Legal experts consulted by Radio-Canada say Canadian employees in both the private and public sectors have rights to the protection of their personal information, even when using devices that belong to their employers. said the house.
In November, a Radio-Canada report revealed that at least 13 federal departments are using tools and software that can also recover encrypted and password-protected data on computers, tablets and mobile phones. I made it.
These include text messages, emails, photos, travel history, and more. Certain software can also access users’ cloud-based data and reveal internet search history, deleted content, and social media activity.
A parliamentary committee is scheduled to investigate the federal department’s use of these measures starting Thursday.
right to privacy
Many departments say they use these tools and software to investigate various suspected violations of law only after obtaining a search warrant.
But some say they are using government-issued devices without a warrant, such as when employees are suspected of misconduct, such as harassment or false overtime claims.
You must ensure that collecting this data is absolutely necessary.– Pierre-Luc Desiel, Laval University
“Employees will continue to have a reasonable expectation of privacy regarding their data even when using devices provided and managed by their employer. Keep going,” says Pierre-Luc Desiel. A law professor at Laval University who specializes in privacy protection spoke to Radio-Canada in French.
When it comes to privacy, Desiel explained that Canadian law distinguishes between devices and the personal information they hold.
“Just because an employee does not own a device, such as a tablet, phone, or computer, does not completely eliminate their right to privacy regarding the data contained on this device.”
Eloise Gratton, a partner at Borden Radner Gervais who leads the law firm’s privacy and data protection practice, echoed that view.
“Employers, whether in the public or private sector, do not have unfettered rights. Employees have certain privacy rights, even in their workplaces and work situations,” Gratton said in French. Ta.
However, she said that protection could be weakened depending on the nature of the work.
“For example, if the employee works in an industry with a lot of national security issues, whether in the public or private sector, they may need to conduct some kind of surveillance or extract data to ensure public safety. It would be more acceptable to use tools.” ”
internal investigation
Shared Services Canada (SSC) is one federal agency that uses data extraction methods for internal investigations. The agency provided Radio-Canada with additional information after the initial article was published in November.
“Examples of such investigations include inappropriate website browsing, suspected malicious software installed on a device, suspected false claims for overtime pay, etc.” authorities said.
“Digital forensic tools are only used on government-issued devices and in very specific and limited circumstances.”
The ministry said it has used these tools six times in the past two years.
Fisheries and Oceans Canada said it also uses the tool for internal investigations “involving violations of government policy, such as fraud and workplace harassment.”
In such cases, “the data belongs to the ministry, so permission from judicial authorities is not required.”
Various federal government departments say these tools are also used to maintain the integrity of computer networks.
Gratton and Deziel say that allowing employers to use work phones and computers for personal purposes increases employees’ expectations of privacy.
Personal use of Government of Canada devices and networks is permitted if it is done on personal time, is not for financial gain, does not incur additional costs to the department, and does not interfere with the performance of business operations.
Arranging personal travel, purchasing goods online, paying bills, banking, posting to discussion groups, updating personal blogs, etc. are permissible under the federal government’s Services and Digital Directive. Some examples are listed for personal use.
The directive also states that if employees choose to store their personal information on government networks or their equipment, they do so at their own risk.
4 questions to ask your employer
Two legal experts say the use of potentially intrusive technology on employees’ phones and computers could be allowed in certain circumstances.
But before allowing such use, they add, employers should ask themselves four important questions to ensure they comply with Canadian law:
- Is there a specific, legitimate problem to solve? (It’s difficult to justify a privacy violation unless there’s a specific, legitimate problem.)
- Is the selected tool effective in solving the problem?
- Is the invasion of employee privacy proportionate to the objective being pursued?
- Is there a less intrusive way to achieve the same goal?
“Retrieving almost all data and history on a device is a very serious privacy violation,” Desiel said. “So the purpose has to be very important as well. We have to make sure that collecting this data is absolutely necessary.”
It is unclear what data the federal agency obtained from the targeted devices.
Impact assessment has not been carried out
The federal directive requires all departments to conduct a privacy impact assessment before new activities that involve the collection or handling of personal information.
A written response to Radio-Canada said none of the departments had used the data extraction tool before, but it acted in accordance with a set of legal requirements.
“The president of Shared Services Canada (SSC) is empowered under the Financial Management Act.” “We are conducting these investigations at the request of the Chief Security Officer of the SSC,” the agency wrote.
“These investigations comply with government security policies and will be conducted at the secure and isolated SSC Forensic Laboratory.”
The institute does not have internet access and data will only be sent to the chief security officer, the SSC said.
Fisheries and Oceans Canada also said its internal investigation was “based on policies and procedures mandated by the Chief Security Officer.” The ministry said personal information would be stored in “isolated laboratories” in accordance with privacy laws.
Mr Gratton said it was good practice to take security measures to protect seized personal information, but employers should ensure that the means used to obtain such data were legitimate. He argued that it was necessary to check first whether or not.