Workplaces have transformed in the past month with many employees working from home in light of the Coronavirus (COVID-19) pandemic. Several employees have children underfoot as a result of school closures amidst social distancing mandates from federal, provincial and municipal governments. Others in the employee’s home may include dependants as some Canadians assume a caregiver role during COVID-19.
Depending on job requirements, working from home may involve bringing work devices and materials outside of the office in order to fulfill tasks, including laptops and computers with remote access to a work virtual private network (VPN), files and documents, client or customer information and sharing work information with other colleagues through different platforms like Dropbox.
Prudent employers and employees should be mindful of confidentiality obligations which the practice of working remotely may render more susceptible to breach, even if the breach may be inadvertent.
Areas where a breach of confidentiality outside of the workplace may potentially occur include:
- in a person’s household, as there may be other people present who are not permitted to access confidential work information;
- in a person’s household because it may not have the proper physical and technological security and/or backup systems to ensure the information remains secure and confidential; and
- in transit between work and home.
Confidentiality obligations stem from multiple sources, including the following.
Common Law Obligations
In general, all employees owe their employer an implied duty of good faith and fidelity, which prohibits them from disclosing their employer’s confidential information. Common law also guides that employers must protect a person’s confidential information. These confidentiality obligations have developed through previous decisions of judges over a long period of time; this is known as “common law”.
Some employees owe an elevated set of duties, known as “fiduciary duties”, to their employer and to their clients.
Generally, a fiduciary relationship is one in which a vulnerable party has a special level of trust and reliance on another party, who is the “fiduciary.” A vulnerable party’s confidential information is particularly protected because they are likely to give information to their fiduciary that most people are not privy to. Further, the vulnerable party will make decisions based on the influences of the fiduciary.
When there is a fiduciary relationship between parties, there is an implied term that the fiduciary party will protect the confidentiality of the vulnerable party in order to ensure open and honest communication to ensure the best possible outcome for the vulnerable party.
In the employment context, the Supreme Court of Canada has determined in the case of Lac Minerals Ltd v International Corona, that a fiduciary duty owed by an employee will generally arise where:
- The fiduciary has scope for the exercise of some discretion or power.
- The fiduciary can unilaterally exercise that power or discretion so as to affect the beneficiary’s legal or practical interests.
- The beneficiary is peculiarly vulnerable to or at the mercy of the fiduciary holding the discretion or power.
Fiduciary duties are usually only ascribed to employees who are upper managerial and executive level, however, there are examples where the Courts have determined that employees with less seniority, such as sales persons and hairdressers, owed fiduciary duties to the (former) employers.
Fiduciary duties owed by employees exist during the employment relationship and continue after it terminates for a reasonable length of time. The period during which a fiduciary duty is owed is determined through several factors, including the position of the employee, their seniority etc…
Conversely, employers can also owe fiduciary duties to their employees.
Employees owe an equitable “duty of confidence”. Where an employee misuses confidential information communicated to them, an employee could be liable for breach of confidence. This duty remains in place indefinitely as long as the information in question remains confidential. When information is made readily available to the public, an employee will generally no longer be obliged to keep it confidential.
Employers and employees working in a professional field may also have duties of confidentiality arising from statute, regulations and their governing body. For example, doctors, lawyers, accountants and organizations employing these types of professionals are all highly regulated and owe professional obligations to their patients or clients, including confidentiality. Under these obligations, client information entrusted to a professional can only be disclosed if the patient or client gives the professional permission to do so, with only limited exceptions.
In the employment context, an employer of professional employees will also generally be subject to elevated confidentiality obligations to its clients.
Where an employee acts in breach of professional confidentiality obligations, the employer may have grounds to allege just cause for dismissal of the employee, without any termination or severance pay. A breach of professional obligations by an employee, which leads to disciplinary action by the employee’s regulating body, could result in the end of the employment contract. In such circumstances, the employee may be left with little or no recourse.
In addition to the above sources of obligations, further confidentiality obligations may form part of an employment agreement. Many employment agreements and employee handbooks include confidentiality clauses and it is important that employees are aware of what is outlined in any provisions applicable to their employment. If an employee oversteps a contractual confidentiality clause, the contract may be breached. The result could be termination of the employee’s employment. The most serious breaches of confidentiality may constitute a breach of contract that could result in the employee’s dismissal for just cause, depending on the overall circumstances.
Intrusion Upon Seclusion
In 2012, the Ontario Court of Appeal recognized a new tort of “Inclusion upon Seclusion” in the case of Jones v Tsige. Canada has a long history of case law to protect a business’ information from those outside the business, however, in Jones v Tsige, it was determined that internal protections for confidential information should be established. Broadly speaking, an intrusion upon seclusion is an intentional or reckless invasion of privacy that a reasonable person would regard as “highly offensive”, causing humiliation or anguish.
In this case, Jones and Tsige both worked for the same bank, but worked at different branches and did not personally know each other. Jones was in a relationship with Tsige’s ex-husband and Tsige used the bank’s records to pry into Jones’ life. From her work computer, Tsige accessed Jones’ personal account information. The Court awarded Jones $10,000 even though she had suffered financial loss as a result of Tsige’s actions. The decision publicly signified the severity of Tsige’s misconduct and acted as a public deterrence.
Employers should note that they also have additional statutory obligations regarding confidentiality. The Personal Information Protection and Electronic Documents Act (“PIPEDA”) is the framework for private-sector companies and businesses in Canada that collect, use or disclose a person’s confidential information, unless they are subject to substantially similar provincial legislation.
Importantly, Schedule 1 of PIPEDA contains 10 fair information principles that employers must follow in order to abide by the statute. The principles address accountability, consent, limiting disclosure, accuracy and safeguards and other requirements.
Provinces have also enacted their own statutes which are substantially similar to PIPEDA. Ontario, for example, has enacted the Personal Health Information Protection Act in respect of collection, use and disclosure of personal health information. In the public sector of Ontario, the Freedom of Information and Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act apply.
Further, certain professions have their own set of regulations created pursuant to statute by governing bodies to which employers must comply. For example, the College of Registered Psychotherapists of Ontario has Professional Practice Standards which licensees must follow. Section 3.1 of the Standards sets out obligations regarding confidentiality.
It can be overwhelming and difficult for an employer to navigate through all statutes and regulations that mandate confidentiality within their business. It can be advantageous to contact a lawyer to clarify statutory obligations.
Takeaways for Employees
In breaches of confidentiality, there does not need to be evidence of malicious intent. The singular fact that confidential information was made public to a third party may result in a breach. There are many ways that an employee may breach confidentiality; some inadvertent. Examples of this include participating in a phone or video conference call in which a family member can overhear the discussion or leaving a document visible to members of the household.
Steps that employee can take to meet their confidentiality obligations include:
- restrict all work to a dedicated and private part of one’s home to help control placement of confidential information and access to the confidential information
- review any work-from-home and confidentiality policies established by their employers
- ask for support from their employer to maintain adherence to confidentiality obligations
- avoid the use of personal email accounts or personal devices for work matters where the employer has not given approval
Takeaways for Employers
Within an office or bricks and mortar facility, it is much easier for an employer to control and maintain confidentiality. With changes to working environments because of COVID-19 outside of a central location, it is just as important that employers equip their employees with the right set of tools and information in order to ensure their company’s confidential information does not fall into the wrong hands and become public.
Steps and precautions that employers should take before permitting employees to work from home include:
- implementing clear work from home policies and sending a guideline or information sheet home with employees with “how-to”s when dealing with clients, confidential information, websites, portals, emails, databases, accounts, files, etc.
- communicating confidentiality obligations and policies with employees to help guard against breaches
- ensuring that a proper VPN is installed and considering extra security features such as strong encryption algorithms
Given the complexity of the legal framework surrounding work-related confidentiality issues and the consequences for breaching confidentiality, employees and employers are advised to speak to a lawyer for guidance about the scope of duties that may apply to them.
If you have questions or inquiries on duties of confidentiality or the best ways to deal with confidential information, call Zubas + Associates at 416-593-5844 or send an email to firstname.lastname@example.org.