Today, the Office of the Information and Privacy Commissioner for British Columbia held that the District of Saanich breached the British Columbia Freedom of Information and Protection of Privacy Act by installing endpoint monitoring software on employee workstations.
The District’s plan was not well conceived – apparently arising out of a plan to shore up IT security because the District’s new mayor was “experienced in the area of IT.”
The District installed a product called Spector 360 – a product billed as a “comprehensive user activity monitoring solution.” This is software that enables the collection of detailed data from “endpoints” on a network. It is not intrusion detection software or software that helps analyze events across a network (which the OPIC noted is in use at other British Columbia municipalities).
The District enabled the software on 13 workstations of “high profile users” to capture a full range of endpoint data, including screenshots captured at 30 second intervals and data about all keystrokes made. The purported purpose of this implementation was to support incident response, a purpose the OIPC suggested could only support an inadequate, reactive IT security strategy.
The OIPC held that the District collected personal information without the authorization it required under FIPPA and failed to notify employees as required by FIPPA. I’ll save on the details because the OIPC’s application of FIPPA is fairly routine. I will note that the OIPC’s position is balanced and seems to adequately respect institutions’ need to access system information for IT security purposes. It acknowledges, for example, that some limited data collection from endpoints is justifiable to support incident response. Not surprisingly, the OIPC does not endorse taking screen shots or collecting keystroke data.
Investigation Report F15-01, 2015 BCIPC No. 15.
I presented today at the Canadian Institute’s program on advanced administrative law. My topic was about how to deal with the privacy interests of affected non-parties. Here are my slides, revised based on my evolving understanding of this (difficult) issue. My thesis as it stands: we need to develop a principled exception to the audi alteram partem rule that governs when affected non-parties get notice and right to be heard. Courts and admin law decision makers appear to be attracted to solution that rests on the involvement of an appropriate representative party, but the current solutions are not driven by any express principle.
On July 14th, Arbitrator Kuttner ordered an employer (and MFIPPA institution) to disclose retiree contact information to a union and to deliver a notice to retirees about his production decision.
MFIPPA does not apply to employment-related records nor, in general, does it give employees and retirees of MFIPPA institutions privacy rights. Arbitrator Kuttner seemed to accept this in finding that MFIPPA did not preclude him from making the requested order, though he also made a finding that the requested disclosure was permissible under MFIPPA as a “consistent purpose.”
More significant is how Arbitrator Kuttner dismissed the employer’s argument that the procedural rights of affected retirees must be respected in determining the production motion. He said:
The situation before me is far removed from that dealt with by the [Court of Appeal for Ontario’s decision] in Re Bradley. There are not here two groups of employees covered by the same collective agreement competing for benefits under its terms, with one group stripped of benefits previously accorded in favour of another group to which they are newly afforded. Rather a bargaining agent, bound to represent fairly before an employer a discrete group of retired employees whose common interests under a collective agreement are in jeopardy, seeks disclosure of their personal contact information held by the employer, so that it can fulfill its representational role. As discussed above, that role is one with common law underpinnings, now rooted in the LRA, and recognized by the parties to the Collective Agreement. Of note in PIPSC v. Canada (Revenue Agency) supra, where employee privacy rights were at issue, is the Supreme Court’s comment that “the usual practice” is not to give affected employees notice of such proceedings, and the same would hold here in the case of retirees.
Arbitrator Kuttner nonetheless considered it “appropriate” to advise the retirees of his production decision and ordered the employer to deliver the letter I’ve attached below.
CUPE, Local 27 and The Greater Essex County District School Board (14 July 2014, Kuttner).
Here’s a copy of a 10 minute prepared address I gave to a client seminar today on CASL readiness. Four practical points to guide your readiness initiative.
Happy New Year!
2013 was a good and busy year for your AAI primary contributor. I’ve paddled a traditional paddleboard for about twelve years now but committed to a dedicated year of competition in 2013, knocking off my first Molokai 2 Oahu crossing with a surprisingly good result and a win (!) against a small but core group of prone paddlers at the Chattajack 31 in Tennessee. I’m over 40 but feel like a kid again and am going to channel my current paddling obsession into another year of competition. If all goes well, I’ll repeat the Molokai 2 Oahu crossing and add a first time result in the famed and highly-competitive Catalina Classic. If you’re in Toronto and prone paddling looks interesting get in touch in the Spring. I’d be glad to loan a board and go for a paddle.
This is all to say that AAI suffered slightly from paddling-, family- and practice-induced anemia in 2013. We posted about 75 entries. They were on the most relevant of content, selected more conservatively than in years past, but this was lower output for a blog that’s now has 825 entries since its birth in the summer of 2007. We’ll aim for more of the same in 2014, thank you for reading and hope you enjoy. We hope you had a nice holiday and are feeling invigorated and ready for a good 2014!
Here is Paul Broad and my summary of today’s remarkable Supreme Court of Canada decision in Alberta (Information and Privacy Commissioner) v United Food and Commercial Workers, Local 401. (The Court struck down Alberta PIPA as violating section 2(b) of the Charter.)
I’m more open in this forum to think openly about the decision, which strikes me as being most characterized by its unrestraint. The Court could have issued a pronouncement clearly confined to the precise labour-relations context before it, but did not. The general questions it raises about how privacy legislation operates may be quite well-founded, but are not helpful. The decision today is likely to cause litigation that – after much time and energy – leads to necessary clarification and confinement.
There are “narrowing cues” in the decision. For example, the Court suggests that our federal commercial privacy statute (PIPEDA) is better positioned to withstand a challenge because restrains only commercial expression. The Court also signals that some publicly available information will warrant privacy protection.
These cues are mixed in with big questions that are dealt with briefly and in no factual context. The policy makers should not over-react, and should brace themselves for a fight!
On August 28th, the British Columbia OIPC affirmed two elevator companies’ (Kone’s and Thyssenkrup’s) use of telematic data for the purpose of managing their service employees.
The outcome is not surprising. The Commissioner herself affirmed another elevator company’s fleet management program in a thoroughly-reasoned decision last December. Also, all Canadian decisions (by privacy regulators and arbitrators) have recognized the legitimacy of such programs (which rest on the collection of location data and vehicle operation data). Kone’s program was unique in that it collected data from cellar telephones (rather than vehicle units). The OIPC held that Kone’s program collected more sensitive personal information but was nonetheless reasonable.
The decisions are notable for the OIPC’s conclusion that an organization in BC does not need a stand alone GPS or Telematics policy to comply with the notice and “policies and practices” requirements in BC PIPA. It held that Kone complied with its obligation by giving a detailed PowerPoint presentation that outlined the specific purposes for which it would use employee personal information in advance of implementing its program. Thyssenkrup breached its obligations; it had difficulty establishing that it had a formal communication program that addressed the purposes of its program in any detail.
Order P13-01(28 August 2013).
Order P13-02 (28 August 2013).