B.C. Privacy Commissioner to investigate District of Saanich use of employee monitoring software

B.C.’s Information and Privacy Commissioner Elizabeth Denham has initiated an investigation into the District of Saanich’s use of monitoring software to track employee activity on its computer systems.

“My office has been closely following recent events in the District of Saanich, where allegations have been made that spyware is being used on district-owned computers to monitor employees with or without their consent,” said Denham on Tuesday.

“In light of many outstanding questions and concerns, I have decided to act on my own motion and initiate an investigation into whether the District’s use of employee monitoring software complies with the Freedom of Information and Protection of Privacy Act.

“We need the facts concerning implementation of the software, including what methods of data capture have been enabled and the extent to which personal information is being collected from employees,” said Denham.

In the course of an investigation, the Commissioner has the power to compel disclosure of documents, interview government or company officials, make legal findings, and issue compliance orders or recommendations for change.

The investigation is expected to be complete before the end of March. The Commissioner’s findings will be made public.

The Office of the Information and Privacy Commissioner will not make any further comment on this matter until the investigation is complete.


Last week, in a letter to The Times Colonist titled “Employees have privacy rights at work,” Denham wrote:


Recent events in Saanich have created some confusion about employee privacy in the workplace, but the law is clear.

Employees have a reasonable expectation of privacy in the workplace, even when using a computer supplied by an employer. These rights were affirmed by the Supreme Court of Canada in R v. Cole and are enshrined in B.C.’s comprehensive privacy laws covering the public and private sector.

We all expect governments and businesses to secure their networked systems against outside intrusions, malware or other threats. But employees don’t check their privacy rights at the office door. Privacy law sets a very high threshold for the use of routine monitoring tools such as keyboard logging, workstation mirroring or tracking of personal messages.

In 2007 my Office ruled on a case where a university installed spyware on an employee’s computer to track their activities. We found that data collected by the spyware didn’t meet the necessity test and therefore did not comply with privacy law.

Employee monitoring isn’t as simple as picking a software tool off the shelf. Careful consideration must be paid to what is necessary and reasonable in the circumstances. Employers must ensure that in securing their systems, the privacy rights of employees are respected.