BC OIPC addresses network security and endpoint monitoring

Today, the Office of the Information and Privacy Commissioner for British Columbia held that the District of Saanich breached the British Columbia Freedom of Information and Protection of Privacy Act by installing endpoint monitoring software on employee workstations.

The District’s project was not well conceived; it apparently arose out of an effort to shore up IT security because the District’s new mayor was “experienced in the area of IT.”

The District installed a product called Spector 360, which is billed as a “comprehensive user activity monitoring solution.” This is software that collects detailed data from “endpoints” on a network. It is not intrusion detection software, nor software that helps analyze events across a network (which the OIPC noted is in use at other British Columbia municipalities).

The District enabled the software on 13 workstations belonging to “high profile users” to capture the full range of endpoint data, including screenshots taken at 30-second intervals and a record of all keystrokes. The purported purpose of this deployment was to support incident response, a purpose the OIPC suggested could only support an inadequate, reactive IT security strategy.

The OIPC held that the District collected personal information without the authorization required under FIPPA and failed to notify employees as FIPPA requires. I’ll spare the details because the OIPC’s application of FIPPA is fairly routine. I will note that the OIPC’s position is balanced and seems to adequately respect institutions’ need to access system information for IT security purposes. It acknowledges, for example, that some limited collection of data from endpoints is justifiable to support incident response. Not surprisingly, the OIPC does not endorse taking screenshots or collecting keystroke data.

Investigation Report F15-01, 2015 BCIPC No. 15.


Arbitrator says that an employer owes an employee no duty to investigate reasonably suspected wrongdoing

On December 21st, Ontario arbitrator Ian Anderson dismissed a termination grievance brought by an employee who was terminated for bringing personal computing devices into a high-security workplace and downloading significant volumes of unauthorized (and risky) software onto the employer’s network.

The outcome is driven by the facts, but Arbitrator Anderson did deal with an asserted employer duty to investigate suspected wrongdoing. He rejected the union’s argument that the employer could not discipline the grievor for the downloading because it had failed to investigate and discover the downloading earlier, at the time it discovered and disciplined the grievor for excessive internet use. Arbitrator Anderson said:

The Union suggests that an employer has a responsibility to investigate potential misconduct of which it has reasonable suspicion. Put differently, the Union suggests that in order to justify discipline delayed on the basis of earlier lack of knowledge of the alleged misconduct, there must previously have been no reasonable basis to suspect that misconduct.

The Union’s argument, as I understand it, is not restricted to circumstances that might give rise to estoppel. Absent some provision in the collective agreement, I do not agree that there is such a general duty of investigation on an employer. Nor, in my view, is this proposition supported by the cases relied upon by the Union.

General Dynamics Land Systems v National Automobile, Aerospace, Transportation and General Workers Union (Caw-Canada, Local no 27), 2012 CanLII 86240 (ON LA).