UBC seeks review of spyware order

The Vancouver Province reports that the University of British Columbia has asked the British Columbia Supreme Court to review the Information and Privacy Commissioner for British Columbia’s September 24th order that was made in response to its reasonable grounds investigation into employee time theft (my report here).

According to the Province, material filed in court by the University says the order “denies the university the ability to investigate misconduct.” Indeed, one of the issues raised by the order is the level of scrutiny that is appropriate to apply to how an investigation is conducted when there are clear grounds for conducting it. Those with an interest in security will claim that once there are grounds for an investigation, an investigator needs sufficient flexibility to conduct a thorough investigation even if it involves “fishing.” Although it may be explained by the context – perhaps the IPC is only saying something about the stakes at play in a time theft investigation – the IPC’s order conflicts with this view. Thanks to Michael Geist for posting on this.

Case report – Condonement means employer barred from investigating computer misuse

On September 24th the Office of the Information and Privacy Commissioner for British Columbia held that the University of British Columbia violated the British Columbia Freedom of Information and Protection of Privacy Act by conducting a “reasonable grounds investigation” of an employee’s personal computer use.

The employee, an engineering technician, had a history of productivity problems. Although the University adduced evidence that it was managing the employee’s performance, the complainant countered with evidence that he used his computer for non-work-related purposes openly and that the University tolerated this. The University’s acceptable use policy also allowed for “incidental personal use” within some restrictions.

The University decided to investigate the employee’s computer use after receiving a complaint about his untimely service. It started by collecting the log file that listed websites visited. This showed a significant number of non-work-related websites, so the University then used software (spyware) to collect data that allowed it to identify the period of time the grievor spent on non-work-related sites. The spyware also captured screen shots in two-minute intervals and, as a result, captured the employee’s personal correspondence, his bank account number and other information about his personal finances.

The adjudicator held that the University was not authorized to collect the log file, the more detailed information collected by the spyware and the screenshots. Her decision is significant for three reasons.

First, the adjudicator applied the contextual necessity test recently articulated by Commissioner Loukidelis in Order F07-10 (my report here). In this test, necessity is assessed in the entire context and in light of the privacy-protective purpose of the Act. In discussing this test, the adjudicator held that an employer need not necessarily exhaust all less intrusive means of meeting a legitimate objective to meet the necessity test, but that this is one factor to consider in the analysis.

Second, the adjudicator’s reason for finding that the collection of screen shots was violative rules out the collection of screen shots as an investigatory tool unless the content of the websites is the basis for the investigation – e.g. for pornography investigations. She said:

Information which reveals the complainant’s specific activities on non-work related websites is not, in this case, directly related to UBC’s human resources activities. As UBC notes, this is not a case involving an allegation that an employee accessed inappropriate material on the internet. The specifics of the complainant’s banking transactions, or his personal correspondence, are not relevant to any program or activity of UBC’s. The GESS Report, therefore, has some information that is relevant to managing the complainant’s employment, and some information which is not.

Third, in finding it was not necessary for the University to collect the log data and information about the amount of time the employee spent on non-work-related sites, the adjudicator relied heavily on the University’s permissive approach to personal use. In light of this approach, she held that the next necessary and reasonable step would have been to put the employee on notice of his misconduct rather than conduct surreptitious surveillance.

It is difficult to understand how the surreptitious collection of information about an employee’s internet use can be necessary in the absence of any attempt to question the employee about his activity, especially when the supervisor was aware of that activity and the complainant knew the supervisor was aware of it.

While it would be easy to frame this case as a message to employers about the harms of condoning personal use, there may be more to it than first meets the eye. This is because the foundations of workplace computer use are arguably changing. Not only are the internet applications used in day-to-day living more pervasive, the rise of “Web 2.0” is starting to blur the line between personal use and business use. One may also argue that employees in some sectors (especially professionals) are spending more and more of their waking day working. So can the reasonable employer afford to do anything but condone personal use? And what does this do to the idea, accepted widely in the existing case law, that an employee should have no expectation of privacy on a work computer system? This case may signal a next wave in workplace monitoring litigation in which some of these questions will be raised and answered.

University of British Columbia (Re), 2007 CanLII 42407 (BC I.P.C.).