Ontario’s Electronic Monitoring Policy Requirement: FAQ
Every breath you take
And every move you make
Every bond you break
Every step you take
I'll be watching you
- “Every Breath You Take”, The Police
As of October 11, 2022, the Employment Standards Act, 2000 (“ESA”) requires Ontario employers with 25+ employees to have a written policy on electronic monitoring. In subsequent years, employers with 25+ employees on January 1 of a given year have to have the policy in place by March 1 of that year.
In two weeks, I’ll be posting a follow-up blog on Writing the Electronic Monitoring Policy Right, with tips and strategies for actually writing the policy (UPDATE: Here it is!). But before the policy writing begins, this blog will address four frequently-asked questions:
What is “Electronic Monitoring”
Can I electronically monitor my employees?
What has to be in the policy?
Will the Ministry of Labour (MOL) enforce the policy?
What is Electronic Monitoring?
There’s no definition of “electronic monitoring” in the ESA itself, and the MOL’s definition is circular:
“Electronic monitoring” includes all forms of employee and assignment employee monitoring that is done electronically”
The definition is not limited to company devices, nor is it limited to monitoring that happens at the physical workplace. Since there aren’t many limits in the definition, employers need to think broadly about what practices could constitute “electronic monitoring”. Some fairly clear examples of electronic monitoring include:
GPS tracking;
Video or audio surveillance;
Browser tracking and keystroke logging; and
Sensors that track employee movement or efficiency.
Electronic monitoring could also include commonplace security measures like passcards and key fobs, or data loss prevention solutions, where they enable the employer to monitor and control access.
There’s also some grey area. For example, we can all see if someone is “Away” on Teams, etc. – is that electronic monitoring? I think it will depend on the circumstances. If there’s a policy in place that requires employees to be logged in to Teams with updated statuses when working, the answer is likely “yes,” because the status is being used to monitor employee location and productivity.
Can I electronically monitor my employees?
Like all good legal questions, the answer is “Yes, But”.
The ESA requirement for an Electronic Monitoring Policy does not create a new right for employees not to be electronically monitored, nor does it confer any new privacy rights. However, employers need to be aware of employees’ already-existing privacy rights under the common law and any applicable legislation.
In Ontario, there’s very little provincial[1] legislation protecting employees’ privacy rights save for limited exceptions that apply in specific circumstances (e.g. regarding private health information, harassment complaints, etc.).[2]
But at common law, employees have some reasonable expectation of privacy in relation to their personal information. What is “reasonable” depends on the totality of the circumstances, which can include:
Whether the employee is using a personal or company-owned device;
Whether they are aware of, or consented to, monitoring;
Whether there’s a robust workplace policy regarding collecting and accessing employee data;
The type of information; and so on.
In Ontario, there’s also a tort of “intrusion upon seclusion” that can apply in the employment context. It applies where one party intentionally or recklessly invades, without lawful justification, the other’s private affairs or concerns, and a reasonable person would regard the invasion as highly offensive, causing distress, humiliation, or anguish.[3] Economic harm need not be proven. It’s a case-by-case determination and the bar is high, although there are certainly types of electronic monitoring that could meet the threshold of tortious conduct (e.g. undisclosed surveillance of washrooms, etc.).
While a full review of privacy requirements is beyond the scope of this blog, a basic guideline is that monitoring is more likely to be acceptable where it is: (i) disclosed, or better, consented to; (ii) tied to a specific, reasonable purpose; and (iii) as unintrustive as possible in the circumstances. The ESA requirement for an Electronic Monitoring Policy will push employers to meet these criteria by requiring increased transparency and a clearly-stated purpose for monitoring.
What has to be in the policy?
The written policy must include:
A statement as to whether the employer engages in electronic monitoring of employees
If not, the policy must specifically state that the employer does not electronically monitor employees.
If so, the policy must also include:
A description of how the employer may electronically monitor employees;
A description of the circumstances in which the employer may electronically monitor employees; and
The purposes for which information obtained through electronic monitoring may be used by the employer
The date the policy was prepared and the date any changes were made.
The government may later create a Regulation setting out additional mandatory content, but as of today, there is none.
Will the MOL enforce complaints about the electronic monitoring policy?
Barely. The ESA explicitly prohibits complaints to the MOL about any aspect of the Electronic Monitoring Policy requirements, except the requirement that it be provided to employees within 30 days. So as long as the Electronic Monitoring Policy is properly created and distributed, there can be no other complaints to the MOL.
This contrasts with MOL’s approach to the Disconnecting-From-Work Policy, where the MOL indicated it would enforce policies that create a greater right or benefit than the ESA provides.
***
UPDATE: Here is my follow-up blog that identifies helpful tips and strategies for actually writing the Electronic Monitoring Policy, including:
An unofficial (but not circular!) working definition of electronic monitoring;
Strategies for tailoring the policy to the individual workplace; and
Discussion of some common pitfalls to avoid.
***
[1] The Personal Information Protection and Electronic Documents Act (PIPEDA) is federal legislation, and applies to federally-regulated workplaces in Ontario (which make up only a small percentage of Ontario employers). PIPEDA does not apply to employee information in provincially-regulated organizations.
[2] These limited exemptions are beyond the scope of this blog, but may appear in the Occupational Health and Safety Act, Personal Health Information Protections Act, or Freedom of Information and Protection of Privacy Act, among others.
[3] Jones v Tsige, 2012 ONCA 32.