Right to privacy: Are you protected when using your work phone? - Action News
Home WebMail Tuesday, November 26, 2024, 01:51 AM | Calgary | -16.1°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Ottawa

Right to privacy: Are you protected when using your work phone?

Legal experts highlight important privacy issues in the wake of Radio-Canadas story on the use of data-extracting tools on government-issued phones and computers.

Legal experts weigh in on use of data-extraction tools by federal departments

A close-up of someone typing on a cell phone.
In November, a Radio-Canada report revealedthat at least 13 federal departments and agencies use tools or software that can recover even encrypted and password-protected data found on computers, tablets and mobile phones. (Sean Kilpatrick/The Canadian Press)

Employees in both the private and public sectors in Canada have rights regarding the protection of their personal information, even when they use devices that belong to their employer, say legal expertsconsulted by Radio-Canada.

In November, aRadio-Canada report revealedthat at least 13 federal departments and agencies use tools or software that can recover even encrypted and password-protected data found on computers, tablets and mobile phones.

Thesecan include text messages, emails, photos and travel history.Certain software can also access a user's cloud-based data andreveal their internet search history, deleted content and social media activity.

A parliamentary committee will be looking into the federal department's use of these instruments starting Thursday.

The right to privacy

Many departments say they utilize these tools and software for investigations into alleged violations of various laws, and only after obtaining a search warrant.

But others say they also use them without a warrant on government-issued devices when employees are suspected of wrongdoingsuch as harassment or false overtime claims, for example.

One needs to ensure that the collection of this data is absolutely necessary.- Pierre-Luc Dziel, Laval University

"An employee will maintain a reasonable expectation of privacy with regard to their data, even when they use a device that is provided and administered by their employer, who remains the owner of this shell, if you will," Pierre-Luc Dziel, a professor of law at Laval University who specializes in privacy protection, told Radio-Canada in French.

When it comes to privacy, Canadian law distinguishes between the device and the personal information it holds, Dziel explained.

"Just because an employee does not own the devicethe tablet, the phone, the computer, whateverdoes not mean that their privacy rights with respect to the data that is contained in this device are completely extinguished."

An upper body portrait of a bearded man wearing a suit jacket and tie.
Pierre-Luc Dziel is a professor of law at Laval University who specializes in privacy protection. (Universit Laval)

lose Gratton, a partner atBorden Ladner Gervaiswho leads the law firm's privacy and data protection practice,offered a similar observation.

"Whether in the public sector or the private sector, the employer does not have free play. The employee has certain privacy rights, even in the workplace or in a work context," Gratton said in French.

However, that protection may be diminished depending on the nature of the work, she said.

"If the employee works in an industry, whether in the public or private sector, where there are a lot of national security issues, for example, it would be more acceptable to carry out some surveillance or use data-extracting tools to ensure public safety."

Internal investigations

Shared Services Canada (SSC) is among the federal institutions that uses data-extraction instruments for internal investigations. The agency provided additional information to Radio-Canada after the initial article was published in November.

"Examples of such investigations include when there is suspected inappropriate website browsing, a malicious software installed on a device, or a suspected false claim of overtime,"the agency said.

"Digital forensics tools are exclusively used on government-issued devices and in very specific and limited circumstances."

The department said it has used these tools six times over the last two years.

The stern of a Fisheries and Oceans Canada vessel docked with a helicopter and crew on the deck.
Fisheries and Oceans Canada said it uses thetools for internal investigations 'involving government policy violations, such as fraud or workplace harassment.' In such cases 'no judicial authorization is required, because the data belongs to the department,' the department said. (Charles-tienne Drouin/Radio-Canada)

Fisheries and Oceans Canada also said it uses thetools for internal investigations "involving government policy violations, such as fraud or workplace harassment."

In those cases"no judicial authorization is required, because the data belongs to the department," it said.

The tools are also used to maintain computer network integrity, according to variousfederal departments.

Black text on a blue background about Health Canada using a data-extraction tool in what it says was 'a limited capacity' from 2016 to 2021.

Gratton and Dziel both say an employee'sexpectationto privacy is augmented if their employer allows them to use their work phone or computer for personal purposes.

Personal use of government of Canada devices and networks is allowed if conducted on personal time and if it's not done for financial gain, does not incur additional costs for the department and does not interfere with its conduct of business.

Making personal travel arrangements, buying products online, paying bills, banking, contributing to discussion groups and updating a personal blog are some of the examples listed as acceptable personal use bythe federal government's "directive on service and digital."

The directive also states that employees who choose to store their personal information on a government network or its equipment do so at their own risk.

4 questions for employers

The use of potentially intrusive technology on employees' phones or computers may be permitted in certain circumstances, according to the two legal experts.

But they add that an employer should ask themselves fouressentialquestions before they allow such use, to ensure that it complieswith Canadian law:

  1. Is there a specific and legitimate problem to resolve? (In the absence of a specific and legitimate problem, privacy violations are difficult to justify.)
  2. Is the chosen tool effective in solving the problem?
  3. Is the invasion of the employee's privacy proportional to the objective being pursued?
  4. Are there less intrusive ways to achieve the same ends?

"Retrieving almost all of the data or history of a device is a very significant form of invasion of privacy,"Dzielsaid. "So the objective must also be very important. One needs to ensure that the collection of this data is absolutely necessary."

It's not knownwhat data the federal institutions retrievedfrom the targeted devices.

A head and shoulders portrait of a smiling woman with dark hair who's wearing a shiny green blouse.
lose Gratton is a partner at Borden Ladner Gervais where she leads the law firm's privacy and data protection practice. (Submitted by lose Gratton)

No impact assessments performed

A federal directive requires that all departments carry out a privacy impact assessment prior to any new activity that involves the collection or handling of personal information.

According to their written responses to Radio-Canada, no department did so before using data-extracting tools, but they say they acted in accordance with a series of legal requirements.

"The President of Shared Service Canada (SSC)is authorized under the Financial Administration Act to conduct these investigations at the request of SSC's Chief Security Officer,"the agency wrote.

"These investigations comply with the Policy on Government Security and are conducted in a secure, isolated SSC forensic lab."

An out-of-focus person is seen in a room filled with computers.
A federal directive requires that all departments carry out a privacy impact assessment prior to any new activity that involves the collection or handling of personal information. (Oleksiy Mark/Shutterstock)

SSCsaidthe lab is notinternet-accessible and the data is only transmitted to its chief security officer.

Fisheries and Oceans Canada also saidits internal investigations "are based on policies and procedures delegated by the Chief Security Officer." Personal information is kept in "isolated laboratories" and in compliance with the Privacy Act, the department said.

Gratton saidit's good practice to have security measures in place to protect the seized personal information, but she insists on the need for an employer to checkat the outsetwhether the means used to obtain suchdatais justified.