On March 30, 2015, the British Columbia Office of the Information and Privacy Commissioner issued an Investigation Report regarding its finding that the District of Saanich’s (“District”) use of employee monitoring software violated employee privacy rights. A News Release was issued as well.

The Investigative Report examined the use of employee monitoring software, called Spector 360, and whether its use was compliant with the British Columbia’s Freedom of Information and Protection of Privacy Act (“FIPPA”).

In the Report, the Commissioner made four findings in relation to the District’s use of the employee monitoring software.

First – the District did collect the personal information of employees and citizens through its use of monitoring software and actually collected all personal information that a user entered into their workstation. The District argued that it did not collect personal information in its use of Spector 360 because the information did not relate to a program or activity of a public body and it took no action with respect to the information as per s. 27.1 of FIPPA. However, the Commissioner held that s. 27.1 of FIPPA did not apply to the District in this matter as s. 27.1 simply clarified that a public body that has received personal information, for example by fax or email, does not collect that personal information for the purposes of FIPPA where the information does not relate to a program or activity of the public body. The Commissioner held, that the information collected by the use of Spector 360 was not “passively” received, but rather “purposefully collected through a program that was expressly authorized by the Director of Corporate Services”. Further, as the District’s workplace policy allows for some personal use of workplace computers and internet, the information recorded by Spector 360 was all personal information that a user entered into their workstation including personal internet use which included such matters are internet banking, and private passwords.

Second – the District did not have the authority under FIPPA to collect the personal information recorded by the monitoring software. The District argued that four provisions of FIPPA authorized its collection of personal information using Spector 360, namely s. 26(a) that the collection is expressly authorized by FIPPA; s. 26(b) that the information is collected for the purposes of law enforcement; s. 26(c) that the information relates directly to and is necessary for a program or activity of the public body; and s. 26(d)(i) and (ii) that the individual consented in a prescribed manner to the collection and a reasonable person would consider the collection appropriate in the circumstances.

Regarding s. 26(a), the Commissioner held that the requirement that the collection of personal data must be expressly authorized pursuant to the FIPPA means that FIPPA must clearly state that the collection of personal information is permitted, authorized or required. Section 30 does not authorize a public body to collect personal information but is simply a requirement that a public body have reasonable security measures in place to protect personal information in its custody or control.

Regarding s. 26(b), the provision requires the public body to have a common law or statutory law enforcement mandate, which the District did not have.

Regarding s. 26(c), which authorizes collection where the information relates directly to, and is necessary for a program or activity of the public body, the District argued that it was collecting personal information using Spector 360 for the valid purpose, of “identifying, investigating and remediating risks or threats” to its IT infrastructure, and s. 30 of the FIPPA requires a public body to have reasonable security measures in place to protect personal information in its custody or control. The Commissioner held that, while it may help IT staff identify information illegitimately accessed by an employee, it was not effective against most malware. Spector 360 was neither a preventative nor a detective tool. It provided a detailed description of the actions of employees which can only provide IT staff with the ability to review those actions after a security breach has already taken place.

The Commissioner relied on the Supreme Court of Canada’s decision in R. v. Cole, where it stated at paras. 47 and 48:

Computers that are used for personal purposes, regardless of where they are found or to whom they belong, “contain the details of our financial, medical, and personal situations” (Morelli, at para. 105). This is particularly the case where, as here, the computer is used to browse the Web. Internet-connected devices “reveal our specific interests, likes, and propensities, recording in the browsing history and cache files the information we seek out and read, watch, or listen to on the Internet” (ibid.).

This sort of private information falls at the very heart of the “biographical core” protected by s. 8 of the Charter.

The Commissioner held that in Cole, the employer allowed employees a limited use of workplace computers for personal use which gave rise to the employee’s reasonable expectation of privacy. Further, as the District also permits the limited personal use of District workstations for personal use, it is, “collecting very large amounts of personal information through its use of Spector 360, but some portion of that information is also very sensitive personal information, going to the “biographical core” of its employees”.

Third – the District did not notify employees of the collection of their personal information as required by FIPPA. The District argued that it provided notice to employee through its “Network Access Terms and Conditions Form” (“Form”). However, the Commissioner ruled that the Form did not contain the information required by s. 27(2) of FIPPA, namely notice of the District’s purpose for collecting their personal information, the District’s legal authority to collect it, and the contact information of an officer or employee of the District that an employee could contact to enquire about the collection.

Fourth – the Commissioner could not determine whether the District used or disclosed personal information collected by the monitoring software in compliance with FIPPA because the District had not activated the functionality to monitor user access through logs that showed user activity.

As a result of these findings, the Commissioner made the following five recommendations:

  • that the District disable key features of its employee monitoring software, Spector 360, including keystroke logging, automatic screen shots and continuous tracking of computer program activity because they violate the privacy right of employees and elected officials;
  • that the District destroy all data collected by the software;
  • that the District update various policies to provide employees with notice of the collection of their personal information as required by FIPPA;
  • that the District implement the capability to generate logs of administrator level access to all IT systems which collect, store, use or disclose personal information; and
  • that the District implement a comprehensive policy privacy management program to ensure it is able to meet all of its obligations under FIPPA, which includes the appointment of a Privacy Officer who should conduct a comprehensive audit of the District’s compliance with FIPPA as wells as the provision of training to all employees in relation to the District’s access to information and privacy obligations under FIPPA.

Finally, the Commissioner intends to issue a general set of employee privacy guidelines in the near future.