The “fuel” for many gadgets currently in the workplace is data, which may or may not relate to the employer. And I’m not just thinking of Smartphones provided by the employer.  I’m also thinking of social media websites such as Facebook and Twitter, which are often accessed after work hours on employees’ home computers.

What happens when an employer uses data gleaned from a company-owed iPhone or Blackberry to monitor an employee in the workplace? What about monitoring an employee’s Facebook page? After all, it’s not uncommon for information about an employer or its clients to appear on an employee’s Facebook page. Further, some employees have no second thoughts whatsoever about posting personal messages during paid company time. Many employers are introducing social media policies to mitigate the resulting legal risks. But how far should employers go to protect their interests?

Today’s post is the first in a series that I’ll publish in the coming weeks to provide you with an overview of legal developments regarding monitoring in the workplace, with a focus on employer monitoring of employee social media and Smartphone activities. Upcoming posts will also examine workplace privacy issues related to email, video and GPS monitoring. Stay tuned… 

In the meantime, click here to listen to my recent CJOB|68 radio interview with Human Resources specialist Barbara Bowes in which we discuss privacy issues in the workplace. You may also want to attend a complimentary Social Media in the Workplace webinar that I’ll be providing with a few of my colleagues next week (May 19th). Click here for info and to register (space is limited so register soon).

Continuing a series of blog posts that I’m calling “A Conversation with…“, I’m really pleased to post the following conversation with the Information and Privacy Commissioner of Saskatchewan, Gary Dickson, Q.C.

Gary Dickson was appointed as Saskatchewan’s first full-time Information and Privacy Commissioner back in 2003, and he was re-appointed in 2009 for a further five-year term.  That’s great news because Gary Dickson has been outstanding in his role as Commissioner. On a personal note, I’ve been thrilled to watch his many successes as Commissioner. I’ve known Gary for many years. In fact, it was he who suggested that I get involved with the Canadian Bar Association at a time when some of us were trying to form what is now the CBA’s National Privacy and Access Law Section. 

Thanks to Commissioner Dickson for agreeing to take part in this online Q & A conversation.  CFL fans may find some humour in the last Q & A below. Go Bombers! If you’d like to learn more about Commissioner Dickson or the Office of the Saskatchewan Information and Privacy Commissioner (“IPC”), I’d encourage you to visit the IPC’s website.

Q. You were previously an Alberta MLA. In that capacity, you were involved in privacy law development as the critic for the Freedom of Information and the Protection of Privacy portfolio, and also on several important privacy law committees and panels. What’s it like to now be involved with privacy as the Information and Privacy Commissioner of Saskatchewan?

A. The experience is exciting, stimulating, and almost always challenging. I am very fortunate that our office has a committed team of excellent staff who are focused on ensuring that Saskatchewan residents enjoy the full benefit of our provincial access and privacy laws. I’m very lucky to continue to be involved with such a fascinating area but from a very different perspective than that of a lawmaker. It has been very useful to have had that experience in the development of access and privacy legislation before I assumed the new Commissioner role in Saskatchewan. I hope that I am more aware and more sympathetic to the challenges and issues that arise with any access and privacy law for front line workers. It has certainly motivated me to promote wherever possible making such laws simpler and more accessible to the people who must administer them and for those who are the ‘data subjects’. I have also enjoyed the opportunity to modestly influence the way that our access and privacy laws are viewed and understood. My experience in Saskatchewan has been that those who work in public bodies or health trustee organizations genuinely want to do the ‘right thing’ in terms of transparency and privacy protection but are often unsure on where the line is drawn and are unfamiliar with best practices that have evolved over the last 26 years in Canada. As a result, a major focus for my initial five years in Saskatchewan has been on raising awareness and creating tools to assist those workers meet their statutory responsibilities.

Q. While Alberta, Quebec, British Columbia and Ontario (for personal health information only) have provincial privacy laws that are “substantially similar” to PIPEDA, Saskatchewan does not. Is it time for that to change?

A. I have for the last six years encouraged the former provincial government and now the current government to carefully consider the advantages of adopting a PIPA type law based on the B.C. and Alberta experience. As it stands, our fundraising foundations and NGOs, including those that deal with significant amounts of sensitive, prejudicial personal information are effectively unregulated. We often hear complaints from employees working in private businesses (not federal works, undertakings, etc.) who are extremely disappointed and upset when we tell them that they do not have the same privacy protection guaranteed to all public sector employees in Saskatchewan. I must acknowledge that the federal Privacy Commissioner has recently undertaken a pilot project in Saskatchewan to raise awareness of PIPEDA but this exercise also has highlighted how big the knowledge deficit is in the small and medium sized business sector. I remain of the view that Saskatchewan individuals, businesses and charitable NGOs should all benefit from a simple private sector privacy law. This could be designed to complement and harmonize with our public sector FOIP and Local Authority FOIP Acts and our Health Information Protection Act. It would allow for a more seamless kind of privacy protection that would be simpler for those organizations and for residents. I notice that the impetus for PIPA in BC and Alberta was really business organizations such as Chambers of Commerce realizing that PIPEDA is in some respects cumbersome and deficient for the SME sector. Business organizations in Saskatchewan do not appear to have adopted that view.

Q. The Saskatchewan Gaming Corporation has been recognized as a positive privacy story. What has it done, and what role has your office had in this development?

A. This is a good example of how an Information and Privacy Commission office can perhaps achieve more through consultation than by emphasizing the enforcement role. We started out a year ago with a complaint that the Casino Box Office in Regina required anyone purchasing a ticket for a show to provide name and contact information even if purchasing the ticket with cash. When we followed up with the Saskatchewan Gaming Corporation that operates the casinos in Regina and Moose Jaw, we found no senior identified FOIP Coordinator or Privacy Officer, no appropriate policies and procedures and no comprehensive training program for staff. Instead of focusing solely on the collection of personal information by the Box Office, we spent the better part of the year working with the Corporation in fundamentally reorganizing to meet its FOIP responsibilities as a ‘government institution’. With the assistance of a Portfolio Officer from our OIPC, the Corporation made a senior Vice President the new Privacy Officer and FOIP Coordinator. Comprehensive policies were put in place and a new FOIP training program rolled out. In the casino, the Box Office now only collects personal information if the ticket purchaser volunteered that information but it is no longer mandatory. In addition, prominent signage now advises customers of the Corporation’s information collection practices. There is also new literature readily available to customers. I think that as a result of our collaboration the Corporation and its leadership now view our office as a useful resource and as an office genuinely committed to operating on the basis of cooperation and collaboration.

Q. You’ve published a best practices guide for mobile device security. It’s getting easier to collect and store personal information, but are we keeping up with our privacy responsibilities in the meantime?

A. I’m afraid that privacy risks are not always top-of-mind for organizations embarking on new IT programs, systems, etc. Although we have developed a Privacy Impact Assessment tool available on our website, there is no statutory requirement that a PIA be done by a public body or health trustee before proceeding with new technology. What is perhaps even more troubling is that we see problems with old technology. Our office brought out a FAX advisory after we found a number of health information trustees didn’t appreciate that when the modern multi-use copier machine is sold as surplus equipment it likely will contain memory of the documents it has processed and perhaps substantial amount of personal health information. Look at the number of cases that have come to Information and Privacy Commissioners across the country that involved theft of unencrypted laptops. So, the short answer is that many organizations are not keeping up with their privacy responsibilities. The education and compliance challenge continues apace.

Q. Your office opened more than double the amount of case files in 2009 than it did in 2008. Is this number going up because of inadequate privacy practices, because the public is becoming more aware of its privacy rights, or both?

A. Good question. I think the answer is some of both. I believe there is significantly higher privacy awareness with the organizations that my office oversees and also greater public awareness. The difficult question is how accurately we can assess what is going with all approximate 3000 organizations that we oversee given that we are largely in a reactive role. In any given year if we are dealing with 200 organizations are these just the few ‘bad apples’ or is this indicative of widespread non-compliance. We simply don’t have the resources to be able to accurately assess and catalogue privacy compliance province wide. At the end of the day however, whatever the reason for the large increase in case files there is an indication that a lot more work is yet to be done to move to a more pervasive privacy protective culture.

Q. Looking forward, what kind of privacy developments should we watch for in 2010?

A. One of the interesting ‘growth’ areas will be the electronic health record. Our office just issued our first Investigation Report (H2010-001) dealing with our electronic health record now in development. This involved a pharmacist who entered the Pharmaceutical Information Program database on nine different occasions to view medication profiles for three individuals who were not patients/customers of that pharmacist of the pharmacy he worked for. We identified a number of problems in terms of HIPA compliance with the pharmacy, the regional health authority and the Ministry of Health. We also issued more than 20 recommendations for remedial action. Since the electronic health record is still some distance from completion, I anticipate that there may be more of this type of complaints touching on some element or another of the E.H.R. In fact, at the end of my Investigation Report, I included a Postscript which incorporated a number of broader considerations that this particular case highlighted.

We will be carefully monitoring changes to our health information regulations that enable regional health authorities to disclose certain personal health information of patients to hospital foundations without prior consent of those patients.

Finally, we are witnessing a number of new information and data-sharing initiatives with Executive Government and we expect to be busy considering these initiatives in the next few years.

Q. And, finally, how many points do you think the Winnipeg Blue Bombers will beat the Saskatchewan Roughriders this year in the Labour Day Classic game?

A. I love the fact that all of those Bomber fans come to Regina and generously spend their dollars in our hotels and restaurants and I always feel badly for their long drive back to Winnipeg. Sorry Brian but I don’t see that the return trip to Winnipeg is likely to be any more joyous in 2010!!

CNET is reporting today that “a broad coalition of companies including Google, Microsoft, and AT&T, joined by liberal and conservative advocacy groups, will announce a major push [today] to update federal privacy laws to protect mobile and cloud computing users”.

Of course, in Canada cloud computers have the benefit of PIPEDA and – where they exist – substantially similar provincial privacy laws. To learn more about cloud computing, and related privacy law implications, you may want to check out this previous post.

In a press release, the Commissioner expressed shock and disappointment with the fact that the stolen laptops, which contained the personal health information of more 300,000 individuals, were not encrypted. “This is shocking for me…I don’t know what we have to do to drive this message home” said the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less.” The Alberta incident is strikingly similar to an incident that occurred in Ontario back in 2007.  The Ontario incident also involved the theft of a non-encrypted laptop containing personal health information.  A review of the incident by Ann Cavoukian, Ontario’s Information and Privacy Commissioner, produced an order for information of this type to be encrypted. 

These incidents demonstrate how easily sensitive data can be compromised when stored on laptops.  Encryption is a relatively easy way to improve the security of such information.  But, where do you start? There are numerous encryption options available.  Choices range from free open source encryption software like TrueCrypt to full information security consultations from companies that offer comprehensive data protection services like Seccuris. Regardless of which course you choose, one fact remains the same, encrypting laptops significantly improves security and that’s just smart business.

Still not convinced? Consider this list of impressive apps for today’s traveler: Pocket Express, an app that acts as a mobile concierge; Stanza, an app that allows a user to load magazines and books to their smartphone; and GoodFood, which helps a user pick and locate a restaurant based on an array of dining preferences. It’s a good time to be a smartphone user, but perhaps even a better time to be an entrepreneur. Smartphones are increasingly offering businesses a direct window into the hearts, minds and, yes, wallets of potential customers.

But it’s not all good news, privacy advocates remind us. Many smartphone apps guzzle fuel like your Dad’s ’70 GTO, except they’re eating personal user information instead of gasoline. For example, your app may record your location, gender and birth year before it spits out the location of that perfect sale you’ve been looking for. A sizeable amount of personal information is in play, but, fortunately, Ontario’s Office of the Information and Privacy Commissioner (“IPC”) has been ahead of the curve with its call for “Privacy by Design“. Initially unveiled over 10 years ago, the concept of Privacy by Design combines privacy and security measures at the design specification stage of a project. Instead of waiting until privacy problems pop up to deal with them, Privacy by Design contemplates a proactive approach toward potential privacy issues. This methodology uses Privacy Enhancing Technology such as encryption to provide both maximum security and privacy protection. It is, as the IPC bills it, a “win-win” situation. Other examples of Privacy by Design include anonymous billing systems and depersonalization software.

It’s an exciting time to be a technologically-inclined entrepreneur, but the privacy consequences of smartphone apps cannot (and should not) be ignored. Any business that is considering creating or otherwise implementing an app should consider the privacy implications of doing so, preferably at the early stages of project development.

As reported by the National Post, the unusual case raises questions about what constitutes a “reasonable expectation” of privacy in a world where digital recorders and handheld wireless devices are omnipresent. As I’m quoted in the story, “[researchers] said some years ago that new privacy rules were going to put existing business practices under a microscope. I think what we’re seeing now is technologies are putting existing legal principles under a microscope.” Fellow blogger Dan Michaluk  is also quoted.

Read the full story here…

It’s been a thrilling week for my colleagues at Pitblado LLP as it was announced earlier this week that we were to be the 1st Canadian law firm to be a guest blogger on the must-read slaw.ca.  Yours truly, three of my colleagues from our firm’s Information & Ideas Practice Group as well as our firm’s librarian each contributed one post a day this week to slaw.ca on cutting edge legal topics.  Here’s what we covered…

On Monday, I posted “What Would Happen If One of your Employees Posted a Video of an Irate Customer on YouTube?”, which I cross posted on my blog earlier this week.  The post highlights a YouTube video of an irrate customer as a reminder to Canadian businesses of the powers of new technologies such as YouTube and the corresponding need to protect against the dissemination of this type of video through employee privacy training and the adoption and enforcement of privacy and procedures.

On Tuesday, Carol Lynn Schafer posted “Do TOS Have the Final Word on our Fundamental Rights and Freedoms?”, which discusses the controversial effects of Terms of Service on popular websites such as Facebook and Twitter.  As Carol Lynn notes, Terms of Service should be drafted with the bigger picture in mind and can no longer be seen as standard agreements that can be treated with a one size fits all approach.

On Wednesday, Jolin Spencer posted “Whose Property Is It, Anyway?”, which discusses the questions that come into play when employees leave their positions.  For example, what can an employee take, and what must they leave, when they vacate their position? As Jolin points out, no business wants its intellectual property assets walking out the door with a former employee.

On Thursday, our firm’s librarian, Karen Sawatsky, posted “Legal Research Bootcamp – Winnipeg Style”, which discusses her experience collaborating with members of the Manitoba Bar Association and the Law Society of Manitoba to create a CLE for articling students on legal research. The Legal Research Bootcamp is a first for Manitoba students, and aims to bridge the gap between when students start their articles and when CPLED begins in the fall.

And last but not least, today Adam Herstein posted “Manitoba: Innovative Fighter of Child Sexual Exploitation”, which focuses on Manitoba’s recent enactment of The Child and Family Services Amendment Act (Child Pornography Reporting) (Manitoba) and how Manitoba is the first province in Canada to enact legislation that makes it mandatory for a person who encounters child pornography to report it to authorities.  Adam also notes that Canada has a national tipline called Cybertip.ca for reporting the sexual exploitation of children.

Thanks to slaw.ca for the opportunity to contribute!

The posting of a YouTube video of a woman throwing a tantrum at the Hong Kong International Airport should serve as a reminder to Canadian businesses that employees these days can (and do) easily record and post videos online from their mobile phones.

The three minute video shows a Cathay Pacific customer yelling and flailing her limbs as she lies on the floor after missing her flight from Hong Kong to San Francisco. I’ve been upset at missing a flight before, but the woman in this video takes things to an entirely new level. The video has drawn over five millions views and nearly 21,000 comments, which has resulted in some incredibly cruel and objectionable online commentary about the woman. Since the release of the video, Cathay Pacific has disciplined the gate worker who recorded the video on his mobile phone (although the video was posted on YouTube by a third party) and the company has issued a formal apology to the woman.

The video is noteworthy because it demonstrates the power of new technologies such as YouTube and the corresponding risks to Canadian businesses. Had the video been recorded by an employee of a Canadian business, subject to Canadian privacy laws, the potential privacy complaint and/or lawsuit by the woman in the video could have been substantial. 

Canadian businesses should be reminded of the need to protect against the dissemination of this type of video through employee privacy training and the adoption and enforcement of privacy policies and procedures.

Canadian businesses don’t need to look too far to find examples where more effective employee privacy training may have mitigated, or even prevented, privacy complaints.

A case in point was the high profile finding by the Office of the Privacy Commissioner of Canada (OPC) against TJX Companies Inc., the parent company of HomeSense and Winners. The OPC noted that the massive data breach was caused by inadequate encryption software which didn’t protect the company’s wireless network. New software had apparently been purchased by the company a year prior, but employees of TJX had not installed the programming on a timely basis.

In 2008 a laptop computer containing the personal information of over 800 customers was stolen from the office of a bank employee. The computer was left unmonitored and unsecured in an area of the office that was easily accessible to the public. In the resulting finding, the OPC stressed the importance of procedural safeguards and the need to periodically re-educate employees on privacy policies and procedures.

Another example occurred when a bank’s customer learned that his personal banking information was found in a recycling bin. Two employees who were cleaning out the desk of a former employee had placed the documents in the recycling bin, rather than ensuring the information was shredded. This situation (and many others) may very well have been prevented had the respective employees been better educated in the area of privacy.

Canada’s Privacy Commissioner, Jennifer Stoddart, recently gave a speech which addressed the importance of employee privacy training. In her remarks, Stoddart cited research from 2007 that reported that only one-third of Canadian businesses polled had conducted employee privacy training. Furthermore, Stoddart demonstrated that over half of the complaints received by the OPC could have been prevented had there been adequate employee privacy training.

Pro-active businesses are hearing the message loud and clear. Privacy training is an essential feature of employee training especially in this era of rapid technological advancements. This type of training should help to prevent unnecessary headaches such as privacy complaints and lawsuits. .

Therefore, the question remains, what would happen if one of your employees recorded a video of an irate customer and then uploaded the video on YouTube. The answer is, it’s best not to find out.

(Cross-posted to slaw.ca)

These legal risks can include the fact that employees can use these devices to distribute emails or text messages that defame other parties or that include illegal sexual or racial content (which in Manitoba could give rise to employee and employer liability under The Human Rights Code). Employees may also use these devices to intentionally or unintentionally leak personal or corporate information. Employees, however, may have an expectation or legal right of privacy depending on the circumstances, so wholesale monitoring by employers may not be in the cards.

Doug Cornelius recently wrote on Compliance Building about a U.S. court decision (Quon v. Arch Wireless) concerning police conduct in accessing personal texts sent from a police-issued cellphone:

In that case the court found that a police department had violated the Fourth Amendment and state constitutional rights of employees and the people they exchanged text messages with, when they reviewed “personal” text messages created on devices owned and issued by the police department. It also found that the text messaging provider, Arch Wireless, violated the Stored Communications Act (SCA), 18 U.S.C. §§2701-2711, by providing transcripts of these messages to the employer.

Although this decision is based on U.S. law, similar results could happen in Canada. As a result, Canadian businesses should ensure that their employees clearly understand what they can and cannot do with the devices issued to them. One of the best ways to accomplish this goal is to develop appropriate policies and procedures, which will minimize the chances of being taken to court by third parties or employees.

Mobile devices prone to I.D. theft

My August 1, 2007 column in the Winnipeg Free Press points out the security risks inherent with mobile data holders such as USB drives, laptops and portable hard drives.