In an effort to boost information security levels and impress its new mayor, a municipality in British Columbia learned the hard way that employee privacy trumps security.
In early 2015, the District of Saanich installed monitoring software on the computers of certain “high-profile” employees considered to be possible targets for an IT security breach, including the new mayor, Richard Atwell, the CAO, and several other directors. It was to be an interim measure until a district-wide intrusion detection and intrusion prevention system could be installed.
But it was the wrong approach, says B.C.’s privacy commissioner.
Among other things, the software from Spector 360 did keystroke logging, took screenshots at 30-second intervals, and logged all web sites visited by a user. In doing so it captured personal information of the employees — a practice not authorized by the Freedom of Information and Protection of Privacy Act.
“They were focusing on the security aspects without considering the flipside of security, which is privacy,” says Lyndsay Wasser, co-chairwoman of the privacy group at McMillan LLP. “Security can work hand in hand with privacy but some security measures do have an adverse effect on privacy and that’s where you get into a balancing scenario.”
The District of Saanich did not tell the employees that their personal information was being collected. Such notice is a requirement under FIPPA in the public sector and under the Personal Information Protection and Electronic Documents Act in the private sector.
One of the arguments for installing the software was that the newly elected mayor was perceived to be IT savvy, and he might be critical of perceived security weaknesses in the system.
When he found out, Atwell went to the police, and then the media. The news caught the eye of the privacy commissioner, who quickly launched an investigation. Following the investigation the municipality was told to implement a comprehensive privacy program and appoint a privacy officer as well as roll out training to employees. It was also told to disable the employee monitoring software functions and destroy all personal information collected.
“It’s going to cost them money to roll out those recommendations,” says Wasser.
In her report, Elizabeth Denham, the information and privacy commissioner for B.C., said: “. . . employees do not check their privacy rights at the office door. There is a right to privacy in the workplace, which has been upheld by Canadian courts and must be respected by public bodies as they consider what security controls are necessary to protect information in government networks.”
Denham expressed dismay that public agencies have been subject to these privacy laws for more than 20 years but still seem ignorant of the rules.
“[O]ne of the most disappointing findings in my investigation of the District of Saanich’s use of employee monitoring software is the near-complete lack of awareness and understanding of the privacy provisions of B.C.’s Freedom of Information and Protection of Privacy Act.”
In fact, the district also made an inaccurate assertion in a press release issued Jan. 13, 2015, that employees do not have a “reasonable expectation of privacy . . .”
The appeal of monitoring technology, combined with the continued lack of awareness of the fundamental right to privacy in the workplace, is creating a “perfect storm” that is leading employers to “cross a line,” says Chantal Bernier, formerly head of the Office of the Privacy Commissioner of Canada and now counsel at Dentons Canada LLP in Ottawa.
“We see widespread lack of awareness, sadly,” says Bernier. “If you look at other cases, you have one in the U.S. right now where the company is taken to court for having dismissed an employee who refused to be tracked 24/7. Why would the company even think of doing that?”
Bernier said the issue of right to privacy in the workplace is becoming “urgent” as the technology to monitor employees is becoming more intrusive, yet attractive to employers.
“There is the line between privacy and the rights of an employer to exercise due diligence and monitor employees, and secondly the adaptation of that right to the new technological context,” says Bernier.
Bernier points out there are now many ways to monitor employees including the use of GPS, dashboard cameras, RFID chips, and many other technologies.
“It’s a convergence of a few factors,” says Bernier, who adds there are several takeaways from the District of Saanich case.
Bernier says any organization that chooses to adopt some form of monitoring in the exercise of due diligence should first do a privacy impact assessment to determine how intrusive the technology would be and whether that intrusiveness is proportionate to the objective sought.
“If safety of employees is an issue then there may be more latitude to be more intrusive, because it would be more proportionate,” she says.
Secondly, once the assessment is done, develop the mitigating policies to address the intrusiveness, such as limiting the catchment area for video camera surveillance.
Also, she says, have clear policies around the extent of monitoring and retention of data, and be transparent with employees about what is being watched and why. Regular audits to make sure the monitoring does not exceed what it was intended to do are a must.
“That comes out from this report and is truly the best practice,” says Bernier.
Denham says as part of the investigation, her office is becoming aware that municipalities and other public bodies could benefit from some added guidance about employee privacy.
“I think there is a lack of understanding of how these laws apply to employee information,” says Wasser. “I think that is going to be very well received because there’s not a lot of talk about that in the public sector. In the private sector it’s a little better understood but there’s room for guidance there too.”
Wasser says privacy commissioners have not tackled employee privacy issues as comprehensively as other areas.
Apart from R. v. Cole, which went to the Supreme Court of Canada, most breaches that hit the headlines tend to revolve around client or customer information.
“There are so many issues for the privacy commissioner to look at that employee privacy is not always at the top of the list but this may change that, especially in the public sector where it’s not as well understood,” says Wasser.