Internet & Email Policy (Canada)

INTERNET AND EMAIL POLICY

Company: [Company Name]

Province: [Province]

Effective Date: [Effective Date]

1. PURPOSE

[Company Name] (the "Company") provides employees with access to electronic communication systems to facilitate business operations. This Internet and Email Policy governs the acceptable use of those systems and applies to all employees in the province of [Province].

2. SCOPE

This Policy applies to the following systems: [Covered Systems]

3. PERMITTED USE

Company systems are provided primarily for legitimate business purposes. Employees are expected to use these systems professionally and in a manner consistent with this Policy and all applicable laws.

4. PROHIBITED ACTIVITIES

The following activities are strictly prohibited: [Prohibited Activities]

5. CASL COMPLIANCE

Canada's Anti-Spam Legislation (CASL, S.C. 2010, c. 23) applies to commercial electronic messages sent from company accounts. [CASL Requirements]

6. ELECTRONIC MONITORING

[Monitoring Statement]

7. DISCIPLINARY CONSEQUENCES

[Disciplinary Consequences]

8. CONTACT

Direct questions about this Policy to [IT Contact] at [IT Email].

EMPLOYEE ACKNOWLEDGMENT

By signing below, the employee confirms they have read, understood, and agree to comply with this Internet and Email Policy.

Employer Representative

________________

Signature

Employee

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is an Internet & Email Policy (Canada)?

An Internet & Email Policy in Canada sets the rules for employees’ use of the organisation’s internet and email systems, governed primarily by common-law employment and provincial privacy principles.

In Canada, an Internet and Email Policy operates at the intersection of several legal frameworks. Canada's Anti-Spam Legislation (CASL, S.C. 2010, c. 23) imposes strict requirements on commercial electronic messages sent from Canadian computers, including consent, sender identification, and unsubscribe mechanisms. Any employee who sends marketing, promotional, or commercial emails on behalf of the employer is a CASL compliance risk if they are not trained on the requirements. The policy is a primary vehicle for communicating CASL obligations to staff.

The Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial private-sector privacy laws (Alberta's PIPA, BC's PIPA, and Quebec's Law 25) govern how personal information — including personal emails or browsing data inadvertently captured on company systems — must be handled. Under PIPEDA, information collected from monitoring must be used only for the purpose disclosed to employees.

Ontario's Working for Workers Act, 2022 introduced a mandatory electronic monitoring policy requirement for employers with 25 or more Ontario employees. The policy must disclose whether employees are monitored through the use of electronic devices or systems, and if so, the nature and purpose of that monitoring. Failure to have a compliant electronic monitoring policy exposes Ontario employers to employment standards complaints.

Beyond statutory compliance, the policy protects the employer from liability arising from employees sending harassing, defamatory, or infringing content through company systems. Canadian courts have found employers vicariously liable for discriminatory or harassing communications sent by employees using company email. A clear policy that prohibits such use and is enforced consistently provides an important defence.

Finally, the policy sets expectations about personal use of company systems. While most Canadian employers allow limited personal use, unlimited personal use creates productivity losses, consumes bandwidth, and creates security risks. The policy defines what personal use is permitted and what is not, forming the basis for disciplinary action if boundaries are crossed.

The forms-legal.com Internet and Email Policy Canada template addresses all key compliance requirements. Section 6 of CASL 2010 governs commercial electronic messages. Section 41.1 of the Employment Standards Act 2000 mandates electronic monitoring disclosure for Ontario employers with 25 or more employees. Section 3 of the Personal Information Protection and Electronic Documents Act 2000, enforced by the Office of the Privacy Commissioner of Canada, governs personal information collected through monitoring. Section 5 of Alberta's Personal Information Protection Act 2003 and Section 6 of British Columbia's Personal Information Protection Act 2003 set equivalent standards for provincially regulated employers. The Canadian Radio-television and Telecommunications Commission enforces CASL under the Fighting Internet and Wireless Spam Act 2010 and may impose penalties under Section 20 of that Act. The Competition Bureau administers Section 74.01 of the Competition Act 1985 which prohibits false or misleading electronic communications in commerce.

When Do You Need an Internet & Email Policy (Canada)?

An Internet and Email Policy is needed by any Canadian employer whose employees use company-provided computers, email accounts, internet access, or communication platforms — which describes virtually every modern workplace.

Ontario employers with 25 or more employees are legally required to have a written electronic monitoring policy under the Employment Standards Act, 2000 (as amended by the Working for Workers Act, 2022). Non-compliance can lead to employment standards complaints and penalties.

Organizations subject to CASL that send commercial electronic messages to clients or prospects need the policy to confirm employees understand consent and identification requirements before sending bulk or promotional emails from company accounts.

Any employer that has experienced (or wants to prevent) an incident where an employee sent harassing, discriminatory, or confidential information through company email needs a clear written policy to demonstrate that reasonable preventive steps were taken — which is a defence to vicarious liability claims.

Organizations handling sensitive client data, financial information, or personal health information need the policy to define data handling requirements and prohibit risky behaviors like forwarding sensitive data to personal email accounts or using unauthorized cloud storage.

Employers in regulated sectors — financial services, healthcare, legal — may have additional record-keeping and archiving requirements for electronic communications that the policy should address. Federally regulated financial institutions supervised by the Office of the Superintendent of Financial Institutions under the Bank Act 1991 must comply with additional record retention obligations. Healthcare employers subject to provincial health information legislation — Ontario's Personal Health Information Protection Act 2004 and Alberta's Health Information Act 2000 — must address how personal health information transmitted through workplace email systems is protected and retained. Section 230 of the Criminal Code 1985 creates offences for unauthorized interception of private communications, and the Internet and Email Policy should confirm that employer monitoring is conducted in a lawful manner consistent with disclosed purposes. Employers across Canada should prepare and communicate the Internet and Email Policy proactively rather than waiting for an incident to occur — courts and labour arbitrators consistently hold that disciplinary action is only supportable where employees had prior notice of the prohibited conduct and its consequences.

What to Include in Your Internet & Email Policy (Canada)

Scope — Which systems, devices, and accounts are covered (corporate email, company-provided internet, work-issued devices, business communication platforms like Teams or Slack), and whether the policy applies to personal devices used for work (BYOD).

Permitted and Prohibited Uses — A clear description of what employees may and may not do with company systems. Prohibited uses typically include accessing illegal or inappropriate content, sending harassing or discriminatory messages, using company email for unauthorized commercial purposes, downloading unlicensed software, and connecting insecure external devices.

Personal Use — Whether limited personal use of company internet and email is permitted, and if so, under what conditions. A reasonable personal use policy is more realistic and enforceable than a blanket prohibition.

CASL Compliance — Requirements for employees who send commercial electronic messages on behalf of the employer, including obtaining express or implied consent, including required sender identification information, and providing a working unsubscribe mechanism. CASL violations expose the employer to administrative monetary penalties of up to $10 million per violation.

Electronic Monitoring Disclosure — A clear statement of whether the employer monitors employee use of company systems, what types of monitoring are conducted (internet logs, email scanning, keylogging, screen capture), the purpose of monitoring, and who has access to monitoring data. Required for Ontario employers with 25+ employees under the ESA, 2000.

Privacy and Confidentiality — Employees' obligation to protect confidential business information and personal information of clients and colleagues when using company systems. Prohibition on forwarding sensitive data to personal accounts or unauthorized third parties.

Consequences of Violation — The range of disciplinary actions that may result from violations of this policy, up to and including termination for cause, and any potential personal legal liability (e.g., for CASL violations or copyright infringement committed using company systems).

Retention and Records — How long emails and electronic records are retained, the employer's right to access and review stored communications, and employees' obligations regarding document retention in the context of litigation holds. Section 78 of the Canada Business Corporations Act 1985 requires that corporate records be retained for specified periods. The Canada Revenue Agency requires retention of business records for a minimum of six years under Section 230 of the Income Tax Act 1985. Ontario's Evidence Act 1990 and the Canada Evidence Act 1985 govern the admissibility of electronic records in legal proceedings before the Ontario Superior Court of Justice and the Federal Court of Canada.

The forms-legal.com Internet and Email Policy Canada template incorporates all mandatory disclosure requirements under Section 41.1 of the Employment Standards Act 2000, Section 6 of CASL 2010, and Section 3 of the Personal Information Protection and Electronic Documents Act 2000. Employment and Social Development Canada administers the Employment Standards Act 2000 and the Canada Labour Code 1985 for federally regulated workplaces. The Office of the Privacy Commissioner of Canada enforces PIPEDA compliance for all federally regulated employers. The Canadian Radio-television and Telecommunications Commission enforces CASL penalties under Section 20 of the Fighting Internet and Wireless Spam Act 2010. Disputes under this policy are adjudicated by the Ontario Superior Court of Justice, applicable provincial superior courts, or the Federal Court of Canada for federally regulated employers. The policy should be reviewed and updated whenever relevant legislation changes — including amendments to the Employment Standards Act 2000, CASL 2010, or provincial privacy statutes — to maintain ongoing compliance and enforceability.

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Internet & Email Policy (Canada) (Canada) [Legal document template]. Forms Legal. https://forms-legal.com/canada/business/policies/internet-email-policy-canada

MLA

"Internet & Email Policy (Canada) (Canada)." Forms Legal, 2026, https://forms-legal.com/canada/business/policies/internet-email-policy-canada.

BibTeX
@misc{formslegal-internet-email-policy-canada,
  author       = {{Forms Legal}},
  title        = {Internet & Email Policy (Canada) (Canada)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/canada/business/policies/internet-email-policy-canada}},
  note         = {Free legal document template. Based on Canada Business Corporations Act (R.S.C. 1985, c. C-44)}
}

Based on Canada Business Corporations Act (R.S.C. 1985, c. C-44) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
