This document discusses employee privacy considerations for internal investigators. It outlines that employee privacy rights come from statutes, collective agreements, and employment contracts. Investigators must view tactics through a risk assessment lens of balancing necessity and privacy. Collecting electronic communications and surveillance footage requires justification of grounds and consideration of less invasive means. Third party records require limited ability to access under privacy statutes. Investigation records should factually document interviews and communications without commentary to protect credibility.
1. Internal Investigations and Employee Privacy (and More) Dan Michaluk13th Annual ACFI Fraud Conference May 3, 2011
2. Outline Investigators and employee privacy How the investigation exemptions work Special collection issues The investigation record
3. Investigators and Employee Privacy Employee privacy rights Come from statute in the federal sector, the public service (excluding Ont.) and in B.C., Alta. and PQ Come from collective agreements and arbitrator-driven law (for unionized employees) At the very outside range of acceptable conduct, come under an individual employment contract (Colwell)
4. Investigators and Employee Privacy Why your internal clients care about privacy Employees and unions care more now There’s been a slow shift in attitude about privacy in the workplace An institution’s relationship with its privacy regulator matters Some labour arbitrators exclude evidence obtained through an “unlawful” collection
5. Investigations and Employee Privacy Help your client view investigation tactics by their risk Legal issue is usually “reasonable necessity” It’s never right to say “yes or no” - assessing a tactic is about articulating the degree of risk Usually your client should make the call Demand that your clients make a risk-based assessment
6. Investigations and Employee Privacy Your quid pro quo is to acknowledge that privacy matters You can help by recognizing some tactics as invasive and assessing its relative efficacy If you dismiss privacy as inimical to your role you will run in to problems Protect your own internal credibility
7. How the Investigation Exemptions Work You’re not “law enforcement” any more Public sector privacy statues include broad authorizing provisions to enable law enforcement Courts have recognized that police need to police and can make assumptions about criminal behaviour Private security is different
8. How the Investigation Exemptions Work Relieve against consent rule on certain conditions* Condition 1 – reasonable grounds Condition 2 – necessary part of covert investigation Condition 3 – breach of agreement or “law” *Differ by statute and have interpretive peculiarities
9. How the Investigation Exemptions Work Commissioner powers Have broad power to scrutinize how you investigate They don’t have a strong history of interference UBC Spyware case is a notable exception If you think about privacy and can demonstrate you have done so they are less likely to interfere
10. Specific Collections Electronic communications Very rich information Fairly full right of access historically and today Ont. C.A. has recently recognized an expectation of privacy in stored files (different than e-mail and text messages) Employers should make personal use conditional on an audit right and investigation right
11. Specific Collections Covert video surveillance Surveillance images are recognized by commissioners as sensitive personal information Now addressed by (relatively strict) OPC guideline More than “mere suspicion” required Likely to be efficacious Consider less invasive means Delete or depersonalize extraneous PI Decision-making process is key
12. Specific Collections Customer records of employees There’s a “two hat” problem here Employees enrol as customers and expect to be treated as customers The “use” exemption in PIPEDA is worded than the “disclosure” exemption – does this pose a problem for investigations that can’t be framed as an investigation into a breach of public law?
13. Specific Collections Records of PI held by third-parties Cell phone records or credit history records Private security has limited ability ask and receive from 3P under privacy statutes (check jurisdiction) So generally part of the “open” investigation Enforcement duty to cooperate with investigation will hinge on the logic of the demand (won’t get away with fishing, but ee “right to silence” is limited)
14. The Investigation Record Interview notes Name and date No paraphrasing Essence of response plus behaviour No commentary Nothing beats ink
15. The Investigation Record Project communications Facts and plans are safe Don’t deliberate over e-mail Don’t send draft conclusions/reports over e-mail
16. Internal Investigations – Staying on Side of Employee Privacy (and More) Dan Michaluk13th Annual ACFI Fraud Conference May 3, 2011