid Personal and Business Use
3. Best Practices
Education
Contracts and policies
PRACTICAL HR USES OF THE CLOUD
HR in the Cloud
• Payroll accounting
• Storage and Management of HR data, manuals, policies, forms
• Storage and Management of “personnel” files and information
PRACTICAL HR USES OF THE CLOUD
Benefits
• Cost savings
• Reduced infrastructure
• Universal and centralized accessibility
• Consistency of product
Risks
• Security of data
• Accessibility of data
• Ownership issues
STORAGE AND MANAGEMENT OF PERSONNEL INFORMATION
Employers routinely store personal and (sometimes) health information about their employees
The Cloud permits remote storage and movement of this information anywhere in the world
Q: Are there statutory rules or requirements that affect an employer’s ability to store or manage “employee” information in the Cloud…. outside the workplace/province/country?
A: A limited number of jurisdictions have enacted “anti-export” legislation… Ontario has not… At least not yet
STORAGE AND MANAGEMENT OF PERSONNEL INFORMATION
Employment Standards Act, 2000 (ESA)
• Availability
• 16. An employer shall ensure that all of the records and documents required to be retained under sections 15 and 15.1 are readily available for inspection as required by an employment standards officer, even if the employer has arranged for another person to retain them. 2000, c. 41, s. 16; 2004, c. 21, s. 3
STORAGE AND MANAGEMENT OF PERSONNEL INFORMATION
Personal Information Protection and Electronic Documents Act (PIPEDA)
• The Federal statute does not apply to “personal information” collected, stored or used by an employer about its employees, unless:
• The employer is federally regulated, or
• The province has enacted its own privacy statute
STORAGE AND MANAGEMENT OF PERSONNEL INFORMATION
Personal Health Information Protection Act (PHIPA)
• 10. (1) A health information custodian that has custody or control of personal health information shall have in place information practices that comply with the requirements of this Act and its regulations. 2004, c. 3, Sched. A, s. 10 (1).
Duty to follow practices
• (2) A health information custodian shall comply with its information practices. 2004, c. 3, Sched. A, s. 10 (2).
STORAGE AND MANAGEMENT OF PERSONNEL INFORMATION
Use of electronic means
• (3) A health information custodian that uses electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any. 2004, c. 3, Sched. A, s. 10 (3).
Providers to custodians
• (4) A person who provides goods or services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any. 2004, c. 3, Sched. A, s. 10 (4).
STORAGE AND MANAGEMENT OF PERSONNEL INFORMATION
Preventing Loss/Unwanted Disclosure
• Ensure
• Reliability of service provider
• Adequate security measures/assurances
• Educate employees
• Nature of Cloud Computing
• Privacy Issues
• Limit Access
• To information
• To the systems or applications themselves
OTHER USES OF CLOUD-BASED APPLICATIONS IN THE WORKPLACE
Some basic facts about Social Media (according to a 2011 Comscore Study)
• 1 out of every 5 online minutes worldwide is spent accessing social media
• Facebook remains the most popular
• 1 out of every 7 minutes of online time worldwide
• Followed by Twitter, others, Blogs
• LinkedIn is the most used for “business/networking” purposes
• Whether employers like/authorize it or not, their employees are in the Cloud
OTHER USES OF CLOUD-BASED APPLICATIONS IN THE WORKPLACE
Legitimate Workplace Uses
• Marketing
• Increasing recognition
• Building brand image
• Customer Satisfaction
• Receiving customer feedback
• Dealing with customer complaints
• Reducing cost of service
• Business retention and acquisition
OTHER USES OF CLOUD-BASED APPLICATIONS IN THE WORKPLACE
Employee Duties and Responsibilities
• Confidentiality
• Avoidance of Conflict of Interest
• Statutory compliance: Human Rights Code; PIPEDA, PHIPA
• Express contractual duties
OTHER USES OF CLOUD-BASED APPLICATIONS IN THE WORKPLACE
Potential Risks and Employer Exposure
• Damage to Employer reputation or image
• Defamation of 3rd parties
• Breach of Human Rights legislation
• Breach of Privacy Legislation
• Breach of health information legislation (PHIPA)
• Breach of Common Law Privacy Rights (Jones v. Tsige)
OTHER USES OF CLOUD-BASED APPLICATIONS IN THE WORKPLACE
Vicarious Liability
• Employers are vicariously liable for the tortious acts of their employees performed “in the course of employment”
• Employees can act in the course of employment while away from work and off of work time
• Is there a sufficient “nexus”?
OTHER USES OF CLOUD-BASED APPLICATIONS IN THE WORKPLACE
Employer Strategies
• Respond to Inaccurate or Inappropriate Information
• Restrict Use or Content
• Impose Discipline
• Monitor Usage
• Subject to privacy expectations
• R v. COLE
OTHER USES OF CLOUD-BASED APPLICATIONS IN THE WORKPLACE
R v. COLE
• Reasonable Expectation of Privacy Exists Where:
• Exclusive use of hardware
• Permitted personal use
• Password protection
• No express search policy
• No express privacy warning
HYBRID USES
Mixed or “mingled” personal and business usage
• LinkedIn is a leading example of mixed personal and professional/business marketing
• Many employers do not even consider it until termination of relationship
• Who has property in a LinkedIn or Twitter Account that is used to generate business?
• e.g. Eagle v. Edcomm (Pennsylvania)
• Typical IP rules may or may not apply in determining property in these types of accounts
• Can determine issue ahead of time with effective employment contracts
BEST PRACTICES
Education
• Educate employees on the nature of Cloud Computing
• Educate employees on dangers and associated risks
• Educate employees on service provider terms of use
• Have employees sign off acknowledging training
BEST PRACTICES
Effective Contracts and Policies
• Contracts should:
• Include confidentiality provisions prohibiting disclosure or use of specified information
• Include reference to relevant policies governing communications, use of internet and social media in the workplace, protection of personal privacy, personal and health information
• Specify that breach can result in termination for cause
• Identify and clearly articulate issues (assignment?) of “property” in Cloud-based applications or information
BEST PRACTICES
Effective Contracts and Policies
• Policies must:
• Adequately set out all terms of permissible use of Cloud-based applications in the workplace
• Describe uses of internet and social media that are permitted and those that are forbidden
• Make clear that even personal use of internet/social media will be subject to employer monitoring and scrutiny if connected to workplace in any way
• Explain that employees should have no “expectation of privacy” in their use of employer business tools, including network, internet, email, use of social media, despite passwords, private content, etc…
BEST PRACTICES
Effective Contracts and Policies
• Policies must:
• Explain that communications at work may be monitored at any time
• State that breaches will be subject to discipline up to and including termination for cause
• Require employees to sign as having “received, read and understood”
• Be consistently enforced
PETER C. [email protected]
TORKIN MANES – BARRISTERS & SOLICITORS
151 YONGE STREET, SUITE 1500
TORONTO, ON M5C 2W7
TORKINMANES.COM