Tag Archives: Employment

What not to do with employee monitoring software

The British Columbia Information and Privacy Commissioner has published a report strongly criticising The District of Saanich’s use of employee monitoring software, which included keystroke logging, automated regular screen captures and a range of other intrusive features across the District’s IT systems.

The report reminds readers that “employees do not check their privacy rights at the office door”, and goes on to set out the Commissioner’s findings that:

  • The District did collect personal information through its use of monitoring software. In fact, because of how the software was configured, the District collected all personal information that a user entered into their workstation.
  • Under the Freedom of Information and Protection of Privacy Act (FIPPA), which regulates only public bodies, the District did not have the authority to collect the personal information recorded by the monitoring software.
  • The District did not notify employees of the collection of their personal information as required by FIPPA.
  • It could not be determined whether the District used or disclosed personal information collected by the monitoring software in compliance with FIPPA because the District had not activated the functionality to monitor user access through logs that show user activity.

Link (CanLII): Saanich (District) (Re), 2015 BCIPC 15 (Hat-tip: Barry Sookman)

Sony Pictures settles with former employees in data breach lawsuit

Sony Pictures has reached a settlement with former employees whose personal information (including financial and medical data) was posted online last year after a data breach.  The settlement agreement was announced just days before a court hearing scheduled for 14 September 2015 to decide whether the case would achieve class-action status.  The lawsuit alleged that Sony failed to protect employee’s data, especially in light of previous breaches of the company’s servers.

Link (WSJ): Sony Pictures settles with former employees in data breach lawsuit

$15,000 award for failing to follow workplace complaints policy

A majority of the Human Rights Review Tribunal has awarded $15,000 to Ms Watson (a former Capital Coast DHB nurse) for being denied information about a harassment compliant she made against her former manager (Ms Slade).

Under the DHB’s workplace policy, the person complained against must be given the signed written complaint and given an opportunity to answer the allegations, and the complainant in turn must have an opportunity to rebut any defences.  The DHB had refused Ms Watson’s request for access to Ms Slade’s written response to her complaint, on the basis that disclosure of the response would involve “unwarranted” disclosure of Ms Slade’s own affairs, relying on s 29(1)(a) of the Privacy Act 1993.

The Tribunal observed that the term “unwarranted” in s 29(1)(a) requires a balancing of the requester’s right of access to personal information about him or her, against the competing interest recognised in s 29(1)(a).  This required consideration of the context in which the information was collected and the purpose for which it was collected, held and used.  The Tribunal also observed that an individual’s “personal information” may include records of others’ opinions about him or her.

The Tribunal held that the DHB had not proved that providing Ms Watson with Ms Slade’s response would be an “unwarranted” disclosure of Ms Slade’s own affairs.  The Tribunal gave several reasons, including:

  • first, the legal right of access to personal information conferred by Information Privacy Principle 6 and s 11 of the Privacy Act is a strong right,
  • secondly, DHB’s harassment policy explicitly stated that Ms Watson would have an opportunity to rebut the written response advanced by Ms Slade, and
  • thirdly, this was not a case in which personal information about two persons had been collected for various purposes over various periods of time, accompanied by an “expectation” of non-disclosure or limited disclosure.  The information here was collected in the context of an official policy which made explicit the need not only for the person complained against to be given an opportunity to be heard in her defence but also for the complainant to be able to rebut to any defences to the allegation.

Link: Watson v Capital & Coast DHB [2015] NZHRRT 27