A Canadian reader sends along this press release from the Office of the Information and Privacy Commissioner for British Columbia:
In an investigation report released today, B.C. Information and Privacy Commissioner Elizabeth Denham is recommending that the District of Saanich disable key features of its employee monitoring software including keystroke logging, automated screen shots and continuous tracking of computer program activity because they violate the privacy rights of employees and elected officials.
Commissioner Denham has also recommended the District destroy all data collected by the software, Spector 360. The District has agreed to do so following the conclusion of the Commissioner’s investigation.
“Public bodies have a responsibility to secure and protect their computers and networked systems against internal and external threats, however they must also respect an employee’s legal right to privacy,” said Commissioner Denham.
“When the District of Saanich implemented employee monitoring software, staff enabled tools that would collect sensitive personal information from employees including personal websites visited, online banking transactions, confidential correspondence, and private passwords or images.
“The District can only collect personal information that is directly related to and necessary for the protection of IT systems and infrastructure. An employee’s every keystroke and email, or screen captures of computing activities at 30-second intervals clearly exceeds that purpose and is not authorized by privacy law.”
The Commissioner also found that the District failed to provide adequate notice to employees and elected officials about the amount and type of personal information it was collecting.
“The District has written policies for the use of its equipment and facilities, which employees must read and sign before starting work. But the policies do not describe the personal information collected by the District as required by privacy law,” said Denham.
The Commissioner makes five recommendations for change, chief among them the implementation of a comprehensive privacy management program and the appointment of a privacy officer for the District of Saanich.
“One of the most disappointing findings in my investigation is the District’s near- complete lack of awareness and understanding of the privacy provisions of B.C.’s Freedom of Information and Protection of Privacy Act. The law has been in place for more than 20 years, yet the District appears to not understand its most basic privacy provisions.
“I therefore recommend that the District immediately appoint a chief privacy officer, who will audit the District’s current access to information and privacy practices, and provide staff training to make sure employees understand and follow through on the District’s access to information and privacy obligations,” said Denham.
Investigation Report F15-01: Use of employee monitoring software by the District of Saanich is available for download at: https://www.oipc.bc.ca/report/investigation-reports/