In an age where technology is ever-present in our daily lives, many of us use computers as part of our jobs. Most employers will allow their employees some flexibility when it comes to personal use of work computers. Because of this, the question arises as to where the line is drawn when it comes to personal privacy.  As technology advances, threats to computers, and the information stored in them, becomes a growing concern.  Public agencies are obliged to protect data stored within their IT systems and are turning more and more to various technological tools, like automated surveillance programs, to do so.  But how do employers protect workplace IT systems while still upholding the privacy rights of their employees?

The Information and Privacy Commissioner for B.C. recently released an investigative report concerning the well-publicized use of employee monitoring software by the District of Saanich. This followed a public statement in January, 2015 by the Mayor of the District that software had been installed on his office computer that, without his knowledge or consent, collected his personal information.

The software collected data by monitoring all emails and websites, and tracking every keystroke. The District’s policy stated that the data collected by the software would only be accessed in the event of a security breach, such as hacking or data theft.

The Commissioner concluded that this means of collecting employee personal information was not within the District’s authority because it was: (a) not done for the purposes of law enforcement; (b) not all of the information collected related directly to the prevention of threats; and, (c) and not all of the information collected was necessary to accomplish the program’s purpose. Furthermore, employees were not notified of the collection of their personal information, as required by provincial privacy legislation.

Because the District allows employees to use the computers for some personal use, the software also collected the private information of its employees, such as sensitive data like banking information. This sort of information is protected by the Charter of Rights and Freedoms. Moreover, the Commissioner stated that by collecting personal information and storing it in one network location, the software created an additional security risk that attackers might target. The Commissioner recommended that various functions of the software be disabled, all of the information collected by the monitoring software be destroyed and that a privacy management program be implemented by the District of Saanich.

While companies must protect their data from threats, they must also ensure that they are complying with privacy legislation by respecting the rights of their employees, who may use the computers for personal use. Employees have the right to have their personal information protected and while this can be a difficult balancing act to achieve, it is necessary for protecting employee privacy.