Who owns business data on personally owned computers?

Author: Montana, John C.

Blurring boundaries between what is work time and equipment and what is personal time and equipment bring into question the ownership of information created on personal computers. What rights do employers have to access employee-owned computers used for work purposes? What expectation of privacy do employees have to personal information on employer-owned computers? A well-structured information policy can clarify the access and privacy rights of all parties.

The intersection of an employee's personal and work life and responsibilities has long been a difficult subject area for both employee and employer. This tension has increased over time as longer work hours and greater demands on employees make for an ever-longer workday. Often, it also means that employees work at home in the evening and on weekends.

In many cases, this work is done on a computer provided by the employer for the purposes of facilitating the employee's at-home work. In many other cases, however, the work is performed on a computer owned by the employee or by someone else living in the employee's residence. If the employee is doing substantive work on the employer's behalf from such a computer, employee and employer may at some point find themselves in an adversarial position. The employer may expect or assume that it has some property right to at least some of the computer's contents, while the employee may assume that the contents of a personally owned computer are his or hers in their entirety and that the employer has no right of access to them.

Privacy Law Governs Rights of Access

Rights and access to potentially personal computer data is a topic that falls under the general rubric of "privacy." Privacy law is a complex and often poorly defined combination of common law doctrines, constitutional law, and statutes and regulations. Much of this law is general privacy law and pre-dates computers; but increasingly, both statutory law and case decisions are directly on the topic of computer privacy.

Under the common law in the United States, invasion of privacy is a tort, for which the wronged party may seek compensation (Restatement, Second, of the Law of Torts, § 652B).

One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.

This statement is illustrative of the most common formulation of any common law wrong--the standard of conduct in most cases is that of what a "reasonable person" would do/think/expect in that particular situation. It is also illustrative of the continuing conundrum of privacy law, in general, and of computer privacy in particular: If a person believes that he or she has a privacy right or would be offended by an intrusion, such a right may exist if those expectations are consistent with the expectations of the hypothetical reasonable person whose actions and expectations are the plenary standard of the common law. In practice, that reasonable person is the judge or jury hearing the case.

Canada offers a different common law landscape. In contrast to the United States, a general common law privacy right has never been recognized or enforced by the courts. Recently, however, Canadian courts have begun examining this question and edging closer to recognition of a general right of privacy. In R. v. Dyment, the Canadian Supreme Court stated that privacy is "essential for the well-being of the individual." In Roth v. Roth, an Ontario court found the basis for a right of privacy in the Charter of Rights and Freedoms. These cases, however, have never fully articulated an actionable general right of privacy. Thus, the nature of and the sources for a "reasonable" expectation of privacy will necessarily be different.

Reasonable Expectation of Privacy May Limit Access

A long line of decided cases (e.g., TGB Insurance Services Corp. v. Zieminski) makes clear that, in the absence of other factors, anything on an employer-owned computer system located on employer premises is properly the property of the employer and that the employer has a right of access at any time.

There are, however, factors that might give rise to such a privacy expectation. One such factor is an explicit employer grant of privacy, such as a personnel or information policy stating that the employer will limit its review or monitoring of employee communications or data on its systems. In such a case, the explicit grant of privacy presumably operates as an enforceable contractual provision. However, even in a case such as this, an employee privacy right that trumps all other considerations is by no means assured. If, for example--as in Shoats v. Epson America, Inc.--the information over which a privacy right is asserted is communicated to another party over an employer-owned e-mail system, any right of privacy arising out of an explicitly stated e-mail privacy policy may be lost.

Another is an employer course of action implicitly granting the employee some privacy. This could be the...
