Writing the Electronic Monitoring Policy Right
As of October 11, 2022, the Employment Standards Act, 2000 (“ESA”) requires Ontario employers with 25+ employees (including assignment employees, as defined by the ESA)[1] to have a written policy on electronic monitoring. In subsequent years, employers with 25+ employees on January 1 of a given year have to have the policy in place by March 1 of that year.
Earlier this month, I posted a blog answering some frequently asked questions about the new policy requirement. Check it out here.
In this follow-up blog, I’ll set out some tips and strategies for actually writing the policy. But employers, take note: this is a “meatier” policy than the Disconnecting-From-Work policy, which has very few substantive requirements (and which I wrote about here). The Electronic Monitoring Policy has mandatory content that really needs to be tailored to each individual workplace, so there is no one-size-fits-all approach or policy that will be appropriate for every workplace.
With that said, here are some tips to get started.
Tips for Drafting the Electronic Monitoring Policy
1. Define “Electronic Monitoring”.
The ESA doesn’t include a definition of “electronic monitoring”, and the Ministry of Labour’s guidance is circular (i.e. defining electronic monitoring as “monitoring that is done electronically”).
In the absence of a clear official definition, employers should adopt a working definition to ensure they can identify what falls into the category of “electronic monitoring” and what does not. The appropriate definition may depend on the workplace, but in general, I think of electronic monitoring as:
Using electronic means to observe, record, track, or collect data on employees (including but not limited to employee performance, location, and resource use), where such information may be accessed and/or reviewed by the employer or someone acting on the employer’s behalf.
Again – this isn’t an official or exhaustive definition. It’s meant only as a conceptual aid to help distinguish between electronic processes that are not monitoring vs. those that are monitoring. This definition may not be appropriate for every workplace, or it may need some more tweaks and nuance.
2. Do a walk-through.
Before you start writing, it can be useful to do a “walk-through” of a typical work day to assess where and how electronic monitoring may occur. Apply the definition to the steps of each day and identify where electronic monitoring occurs, e.g. when you:
Open the door with a passcard;
See the surveillance camera in the lobby;
Sign in to work applications;
Drive your company vehicle with GPS tracking to a client site; etc.
Applying the definition of “electronic monitoring” to the steps of a typical day can help identify sources of electronic monitoring that you may not otherwise notice.
3. Ask yourself: Is it necessary?
Just because you can do it, doesn’t mean you should.
Take this opportunity to assess each form of electronic monitoring. Consider:
Is the monitoring necessary to meet a specific need?
Is it likely to be effective in meeting that need?
Is the employee’s loss of privacy proportionate to the benefit gained?
Is there a less intrusive option that would be effective in meeting the need?
While a full review of privacy requirements is beyond the scope of this blog (though I discuss it a bit in the FAQs), employers must remember that employees do have some expectation of privacy at work and there are legal limits on what’s allowed. And beyond potential legal repercussions, excessive monitoring can create employee morale and retention problems.
If the monitoring is not helpful or necessary, eliminate it. If a less intrusive option is available, use it. Being circumspect about monitoring will help keep it targeted and reasonable, which minimizes the chances of employee pushback.
4. Consult with IT.
“Monitoring” encompasses more than just endpoint monitoring of user devices. It can also capture network security processes that monitor and track employees behind the scenes. It’s important to consult with the company’s IT people to understand the following:
What technologies the company is using (e.g. automatic backup, data protection solutions, remote access by third parties, etc.);
What data is being collected;
Who can access the data, and how/why it would be accessed; and
What, if any, are the data security implications of the policy and any potential changes to the practices.
For computer applications, IT can advise whether there are any functions that can or should be disabled to avoid unnecessary monitoring and preserve employee privacy.
5. Don’t overdescribe the technology.
The ESA doesn’t require a name or precise description of each monitoring application. Instead of listing specific applications, keep the language high-level (e.g. “network threat detection tools” or similar language). Use practical and simple terms, and try not to get bogged down in details.
I say this for two reasons:
Many employees won’t gain anything from knowing the names or minutiae of the actual technology, and it will just over-complicate the policy; and
In general, security controls and tech details should be kept confidential to minimize network security risks.
6. Don’t unduly limit the purposes for which data can be used.
Yes, employers have to list the purposes for which data may be used. But no, the ESA does not prohibit employers from using the collected data for other purposes, beyond those listed in the policy.
For this reason, I’d generally avoid including a categorical statement promising that employee data “will only be used for the purposes stated in the policy.” Including such a statement goes beyond what’s required by the ESA, and may unduly hamstring the company from other legitimate and unforeseen uses of collected data.
To be clear though, the key word is “legitimate”. The absence of an ESA prohibition does not mean employers have free rein to use employee data however they like, and using data for illegitimate or undisclosed purposes can still attract sanction including under common law, contract, or another statute.
7. Avoid “mission creep”.
Electronic monitoring touches on a range of other issues – privacy, remote work, use of company devices, confidentiality, etc. While these issues are related to electronic monitoring, the Electronic Monitoring Policy should not try to address all of these areas. It’s mission creep, and it’s too much for one document.
My suggestion is to include a list of “Related Policies” that are separate from the Electronic Monitoring Policy, but that include related information and expectations. This helps point employees towards those other policies without reiterating their content. Just make sure to read through the related policies and ensure they synch up with the new Electronic Monitoring Policy.
8. Be ready for questions.
Even if the policy is simple and the monitoring is reasonable, it’s fair to expect employee questions. Ensure you have a plan in place for addressing them.
* * *
There’s no one-size-fits-all approach to drafting the Electronic Monitoring Policy. Tech-forward organizations are going to require a different level of disclosure than old school companies working in paper files. That said, in general, I think it’s best to keep the Electronic Monitoring Policy simple, practical, clear, and with a little bit of flexibility.
The tips above will hopefully help employers tailor the policy to each individual workplace and avoid some common pitfalls. But as always, we’re here to help if needed!
______________________________________________________________________
[1] For ease of reference, this blog collectively refers to employees and assignment employees as “employees”.